This commit is contained in:
John Tobin 2017-06-09 16:45:09 -07:00
commit 3eb8e51884
95 changed files with 13057 additions and 10467 deletions

View File

@ -1,59 +1,64 @@
{
{
"redirections": [
{
"source_path": "windows/device-security/windows-security-baselines.md",
"redirect_url": "https://www.microsoft.com/download/details.aspx?id=55319",
"redirect_document_id": false
},
{
"source_path": "education/windows/windows-10-pro-to-pro-edu-upgrade.md",
"redirect_url": "/education/windows/switch-to-pro-education",
"redirect_document_id": true
"redirect_document_id": true
},
{
"source_path": "windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md",
"redirect_url": "/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune",
"redirect_document_id": false
"redirect_document_id": false
},
{
"source_path": "windows/keep-secure/configure-windows-defender-in-windows-10.md",
"redirect_url": "/windows/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus",
"redirect_document_id": true
"redirect_document_id": true
},
{
"source_path": "windows/keep-secure/enable-pua-windows-defender-for-windows-10.md",
"redirect_url": "/windows/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus",
"redirect_document_id": true
"redirect_document_id": true
},
{
"source_path": "windows/keep-secure/get-started-with-windows-defender-for-windows-10.md",
"redirect_url": "/windows/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus",
"redirect_document_id": false
"redirect_document_id": false
},
{
"source_path": "windows/keep-secure/run-cmd-scan-windows-defender-for-windows-10.md",
"redirect_url": "/windows/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus",
"redirect_document_id": true
"redirect_document_id": true
},
{
"source_path": "windows/keep-secure/troubleshoot-windows-defender-in-windows-10.md",
"redirect_url": "/windows/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus",
"redirect_document_id": true
"redirect_document_id": true
},
{
"source_path": "windows/keep-secure/use-powershell-cmdlets-windows-defender-for-windows-10.md",
"redirect_url": "/windows/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus",
"redirect_document_id": true
"redirect_document_id": true
},
{
"source_path": "windows/keep-secure/windows-defender-block-at-first-sight.md",
"redirect_url": "/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus",
"redirect_document_id": true
"redirect_document_id": true
},
{
"source_path": "windows/keep-secure/windows-defender-in-windows-10.md",
"redirect_url": "/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10",
"redirect_document_id": true
"redirect_document_id": true
},
{
"source_path": "windows/keep-secure/windows-defender-enhanced-notifications.md",
"redirect_url": "/windows/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus",
"redirect_document_id": true
"redirect_document_id": true
},
{
"source_path": "windows/keep-secure/configure-aad-windows-defender-advanced-threat-protection.md",
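Review bot: several lines in this hunk appear twice with identical content (`"redirect_document_id": true` under the windows-10-pro-to-pro-edu-upgrade entry and under every windows-defender entry, `"redirect_document_id": false` under the add-apps-to-protected-list entry), which points to whitespace- or line-ending-only changes mixed into a content change; normalize line endings in a separate commit so that the real change here, the new redirect for `windows/device-security/windows-security-baselines.md` to the external download page, stays easy to review.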
@ -535,7 +540,7 @@
"redirect_url": "/windows/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection",
"redirect_document_id": true
},
{
{
"source_path": "windows/keep-secure/ad-ds-schema-extensions-to-support-tpm-backup.md",
"redirect_url": "https://technet.microsoft.com/library/jj635854.aspx",
"redirect_document_id": true
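Review bot: the `ad-ds-schema-extensions-to-support-tpm-backup.md` entry redirects to an external page (`https://technet.microsoft.com/library/jj635854.aspx`) but sets `"redirect_document_id": true`, whereas the other external redirect in this file, `windows-security-baselines.md` to the microsoft.com download page, uses `false`; the document id only has meaning for a target inside the docset, so set `false` for off-site targets consistently.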

View File

@ -11,6 +11,12 @@ localizationpriority: medium
# What's new in Windows 10, version 1703 for Microsoft Surface Hub?
Watch Surface Hub engineer Jordan Marchese present updates to Microsoft Surface Hub with Windows 10, version 1703 (Creators Update).
<a href="http://www.youtube.com/watch?feature=player_embedded&v=R8tX10VIgq0
" target="_blank"><img src="http://img.youtube.com/vi/R8tX10VIgq0/0.jpg"
alt="Watch a video about Creators Update on Surface Hub" width="240" height="180" border="10" /></a>
Windows 10, version 1703 (also called the Creators Update), introduces the following changes for Microsoft Surface Hub:
## New settings
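Review bot: the `href` of the added YouTube link is split across two lines, with the closing quote at the start of the next line (`<a href="http://www.youtube.com/watch?feature=player_embedded&v=R8tX10VIgq0` followed by `" target="_blank">`), so the attribute value contains a newline; put the URL on one line. Both the link and the thumbnail `img src="http://img.youtube.com/vi/R8tX10VIgq0/0.jpg"` use `http://`, and an HTTP image on an HTTPS docs page is mixed content that browsers block or flag; use `https://` for both.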

View File

@ -44,7 +44,7 @@ This diagram shows the correct pinout used for an RJ-11 (6P6C) to DB9 cable.
Room control systems use common meeting-room scenarios for commands. Commands originate from the room control system, and are communicated over a serial connection to a Surface Hub. Commands are ASCII based, and the Surface Hub will acknowledge when state changes occur.
The following command modifiers are available. Commands terminate with a new line character (/n). Responses can come at any time in response to state changes not triggered directly by a management port command.
The following command modifiers are available. Commands terminate with a new line character (\n). Responses can come at any time in response to state changes not triggered directly by a management port command.
| Modifier | Result |
| --- | --- |

View File

@ -207,6 +207,25 @@ author: CelesteDG
</div>
</a>
</li>
<li>
<a href="/education/windows/use-set-up-school-pcs-app">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
<div class="cardImageOuter">
<div class="cardImage bgdAccent1">
<img src="/media/hubs/education/education-pro-usb.svg" alt="Set up School PCs" />
</div>
</div>
<div class="cardText">
<h3>Set up School PCs</h3>
<p>Use the app to create a provisioning package that you can use to quickly set up one or more Windows 10 devices.</p>
</div>
</div>
</div>
</div>
</a>
</li>
</ul>
</li>
</ul>
@ -331,6 +350,25 @@ author: CelesteDG
</div>
</a>
</li>
<li>
<a href="/education/windows/use-set-up-school-pcs-app">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
<div class="cardImageOuter">
<div class="cardImage bgdAccent1">
<img src="/media/hubs/education/education-pro-usb.svg" alt="Set up School PCs" />
</div>
</div>
<div class="cardText">
<h3>Set up School PCs</h3>
<p>Use the app to create a provisioning package that you can use to quickly set up one or more Windows 10 devices.</p>
</div>
</div>
</div>
</div>
</a>
</li>
</ul>
</li>
</ul>

View File

@ -64,7 +64,7 @@ You can configure Windows through provisioning or management tools including ind
You can set all the education compliance areas through both provisioning and management tools. Additionally, these Microsoft education tools will ensure PCs that you set up are education ready:
- [Set up School PCs](use-set-up-school-pcs-app.md)
- Intune for Education (coming soon)
- [Intune for Education](https://docs.microsoft.com/en-us/intune-education/available-settings)
## AllowCortana
**AllowCortana** is a policy that enables or disables Cortana. It is a policy node in the Policy configuration service provider, [AllowCortana](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowcortana).
@ -145,7 +145,7 @@ Provide an ad-free experience that is a safer, more private search option for K
### Configurations
#### IP registration for entire school network using Microsoft Edge
Ad-free searching with Bing in Microsoft Edge can be configured at the network level. To configure this, email bicteam@microsoft.com with the subject "New Windows 10, version 1703 (Creators Update) Registration: [School District Name]" and the include the following information in the body of the email.
Ad-free searching with Bing in Microsoft Edge can be configured at the network level. To configure this, email bingintheclassroom@microsoft.com with the subject "New Windows 10, version 1703 (Creators Update) Registration: [School District Name]" and the include the following information in the body of the email.
**District information**
- **District or School Name:**
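Review bot: the replacement line changes the address to bingintheclassroom@microsoft.com but carries over the typo "and the include the following information in the body of the email"; while touching the line, make it "and include the following information in the body of the email".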

View File

@ -44,7 +44,7 @@ author: CelesteDG
<p><b>[Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md)</b><br />Get step-by-step guidance on how to deploy Windows 10 to PCs and devices across a school district.</p>
<p><b><a href="https://technet.microsoft.com/en-us/windows/mt574244" target="_blank">Try it out: Windows 10 deployment (for education)</a></b><br />Learn how to upgrade devices running the Windows 7 operating system to Windows 10 Anniversary Update, and how to manage devices, apps, and users in Windows 10 Anniversary Update.<br /><br />For the best experience, use this guide in tandem with the <a href="https://vlabs.holsystems.com/vlabs/technet?eng=VLabs&auth=none&src=vlabs&altadd=true&labid=20949&lod=true" target="_blank">TechNet Virtual Lab: IT Pro Try-It-Out</a>.</p>
### ![Switch to Windows 10 for Education](images/windows.png) Switch
## ![Switch to Windows 10 for Education](images/windows.png) Switch
<p><b>[Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](switch-to-pro-education.md)</b><br />If you have an education tenant and use Windows 10 Pro or Windows 10 S in your schools, find out how you can opt-in to a free switch to Windows 10 Pro Education.</p>

View File

@ -70,7 +70,7 @@ To make this as seamless as possible, in your Azure AD tenant:
![Set maximum number of devices per user to unlimited](images/azuread_usersandgroups_devicesettings_maxnumberofdevicesperuser.png)
- Clear your Azure AD tokens from time to time. Your tenant can only have 50 automated Azure AD tokens active at any one time.
- Clear your Azure AD tokens from time to time. Your tenant can only have 500 automated Azure AD tokens active at any one time.
In the Azure portal, select **Azure Active Directory**. Go to **Users and groups > All users** and look at the list of user names. User names that start with **package_** followed by a string of letters and numbers. These are the user accounts that are created automatically for the tokens and you can safely delete these.
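Review bot: the sentence "User names that start with **package_** followed by a string of letters and numbers." in the context line is a fragment; suggest "Look for user names that start with **package_** followed by a string of letters and numbers; these are the accounts created automatically for the tokens, and you can safely delete them." The limit change from 50 to 500 active tokens is a factual correction with no source noted in the diff; link the tenant limit documentation it comes from so the number can be verified later.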

View File

@ -159,7 +159,7 @@ Once you enable the setting to switch to Windows 10 Pro Education, the switch wi
**To turn on the automatic switch to Windows 10 Pro Education**
1. Sign in to [Microsoft Store for Education](https://businessstore.microsoft.com/) with your work or school account.
1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com/) with your work or school account.
If this is the first time you're signing into the Microsoft Store for Education, you'll be prompted to accept the Microsoft Store for Education Terms of Use.
@ -341,7 +341,7 @@ Once the automatic switch to Windows 10 Pro Education is turned off, the change
**To roll back Windows 10 Pro Education to Windows 10 Pro**
1. Log in to [Microsoft Store for Business](https://businessstore.microsoft.com/en-us/Store/Apps) with your school or work account, or follow the link from the notification email to turn off the automatic switch.
1. Log in to [Microsoft Store for Education](https://educationstore.microsoft.com/) with your school or work account, or follow the link from the notification email to turn off the automatic switch.
2. Select **Manage > Benefits** and locate the section **Windows 10 Pro Education** and follow the link.
3. In the **Revert to Windows 10 Pro** page, click **Revert to Windows 10 Pro**.

View File

@ -61,13 +61,13 @@ Taxes for Microsoft Store for Business purchases are determined by your business
- Switzerland
- United Kingdom
These countries can provide their VAT number or local equivalent in **Payments & billing**. However, they can only acquire free apps.
These countries can provide their VAT number or local equivalent in **Payments & billing**.
|Market| Tax identifier |
|------|----------------|
| Brazil | CPNJ (required), CCMID (optional) |
| India | CST ID, VAT ID |
| Taiwan | Unified business number|
| Brazil | CNPJ (required) |
| India | CST ID, VAT ID (both are optional) |
| Taiwan | VAT ID (optional) |
### Tax-exempt status

View File

@ -157,6 +157,193 @@ For more information, see [Manage settings in the Store for Business](manage-set
Microsoft Store for Business and Education is currently available in these markets.
<!--- <table>
<tr>
<th align="center" colspan="4">Support for free and paid apps</th>
</tr>
<tr align="left">
<td>
<ul>
<li>Algeria</li>
<li>Angola</li>
<li>Argentina</li>
<li>Australia</li>
<li>Austria</li>
<li>Bahamas</li>
<li>Bahrain</li>
<li>Bangladesh</li>
<li>Barbados</li>
<li>Belgium</li>
<li>Belize</li>
<li>Bermuda</li>
<li>Bhutan</li>
<li>Bolivia</li>
<li>Botswana</li>
<li>Brunei Darussalam</li>
<li>Bulgaria</li>
<li>Cambodia</li>
<li>Cameroon</li>
<li>Canada</li>
<li>Republic of Cabo Verde</li>
<li>Cayman Islands</li>
<li>Chile</li>
<li>Colombia</li>
<li>Costa Rica</li>
<li>C&ocirc;te D'ivoire</li>
<li>Croatia</li>
<li>Cur&ccedil;ao</li>
<li>Cyprus</li>
</ul>
</td>
<td>
<ul>
<li>Czech Republic</li>
<li>Denmark</li>
<li>Dominican Republic</li>
<li>Ecuador</li>
<li>Egypt</li>
<li>El Salvador</li>
<li>Estonia</li>
<li>Faroe Islands</li>
<li>Fiji</li>
<li>Finland</li>
<li>France</li>
<li>Germany</li>
<li>Ghana</li>
<li>Greece</li>
<li>Guadeloupe</li>
<li>Guatemala</li>
<li>Honduras</li>
<li>Hong Kong SAR</li>
<li>Hungary</li>
<li>Iceland</li>
<li>Indonesia</li>
<li>Iraq</li>
<li>Ireland</li>
<li>Israel</li>
<li>Italy</li>
<li>Jamaica</li>
<li>Japan</li>
<li>Jordan</li>
<li>Kenya</li>
</ul>
</td>
<td>
<ul>
<li>Kuwait</li>
<li>Latvia</li>
<li>Lebanon</li>
<li>Libya</li>
<li>Liechtenstein</li>
<li>Lithuania</li>
<li>Luxembourg</li>
<li>Malaysia</li>
<li>Malta</li>
<li>Mauritius</li>
<li>Mexico</li>
<li>Mongolia</li>
<li>Montenegro</li>
<li>Morocco</li>
<li>Mozambique</li>
<li>Namibia</li>
<li>Netherlands</li>
<li>New Zealand</li>
<li>Nicaragua</li>
<li>Nigeria</li>
<li>Norway</li>
<li>Oman</li>
<li>Pakistan</li>
<li>Palestinian Authority</li>
<li>Panama</li>
<li>Paraguay</li>
<li>Peru</li>
<li>Philippines</li>
<li>Poland</li>
</ul>
</td>
<td>
<ul>
<li>Portugal</li>
<li>Puerto Rico</li>
<li>Qatar</li>
<li>Romania</li>
<li>Rwanda</li>
<li>Saint Kitts and Nevis</li>
<li>Saudi Arabia</li>
<li>Senegal</li>
<li>Serbia</li>
<li>Singapore</li>
<li>Slovakia</li>
<li>Slovenia</li>
<li>South Africa</li>
<li>Spain</li>
<li>Sweden</li>
<li>Switzerland</li>
<li>Tanzania</li>
<li>Thailand</li>
<li>Trinidad and Tobago</li>
<li>Tunisia</li>
<li>Turkey</li>
<li>Uganda</li>
<li>United Arab Emirates</li>
<li>United Kingdom</li>
<li>United States</li>
</ul>
</td>
<td>
<ul>
<li>Uruguay</li>
<li>Viet Nam</li>
<li>Virgin Islands, U.S.</li>
<li>Zambia</li>
<li>Zimbabwe<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</li>
</ul>
</td>
</tr>
</table>
<table>
<tr>
<th align="center">Support for free apps only</th>
</tr>
<tr align="left">
<td>
<ul>
<li>Russia</li>
</ul>
</td>
</tr>
</table>
<table>
<tr>
<th align="center">Support for free apps and Minecraft: Education Edition</th>
</tr>
<tr align="left">
<td>
<ul>
<li>Albania</li>
<li>Armenia</li>
<li>Azerbaijan</li>
<li>Belarus</li>
<li>Bosnia</li>
<li>Brazil</li>
<li>Georgia</li>
<li>India</li>
<li>Kazakhstan</li>
<li>Korea</li>
<li>Kyrgyzstan</li>
<li>Moldova</li>
<li>Taiwan</li>
<li>Tajikistan</li>
<li>Turkmenistan</li>
<li>Ukraine</li>
<li>Uzbekistan</li>
</ul>
</td>
</tr>
</table> -->
### Support for free and paid apps
<table>
<tr>
<th align="center" colspan="4">Support for free and paid apps</th>
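Review bot: the old market tables are kept in the file inside an HTML comment (`<!--- <table>` through `</table> -->`), roughly 180 lines of dead content that readers never see but every future edit has to scroll past; delete them instead, since git history already preserves the previous version. The old "Support for free apps only" and "Support for free apps and Minecraft: Education Edition" tables in the comment also list countries (for example Russia, Albania, Korea) that should be cross-checked against the replacement section so no market is silently dropped.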
@ -294,22 +481,29 @@ Microsoft Store for Business and Education is currently available in these marke
</tr>
</table>
<table>
<tr>
<th align="center">Support for free apps only</th>
</tr>
<tr align="left">
<td>
<ul>
<li>Brazil</li>
<li>India</li>
<li>Russia</li>
<li>Taiwan</li>
<li>Ukraine</li>
</ul>
</td>
</tr>
</table>
### Support for free apps
Customers in these markets can use Microsoft Store for Business and Education to acquire free apps:
- India
- Russia
### Support for free apps and Minecraft: Education Edition
Customers in these markets can use Microsoft Store for Business and Education to acquire free apps and Minecraft: Education Edition:
- Brazil
- Taiwan
- Ukraine
This table summarize what customers can purchase, depending on which Microsoft Store they are using.
| Store | Free apps | Minecraft: Education Edition |
| ----- | --------- | ---------------------------- |
| Microsoft Store for Business | supported | not supported |
| Microsoft Store for Education | supported | supported; invoice payment required |
> [!NOTE]
> **Microsoft Store for Education customers with support for free apps and Minecraft: Education Edition**
- Admins can acquire free apps from **Microsoft Store for Education**.
- Admins need to use an invoice to purchase **Minecraft: Education Edition**. For more information, see [Invoice payment option](https://docs.microsoft.com/education/windows/school-get-minecraft#invoices).
- Teachers, or people with the Basic Purachaser role, can acquire free apps, but not **Minecraft: Education Edition**.
## Privacy notice
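Review bot: the `> [!NOTE]` callout is only two lines long; the three bullet lines under it ("- Admins can acquire free apps...", "- Admins need to use an invoice...", "- Teachers, or people with the Basic Purachaser role...") lack the `> ` prefix, so they render outside the note box. Prefix them with `> ` and, while there, fix "Purachaser" to "Purchaser" and "This table summarize what customers can purchase" to "This table summarizes what customers can purchase".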

View File

@ -189,9 +189,12 @@ Sign-in to the reference computer using domain administrator equivalent credenti
8. Right-click the **Registry** node and click **New**.
9. In the **New Registry Properties** dialog box, select **Update** from the **Action** list. Select **HKEY_LOCAL_MACHINE** from the **Hive** list.
10. For the **Key Path**, click **…** to launch the **Registry Item Browser**. Navigate to the following registry key and select the **PinRules** registry value name:
HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType0\CertDllCreateCertificateChainEngine\Config
Click **Select** to close the **Registry Item Browser**.
11. The **Key Path** should contain the selected registry key. The **Value name** configuration should contain the registry value name **_PinRules_**. **Value type** should read **_REGBINARY_** and **Value data** should contain a long series of numbers from 0-9 and letters ranging from A-F (hexadecimal). Click **OK** to save your settings and close the dialog box.
11. The **Key Path** should contain the selected registry key. The **Value name** configuration should contain the registry value name **_PinRules_**. **Value type** should read **_REG\_BINARY_** and **Value data** should contain a long series of numbers from 0-9 and letters ranging from A-F (hexadecimal). Click **OK** to save your settings and close the dialog box.
![PinRules Properties](images/enterprise-certificate-pinning-pinrules-properties.png)

View File

@ -9,5 +9,5 @@
## [Reset a Windows 10 Mobile device](reset-a-windows-10-mobile-device.md)
## [Windows 10 Mobile deployment and management guide](windows-10-mobile-and-mdm.md)
## [Windows libraries](windows-libraries.md)
## [Mobile Device Management](mdm/index.md)
## [Mobile device management protocol](mdm/index.md)
## [Change history for Client management](change-history-for-client-management.md)

View File

@ -191,7 +191,7 @@ To see the Notebooks that your Azure AD account has access to, tap **More Notebo
## Use Windows Store for Business
[Windows Store for Business](/microsoft-store/index) allows you to specify applications to be available to your users in the Windows Store application. These applications show up on a tab titled for your company. Applications approved in the Windows Store for Business portal can be installed by users.
[Microsoft Store for Business](/microsoft-store/index) allows you to specify applications to be available to your users in the Windows Store application. These applications show up on a tab titled for your company. Applications approved in the Microsoft Store for Business portal can be installed by users.
![company tab on store](images/aadjwsfb.jpg)
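Review bot: the rename is applied to the link text and to "Microsoft Store for Business portal", but the same sentence still says "available to your users in the Windows Store application"; if the rename covers the client app as well, update it in the same line, otherwise the mixed naming reads as an error.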

View File

@ -141,6 +141,8 @@
#### [EnterpriseModernAppManagement DDF](enterprisemodernappmanagement-ddf.md)
#### [EnterpriseModernAppManagement XSD](enterprisemodernappmanagement-xsd.md)
### [FileSystem CSP](filesystem-csp.md)
### [Firewall CSP](firewall-csp.md)
#### [Firewall DDF file](firewall-ddf-file.md)
### [HealthAttestation CSP](healthattestation-csp.md)
#### [HealthAttestation DDF](healthattestation-ddf.md)
### [HotSpot CSP](hotspot-csp.md)
@ -196,6 +198,8 @@
#### [SUPL DDF file](supl-ddf-file.md)
### [SurfaceHub CSP](surfacehub-csp.md)
#### [SurfaceHub DDF file](surfacehub-ddf-file.md)
### [TPMPolicy CSP](tpmpolicy-csp.md)
#### [TPMPolicy DDF file](tpmpolicy-ddf-file.md)
### [UnifiedWriteFilter CSP](unifiedwritefilter-csp.md)
#### [UnifiedWriteFilter DDF file](unifiedwritefilter-ddf.md)
### [Update CSP](update-csp.md)

View File

@ -671,7 +671,7 @@ The following example is provided to show proper format and should not be taken
<CmdID>110</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/DisableWarningForOtherDiskEncryption</LocURI>
<LocURI>./Device/Vendor/MSFT/BitLocker/AllowWarningForOtherDiskEncryption</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
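Review bot: renaming the node from `DisableWarningForOtherDiskEncryption` to `AllowWarningForOtherDiskEncryption` inverts the meaning of the setting, but the `<Data>` element of this Replace item sits below the hunk and is not shown; confirm that its integer value was flipped accordingly, otherwise the example now silently configures the opposite of what the surrounding text describes.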

View File

@ -11,6 +11,9 @@ author: nickbrower
# Configuration service provider reference
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
A configuration service provider (CSP) is an interface to read, set, modify, or delete configuration settings on the device. These settings map to registry keys or files. Some configuration service providers support the WAP format, some support SyncML, and some support both. SyncML is only used overtheair for Open Mobile Alliance Device Management (OMA DM), whereas WAP can be used overtheair for OMA Client Provisioning, or it can be included in the phone image as a .provxml file that is installed during boot.
For information about the bridge WMI provider classes that map to these CSPs, see [MDM Bridge WMI Provider](https://msdn.microsoft.com/library/windows/hardware/dn905224).
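Review bot: the context line describing SyncML and WAP uses "overtheair" twice ("SyncML is only used overtheair for Open Mobile Alliance Device Management", "WAP can be used overtheair for OMA Client Provisioning"); write "over the air" in both places.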
@ -1148,6 +1151,34 @@ The following tables show the configuration service providers support in Windows
<!--EndSKU-->
<!--EndCSP-->
<!--StartCSP-->
[Firewall CSP](firewall-csp.md)
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--EndCSP-->
<!--StartCSP-->
[HealthAttestation CSP](healthattestation-csp.md)
@ -2016,6 +2047,34 @@ The following tables show the configuration service providers support in Windows
<!--EndSKU-->
<!--EndCSP-->
<!--StartCSP-->
[TPMPolicy CSP](tpmpolicy-csp.md)
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--EndCSP-->
<!--StartCSP-->
[UnifiedWriteFilter CSP](unifiedwritefilter-csp.md)
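Review bot: the TPMPolicy CSP support table carries no footnote on its check marks, whereas the Firewall CSP table added in the same commit marks Pro, Business, Enterprise and Education with `<sup>3</sup>` ("Added in the next major update to Windows 10"); if TPMPolicy CSP is also new in that update, add the same superscript, otherwise state which version introduced it so the reader knows the two tables differ on purpose. Also verify the Mobile and Mobile Enterprise check marks for TPMPolicy, since Firewall shows cross marks for the same SKUs.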
@ -2330,7 +2389,8 @@ The following tables show the configuration service providers support in Windows
 Footnotes:
- 1 - Added in Windows 10, version 1607
- 2 - Added in Windows 10, version 1703
- 2 - Added in Windows 10, version 1703
- 3 - Added in the next major update to Windows 10
> [!Note]
> You can download the Windows 10 version 1607 DDF files from [here](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip).
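Review bot: footnote "3 - Added in the next major update to Windows 10" is a placeholder that goes stale as soon as that update ships; track replacing it with the version number, as footnotes 1 and 2 already do. The callout on the next line is written `> [!Note]` while the same file and the Store topic in this commit use `> [!NOTE]`; use one casing.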

View File

@ -16,9 +16,8 @@ The EnterpriseAssignedAccess configuration service provider allows IT administra
> **Note**   The EnterpriseAssignedAccess CSP is only supported in Windows 10 Mobile.
 
For more information about how to interact with the lockdown XML at runtime, see [**DeviceLockdownProfile class**](https://msdn.microsoft.com/library/windows/hardware/mt186983).
To use an app to create a lockdown XML see [Use the Lockdown Designer app to create a Lockdown XML file](https://docs.microsoft.com/en-us/windows/configuration/mobile-devices/mobile-lockdown-designer). For more information about how to interact with the lockdown XML at runtime, see [**DeviceLockdownProfile class**](https://msdn.microsoft.com/library/windows/hardware/mt186983).
The following diagram shows the EnterpriseAssignedAccess configuration service provider in tree format as used by both the Open Mobile Alliance (OMA) Device Management (DM) and OMA Client Provisioning.
@ -44,137 +43,103 @@ When using the AssignedAccessXml in the EnterpriseAssignedAccess CSP through an
When using the AssignedAccessXml in a provisioning package using the Windows Imaging and Configuration Designer (ICD) tool, do not use escaped characters.
 
Entry | Description
----------- | ------------
ActionCenter | You can enable or disable the Action Center (formerly known as Notification Center) on the device. Set to true to enable the Action Center, or set to false to disable the Action Center.
ActionCenter | Example: `<ActionCenter enabled="true"></ActionCenter>`
ActionCenter | In Windows 10, when the Action Center is disabled, Above Lock notifications and toasts are also disabled. When the Action Center is enabled, the following policies are also enabled; **AboveLock/AllowActionCenterNotifications** and **AboveLock/AllowToasts**. For more information about these policies, see [Policy CSP](policy-configuration-service-provider.md)
ActionCenter | You can also add the following optional attributes to the ActionCenter element to override the default behavior: **aboveLockToastEnabled** and **actionCenterNotificationEnabled**. Valid values are 0 (policy disabled), 1 (policy enabled), and -1 (not set, policy enabled). In this example, the Action Center is enabled and both policies are disabled.: `<ActionCenter enabled="true" aboveLockToastEnabled="0" actionCenterNotificationEnabled="0"/>`
ActionCenter | These optional attributes are independent of each other. In this example, Action Center is enabled, the notifications policy is disabled, and the toast policy is enabled by default because it is not set. `<ActionCenter enabled="true" actionCenterNotificationEnabled="0"/>`
StartScreenSize | Specify the size of the Start screen. In addition to 4/6 columns, you can also use 4/6/8 depending on screen resolutions. Valid values: **Small** - sets the width to 4 columns on device with short axis &lt;400epx or 6 columns on devices with short axis &gt;=400epx. **Large** - sets the width to 6 columns on devices with short axis &lt;400epx or 8 columns on devices with short axis &gt;=400epx.
StartScreenSize | If you have existing lockdown XML, you must update it if your device has &gt;=400epx on its short axis so that tiles on Start can fill all 8 columns if you want to use all 8 columns instead of 6, or use 6 columns instead of 4. Example: `<StartScreenSize>Large</StartScreenSize>`
Application | Provide the product ID for each app that will be available on the device. You can find the product ID for a locally developed app in the AppManifest.xml file of the app. For the list of product ID and AUMID see [ProductIDs in Windows 10 Mobile](#productid).
Application | To turn on the notification for a Windows app, you must include the application's AUMID in the lockdown XML. However, the user can change the setting at any time from user interface. Example: `<Application productId="{A558FEBA-85D7-4665-B5D8-A2FF9C19799B}" aumid="microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowslive.mail"/>`
Application | <img src="images/enterpriseassignedaccess-csp.png" alt="modern app notification" />
Application | Include PinToStart to display an app on the Start screen. For apps pinned to the Start screen, identify a tile size (small, medium, or large), and a location. The size of a small tile is 1 column x 1 row, a medium tile is 2 x 2, and a large tile is 4 x 2. For the tile location, the first value indicates the column and the second value indicates the row. A value of 0 (zero) indicates the first column, a value of 1 indicates the second column, and so on. Include autoRun as an attribute to configure the application to run automatically.
Application example:
``` syntax
<Application productId="{2A4E62D8-8809-4787-89F8-69D0F01654FB}" autoRun="true">
<PinToStart>
<Size>Large</Size>
<Location>
<LocationX>0</LocationX>
<LocationY>2</LocationY>
</Location>
</PinToStart>
</Application>
```
Entry | Description
----------- | ------------
Application | Multiple App Packages enable multiple apps to exist inside the same package. Since ProductIds identify packages and not applications, specifying a ProductId is not enough to distinguish between individual apps inside a multiple app package. Trying to include application from a multiple app package with just a ProductId can result in unexpected behavior. To support pinning applications in multiple app packages, use an AUMID parameter in lockdown XML. For the list of product ID and AUMID, see [ProductIDs in Windows 10 Mobile](#productid). The following example shows how to pin both Outlook mail and Outlook calendar.
Application example:
``` syntax
<Apps>
<!-- Outlook Calendar -->
<Application productId="{A558FEBA-85D7-4665-B5D8-A2FF9C19799B}"
aumid="microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowslive.calendar">
<PinToStart>
<Size>Large</Size>
<Location>
<LocationX>1</LocationX>
<LocationY>4</LocationY>
</Location>
</PinToStart>
</Application>
<!-- Outlook Mail-->
<Application productId="{A558FEBA-85D7-4665-B5D8-A2FF9C19799B}"
aumid="microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowslive.mail">
<PinToStart>
<Size>Large</Size>
<Location>
<LocationX>1</LocationX>
<LocationY>6</LocationY>
</Location>
</PinToStart>
</Application>
</Apps>
```
Entry | Description
----------- | ------------
Folder | A folder should be contained in &lt;Applications/&gt; node among with other &lt;Application/&gt; nodes, it shares most grammar with the Application Node, **folderId** is mandatory, **folderName** is optional, which is the folder name displayed on Start. **folderId** is a unique unsigned integer for each folder.
Folder example:
``` syntax
<Application folderId="4" folderName="foldername">
<PinToStart>
<Size>Large</Size>
<Location>
<LocationX>0</LocationX>
<LocationY>2</LocationY>
</Location>
</PinToStart>
</Application>
```
An application that belongs in the folder would add an optional attribute **ParentFolderId**, which maps to **folderId** of the folder. In this case, the location of this application will be located inside the folder.
``` syntax
<Application productId="{2A4E62D8-8809-4787-89F8-69D0F01654FB}">
<PinToStart>
<Size>Medium</Size>
<Location>
<LocationX>0</LocationX>
<LocationY>0</LocationY>
</Location>
<ParentFolderId>2</ParentFolderId>
</PinToStart>
</Application>
```
Entry | Description
----------- | ------------
Settings | Starting in Windows 10, version 1511, you can specify the following settings pages in the lockdown XML file.
> [!Important]
> Do not specify a group entry without a page entry because it will cause an undefined behavior.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Entry</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td style="vertical-align:top"><p>ActionCenter</p></td>
<td><p>You can enable or disable the Action Center (formerly known as Notification Center) on the device. Set to true to enable the Action Center, or set to false to disable the Action Center.</p>
<p>Example:</p>
<pre class="syntax" space="preserve"><code>&lt;ActionCenter enabled=&quot;true&quot;&gt;&lt;/ActionCenter&gt;</code></pre>
<p>In Windows 10, when the Action Center is disabled, Above Lock notifications and toasts are also disabled. When the Action Center is enabled, the following policies are also enabled:</p>
<ul>
<li>AboveLock/AllowActionCenterNotifications</li>
<li>AboveLock/AllowToasts</li>
</ul>
<p>For more information about these policies, see [Policy CSP](policy-configuration-service-provider.md)</p>
<p>You can also add the following optional attributes to the ActionCenter element to override the default behavior:</p>
<ul>
<li>aboveLockToastEnabled</li>
<li>actionCenterNotificationEnabled</li>
</ul>
<p>Valid values are 0 (policy disabled), 1 (policy enabled), and -1 (not set, policy enabled).</p>
<p>In this example, the Action Center is enabled and both policies are disabled.</p>
<pre class="syntax" space="preserve"><code>&lt;ActionCenter enabled=&quot;true&quot; aboveLockToastEnabled=&quot;0&quot; actionCenterNotificationEnabled=&quot;0&quot;/&gt;</code></pre>
<p>These optional attributes are independent of each other.</p>
<p>In this example, Action Center is enabled, the notifications policy is disabled, and the toast policy is enabled by default because it is not set.</p>
<pre class="syntax" space="preserve"><code>&lt;ActionCenter enabled=&quot;true&quot; actionCenterNotificationEnabled=&quot;0&quot;/&gt;</code></pre></td>
</tr>
<tr class="even">
<td style="vertical-align:top"><p>StartScreenSize</p></td>
<td><p>Specify the size of the Start screen. In addition to 4/6 columns, you can also use 4/6/8 depending on screen resolutions.</p>
<p>Valid values:</p>
<ul>
<li><strong>Small</strong> sets the width to 4 columns on device with short axis &lt;400epx or 6 columns on devices with short axis &gt;=400epx.</li>
<li><strong>Large</strong> sets the width to 6 columns on devices with short axis &lt;400epx or 8 columns on devices with short axis &gt;=400epx.</li>
</ul>
<p>If you have existing lockdown XML, you must update it if your device has &gt;=400epx on its short axis so that tiles on Start can fill all 8 columns if you want to use all 8 columns instead of 6, or use 6 columns instead of 4.</p>
<p>Example:</p>
<pre class="syntax" space="preserve"><code>&lt;StartScreenSize&gt;Large&lt;/StartScreenSize&gt;</code></pre></td>
</tr>
<tr class="odd">
<td style="vertical-align:top"><p>Application</p></td>
<td><p>Provide the product ID for each app that will be available on the device.</p>
<p>You can find the product ID for a locally developed app in the AppManifest.xml file of the app. For the list of product ID and AUMID see [ProductIDs in Windows 10 Mobile](#productid).</p>
<p>To turn on the notification for a Windows app, you must include the application's AUMID in the lockdown XML. However, the user can change the setting at any time from user interface.</p>
<pre class="syntax" space="preserve"><code>&lt;Application productId=&quot;{A558FEBA-85D7-4665-B5D8-A2FF9C19799B}&quot; aumid=&quot;microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowslive.mail&quot;/&gt;</code></pre>
<img src="images/enterpriseassignedaccess-csp.png" alt="modern app notification" />
<p>Include PinToStart to display an app on the Start screen. For apps pinned to the Start screen, identify a tile size (small, medium, or large), and a location. The size of a small tile is 1 column x 1 row, a medium tile is 2 x 2, and a large tile is 4 x 2.</p>
<p>For the tile location, the first value indicates the column and the second value indicates the row. A value of <strong>0</strong> indicates the first column, a value of <strong>1</strong> indicates the second column, and so on.</p>
<p>Include autoRun as an attribute to configure the application to run automatically.</p>
<p>Example:</p>
<pre class="syntax" space="preserve"><code>&lt;Application productId=&quot;{2A4E62D8-8809-4787-89F8-69D0F01654FB}&quot; autoRun=&quot;true&quot;&gt;
&lt;PinToStart&gt;
&lt;Size&gt;Large&lt;/Size&gt;
&lt;Location&gt;
&lt;LocationX&gt;0&lt;/LocationX&gt;
&lt;LocationY&gt;2&lt;/LocationY&gt;
&lt;/Location&gt;
&lt;/PinToStart&gt;
&lt;/Application&gt;</code></pre>
<p>Multiple App Packages enable multiple apps to exist inside the same package. Since ProductIds identify packages and not applications, specifying a ProductId is not enough to distinguish between individual apps inside a multiple app package. Trying to include application from a multiple app package with just a ProductId can result in unexpected behavior.</p>
<p>To support pinning applications in multiple app packages, use an AUMID parameter in lockdown XML. For the list of product ID and AUMID, see [ProductIDs in Windows 10 Mobile](#productid). The following example shows how to pin both Outlook mail and Outlook calendar.</p>
<pre class="syntax" space="preserve"><code>&lt;Apps&gt;
&lt;!-- Outlook Calendar --&gt;
&lt;Application productId=&quot;{A558FEBA-85D7-4665-B5D8-A2FF9C19799B}&quot;
aumid=&quot;microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowslive.calendar&quot;&gt;
&lt;PinToStart&gt;
&lt;Size&gt;Large&lt;/Size&gt;
&lt;Location&gt;
&lt;LocationX&gt;1&lt;/LocationX&gt;
&lt;LocationY&gt;4&lt;/LocationY&gt;
&lt;/Location&gt;
&lt;/PinToStart&gt;
&lt;/Application&gt;
&lt;!-- Outlook Mail--&gt;
&lt;Application productId=&quot;{A558FEBA-85D7-4665-B5D8-A2FF9C19799B}&quot;
aumid=&quot;microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowslive.mail&quot;&gt;
&lt;PinToStart&gt;
&lt;Size&gt;Large&lt;/Size&gt;
&lt;Location&gt;
&lt;LocationX&gt;1&lt;/LocationX&gt;
&lt;LocationY&gt;6&lt;/LocationY&gt;
&lt;/Location&gt;
&lt;/PinToStart&gt;
&lt;/Application&gt;
&lt;/Apps&gt;</code></pre></td>
</tr>
<tr class="even">
<td style="vertical-align:top"><p>Folder</p></td>
<td><p>A folder should be contained in &lt;Applications/&gt; node among with other &lt;Application/&gt; nodes, it shares most grammar with the Application Node, <strong>folderId</strong> is mandatory, <strong>folderName</strong> is optional, which is the folder name displayed on Start. <strong>folderId</strong> is a unique unsigned integer for each folder.</p>
<p>For example:</p>
<pre class="syntax" space="preserve"><code>&lt;Application folderId=&quot;4&quot; folderName=&quot;foldername&quot;&gt;
&lt;PinToStart&gt;
&lt;Size&gt;Large&lt;/Size&gt;
&lt;Location&gt;
&lt;LocationX&gt;0&lt;/LocationX&gt;
&lt;LocationY&gt;2&lt;/LocationY&gt;
&lt;/Location&gt;
&lt;/PinToStart&gt;
&lt;/Application&gt;</code></pre>
<p>An application that belongs in the folder would add an optional attribute <strong>ParentFolderId</strong>, which maps to <strong>folderId</strong> of the folder. In this case, the location of this application will be located inside the folder.</p>
<pre class="syntax" space="preserve"><code>&lt;Application productId=&quot;{2A4E62D8-8809-4787-89F8-69D0F01654FB}&quot;&gt;
&lt;PinToStart&gt;
&lt;Size&gt;Medium&lt;/Size&gt;
&lt;Location&gt;
&lt;LocationX&gt;0&lt;/LocationX&gt;
&lt;LocationY&gt;0&lt;/LocationY&gt;
&lt;/Location&gt;
&lt;ParentFolderId&gt;2&lt;/ParentFolderId&gt;
&lt;/PinToStart&gt;
&lt;/Application&gt;</code></pre></td>
</tr>
<tr class="odd">
<td style="vertical-align:top"><p>Settings</p></td>
<td><p><strong>Settings pages</strong></p>
<p>Starting in Windows 10, version 1511, you can specify the following settings pages in the lockdown XML file.</p>
<div class="alert">
<strong>Important</strong>  Do not specify a group entry without a page entry because it will cause an undefined behavior.
</div>
<div>
 
</div>
<ul>
<li>System (main menu) - SettingsPageGroupPCSystem
<ul>
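Review bot: the Folder row carried into the new markdown table names a parent element that does not exist on this page and has a grammar slip. It says "A folder should be contained in &lt;Applications/&gt; node among with other &lt;Application/&gt; nodes", while every sample on the page (the `<Apps>` ... `</Apps>` block immediately above it and both HandheldLockdown samples) puts `<Application>` elements inside `<Apps>`; suggest "A folder is contained in the <Apps> node along with the other <Application> nodes". The two folder snippets also do not match each other: the folder is declared with `folderId="4"` but the app that belongs to it uses `<ParentFolderId>2</ParentFolderId>`; use one id so they read as a single worked example, and "the location of this application will be located inside the folder" can simply be "the application is placed inside the folder". In the Settings row, "it will cause an undefined behavior" should be "it causes undefined behavior".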
@ -278,9 +243,14 @@ aumid=&quot;microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowsl
<li>Extensibility - SettingsPageExtensibility</li>
</ul></li>
</ul>
<p><strong>Quick action settings</strong></p>
<p>Starting in Windows 10, version 1511, you can specify the following quick action settings in the lockdown XML file. The following list shows the quick action settings and settings page dependencies (group and page). </p>
<p>Note: Only Windows 10, versions 1511 and 1607, the dependent settings group and pages are automatically added when the quick action item is specified in the lockdown XML. This statement does not apply to Windows 10, version 1703.</p>
**Quick action settings**
Starting in Windows 10, version 1511, you can specify the following quick action settings in the lockdown XML file. The following list shows the quick action settings and settings page dependencies (group and page).
> [!Note]
> Only Windows 10, versions 1511 and 1607, the dependent settings group and pages are automatically added when the quick action item is specified in the lockdown XML. This statement does not apply to Windows 10, version 1703.
<ul>
<li><p>SystemSettings_System_Display_QuickAction_Brightness</p>
<p>Dependencies - SettingsPageSystemDisplay, SettingsPageDisplay</p></li>
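Review bot: the sentence moved into the new `> [!Note]` block is ungrammatical as carried over: "Only Windows 10, versions 1511 and 1607, the dependent settings group and pages are automatically added when the quick action item is specified in the lockdown XML." Suggest "In Windows 10, versions 1511 and 1607 only, the dependent settings group and pages are added automatically when a quick action item is specified in the lockdown XML. This does not apply to Windows 10, version 1703." The same wording also survives in the old `<p>Note: ...</p>` line being removed, so the fix belongs on the new block.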
@ -315,277 +285,265 @@ aumid=&quot;microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowsl
<li><p>SystemSettings_QuickAction_Camera</p>
<p>Dependencies - none</p></li>
</ul>
<p>In this example, all settings pages and quick action settings are allowed. An empty &lt;Settings&gt; node indicates that none of the settings are blocked.</p>
<pre class="syntax" space="preserve"><code>&lt;Settings&gt;
&lt;/Settings&gt;</code></pre>
<p>In this example, all System setting pages are enabled. Note that the System page group is added as well as all of the System subpage names.</p>
<pre class="syntax" space="preserve"><code>&lt;Settings&gt;
&lt;System name=&quot;SettingsPageGroupPCSystem&quot; /&gt;
&lt;System name=&quot;SettingsPageDisplay&quot; /&gt;
&lt;System name=&quot;SettingsPageAppsNotifications&quot; /&gt;
&lt;System name=&quot;SettingsPageCalls&quot; /&gt;
&lt;System name=&quot;SettingsPageMessaging&quot; /&gt;
&lt;System name=&quot;SettingsPageBatterySaver&quot; /&gt;
&lt;System name=&quot;SettingsPageStorageSenseStorageOverview&quot; /&gt;
&lt;System name=&quot;SettingsPageGroupPCSystemDeviceEncryption&quot; /&gt;
&lt;System name=&quot;SettingsPageDrivingMode&quot; /&gt;
&lt;System name=&quot;SettingsPagePCSystemInfo&quot; /&gt;
&lt;/Settings&gt;</code></pre>
<p>To remove access to all of the settings in the system, the settings application would simply not be listed in the app list for a particular role.</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top"><p>Buttons</p></td>
<td><p>The following list identifies the hardware buttons on the device that you can lock down in <strong>ButtonLockdownList</strong>. When a user taps a button that is in the lockdown list, nothing will happen.</p>
In this example, all settings pages and quick action settings are allowed. An empty \<Settings> node indicates that none of the settings are blocked.
``` syntax
<Settings>
</Settings>
```
In this example, all System setting pages are enabled. Note that the System page group is added as well as all of the System subpage names.
``` syntax
<Settings>
<System name="SettingsPageGroupPCSystem" />
<System name="SettingsPageDisplay" />
<System name="SettingsPageAppsNotifications" />
<System name="SettingsPageCalls" />
<System name="SettingsPageMessaging" />
<System name="SettingsPageBatterySaver" />
<System name="SettingsPageStorageSenseStorageOverview" />
<System name="SettingsPageGroupPCSystemDeviceEncryption" />
<System name="SettingsPageDrivingMode" />
<System name="SettingsPagePCSystemInfo" />
</Settings>
```
Entry | Description
----------- | ------------
Buttons | The following list identifies the hardware buttons on the device that you can lock down in <strong>ButtonLockdownList</strong>. When a user taps a button that is in the lockdown list, nothing will happen.
<ul>
<li><p>Start</p>
<div class="alert">
<strong>Note</strong>  
<p>Lock down of the Start button only prevents the press and hold event.</p>
</div>
<div>
 
</div></li>
<li><p>Back</p></li>
<li><p>Search</p></li>
<li><p>Camera</p></li>
<li><p>Custom1</p></li>
<li><p>Custom2</p></li>
<li><p>Custom3</p>
<div class="alert">
<strong>Note</strong>  
<p>Custom buttons are hardware buttons that can be added to devices by OEMs.</p>
</div>
<div>
 
</div></li>
<li><p>Custom3</p></li>
</ul>
<p>Example:</p>
<pre class="syntax" space="preserve"><code>&lt;Buttons&gt;
&lt;ButtonLockdownList&gt;
&lt;!-- Lockdown all buttons --&gt;
&lt;Button name=&quot;Search&quot;&gt;
&lt;/Button&gt;
&lt;Button name=&quot;Camera&quot;&gt;
&lt;/Button&gt;
&lt;Button name=&quot;Custom1&quot;&gt;
&lt;/Button&gt;
&lt;Button name=&quot;Custom2&quot;&gt;
&lt;/Button&gt;
&lt;Button name=&quot;Custom3&quot;&gt;
&lt;/Button&gt;
&lt;/ButtonLockdownList&gt;</code></pre>
<p>The Search and custom buttons can be <em>remapped</em> or configured to open a specific application. Button remapping takes effect for the device and applies to all users.</p>
<div class="alert">
<strong>Note</strong>  
<p>The lockdown settings for a button, per user role, will apply regardless of the button mapping.</p>
</div>
<div>
 
</div>
<div class="alert">
<strong>Warning</strong>  
<p>Button remapping can enable a user to open an application that is not in the Allow list. Use button lock down to prevent application access for a user role.</p>
</div>
<div>
 
</div>
<p>To remap a button in lockdown XML, you supply the button name, the button event (typically &quot;press&quot;), and the product ID for the application the button will open.</p>
<p>Example:</p>
<pre class="syntax" space="preserve"><code>&lt;ButtonRemapList&gt;
&lt;Button name=&quot;Search&quot;&gt;
&lt;ButtonEvent name=&quot;Press&quot;&gt;
&lt;!-- Alarms --&gt;
&lt;Application productId=&quot;{08179793-ED2E-45EA-BA12-BDE3EE9C3CE3}&quot; parameters=&quot;&quot; /&gt;
&lt;/ButtonEvent&gt;
&lt;/Button&gt;
&lt;/ButtonRemapList&gt;</code></pre>
<p><strong>Disabling navigation buttons</strong></p>
<p>To disable navigation buttons (such as Home or Back) in lockdown XML, you supply the name (for example, Start) and button event (typically &quot;press&quot;).</p>
<p>The following section contains a sample lockdown XML file that shows how to disable navigation buttons.</p>
<p>Example:</p>
<pre class="syntax" space="preserve"><code>&lt;?xml version=&quot;1.0&quot; encoding=&quot;utf-8&quot;?&gt;
&lt;HandheldLockdown version=&quot;1.0&quot; &gt;
&lt;Default&gt;
&lt;ActionCenter enabled=&quot;false&quot; /&gt;
&lt;Apps&gt;
&lt;!-- Settings --&gt;
&lt;Application productId=&quot;{2A4E62D8-8809-4787-89F8-69D0F01654FB}&quot;&gt;
&lt;PinToStart&gt;
&lt;Size&gt;Large&lt;/Size&gt;
&lt;Location&gt;
&lt;LocationX&gt;0&lt;/LocationX&gt;
&lt;LocationY&gt;0&lt;/LocationY&gt;
&lt;/Location&gt;
&lt;/PinToStart&gt;
&lt;/Application&gt;
&lt;!-- Phone Apps --&gt;
&lt;Application productId=&quot;{F41B5D0E-EE94-4F47-9CFE-3D3934C5A2C7}&quot;&gt;
&lt;PinToStart&gt;
&lt;Size&gt;Small&lt;/Size&gt;
&lt;Location&gt;
&lt;LocationX&gt;2&lt;/LocationX&gt;
&lt;LocationY&gt;2&lt;/LocationY&gt;
&lt;/Location&gt;
&lt;/PinToStart&gt;
&lt;/Application&gt;
&lt;/Apps&gt;
&lt;Buttons&gt;
&lt;ButtonLockdownList&gt;
&lt;Button name=&quot;Start&quot;&gt;
&lt;ButtonEvent name=&quot;Press&quot; /&gt;
&lt;/Button&gt;
&lt;Button name=&quot;Back&quot;&gt;
&lt;ButtonEvent name=&quot;Press&quot; /&gt;
&lt;ButtonEvent name=&quot;PressAndHold&quot; /&gt;
&lt;/Button&gt;
&lt;Button name=&quot;Search&quot;&gt;
&lt;ButtonEvent name=&quot;All&quot; /&gt;
&lt;/Button&gt;
&lt;Button name=&quot;Camera&quot;&gt;
&lt;ButtonEvent name=&quot;Press&quot; /&gt;
&lt;ButtonEvent name=&quot;PressAndHold&quot; /&gt;
&lt;/Button&gt;
&lt;Button name=&quot;Custom1&quot;&gt;
&lt;ButtonEvent name=&quot;Press&quot; /&gt;
&lt;ButtonEvent name=&quot;PressAndHold&quot; /&gt;
&lt;/Button&gt;
&lt;Button name=&quot;Custom2&quot;&gt;
&lt;ButtonEvent name=&quot;Press&quot; /&gt;
&lt;ButtonEvent name=&quot;PressAndHold&quot; /&gt;
&lt;/Button&gt;
&lt;Button name=&quot;Custom3&quot;&gt;
&lt;ButtonEvent name=&quot;Press&quot; /&gt;
&lt;ButtonEvent name=&quot;PressAndHold&quot; /&gt;
&lt;/Button&gt;
&lt;/ButtonLockdownList&gt;
&lt;ButtonRemapList /&gt;
&lt;/Buttons&gt;
&lt;MenuItems&gt;
&lt;DisableMenuItems/&gt;
&lt;/MenuItems&gt;
&lt;Settings&gt;
&lt;/Settings&gt;
&lt;Tiles&gt;
&lt;EnableTileManipulation/&gt;
&lt;/Tiles&gt;
&lt;StartScreenSize&gt;Small&lt;/StartScreenSize&gt;
&lt;/Default&gt;
&lt;/HandheldLockdown&gt;</code></pre></td>
</tr>
<tr class="odd">
<td style="vertical-align:top"><p>MenuItems</p></td>
<td><p>Use <strong>DisableMenuItems</strong> to prevent use of the context menu, which is displayed when a user presses and holds an application in the All Programs list. You can include this entry in the default profile and in any additional user role profiles that you create.</p>
<p>Example:</p>
<pre class="syntax" space="preserve"><code>&lt;MenuItems&gt;
&lt;DisableMenuItems/&gt;
&lt;/MenuItems&gt;</code></pre>
<div class="alert">
<strong>Important</strong>  
<p>If <strong>DisableMenuItems</strong> is not included in a profile, users of that profile can uninstall apps.</p>
</div>
<div>
 
</div></td>
</tr>
<tr class="even">
<td style="vertical-align:top"><p>Tiles</p></td>
<td><p><strong>Turning-on tile manipulation</strong></p>
<p>By default, under Assigned Access, tile manipulation is turned off (blocked) and only available if enabled in the users profile.</p>
<p>If tile manipulation is enabled in the users profile, they can pin/unpin, move, and resize tiles based on their preferences. When multiple people use one device and you want to enable tile manipulation for multiple users, you must enable it for each user in their user profile.</p>
<div class="alert">
<strong>Important</strong>  
<p>If a device is turned off then back on, the tiles reset to their predefined layout. If a device has only one profile, the only way to reset the tiles is to turn off then turn on the device. If a device has multiple profiles, the device resets the tiles to the predefined layout based on the logged-in users profile.</p>
</div>
<div>
 
</div>
<p>The following sample file contains configuration for enabling tile manipulation.</p>
<div class="alert">
<strong>Note</strong>  
<p>Tile manipulation is disabled when you dont have a <code>&lt;Tiles&gt;</code> node in lockdown XML, or if you have a <code>&lt;Tiles&gt;</code> node but dont have the <code>&lt;EnableTileManipulation/&gt;</code> node.</p>
</div>
<div>
 
</div>
<p>Example:</p>
<pre class="syntax" space="preserve"><code>&lt;?xml version=&quot;1.0&quot; encoding=&quot;utf-8&quot;?&gt;
&lt;HandheldLockdown version=&quot;1.0&quot; &gt;
&lt;Default&gt;
&lt;ActionCenter enabled=&quot;false&quot; /&gt;
&lt;Apps&gt;
&lt;!-- Settings --&gt;
&lt;Application productId=&quot;{2A4E62D8-8809-4787-89F8-69D0F01654FB}&quot;&gt;
&lt;PinToStart&gt;
&lt;Size&gt;Large&lt;/Size&gt;
&lt;Location&gt;
&lt;LocationX&gt;0&lt;/LocationX&gt;
&lt;LocationY&gt;0&lt;/LocationY&gt;
&lt;/Location&gt;
&lt;/PinToStart&gt;
&lt;/Application&gt;
> [!Note]
> Lock down of the Start button only prevents the press and hold event.
>
> Custom buttons are hardware buttons that can be added to devices by OEMs.
&lt;!-- Phone Apps --&gt;
&lt;Application productId=&quot;{F41B5D0E-EE94-4F47-9CFE-3D3934C5A2C7}&quot;&gt;
&lt;PinToStart&gt;
&lt;Size&gt;Small&lt;/Size&gt;
&lt;Location&gt;
&lt;LocationX&gt;2&lt;/LocationX&gt;
&lt;LocationY&gt;2&lt;/LocationY&gt;
&lt;/Location&gt;
&lt;/PinToStart&gt;
&lt;/Application&gt;
&lt;/Apps&gt;
&lt;Buttons&gt;
&lt;ButtonLockdownList&gt;
&lt;Button name=&quot;Start&quot;&gt;
&lt;ButtonEvent name=&quot;Press&quot; /&gt;
&lt;/Button&gt;
&lt;Button name=&quot;Back&quot;&gt;
&lt;ButtonEvent name=&quot;Press&quot; /&gt;
&lt;ButtonEvent name=&quot;PressAndHold&quot; /&gt;
&lt;/Button&gt;
&lt;Button name=&quot;Search&quot;&gt;
&lt;ButtonEvent name=&quot;All&quot; /&gt;
&lt;/Button&gt;
&lt;Button name=&quot;Camera&quot;&gt;
&lt;ButtonEvent name=&quot;Press&quot; /&gt;
&lt;ButtonEvent name=&quot;PressAndHold&quot; /&gt;
&lt;/Button&gt;
&lt;Button name=&quot;Custom1&quot;&gt;
&lt;ButtonEvent name=&quot;Press&quot; /&gt;
&lt;ButtonEvent name=&quot;PressAndHold&quot; /&gt;
&lt;/Button&gt;
&lt;Button name=&quot;Custom2&quot;&gt;
&lt;ButtonEvent name=&quot;Press&quot; /&gt;
&lt;ButtonEvent name=&quot;PressAndHold&quot; /&gt;
&lt;/Button&gt;
&lt;Button name=&quot;Custom3&quot;&gt;
&lt;ButtonEvent name=&quot;Press&quot; /&gt;
&lt;ButtonEvent name=&quot;PressAndHold&quot; /&gt;
&lt;/Button&gt;
&lt;/ButtonLockdownList&gt;
&lt;ButtonRemapList /&gt;
&lt;/Buttons&gt;
&lt;MenuItems&gt;
&lt;DisableMenuItems/&gt;
&lt;/MenuItems&gt;
&lt;Settings&gt;
&lt;/Settings&gt;
&lt;Tiles&gt;
&lt;EnableTileManipulation/&gt;
&lt;/Tiles&gt;
&lt;StartScreenSize&gt;Small&lt;/StartScreenSize&gt;
&lt;/Default&gt;
&lt;/HandheldLockdown&gt;</code></pre></td>
</tr>
<tr class="odd">
<td style="vertical-align:top"><p>CSP Runner</p></td>
<td><p>Allows CSPs to be executed on the device per user role. You can use this to implement role specific policies, such as changing the color scheme when an admin logs on the device, or to set configurations per role.</p></td>
</tr>
</tbody>
</table>
Buttons example:
``` syntax
<Buttons>
<ButtonLockdownList>
<!-- Lockdown all buttons -->
<Button name="Search">
</Button>
<Button name="Camera">
</Button>
<Button name="Custom1">
</Button>
<Button name="Custom2">
</Button>
<Button name="Custom3">
</Button>
</ButtonLockdownList>
```
The Search and custom buttons can be <em>remapped</em> or configured to open a specific application. Button remapping takes effect for the device and applies to all users.
> [!Note]
> The lockdown settings for a button, per user role, will apply regardless of the button mapping.
>
> Button remapping can enable a user to open an application that is not in the Allow list. Use button lock down to prevent application access for a user role.
To remap a button in lockdown XML, you supply the button name, the button event (typically &quot;press&quot;), and the product ID for the application the button will open.
``` syntax
<ButtonRemapList>
<Button name="Search">
<ButtonEvent name="Press">
<!-- Alarms -->
<Application productId="{08179793-ED2E-45EA-BA12-BDE3EE9C3CE3}" parameters="" />
</ButtonEvent>
</Button>
</ButtonRemapList>
```
**Disabling navigation buttons**
To disable navigation buttons (such as Home or Back) in lockdown XML, you supply the name (for example, Start) and button event (typically "press").
The following section contains a sample lockdown XML file that shows how to disable navigation buttons.
``` syntax
<?xml version="1.0" encoding="utf-8"?>
<HandheldLockdown version="1.0" >
<Default>
<ActionCenter enabled="false" />
<Apps>
<!-- Settings -->
<Application productId="{2A4E62D8-8809-4787-89F8-69D0F01654FB}">
<PinToStart>
<Size>Large</Size>
<Location>
<LocationX>0</LocationX>
<LocationY>0</LocationY>
</Location>
</PinToStart>
</Application>
<!-- Phone Apps -->
<Application productId="{F41B5D0E-EE94-4F47-9CFE-3D3934C5A2C7}">
<PinToStart>
<Size>Small</Size>
<Location>
<LocationX>2</LocationX>
<LocationY>2</LocationY>
</Location>
</PinToStart>
</Application>
</Apps>
<Buttons>
<ButtonLockdownList>
<Button name="Start">
<ButtonEvent name="Press" />
</Button>
<Button name="Back">
<ButtonEvent name="Press" />
<ButtonEvent name="PressAndHold" />
</Button>
<Button name="Search">
<ButtonEvent name="All" />
</Button>
<Button name="Camera">
<ButtonEvent name="Press" />
<ButtonEvent name="PressAndHold" />
</Button>
<Button name="Custom1">
<ButtonEvent name="Press" />
<ButtonEvent name="PressAndHold" />
</Button>
<Button name="Custom2">
<ButtonEvent name="Press" />
<ButtonEvent name="PressAndHold" />
</Button>
<Button name="Custom3">
<ButtonEvent name="Press" />
<ButtonEvent name="PressAndHold" />
</Button>
</ButtonLockdownList>
<ButtonRemapList />
</Buttons>
<MenuItems>
<DisableMenuItems/>
</MenuItems>
<Settings>
</Settings>
<Tiles>
<EnableTileManipulation/>
</Tiles>
<StartScreenSize>Small</StartScreenSize>
</Default>
</HandheldLockdown>
```
Entry | Description
----------- | ------------
MenuItems | Use **DisableMenuItems** to prevent use of the context menu, which is displayed when a user presses and holds an application in the All Programs list. You can include this entry in the default profile and in any additional user role profiles that you create.
> [!Important]
> If **DisableMenuItems** is not included in a profile, users of that profile can uninstall apps.
MenuItems example:
``` syntax
<MenuItems>
<DisableMenuItems/>
</MenuItems>
```
Entry | Description
----------- | ------------
Tiles | **Turning-on tile manipulation** - By default, under Assigned Access, tile manipulation is turned off (blocked) and only available if enabled in the users profile. If tile manipulation is enabled in the users profile, they can pin/unpin, move, and resize tiles based on their preferences. When multiple people use one device and you want to enable tile manipulation for multiple users, you must enable it for each user in their user profile.
> [!Important]
> If a device is turned off then back on, the tiles reset to their predefined layout. If a device has only one profile, the only way to reset the tiles is to turn off then turn on the device. If a device has multiple profiles, the device resets the tiles to the predefined layout based on the logged-in users profile.
The following sample file contains configuration for enabling tile manipulation.
> [!Note]
> Tile manipulation is disabled when you dont have a `<Tiles>` node in lockdown XML, or if you have a `<Tiles>` node but dont have the `<EnableTileManipulation>` node.
``` syntax
<?xml version="1.0" encoding="utf-8"?>
<HandheldLockdown version="1.0" >
<Default>
<ActionCenter enabled="false" />
<Apps>
<!-- Settings -->
<Application productId="{2A4E62D8-8809-4787-89F8-69D0F01654FB}">
<PinToStart>
<Size>Large</Size>
<Location>
<LocationX>0</LocationX>
<LocationY>0</LocationY>
</Location>
</PinToStart>
</Application>
<!-- Phone Apps -->
<Application productId="{F41B5D0E-EE94-4F47-9CFE-3D3934C5A2C7}">
<PinToStart>
<Size>Small</Size>
<Location>
<LocationX>2</LocationX>
<LocationY>2</LocationY>
</Location>
</PinToStart>
</Application>
</Apps>
<Buttons>
<ButtonLockdownList>
<Button name="Start">
<ButtonEvent name="Press" />
</Button>
<Button name="Back">
<ButtonEvent name="Press" />
<ButtonEvent name="PressAndHold" />
</Button>
<Button name="Search">
<ButtonEvent name="All" />
</Button>
<Button name="Camera">
<ButtonEvent name="Press" />
<ButtonEvent name="PressAndHold" />
</Button>
<Button name="Custom1">
<ButtonEvent name="Press" />
<ButtonEvent name="PressAndHold" />
</Button>
<Button name="Custom2">
<ButtonEvent name="Press" />
<ButtonEvent name="PressAndHold" />
</Button>
<Button name="Custom3">
<ButtonEvent name="Press" />
<ButtonEvent name="PressAndHold" />
</Button>
</ButtonLockdownList>
<ButtonRemapList />
</Buttons>
<MenuItems>
<DisableMenuItems/>
</MenuItems>
<Settings>
</Settings>
<Tiles>
<EnableTileManipulation/>
</Tiles>
<StartScreenSize>Small</StartScreenSize>
</Default>
</HandheldLockdown>
```
Entry | Description
----------- | ------------
CSP Runner | Allows CSPs to be executed on the device per user role. You can use this to implement role specific policies, such as changing the color scheme when an admin logs on the device, or to set configurations per role.
 
<a href="" id="lockscreenwallpaper-"></a>**LockscreenWallpaper/**
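Review bot: the conversion of the Buttons alerts downgrades a security warning. The old cell had a separate `<strong>Warning</strong>` alert for "Button remapping can enable a user to open an application that is not in the Allow list. Use button lock down to prevent application access for a user role.", but the new markdown folds that sentence into the same `> [!Note]` block as the "lockdown settings ... apply regardless of the button mapping" note; keep it as its own `> [!Warning]` block so the reader sees that a remapped Search or custom button bypasses the app allow list unless that button is also in ButtonLockdownList for the role. Smaller points in the same hunk: the kept `<ul>` button list still lists Custom3 twice and still carries the inline Start/Custom `<div class="alert">` notes that the new `> [!Note]` block now repeats, so drop the duplicate item and the inline divs; "An empty \<Settings> node", `<strong>ButtonLockdownList</strong>`, `<em>remapped</em>` and `&quot;press&quot;` mix HTML and escapes into markdown rows where the other converted rows use backticks, `**bold**` and plain quotes; and the Tiles note lost the self-closing slash (`<EnableTileManipulation>` where every sample and the old text have `<EnableTileManipulation/>`) as well as the apostrophes in "users profile" and "dont".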
@ -734,6 +692,8 @@ Not supported in Windows 10. Use doWipePersistProvisionedData in [RemoteWipe CS
<a href="" id="clock-timezone-"></a>**Clock/TimeZone/**
An integer that specifies the time zone of the device. The following table shows the possible values.
Supported operations are Get and Replace.
<table>
<colgroup>
<col width="20%" />
@ -1161,9 +1121,6 @@ An integer that specifies the time zone of the device. The following table shows
</tbody>
</table>
 
Supported operations are Get and Replace.
<a href="" id="locale-language-"></a>**Locale/Language/**
The culture code that identifies the language to display on a device, and specifies the formatting of numbers, currencies, time, and dates. For language values, see [Locale IDs Assigned by Microsoft](http://go.microsoft.com/fwlink/p/?LinkID=189567).
@ -1172,8 +1129,6 @@ The language setting is configured in the Default User profile only.
> **Note**  Apply the Locale ID only after the corresponding language packs are built into and supported for the OS image running on the device. The specified language will be applied as the phone language and a restart may be required.
 
Supported operations are Get and Replace.
## OMA client provisioning examples
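Review bot: this hunk removes "Supported operations are Get and Replace." for Locale/Language (together with the trailing spacer after the note) and, unlike Clock/TimeZone in the hunk above, where the same line is moved up to sit beside the description, it is not re-added anywhere in the visible hunks. Unless it lands in the unshown lines between the hunks, Locale/Language is left without its supported operations; suggest keeping the line directly after "The culture code that identifies the language to display on a device ...", matching the new Clock/TimeZone layout.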

View File

@ -0,0 +1,282 @@
---
title: Firewall CSP
description: Firewall CSP
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
---
# Firewall CSP
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
The Firewall configuration service provider (CSP) allows the mobile device management (MDM) server to configure the Windows Defender Firewall global settings, per profile settings, as well as the desired set of custom rules to be enforced on the device. Using the Firewall CSP the IT admin can now manage non-domain devices, and reduce the risk of network security threats across all systems connecting to the corporate network. This CSP is new in the next major update to Windows 10.
Firewall configuration commands must be wrapped in an Atomic block in SyncML.
For detailed information on some of the fields below see [[MS-FASP]: Firewall and Advanced Security Protocol documentation](https://msdn.microsoft.com/en-us/library/mt620101.aspx).
The following diagram shows the Firewall configuration service provider in tree format.
![firewall csp](images/provisioning-csp-firewall.png)
<a href="" id="--vendor-msft-applocker"></a>**./Vendor/MSFT/Firewall**
<p style="margin-left: 20px">Root node for the Firewall configuration service provider.</p>
<a href="" id="mdmstore"></a>**MdmStore**
<p style="margin-left: 20px">Interior node.</p>
<p style="margin-left: 20px">Supported operation is Get.</p>
<a href="" id="global"></a>**MdmStore/Global**
<p style="margin-left: 20px">Interior node.</p>
<p style="margin-left: 20px">Supported operations are Get and Replace. </p>
<a href="" id="policyversionsupported"></a>**MdmStore/Global/PolicyVersionSupported**
<p style="margin-left: 20px">DWORD value that contains the maximum policy version that the server host can accept. The version number is two octets in size. The lowest-order octet is the minor version; the second-to-lowest octet is the major version. This value is not merged and is always a fixed value for a particular firewall and advanced security components software build.</p>
<p style="margin-left: 20px">Value type in integer. Supported operation is Get.</p>
<a href="" id="currentprofiles"></a>**MdmStore/Global/CurrentProfiles**
<p style="margin-left: 20px">DWORD value that contains a bitmask of the current enforced profiles that are maintained by the server firewall host. See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types. This value is available only in the dynamic store; therefore, it is not merged and has no merge law.</p>
<p style="margin-left: 20px">Value type in integer. Supported operation is Get.</p>
<a href="" id="disablestatefulftp"></a>**MdmStore/Global/DisableStatefulFtp**
<p style="margin-left: 20px">This value is an on/off switch. If off, the firewall performs stateful File Transfer Protocol (FTP) filtering to allow secondary connections. The value is a DWORD; 0x00000000 means off; 0x00000001 means on. The merge law for this option is to let "on" values win.</p>
<p style="margin-left: 20px">Boolean value. Supported operations are Get and Replace. </p>
<a href="" id="saidletime"></a>**MdmStore/Global/SaIdleTime**
<p style="margin-left: 20px">This value configures the security association idle time, in seconds. Security associations are deleted after network traffic is not seen for this specified period of time. The value is a DWORD and MUST be a value in the range of 300 to 3,600 inclusive. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.<</p>
<p style="margin-left: 20px">Value type is integer. Supported operations are Get and Replace.</p>
<a href="" id="presharedkeyencoding"></a>**MdmStore/Global/TPresharedKeyEncodingBD**
<p style="margin-left: 20px">Specifies the preshared key encoding that is used. The value is a DWORD and MUST be a valid value from the PRESHARED_KEY_ENCODING_VALUES enumeration. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.</p>
<p style="margin-left: 20px">Value type is integer. Supported operations are Get and Replace.</p>
<a href="" id="ipsecexempt"></a>**MdmStore/Global/IPsecExempt**
<p style="margin-left: 20px">This configuration value configures IPsec exceptions. The value is a DWORD and MUST be a combination of the valid flags that are defined in IPSEC_EXEMPT_VALUES; therefore, the maximum value MUST always be IPSEC_EXEMPT_MAX-1 for servers supporting a schema version of 0x0201 and IPSEC_EXEMPT_MAX_V2_0-1 for servers supporting a schema version of 0x0200. If the maximum value is exceeded when the method RRPC_FWSetGlobalConfig (Opnum 4) is called, the method returns ERROR_INVALID_PARAMETER. This error code is returned if no other preceding error is discovered. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.</p>
<p style="margin-left: 20px">Value type is integer. Supported operations are Get and Replace.</p>
<a href="" id="crlcheck"></a>**MdmStore/Global/CRLcheck**
<p style="margin-left: 20px">This value specifies how certificate revocation list (CRL) verification is enforced. The value is a DWORD and MUST be 0, 1, or 2. A value of 0 disables CRL checking. A value of 1 specifies that CRL checking is attempted and that certificate validation fails only if the certificate is revoked. Other failures that are encountered during CRL checking (such as the revocation URL being unreachable) do not cause certificate validation to fail. A value of 2 means that checking is required and that certificate validation fails if any error is encountered during CRL processing. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.</p>
<p style="margin-left: 20px">Value type is integer. Supported operations are Get and Replace.</p>
<a href="" id="policyversion"></a>**MdmStore/Global/PolicyVersion**
<p style="margin-left: 20px">This value contains the policy version of the policy store being managed. This value is not merged and therefore, has no merge law.</p>
<p style="margin-left: 20px">Value type is string. Supported operation is Get.</p>
<a href="" id="binaryversionsupported"></a>**MdmStore/Global/BinaryVersionSupported**
<p style="margin-left: 20px">This value contains the binary version of the structures and data types that are supported by the server. This value is not merged. In addition, this value is always a fixed value for a specific firewall and advanced security component's software build. This value identifies a policy configuration option that is supported only on servers that have a schema version of 0x0201.</p>
<p style="margin-left: 20px">Value type is string. Supported operation is Get.</p>
<a href="" id="opportunisticallymatchauthsetperkm"></a>**MdmStore/Global/OpportunisticallyMatchAuthSetPerKM**
<p style="margin-left: 20px">This value is a DWORD used as an on/off switch. When this option is off, keying modules MUST ignore the entire authentication set if they do not support all of the authentication suites specified in the set. When this option is on, keying modules MUST ignore only the authentication suites that they dont support. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.</p>
<p style="margin-left: 20px">Boolean value. Supported operations are Get and Replace.</p>
<a href="" id="enablepacketqueue"></a>**MdmStore/Global/EnablePacketQueue**
<p style="margin-left: 20px">This value specifies how scaling for the software on the receive side is enabled for both the encrypted receive and clear text forward path for the IPsec tunnel gateway scenario. Use of this option also ensures that the packet order is preserved. The data type for this option value is a DWORD and is a combination of flags. A value of 0x00 indicates that all queuing is to be disabled. A value of 0x01 specifies that inbound encrypted packets are to be queued. A value of 0x02 specifies that packets are to be queued after decryption is performed for forwarding.</p>
<p style="margin-left: 20px">Value type is integer. Supported operations are Get and Replace.</p>
<a href="" id="domainprofile"></a>**MdmStore/DomainProfile**
<p style="margin-left: 20px">Interior node. Supported operation is Get.</p>
<a href="" id="privateprofile"></a>**MdmStore/PrivateProfile**
<p style="margin-left: 20px">Interior node. Supported operation is Get.</p>
<a href="" id="publicprofile"></a>**MdmStore/PublicProfile**
<p style="margin-left: 20px">Interior node. Supported operation is Get.</p>
<a href="" id="enablefirewall"></a>**/EnableFirewall**
<p style="margin-left: 20px">This value is an on/off switch for the firewall and advanced security enforcement. It is a DWORD type value; 0x00000000 is off; 0x00000001 is on. If this value is off, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</p>
<p style="margin-left: 20px">Value type is integer. Supported operations are Get and Replace.</p>
<a href="" id="disablestealthmode"></a>**/DisableStealthMode**
<p style="margin-left: 20px">This value is a DWORD used as an on/off switch. When this option is off, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</p>
<p style="margin-left: 20px">Value type is integer. Supported operations are Get and Replace.</p>
<a href="" id="shielded"></a>**/Shielded**
<p style="margin-left: 20px">This value is a DWORD used as an on/off switch. If this value is on and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "on" values win.</p>
<p style="margin-left: 20px">Value type is integer. Supported operations are Get and Replace.</p>
<a href="" id="disableunicastresponsestomulticastbroadcast"></a>**/DisableUnicastResponsesToMulticastBroadcast**
<p style="margin-left: 20px">This value is a DWORD used as an on/off switch. If it is on, unicast responses to multicast broadcast traffic is blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</p>
<p style="margin-left: 20px">Value type is integer. Supported operations are Get and Replace.</p>
<a href="" id="disableinboundnotifications"></a>**/DisableInboundNotifications**
<p style="margin-left: 20px">This value is a DWORD used as an on/off switch. If this value is off, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</p>
<p style="margin-left: 20px">Value type is integer. Supported operations are Get and Replace.</p>
<a href="" id="authappsallowuserprefmerge"></a>**/AuthAppsAllowUserPrefMerge**
<p style="margin-left: 20px">This value is a DWORD used as an on/off switch. If this value is off, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</p>
<p style="margin-left: 20px">Value type is integer. Supported operations are Get and Replace.</p>
<a href="" id="globalportsallowuserprefmerge"></a>**/GlobalPortsAllowUserPrefMerge**
<p style="margin-left: 20px">This value is a DWORD used as an on/off switch. If this value is off, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it is set or enumerated in the Group Policy store or if it is enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</p>
<p style="margin-left: 20px">Value type is integer. Supported operations are Get and Replace.</p>
<a href="" id="allowlocalpolicymerge"></a>**/AllowLocalPolicyMerge**
<p style="margin-left: 20px">This value is a DWORD used as an on/off switch. If this value is off, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions.</p>
<p style="margin-left: 20px">Value type is integer. Supported operations are Get and Replace.</p>
<a href="" id="allowlocalipsecpolicymerge"></a>**/AllowLocalIpsecPolicyMerge**
<p style="margin-left: 20px">This value is a DWORD; it is an on/off switch. If this value is off, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore.</p>
<p style="margin-left: 20px">Value type is integer. Supported operations are Get and Replace.</p>
<a href="" id="defaultoutboundaction"></a>**/DefaultOutboundAction**
<p style="margin-left: 20px">This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</p>
<p style="margin-left: 20px">Value type is integer. Supported operations are Get and Replace.</p>
<a href="" id="defaultinboundaction"></a>**/DefaultInboundAction**
<p style="margin-left: 20px">This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it is configured; otherwise, the local store value is used.</p>
<p style="margin-left: 20px">Value type is integer. Supported operations are Get and Replace.</p>
<a href="" id="disablestealthmodeipsecsecuredpacketexemption"></a>**/DisableStealthModeIpsecSecuredPacketExemption**
<p style="margin-left: 20px">This value is a DWORD used as an on/off switch. This option is ignored if DisableStealthMode is on. Otherwise, when this option is on, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.</p>
<p style="margin-left: 20px">Value type is integer. Supported operations are Get and Replace.</p>
<a href="" id="firewallrules"></a>**FirewallRules**
<p style="margin-left: 20px">A list of rules controlling traffic through the Windows Firewall. Each Rule ID is OR'ed. Within each rule ID each Filter type is AND'ed.</p>
<a href="" id="firewallrulename"></a>**FirewallRules/_FirewallRuleName_**
<p style="margin-left: 20px">Unique alpha numeric identifier for the rule. The rule name must not include a forward slash (/).</p>
<a href="" id="app"></a>**FirewallRules/_FirewallRuleName_/App**
<p style="margin-left: 20px">Rules that control connections for an app, program, or service. Specified based on the intersection of the following nodes:</p>
<ul>
<li>PackageFamilyName</li>
<li>FilePath</li>
<li>FQBN</li>
<li>ServiceName</li>
</ul>
<p style="margin-left: 20px">Supported operation is Get.</p>
<a href="" id="packagefamilyname"></a>**FirewallRules/_FirewallRuleName_/App/PackageFamilyName**
<p style="margin-left: 20px">This App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of a Windows Store application.</p>
<p style="margin-left: 20px">Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>
<a href="" id="filepath"></a>**FirewallRules/_FirewallRuleName_/App/FilePath**
<p style="margin-left: 20px">This App/Id value represents the full file path of the app. For example, C:\Windows\System\Notepad.exe.</p>
<p style="margin-left: 20px">Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>
<a href="" id="fqbn"></a>**FirewallRules/_FirewallRuleName_/App/Fqbn**
<p style="margin-left: 20px">Fully Qualified Binary Name</p>
<p style="margin-left: 20px">Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>
<a href="" id="servicename"></a>**FirewallRules/_FirewallRuleName_/App/ServiceName**
<p style="margin-left: 20px">This is a service name used in cases when a service, not an application, is sending or receiving traffic.</p>
<p style="margin-left: 20px">Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>
<a href="" id="protocol"></a>**FirewallRules/_FirewallRuleName_/Protocol**
<p style="margin-left: 20px">0-255 number representing the ip protocol (TCP = 6, UDP = 17)</p>
<p style="margin-left: 20px">Value type is integer. Supported operations are Add, Get, Replace, and Delete.</p>
<a href="" id="localportranges"></a>**FirewallRules/_FirewallRuleName_/LocalPortRanges**
<p style="margin-left: 20px">Comma separated list of ranges. For example, 100-120,200,300-320.</p>
<p style="margin-left: 20px">Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>
<a href="" id="remoteportranges"></a>**FirewallRules/_FirewallRuleName_/RemotePortRanges**
<p style="margin-left: 20px">Comma separated list of ranges, For example, 100-120,200,300-320.</p>
<p style="margin-left: 20px">Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>
<a href="" id="localaddressranges"></a>**FirewallRules/_FirewallRuleName_/LocalAddressRanges**
<p style="margin-left: 20px">Comma separated list of local addresses covered by the rule. The default value is "\*". Valid tokens include:</p>
<ul>
<li>"\*" indicates any local address. If present, this must be the only token included.</li>
<li>A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255.</li>
<li>A valid IPv6 address.</li>
<li>An IPv4 address range in the format of "start address - end address" with no spaces included.</li>
<li>An IPv6 address range in the format of "start address - end address" with no spaces included.</li>
</ul>
<p style="margin-left: 20px">Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>
<a href="" id="remoteaddressranges"></a>**FirewallRules/_FirewallRuleName_/RemoteAddressRanges**
<p style="margin-left: 20px">List of comma separated tokens specifying the remote addresses covered by the rule. The default value is "\*". Valid tokens include:</p>
<ul>
<li>"\*" indicates any remote address. If present, this must be the only token included.</li>
<li>"Defaultgateway"</li>
<li>"DHCP"</li>
<li>"DNS"</li>
<li>"WINS"</li>
<li>"Intranet"</li>
<li>"RemoteCorpNetwork"</li>
<li>"Internet"</li>
<li>"PlayToRenderers"</li>
<li>"LocalSubnet" indicates any local address on the local subnet. This token is not case-sensitive.</li>
<li>A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255.</li>
<li>A valid IPv6 address.</li>
<li>An IPv4 address range in the format of "start address - end address" with no spaces included.</li>
<li>An IPv6 address range in the format of "start address - end address" with no spaces included.</li>
</ul>
<p style="margin-left: 20px">Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>
<a href="" id="description"></a>**FirewallRules/_FirewallRuleName_/Description**
<p style="margin-left: 20px">Specifies the description of the rule.</p>
<p style="margin-left: 20px">Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>
<a href="" id="enabled"></a>**FirewallRules/_FirewallRuleName_/Enabled**
<p style="margin-left: 20px">Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true.
If not specified - a new rule is disabled by default.</p>
<p style="margin-left: 20px">Boolean value. Supported operations are Add, Get, Replace, and Delete.</p>
<a href="" id="profiles"></a>**FirewallRules_FirewallRuleName_/Profiles**
<p style="margin-left: 20px">Specifies the profiles to which the rule belongs: Domain, Private, Public. . See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types.</p>
<p style="margin-left: 20px">Value type is integer. Supported operations are Add, Get, Replace, and Delete.</p>
<a href="" id="action"></a>**FirewallRules/_FirewallRuleName_/Action**
<p style="margin-left: 20px">Specifies the action for the rule.</p>
<p style="margin-left: 20px">Supported operation is Get.</p>
<a href="" id="type"></a>**FirewallRules/_FirewallRuleName_/Action/Type**
<p style="margin-left: 20px">Specifies the action the rule enforces. Supported values:</p>
<ul>
<li>0 - Block</li>
<li>1 - Allow</li>
</ul>
<p style="margin-left: 20px">Value type is integer. Supported operations are Add, Get, Replace, and Delete.</p>
<a href="" id="direction"></a>**FirewallRules/_FirewallRuleName_/Direction**
<p style="margin-left: 20px">Comma separated list. The rule is enabled based on the traffic direction as following. Supported values:</p>
<ul>
<li>IN - the rule applies to inbound traffic.</li>
<li>OUT - the rule applies to outbound traffic.</li>
<li>If not specified, the default is IN.</li>
</ul>
<p style="margin-left: 20px">Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>
<a href="" id="interfacetypes"></a>**FirewallRules/FirewallRuleName/InterfaceTypes**
<p style="margin-left: 20px">Comma separated list of interface types. Valid values:</p>
<ul>
<li>RemoteAccess</li>
<li>Wireless</li>
<li>MobileBroadband</li>
<li>All</li>
</ul>
<p style="margin-left: 20px">Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>
<a href="" id="icmptypesandcodes"></a>**FirewallRules/_FirewallRuleName_/IcmpTypesAndCodes**
<p style="margin-left: 20px">List of ICMP types and codes separated by semicolon. "\*" indicates all ICMP types and codes.<</p>
<p style="margin-left: 20px">Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>
<a href="" id="edgetraversal"></a>**FirewallRules/_FirewallRuleName_/EdgeTraversal**
<p style="margin-left: 20px">Indicates whether edge traversal is enabled or disabled for this rule.</p>
<p style="margin-left: 20px">The EdgeTraversal setting indicates that specific inbound traffic is allowed to tunnel through NATs and other edge devices using the Teredo tunneling technology. In order for this setting to work correctly, the application or service with the inbound firewall rule needs to support IPv6. The primary application of this setting allows listeners on the host to be globally addressable through a Teredo IPv6 address.</p>
<p style="margin-left: 20px">New rules have the EdgeTraversal property disabled by default.</p>
<p style="margin-left: 20px">Boolean value. Supported operations are Add, Get, Replace, and Delete.</p>
<a href="" id="localuserauthorizedlist"></a>**FirewallRules/_FirewallRuleName_/LocalUserAuthorizedList**
<p style="margin-left: 20px">Specifies the list of authorized local users for the app container. This is a string in Security Descriptor Definition Language (SDDL) format.</p>
<p style="margin-left: 20px">Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>
<a href="" id="status"></a>**FirewallRules/_FirewallRuleName_/Status**
<p style="margin-left: 20px">Provides information about the specific verrsion of the rule in deployment for monitoring purposes.</p>
<p style="margin-left: 20px">Value type is string. Supported operation is Get.</p>
<a href="" id="friendlyname"></a>**FirewallRules/_FirewallRuleName_/FriendlyName**
<p style="margin-left: 20px">Specifies the friendly name of the rule. The string must not contain the "|" character.</p>
<p style="margin-left: 20px">Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>
<a href="" id="name"></a>**FirewallRules/_FirewallRuleName_/Name**
<p style="margin-left: 20px">Name of the rule.</p>
<p style="margin-left: 20px">Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>
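Review bot: two node names in this hunk are garbled and will not match the paths an MDM server has to send: `**MdmStore/Global/TPresharedKeyEncodingBD**` (the anchor id is `presharedkeyencoding`, so presumably `MdmStore/Global/PresharedKeyEncoding`) and `**FirewallRules_FirewallRuleName_/Profiles**`, which lost the slash after `FirewallRules`; `**FirewallRules/FirewallRuleName/InterfaceTypes**` also lost the underscores that italicise the placeholder everywhere else. The root anchor `id="--vendor-msft-applocker"` on `./Vendor/MSFT/Firewall` looks copied from the AppLocker CSP topic. The per-profile settings from `/EnableFirewall` through `/DisableStealthModeIpsecSecuredPacketExemption` are listed with a bare leading slash; state that each hangs under `MdmStore/DomainProfile`, `MdmStore/PrivateProfile` and `MdmStore/PublicProfile`, otherwise a reader cannot build the LocURI. Worth an explicit callout for administrators: `Action/Type` encodes 0 as Block and 1 as Allow, while `DefaultInboundAction` and `DefaultOutboundAction` encode 0x00000000 as allow and 0x00000001 as block, so the same integer has opposite meaning in the two places and a value copied between them silently inverts policy. `EnableFirewall`, `Shielded` and the other on/off switches are documented as "Value type is integer" while `DisableStatefulFtp` and `OpportunisticallyMatchAuthSetPerKM` say "Boolean value"; align these with the DDF. Smaller fixes: stray `<` before `</p>` in SaIdleTime and IcmpTypesAndCodes, `GroupPolicyRSoPStore.win` in DefaultInboundAction, "neither a subnet mask not a network prefix" (nor) in both address-range lists, "Public. . See" in Profiles, "verrsion" in Status, "dont" in OpportunisticallyMatchAuthSetPerKM, and "If not specified, the default is IN." describes a default rather than a value, so it belongs in the paragraph after the Direction list rather than as a bullet.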

File diff suppressed because it is too large

Binary file not shown. Size: 95 KiB

Binary file not shown. Size: 3.2 KiB

View File

@ -14,6 +14,8 @@ author: nickbrower
# What's new in MDM enrollment and management
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
This topic provides information about what's new and breaking changes in Windows 10 mobile device management (MDM) enrollment and management experience across all Windows 10 devices.
@ -640,6 +642,16 @@ For details about Microsoft mobile device management protocols for Windows 10 s
<li>SmartScreen/EnableAppInstallControl</li>
<li>SmartScreen/EnableSmartScreenInShell</li>
<li>SmartScreen/PreventOverrideForFilesInShell</li>
<li>Start/AllowPinnedFolderDocuments</li>
<li>Start/AllowPinnedFolderDownloads</li>
<li>Start/AllowPinnedFolderFileExplorer</li>
<li>Start/AllowPinnedFolderHomeGroup</li>
<li>Start/AllowPinnedFolderMusic</li>
<li>Start/AllowPinnedFolderNetwork</li>
<li>Start/AllowPinnedFolderPersonalFolder </li>
<li>Start/AllowPinnedFolderPictures</li>
<li>Start/AllowPinnedFolderSettings</li>
<li>Start/AllowPinnedFolderVideos</li>
<li>Start/HideAppList</li>
<li>Start/HideChangeAccountSettings</li>
<li>Start/HideFrequentlyUsedApps</li>
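Review bot: `<li>Start/AllowPinnedFolderPersonalFolder </li>` carries a trailing space inside the policy name, and the same list is pasted into the June 2017 change-history table later in this file with the same space; drop it in both places so the name matches the Policy CSP topic exactly.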
@ -661,6 +673,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
<li>TextInput/AllowKeyboardTextSuggestions</li>
<li>TimeLanguageSettings/AllowSet24HourClock</li>
<li>Update/ActiveHoursMaxRange</li>
<li>Update/AutoRestartDeadlinePeriodInDays</li>
<li>Update/AutoRestartNotificationSchedule</li>
<li>Update/AutoRestartNotificationStyle</li>
<li>Update/AutoRestartRequiredNotificationDismissal</li>
@ -850,6 +863,10 @@ For details about Microsoft mobile device management protocols for Windows 10 s
<td style="vertical-align:top"><p>Added a section describing SyncML examples of various ADMX elements.</p>
</td></tr>
<tr class="odd">
<td style="vertical-align:top">[Win32 and Desktop Bridge app policy configuration](win32-and-centennial-app-policy-configuration.md)</td>
<td style="vertical-align:top">New topic.</td>
</tr>
<tr class="odd">
<td style="vertical-align:top">[Deploy and configure App-V apps using MDM](appv-deploy-and-config.md)</td>
<td style="vertical-align:top"><p>Added a new topic describing how to deploy and configure App-V apps using MDM.</p>
</td></tr>
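Review bot: the new `<tr class="odd">` row for the Win32 and Desktop Bridge topic is inserted directly after another `odd` row, so the even/odd striping of this table is off from this point; the May 2017 hunk in this same file flips `even` to `odd` for exactly this reason, so do the same here. Also the `<td>New topic.</td>` cell omits the `<p>` wrapper that the neighbouring description cells use.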
@ -888,6 +905,10 @@ For details about Microsoft mobile device management protocols for Windows 10 s
<li>[Policy CSP](policy-configuration-service-provider.md)</li>
</ul>
</td></tr>
<tr class="even">
<td style="vertical-align:top">[TPMPolicy CSP](tpmpolicy-csp.md)</td>
<td style="vertical-align:top">New CSP added in Windows 10, version 1703.</td>
</tr>
</tbody>
</table> 
@ -1158,6 +1179,60 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
## Change history in MDM documentation
### June 2017
<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<thead>
<tr class="header">
<th>New or updated topic</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td style="vertical-align:top">[Win32 and Desktop Bridge app policy configuration](win32-and-centennial-app-policy-configuration.md)</td>
<td style="vertical-align:top">Added a list of registry locations that ingested policies are allowed to write to.</td>
</tr>
<tr class="even">
<td style="vertical-align:top">[Firewall CSP](firewall-csp.md)</td>
<td style="vertical-align:top">Added the following nodes:
<ul>
<li>Profiles</li>
<li>Direction</li>
<li>InterfaceTypes</li>
<li>EdgeTraversal</li>
<li>Status</li>
</ul>
Also Added [Firewall DDF file](firewall-ddf-file.md).</td></tr>
<tr class="odd">
<td style="vertical-align:top">[TPMPolicy CSP](tpmpolicy-csp.md)</td>
<td style="vertical-align:top">New CSP added in Windows 10, version 1703.</td>
</tr>
<tr class="even">
<td style="vertical-align:top">[Policy CSP](policy-configuration-service-provider.md)</td>
<td style="vertical-align:top">
<p>Added the following new policies for Windows 10, version 1703:</p>
<ul>
<li>Start/AllowPinnedFolderDocuments</li>
<li>Start/AllowPinnedFolderDownloads</li>
<li>Start/AllowPinnedFolderFileExplorer</li>
<li>Start/AllowPinnedFolderHomeGroup</li>
<li>Start/AllowPinnedFolderMusic</li>
<li>Start/AllowPinnedFolderNetwork</li>
<li>Start/AllowPinnedFolderPersonalFolder </li>
<li>Start/AllowPinnedFolderPictures</li>
<li>Start/AllowPinnedFolderSettings</li>
<li>Start/AllowPinnedFolderVideos</li>
<li>Update/AutoRestartDeadlinePeriodInDays</li>
</ul>
</td></tr>
</tbody>
</table>
### May 2017
<table>
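Review bot: "Also Added [Firewall DDF file]" should read "Also added", and the Firewall CSP cell puts its `<ul>` directly inside the `<td>` text while the Policy CSP cell below wraps its intro in `<p>`; pick one convention. The Firewall CSP entry lists Profiles, Direction, InterfaceTypes, EdgeTraversal and Status as the added nodes, which matches the firewall-csp.md hunk above; that hunk also documents LocalUserAuthorizedList and FriendlyName, so if those are new in this commit they should appear here too, otherwise the change history is incomplete. `<li>Start/AllowPinnedFolderPersonalFolder </li>` again carries a trailing space.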
@ -1216,7 +1291,7 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
<li>EnterpriseDataProtection/RetrieveByCount/Type</li>
</ul>
</td></tr>
<tr class="even">
<tr class="odd">
<td style="vertical-align:top">[Connecting your Windows 10-based device to work using a deep link](mdm-enrollment-of-windows-devices.md#connecting-your-windows-10-based-device-to-work-using-a-deep-link)</td>
<td style="vertical-align:top"><p>Added following deep link parameters to the table:</p>
<ul>
@ -1228,6 +1303,10 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
<li>Ownership</li>
</ul>
</td></tr>
<tr class="even">
<td style="vertical-align:top">[Firewall CSP](firewall-csp.md)</td>
<td style="vertical-align:top"><p>Added new CSP in the next major update to Windows 10.</p>
</td></tr>
<tr class="odd">
<td style="vertical-align:top">MDM support for Windows 10 S</td>
<td style="vertical-align:top"><p>Updated the following topics to indicate MDM support in Windows 10 S.</p>
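Review bot: the new Firewall CSP row says "Added new CSP in the next major update to Windows 10" while the TPMPolicy rows in the same file say "New CSP added in Windows 10, version 1703"; once the release name is settled, phrase the version the same way across entries so readers can tell which build carries the CSP.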

View File

@ -201,9 +201,9 @@ This cloud service encrypts a recovery secret, which is stored locally on the cl
<a href="" id="biometrics-facialfeaturesuseenhancedantispoofing--only-for---device-vendor-msft-"></a>**Biometrics/FacialFeaturesUseEnhancedAntiSpoofing** (only for ./Device/Vendor/MSFT)
<p style="margin-left: 20px">Boolean value used to enable or disable enhanced anti-spoofing for facial feature recognition on Windows Hello face authentication. This node was added in Windows 10, version 1511.
<p style="margin-left: 20px">Default value is false. If you set this policy to true or don't configure this setting, Windows requires all users on managed devices to use enhanced anti-spoofing for Windows Hello face authentication. Windows Hello face authentication is disabled on devices that do not support enhanced anti-spoofing.
<p style="margin-left: 20px">Default value is false. If you set this policy to false or don't configure this setting, Windows doesn't require enhanced anti-spoofing for Windows Hello face authentication.
<p style="margin-left: 20px">If you set this policy to false, Windows doesn't require enhanced anti-spoofing for Windows Hello face authentication.
<p style="margin-left: 20px">If you set this policy to true, Windows requires all users on managed devices to use enhanced anti-spoofing for Windows Hello face authentication. Windows Hello face authentication is disabled on devices that do not support enhanced anti-spoofing.
<p style="margin-left: 20px">Note that enhanced anti-spoofing for Windows Hello face authentication is not required on unmanaged devices.
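Review bot: the rewrite separates the contradictory old sentences (`If you set this policy to true or don't configure this setting, Windows requires ...` versus `If you set this policy to false or don't configure this setting, Windows doesn't require ...`) into one sentence per value, but the not-configured case now disappears; keep a sentence stating that when the policy is not configured the default (false) applies and enhanced anti-spoofing is not required, since that is the behaviour managed devices get absent a policy. Also every `<p style="margin-left: 20px">` in this block is left unclosed.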

File diff suppressed because it is too large

View File

@ -0,0 +1,55 @@
---
title: TPMPolicy CSP
description: TPMPolicy CSP
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
---
# TPMPolicy CSP
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
The TPMPolicy configuration service provider (CSP) provides a mechanism to enable zero exhaust configuration on a Windows device for TPM software components. Zero exhaust is defined as no network traffic (telemetry or otherwise, such as downloading background images, Windows Updates, etc.) from Windows and inbox applications to public IP addresses unless directly intended by the user. This allows the enterprise admin to configure devices where no network communication is initiated by the system without explicit approval.
The TPMPolicy CSP was added in Windows 10, version 1703.
The following diagram shows the TPMPolicy configuration service provider in tree format.
![tpmpolicy csp](images/provisioning-csp-tpmpolicy.png)
<a href="" id="--device-vendor-msft-tpmpolicy"></a>**./Device/Vendor/MSFT/TPMPolicy**
<p style="margin-left: 20px">Defines the root node.</p>
<a href="" id="isactivezeroexhaust"></a>**IsActiveZeroExhaust**
<p style="margin-left: 20px">Boolean value that indicates whether network traffic from the device to public IP addresses are not allowed unless directly intended by the user (zero exhaust). Default value is false. Some examples when zero exhaust is configured:</p>
<ul>
<li>There should be no traffic when machine is on idle. When the user is not interacting with the system/device, no traffic is expected. </li>
<li>There should be no traffic during installation of Windows and first logon when local ID is used.</li>
<li>Launching and using a local app (Notepad, Paint, etc.) should not send any traffic. Similarly, performing common tasks (clicking on start menu, browsing folders, etc.) should not send any traffic.</li>
<li>Launching and using Internet enabled apps should not send any unexpected traffic (for maintenance, diagnostic, telemetry, etc.) to Microsoft.</li>
</ul>
Here is an example:
``` syntax
                <Replace>
                    <CmdID>101</CmdID>
                    <Item>
                        <Target>
                            <LocURI>
                                ./Vendor/MSFT/TpmPolicy/IsActiveZeroExhaust
                            </LocURI>
                        </Target>
                        <Meta>
<Format>bool</Format>
               <Type>text/plain</Type>
        </Meta>
        <Data>true</Data>
                    </Item>
                </Replace>
```
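Review bot: the sample SyncML targets `./Vendor/MSFT/TpmPolicy/IsActiveZeroExhaust`, while the node is introduced a few lines earlier as `./Device/Vendor/MSFT/TPMPolicy`; pick one spelling of the CSP name and one path form (with or without the `./Device` prefix) so readers can copy the LocURI as written. Two smaller points in the same hunk: the `<Meta>` block in the example is indented differently from the rest of the `<Item>`, and "whether network traffic from the device to public IP addresses are not allowed" should read "is not allowed". "prereleased" in the warning should be "prerelease".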

View File

@ -0,0 +1,71 @@
---
title: TPMPolicy DDF file
description: TPMPolicy DDF file
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
---
# TPMPolicy DDF file
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
This topic shows the OMA DM device description framework (DDF) for the **TPMPolicy** configuration service provider. The TPMPolicy CSP was added in Windows 10, version 1703.
The XML below is the current version for this CSP.
``` syntax
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
"http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
[<?oma-dm-ddf-ver supported-versions="1.2"?>]>
<MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
<VerDTD>1.2</VerDTD>
<Node>
<NodeName>TPMPolicy</NodeName>
<Path>./Vendor/MSFT</Path>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>com.microsoft/1.0/MDM/TPMPolicy</MIME>
</DFType>
</DFProperties>
<Node>
<NodeName>IsActiveZeroExhaust</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DefaultValue>False</DefaultValue>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</MgmtTree>
```
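Review bot: the DOCTYPE public identifier `" -//OMA//DTD-DM-DDF 1.2//EN"` carries a leading space inside the quotes; XML normalizes public identifiers, so parsers tolerate it, but it reads as a typo and should be `"-//OMA//DTD-DM-DDF 1.2//EN"`. Also, `<DefaultValue>False</DefaultValue>` here versus "Default value is false" and `<Data>true</Data>` in the CSP topic: for a `bool` node, use one casing in both documents. Finally, the root `<Path>` is `./Vendor/MSFT` while the CSP topic names the node `./Device/Vendor/MSFT/TPMPolicy`; if omitting the `./Device` prefix is the DDF convention, fine, but the two topics should agree or say why they differ.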

View File

@ -240,17 +240,13 @@ This section describes sample SyncML for the various ADMX elements like Text, Mu
### <a href="" id="how-a-group-policy-policy-category-path-and-name-are-mapped-to-a-mdm-area-and-policy-name"></a>How a Group Policy policy category path and name are mapped to a MDM area and policy name
Below is the internal OS mapping of a Group Policy to a MDM area and name. This is part of a set of Windows manifests (extension **wm.xml**) that when compiled parses out the associated ADMX file, finds the specified Group Policy policy and stores that definition (metadata) in the MDM Policy CSP client store.  ADMX backed policies are organized hierarchically. Their scope can be **machine**, **user**, or have a scope of **both**. When the MDM policy is referred to through a SyncML command and the Policy CSP URI, as shown below, this metadata is referenced and determines what registry keys are set or removed. Machine-scope policies are referenced via .\Device and the user scope policies via .\User.
Below is the internal OS mapping of a Group Policy to a MDM area and name. This is part of a set of Windows manifest that when compiled parses out the associated ADMX file, finds the specified Group Policy policy and stores that definition (metadata) in the MDM Policy CSP client store.  ADMX backed policies are organized hierarchically. Their scope can be **machine**, **user**, or have a scope of **both**. When the MDM policy is referred to through a SyncML command and the Policy CSP URI, as shown below, this metadata is referenced and determines what registry keys are set or removed. Machine-scope policies are referenced via .\Device and the user scope policies via .\User.
`./[Device|User]/Vendor/MSFT/Policy/Config/[config|result]/<area>/<policy>`
The **wm.xml** for each mapped area can be found in its own directory under:
`\\SDXROOT\onecoreuap\admin\enterprisemgmt\policymanager\policydefinition\`
Note that the data payload of the SyncML needs to be encoded so that it does not conflict with the boilerplate SyncML XML tags. Use this online tool for encoding and encoding the policy data [Coder's Toolbox](http://coderstoolbox.net/string/#!encoding=xml&action=encode&charset=us_ascii)
**Snippet of wm.xml for AppVirtualization area:**
**Snippet of manifest for AppVirtualization area:**
```XML
<identity xmlns="urn:Microsoft.CompPlat/ManifestSchema.v1.00" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" owner="Microsoft" namespace="Windows-DeviceManagement-PolicyDefinition" name="AppVirtualization">
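Review bot: the rewritten sentence "a set of Windows manifest that when compiled parses out the associated ADMX file" has a number mismatch; the original "manifests" was right, so read "a set of Windows manifests that, when compiled, parse out the associated ADMX file". Removing the internal `\\SDXROOT\...` path is the right call. In the unchanged context just above, "for encoding and encoding the policy data" should be "encoding and decoding", and pointing readers at a third-party web page to XML-encode policy payloads means pasting enterprise configuration into an external site; suggest saying that any local method of XML-escaping the payload (`<`, `>`, `&`, and quotes) works, and offering the online tool only as a convenience.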

View File

@ -24,8 +24,27 @@ author: nickbrower
Starting in Windows 10, version 1703, you can import ADMX files (also called ADMX ingestion) and set those ADMX-backed policies for Win32 and Desktop Bridge apps by using Windows 10 Mobile Device Management (MDM) on desktop SKUs. The ADMX files that define policy information can be ingested to your device by using the Policy CSP URI, `./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall`. The ingested ADMX file is then processed into MDM policies.
When the ADMX policies are imported, the registry keys to which each policy is written are checked so that known system registry keys, or registry keys that are used by existing inbox policies or system components, are not overwritten. This precaution helps to avoid security concerns over opening the entire registry. Currently, the ingested policies are not allowed to write to locations within the **System**, **Software\Microsoft**, and **Software\Policies\Microsoft** keys.
When the ADMX policies are imported, the registry keys to which each policy is written are checked so that known system registry keys, or registry keys that are used by existing inbox policies or system components, are not overwritten. This precaution helps to avoid security concerns over opening the entire registry. Currently, the ingested policies are not allowed to write to locations within the **System**, **Software\Microsoft**, and **Software\Policies\Microsoft** keys, except for the following locations:
- Software\Policies\Microsoft\Office\
- Software\Microsoft\Office\
- Software\Microsoft\Windows\CurrentVersion\Explorer\
- Software\Microsoft\Internet Explorer\
- software\policies\microsoft\shared tools\proofing tools\
- software\policies\microsoft\imejp\
- software\policies\microsoft\ime\shared\
- software\policies\microsoft\shared tools\graphics filters\
- software\policies\microsoft\windows\currentversion\explorer\
- software\policies\microsoft\softwareprotectionplatform\
- software\policies\microsoft\officesoftwareprotectionplatform\
- software\policies\microsoft\windows\windows search\preferences\
- software\policies\microsoft\exchange\
- software\microsoft\shared tools\proofing tools\
- software\microsoft\shared tools\graphics filters\
- software\microsoft\windows\windows search\preferences\
- software\microsoft\exchange\
- software\policies\microsoft\vba\security\
- software\microsoft\onedrive
## <a href="" id="ingesting-an-app-admx-file"></a>Ingesting an app ADMX file
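Review bot: the new exception list mixes casing and trailing-backslash styles (`Software\Policies\Microsoft\Office\` next to `software\policies\microsoft\vba\security\`, and `software\microsoft\onedrive` with no trailing backslash). Registry paths are case-insensitive, so this is presentational, but consistent casing makes the list easier to compare against the three blocked roots named in the paragraph above, and the text should state whether a trailing backslash means the entire subtree under that key is writable, which is what the prefix form implies. Since the paragraph presents the blocked roots as a security measure, one sentence explaining that these entries re-open specific Microsoft subkeys to ingested ADMX policies would help an admin reviewing a third-party ADMX file understand exactly which keys it is allowed to touch.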

View File

@ -122,6 +122,9 @@ When you have the Start layout that you want your users to see, use the [Export-
</tbody>
</table>
>[!IMPORTANT]
>If the Start layout that you export contains tiles for desktop (Win32) apps or .url links, **Export-StartLayout** will use **DesktopApplicationLinkPath** in the resulting file. Use a text or XML editor to change **DesktopApplicationLinkPath** to **DesktopApplicationID**. See [Specify Start tiles](start-layout-xml-desktop.md#specify-start-tiles) for details on using the app ID in place of the link path.
## Configure a partial Start layout
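Review bot: the added note tells readers to change `DesktopApplicationLinkPath` to `DesktopApplicationID` but not that the attribute's value must change as well, from the .lnk or .url path to the app's application user model ID; as written, a reader could rename the attribute and keep the path. Suggest "change the `DesktopApplicationLinkPath` attribute to `DesktopApplicationID` and replace the link path with the app ID (see Specify Start tiles)", and mention that the Get-StartApps cmdlet, referenced in the desktop XML topic in this same commit, is how to obtain the ID.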

View File

@ -15,7 +15,7 @@ author: jdeckerms
Windows 10 Mobile allows enterprises to lock down a device, define multiple user roles, and configure custom layouts on a device. For example, the enterprise can lock down a device so that only applications and settings in an allow list are available. This is accomplished using Lockdown XML, an XML file that contains settings for Windows 10 Mobile.
When you deploy the lockdown XML file to a device, it is saved on the device as **wehlockdown.xml**. When the device boots, it looks for wehlockdown.xml and applies any settings configured in the file.
When you deploy the lockdown XML file to a device, it is saved on the device as **wehlockdown.xml**. When the device boots, it looks for wehlockdown.xml and applies any settings configured in the file. You can deploy the lockdown XML file by [adding it to a provisioning package](lockdown-xml.md#add-lockdown-xml-to-a-provisioning-package) or [by using mobile device management (MDM)](lockdown-xml.md#push-lockdown-xml-using-mdm).
The Lockdown Designer app helps you configure and create a lockdown XML file that you can apply to devices running Windows 10 Mobile, version 1703, and includes a remote simulation to help you determine the layout for tiles on the Start screen. Lockdown Designer also validates the XML. Using Lockdown Designer is easier than [manually creating a lockdown XML file](lockdown-xml.md).

View File

@ -160,35 +160,40 @@ You can use the **start:DesktopApplicationTile** tag to pin a Windows desktop ap
- By using a path to a shortcut link (.lnk file) to a Windows desktop application.
To pin a Windows desktop application through this method, you must first add the .lnk file in the specified location when the device first boots.
>[!NOTE]
>In Start layouts for Windows 10, version 1703, you should use **DesktopApplicationID** rather than **DesktopApplicationLinkPath** if you are using Group Policy or MDM to apply the start layout and the application was installed after the user's first sign-in.
The following example shows how to pin the Command Prompt:
To pin a Windows desktop application through this method, you must first add the .lnk file in the specified location when the device first boots.
```XML
<start:DesktopApplicationTile
The following example shows how to pin the Command Prompt:
```XML
<start:DesktopApplicationTile
DesktopApplicationLinkPath="%appdata%\Microsoft\Windows\Start Menu\Programs\System Tools\Command Prompt.lnk"
Size="2x2"
Row="0"
Column="4"/>
```
```
You must set the **DesktopApplicationLinkPath** attribute to the .lnk file that points to the Windows desktop application. The path also supports environment variables.
You must set the **DesktopApplicationLinkPath** attribute to the .lnk file that points to the Windows desktop application. The path also supports environment variables.
If you are pointing to a third-party Windows desktop application, you must put the .lnk file in a legacy Start Menu directory before first boot; for example, "%APPDATA%\Microsoft\Windows\Start Menu\Programs\" or the all users profile "%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\".
If you are pointing to a third-party Windows desktop application and the layout is being applied before the first boot, you must put the .lnk file in a legacy Start Menu directory before first boot; for example, "%APPDATA%\Microsoft\Windows\Start Menu\Programs\" or the all users profile "%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\".
- By using the application's application user model ID, if this is known. If the Windows desktop application doesn't have one, use the shortcut link option.
To pin a Windows desktop application through this method, you must set the **DesktopApplicationID** attribute to the application user model ID that's associated with the corresponding app.
You can use the [Get-StartApps cmdlet](https://technet.microsoft.com/library/dn283402.aspx) on a PC that has the application pinned to Start to obtain the app ID.
The following example shows how to pin the Internet Explorer Windows desktop application:
To pin a Windows desktop application through this method, you must set the **DesktopApplicationID** attribute to the application user model ID that's associated with the corresponding app.
```XML
The following example shows how to pin the Internet Explorer Windows desktop application:
```XML
<start:DesktopApplicationTile
DesktopApplicationID="Microsoft.Windows.Explorer"
Size="2x2"
Row="0"
Column="2"/>
```
```
You can also use the **start:DesktopApplicationTile** tag as one of the methods for pinning a Web link to Start. The other method is to use a Microsoft Edge secondary tile.
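Review bot: the second example is introduced as pinning "the Internet Explorer Windows desktop application" but uses `DesktopApplicationID="Microsoft.Windows.Explorer"`, an ID whose name reads as File Explorer rather than Internet Explorer; either the caption or the ID is wrong, so verify it with the Get-StartApps cmdlet this hunk recommends and make the two agree. Separately, the rewritten sentence "and the layout is being applied before the first boot, you must put the .lnk file in a legacy Start Menu directory before first boot" repeats "before (the) first boot"; the condition is presumably meant to contrast with the note above (apps installed after first sign-in should use `DesktopApplicationID`), so state it once.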
@ -205,6 +210,9 @@ The following example shows how to create a tile of the Web site's URL, which yo
Column="2"/>
```
>[!NOTE]
>In Windows 10, version 1703, **Export-StartLayout** will use **DesktopApplicationLinkPath** for the .url shortcut. You must change **DesktopApplicationLinkPath** to **DesktopApplicationID** and provide the URL.
#### start:SecondaryTile
You can use the **start:SecondaryTile** tag to pin a Web link through a Microsoft Edge secondary tile. This method doesn't require any additional action compared to the method of using legacy .url shortcuts (through the start:DesktopApplicationTile tag).
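Review bot: "You must change `DesktopApplicationLinkPath` to `DesktopApplicationID` and provide the URL" leaves it implicit that the URL becomes the value of the renamed attribute; spell it out, e.g. "replace the `DesktopApplicationLinkPath` attribute with `DesktopApplicationID` and set its value to the site URL", so the note matches the example directly above it. The same guidance is added as an [!IMPORTANT] note in the Export-StartLayout topic in this commit; cross-link the two so they stay in sync.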
@ -273,6 +281,9 @@ The following example shows how to modify your LayoutModification.xml file to ad
You can use the **AppendOfficeSuite** tag to add the in-box installed Office suite of apps to Start.
>[!NOTE]
>The OEM must have installed Office for this tag to work.
The following example shows how to add the **AppendOfficeSuite** tag to your LayoutModification.xml file to append the full Universal Office suite to Start:
```XML
@ -289,6 +300,9 @@ The following example shows how to add the **AppendOfficeSuite** tag to your Lay
You can use the **AppendDownloadOfficeTile** tag to append the Office trial installer to Start. This tag adds the Download Office tile to Start and the download tile will appear at the bottom right-hand side of the second group.
>[!NOTE]
>The OEM must have installed the Office trial installer for this tag to work.
The following example shows how to add the **AppendDownloadOfficeTile** tag to your LayoutModification.xml file:
```XML

View File

@ -73,16 +73,23 @@ MBR2GPT: Validation completed successfully
In the following example:
1. The current disk partition layout is displayed prior to conversion - three partitions are present on the MBR disk (disk 0): a system reserved partition, a Windows partition, and a recovery partition. A DVD-ROM is also present as volume 0.
1. Using DiskPart, the current disk partition layout is displayed prior to conversion - three partitions are present on the MBR disk (disk 0): a system reserved partition, a Windows partition, and a recovery partition. A DVD-ROM is also present as volume 0.
2. The OS volume is selected, partitions are listed, and partition details are displayed for the OS partition. The [MBR partition type](https://msdn.microsoft.com/library/windows/desktop/aa363990.aspx) is **07** corresponding to the installable file system (IFS) type.
2. The MBR2GPT tool is used to convert disk 0.
3. The DISKPART tool displays that disk 0 is now using the GPT format.
3. The DiskPart tool displays that disk 0 is now using the GPT format.
4. The new disk layout is displayed - four partitions are present on the GPT disk: three are identical to the previous partitions and one is the new EFI system partition (volume 3).
5. The OS volume is selected again, and detail displays that it has been converted to the [GPT partition type](https://msdn.microsoft.com/library/windows/desktop/aa365449.aspx) of **ebd0a0a2-b9e5-4433-87c0-68b6b72699c7** corresponding to the **PARTITION_BASIC_DATA_GUID** type.
>As noted in the output from the MBR2GPT tool, you must make changes to the computer firmware so that the new EFI system partition will boot properly.
```
X:\>DiskPart
Microsoft DiskPart version 10.0.15048.0
Copyright (C) Microsoft Corporation.
On computer: MININT-K71F13N
DISKPART> list volume
Volume ### Ltr Label Fs Type Size Status Info
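Review bot: inserting the new step "The OS volume is selected, partitions are listed, and partition details are displayed for the OS partition" left two items numbered "2." in the list (the new one and the unchanged "The MBR2GPT tool is used to convert disk 0."), so the source now runs 1, 2, 2, 3, 4, 5; Markdown renders ordered lists sequentially, so the output looks right, but renumber the source 1 through 6 so later edits don't drift. The bare blockquote that follows ("As noted in the output from the MBR2GPT tool, you must make changes to the computer firmware...") would be clearer as a `[!IMPORTANT]` callout, matching the convention used elsewhere in this commit, since booting fails if the firmware is left in legacy mode.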
@ -140,7 +147,7 @@ MBR2GPT: Fixing drive letter mapping
MBR2GPT: Conversion completed successfully
MBR2GPT: Before the new system can boot properly you need to switch the firmware to boot to UEFI mode!
X:\>diskpart
X:\>DiskPart
Microsoft DiskPart version 10.0.15048.0
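Review bot: this hunk edits a captured console transcript (`X:\>diskpart` becomes `X:\>DiskPart`) for naming consistency; the command is case-insensitive so nothing breaks, but restyling transcript lines risks drifting from what the session actually showed, and a reader comparing against their own window will have typed `diskpart`. Consider leaving transcript lines verbatim and keeping the product-name normalization to the prose.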
@ -364,9 +371,16 @@ You can also view the partition type of a disk by opening the Disk Management to
![Volumes](images/mbr2gpt-volume.PNG)
If Windows PowerShell and Disk Management are not available, such as when you are using Windows PE, you can determine the partition type at a command prompt with the diskpart tool. To determine the partition style, type **diskpart** and then type **list disk**. See the following example:
If Windows PowerShell and Disk Management are not available, such as when you are using Windows PE, you can determine the partition type at a command prompt with the DiskPart tool. To determine the partition style from a command line, type **diskpart** and then type **list disk**. See the following example:
```
X:\>DiskPart
Microsoft DiskPart version 10.0.15048.0
Copyright (C) Microsoft Corporation.
On computer: MININT-K71F13N
DISKPART> list disk
Disk ### Status Size Free Dyn Gpt
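Review bot: the rewritten paragraph now says "at a command prompt with the DiskPart tool" and, in the very next sentence, "To determine the partition style from a command line, type **diskpart**", so "from a command line" is redundant; drop it. Keeping the product name as DiskPart in prose and the bold command as lowercase `diskpart` is fine, as long as that split is applied consistently in the MBR2GPT topic.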

Binary file not shown. (After: 56 KiB)
Binary file not shown. (After: 82 KiB)
Binary file not shown. (After: 33 KiB)
Binary file not shown. (After: 20 KiB)
Binary file not shown. (After: 40 KiB)
Binary file not shown. (After: 68 KiB)
Binary file not shown. (After: 19 KiB)
Binary file not shown. (After: 19 KiB)
Binary file not shown. (After: 52 KiB)
Binary file not shown. (After: 8.7 KiB)
Binary file not shown. (After: 19 KiB)

View File

@ -1,6 +1,7 @@
---
title: Get started with Update Compliance (Windows 10)
description: Explains how to configure Update Compliance.
description: Configure Update Compliance in OMS to see the status of updates and antimalware protection on devices in your network.
keywords: update compliance, oms, operations management suite, prerequisites, requirements, updates, upgrades, antivirus, antimalware, signature, log analytics, wdav
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
@ -14,88 +15,90 @@ This topic explains the steps necessary to configure your environment for Window
Steps are provided in sections that follow the recommended setup process:
1. Ensure that [prerequisites](#update-compliance-prerequisites) are met.
2. [Add Update Compliance](#add-update-compliance-to-microsoft-operations-management-suite) to Microsoft Operations Management Suite
3. [Deploy your Commercial ID](#deploy-your-commercial-id-to-your-windows-10-devices) to your organizations devices
2. [Add Update Compliance](#add-update-compliance-to-microsoft-operations-management-suite) to Microsoft Operations Management Suite.
3. [Deploy your Commercial ID](#deploy-your-commercial-id-to-your-windows-10-devices) to your organizations devices.
## Update Compliance Prerequisites
## Update Compliance prerequisites
Update Compliance has the following requirements:
1. Update Compliance is currently only compatible with Windows 10 devices. The solution is intended to be used with desktop devices (Windows 10 workstations and laptops).
2. The solution requires that Windows 10 telemetry is enabled on all devices that are intended to be displayed in the solution. These devices must have at least the [basic level of telemetry](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization#basic-level) enabled. To learn more about Windows telemetry, see [Configure Windows telemetry in your organization](/windows/configuration/configure-windows-telemetry-in-your-organization).
3. The telemetry of your organizations Windows devices must be successfully transmitted to Microsoft. Microsoft has specified [endpoints for different aspects of telemetry](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization#endpoints), which must be whitelisted by your organization so the data can be transmitted. The following table is taken from the article on telemetry endpoints and summarizes the use of each endpoint:
3. The telemetry of your organizations Windows devices must be successfully transmitted to Microsoft. Microsoft has specified [endpoints for each of the telemetry services](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization#endpoints), which must be whitelisted by your organization so the data can be transmitted. The following table is taken from the article on telemetry endpoints and summarizes the use of each endpoint:
Service | Endpoint
--- | ---
Connected User Experience and Telemetry component | v10.vortex-win.data.microsoft.com<BR>settings-win.data.microsoft.com
Windows Error Reporting | watson.telemetry.microsoft.com
Online Crash Analysis | oca.telemetry.microsoft.com
4. To use Windows Defender Antivirus Assessment, devices must be protected by Windows Defender AV (and not a 3rd party AV program), and must have enabled [cloud-delivered protection](/windows/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus). See the [Windows Defender Antivirus in Windows 10](/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) content library for more information on enabling, configuring, and validating Windows Defender AV.
<TABLE BORDER=1>
<TR><TD BGCOLOR="#cceeff">Service<TD BGCOLOR="#cceeff">Endpoint
<TR><TD>Connected User Experience and Telemetry component<TD>v10.vortex-win.data.microsoft.com
<BR>settings-win.data.microsoft.com
<TR><TD>Windows Error Reporting <TD>watson.telemetry.microsoft.com
<TR><TD>Online Crash Analysis <TD>oca.telemetry.microsoft.com
</TABLE>
## Add Update Compliance to Microsoft Operations Management Suite
Update Compliance is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud-based servicing for monitoring and automating your on-premises and cloud environments. For more information about OMS, see [Operations Management Suite overview](https://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/).
Update Compliance is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud-based servicing for monitoring and automating your on-premise and cloud environments. For more information about OMS, see [Operations Management Suite overview](https://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/).
If you are already using OMS, youll find Update Compliance in the Solutions Gallery. Select the **Update Compliance** tile in the gallery and then click **Add** on the solution's details page. Update Compliance is now visible in your workspace.
If you are not yet using OMS, use the following steps to subscribe to OMS Update Compliance:
1. Go to [Operations Management Suites page](https://www.microsoft.com/en-us/cloud-platform/operations-management-suite) on Microsoft.com and click **Sign in**.
1. Go to [Operations Management Suite](https://www.microsoft.com/en-us/cloud-platform/operations-management-suite) on Microsoft.com and click **Sign in**.
[![](images/uc-02a.png)](images/uc-02.png)
<P><TABLE BORDER=1><TR><TD>
<A HREF="images/uc-02.png"><img src="images/uc-02a.png"></A>
<TABLE>
2. Sign in to Operations Management Suite (OMS). You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory (Azure AD), use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS.
<P><TABLE BORDER=1><TR><TD>
<A HREF="images/uc-03.png"><img src="images/uc-03a.png"></A>
<TABLE>
[![](images/uc-03a.png)](images/uc-03.png)
3. Create a new OMS workspace.
<P><TABLE BORDER=1><TR><TD>
<A HREF="images/uc-04.png"><img src="images/uc-04a.png"></A>
<TABLE>
[![](images/uc-04a.png)](images/uc-04.png)
4. Enter a name for the workspace, select the workspace region, and provide the email address that you want associated with this workspace. Click **Create**.
<P><TABLE BORDER=1><TR><TD>
<A HREF="images/uc-05.png"><img src="images/uc-05a.png"></A>
<TABLE>
[![](images/uc-05a.png)](images/uc-05.png)
5. If your organization already has an Azure subscription, you can link it to your workspace. Note that you may need to request access from your organizations Azure administrator. If your organization does not have an Azure subscription, create a new one or select the default OMS Azure subscription from the list. If you do not yet have an Azure subscription, follow [this guide](https://blogs.technet.microsoft.com/upgradeanalytics/2016/11/08/linking-operations-management-suite-workspaces-to-microsoft-azure/) to create and link an Azure subscription to an OMS workspace.
<P><TABLE BORDER=1><TR><TD>
<A HREF="images/uc-06.png"><img src="images/uc-06a.png"></A>
<TABLE>
[![](images/uc-06a.png)](images/uc-06.png)
6. To add the Update Compliance solution to your workspace, go to the Solutions Gallery.
<P><TABLE BORDER=1><TR><TD>
<A HREF="images/uc-07.png"><img src="images/uc-07a.png"></A>
<TABLE>
7. Select the **Update Compliance** tile in the gallery and then select **Add** on the solutions details page. You might need to scroll to find **Update Compliance**. The solution is now visible on your workspace.
[![](images/uc-07a.png)](images/uc-07.png)
7. Select the **Update Compliance** tile in the gallery and then select **Add** on the solutions details page. You might need to scroll to find **Update Compliance**. The solution is now visible in your workspace.
[![](images/uc-08a.png)](images/uc-08.png)
<P><TABLE BORDER=1><TR><TD>
<A HREF="images/uc-08.png"><img src="images/uc-08a.png"></A>
<TABLE>
8. Click the **Update Compliance** tile to configure the solution. The **Settings Dashboard** opens.
<P><TABLE BORDER=1><TR><TD>
<A HREF="images/uc-09.png"><img src="images/uc-09a.png"></A>
<TABLE>
[![](images/uc-09a.png)](images/uc-09.png)
9. Click **Subscribe** to subscribe to OMS Update Compliance. You will then need to distribute your Commercial ID across all your organizations devices. More information on the Commercial ID is provided below.
<P><TABLE BORDER=1><TR><TD>
<A HREF="images/uc-10.png"><img src="images/uc-10a.png"></A>
<TABLE>
[![](images/uc-10a.png)](images/uc-10.png)
After you are subscribed to OMS Update Compliance and your devices have a Commercial ID, you will begin receiving data. It will typically take 24 hours for the first data to begin appearing. The following section explains how to deploy your Commercial ID to your Windows 10 devices.
>[!NOTE]
>You can unsubscribe from the Update Compliance solution if you no longer want to monitor your organizations devices. User device data will continue to be shared with Microsoft while the opt-in keys are set on user devices and the proxy allows traffic.
## Deploy your Commercial ID to your Windows 10 devices
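Review bot: every screenshot block introduced in this hunk opens `<P><TABLE BORDER=1><TR><TD>` and then ends with `<TABLE>` instead of `</TD></TR></TABLE>`, so each of the nine blocks opens a second table and none is ever closed (the `<P>` elements are not closed either); the page will render as nested, unterminated tables. Either close them properly or keep the original Markdown `[![](images/uc-02a.png)](images/uc-02.png)` links, which were valid; note that the endpoint table added in the prerequisites does close its `</TABLE>`, so mirror that. Two smaller points: "on-premises" was changed to "on-premise" in the OMS description, which is a regression (on-premises is the adjective form), and step 7's "The solution is now visible in your workspace" is now stated twice on the page, once in the "already using OMS" paragraph and once in the numbered steps, so one of them could be trimmed.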

View File

@ -1,6 +1,7 @@
---
title: Monitor Windows Updates with Update Compliance (Windows 10)
description: Introduction to Update Compliance.
title: Monitor Windows Updates and Windows Defender AV with Update Compliance (Windows 10)
description: You can use Update Compliance in OMS to monitor the progress of updates and key antimalware protection features on devices in your network.
keywords: oms, operations management suite, wdav, updates, upgrades, antivirus, antimalware, signature, log analytics
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
@ -8,26 +9,26 @@ ms.pagetype: deploy
author: greg-lindsay
---
# Monitor Windows Updates with Update Compliance
# Monitor Windows Updates and Windows Defender Antivirus with Update Compliance
## Introduction
With Windows 10, organizations need to change the way they approach monitoring and deploying updates. Update Compliance is a powerful set of tools that enable organizations to monitor and track all important aspects of Microsofts new servicing strategy: [Windows as a Service](waas-overview.md).
With Windows 10, organizations need to change the way they approach monitoring and deploying updates. Update Compliance is a powerful set of tools that enable organizations to monitor and track all important aspects of the new servicing strategy from Microsoft: [Windows as a Service](waas-overview.md).
Update Compliance is a solution built within Operations Management Suite (OMS), a cloud-based monitoring and automation service which has a flexible servicing subscription based off data usage/retention. For more information about OMS, see [Operations Management Suite overview](http://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/).
Update Compliance uses the Windows telemetry that is part of all Windows 10 devices. It collects system data including update installation progress, Windows Update for Business (WUfB) configuration data, and other update-specific information, and then sends this data privately to a secure cloud to be stored for analysis and usage within the solution.
Update Compliance uses the Windows telemetry that is part of all Windows 10 devices. It collects system data including update installation progress, Windows Update for Business (WUfB) configuration data, Windows Defender Antivirus data, and other update-specific information, and then sends this data privately to a secure cloud to be stored for analysis and usage within the solution.
Update Compliance provides the following:
- An overview of your organizations devices that just works.
- Dedicated drill-downs for devices that might need attention.
- An inventory of devices, including the version of Windows they are running and their update status.
- An overview of WUfB deferral configurations (Windows 10 Anniversary Update [1607] and later).
- Powerful built-in [log analytics](https://www.microsoft.com/en-us/cloud-platform/insight-and-analytics?WT.srch=1&WT.mc_id=AID529558_SEM_%5B_uniqid%5D&utm_source=Bing&utm_medium=CPC&utm_term=log%20analytics&utm_campaign=Hybrid_Cloud_Management) to create useful custom queries.
- Cloud-connected access utilizing Windows 10 telemetry means no need for new complex, customized infrastructure.
- Dedicated drill-downs for devices that might need attention
- An inventory of devices, including the version of Windows they are running and their update status
- The ability to track protection and threat status for Windows Defender Antivirus-enabled devices
- An overview of WUfB deferral configurations (Windows 10 Anniversary Update [1607] and later)
- Powerful built-in [log analytics](https://www.microsoft.com/en-us/cloud-platform/insight-and-analytics?WT.srch=1&WT.mc_id=AID529558_SEM_%5B_uniqid%5D&utm_source=Bing&utm_medium=CPC&utm_term=log%20analytics&utm_campaign=Hybrid_Cloud_Management) to create useful custom queries
- Cloud-connected access utilizing Windows 10 telemetry means no need for new complex, customized infrastructure
See the following topics in this guide for detailed information about configuring and use the Update Compliance solution:
See the following topics in this guide for detailed information about configuring and using the Update Compliance solution:
- [Get started with Update Compliance](update-compliance-get-started.md): How to add Update Compliance to your environment.
- [Using Update Compliance](update-compliance-using.md): How to begin using Update Compliance.
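Review bot: the bullets in the "Update Compliance provides the following" list lost their trailing periods in this hunk, but the first, unchanged bullet "An overview of your organizations devices that just works." still has one, so the list is now inconsistent; strip that period too or restore the others. Minor wording: "the new servicing strategy from Microsoft" is wordier than the original "Microsoft's new servicing strategy"; if the rewrite was meant to avoid a curly apostrophe, a plain ASCII apostrophe is the better fix, and "organizations devices" in the first bullet reads as though a possessive apostrophe was lost the same way.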
@ -36,19 +37,20 @@ An overview of the processes used by the Update Compliance solution is provided
## Update Compliance architecture
The Update Compliance architecture and data flow is summarized by the following five step process:
The Update Compliance architecture and data flow is summarized by the following five-step process:
**(1)** User computers send telemetry data to a secure Microsoft data center using the Microsoft Data Management Service.<BR>
**(2)** Telemetry data is analyzed by the Update Compliance Data Service.<BR>
**(3)** Telemetry data is pushed from the Update Compliance Data Service to your OMS workspace.<BR>
**(4)** Telemetry data is available in the Update Compliance solution.<BR>
**(5)** You are able to monitor and troubleshoot Windows updates on your network.<BR>
**(5)** You are able to monitor and troubleshoot Windows updates and Windows Defender AV in your environment.<BR>
These steps are illustrated in following diagram:
![Update Compliance architecture](images/uc-01.png)
![Update Compliance architecture](images/uc-01-wdav.png)
>This process assumes that Windows telemetry is enabled and devices are assigned your Commercial ID.
>[!NOTE]
>This process assumes that Windows telemetry is enabled and you [have assigned your Commercial ID to devices](update-compliance-get-started#deploy-your-commercial-id-to-your-windows-10-devices.
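Review bot: the rewritten note's link is malformed: `(update-compliance-get-started#deploy-your-commercial-id-to-your-windows-10-devices.` is missing the `.md` extension the other relative links in this file use (for example `update-compliance-get-started.md` higher up) and never closes the parenthesis, so the markdown will render as literal text. Suggest `[have assigned your Commercial ID to devices](update-compliance-get-started.md#deploy-your-commercial-id-to-your-windows-10-devices).`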

View File

@ -19,6 +19,7 @@ Update Compliance:
- Provides a workflow that can be used to quickly identify which devices require attention.
- Enables you to track deployment compliance targets for updates.
>[!NOTE]
>Information is refreshed daily so that update progress can be monitored. Changes will be displayed about 24 hours after their occurrence, so you always have a recent snapshot of your devices.
In OMS, the aspects of a solution's dashboard are usually divided into <I>blades</I>. Blades are a slice of information, typically with a summarization tile and an enumeration of the items that makes up that data. All data is presented through <I>queries</I>. <I>Perspectives</I> are also possible, wherein a given query has a unique view designed to display custom data. The terminology of blades, tiles, and perspectives will be used in the sections that follow.
@ -31,7 +32,8 @@ Update Compliance has the following primary blades:
3. [Latest and Previous Security Update Status](#latest-and-previous-security-update-status)
4. [Overall Feature Update Status](#overall-feature-update-status)
5. [CB, CBB, LTSB Deployment Status](#cb-cbb-ltsb-deployment-status)
6. [List of Queries](#list-of-queries)
6. [Windows Defender Antivirus Assessment](#wdav-assessment)
7. [List of Queries](#list-of-queries)
## OS Update Overview
@ -41,6 +43,7 @@ The first blade of OMS Update Compliance is the General **OS Update Overview** b
![OS Update Overview](images/uc-11.png)
This blade is divided into three sections:
- Device Summary:
- Needs Attention Summary
@ -139,6 +142,133 @@ The Overall Feature Update Status blade focuses around whether or not your devic
Devices are evaluated by OS Version (e.g., 1607) and the count of how many are Current, Not Current, and have Update Failures is displayed. Clicking on any of these counts will allow you to view all those devices, as well as select the **Update Deployment Status** perspective, described below.
<a id="wdav-assessment"></a>
## Windows Defender Antivirus Assessment
You'll notice some new tiles in the Overview blade which provide a summary of Windows Defender AV-related issues, highlighted in the following screenshot.
![verview blade showing a summary of key Windows Defender Antivirus issues](images/update-compliance-wdav-overview.png)
The **AV Signature** chart shows the number of devices that either have up-to-date [protection updates (also known as signatures or definitions)](/windows/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus), while the **Windows Defender AV Status** tile indicates the percentage of all assessed devices that are not updated and do not have real-time protection enabled. The Windows Defender Antivirus Assessment section provides more information that lets you investigate potential issues.
If you're using [Windows Defender Antivirus in Windows 10](/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) to protect devices in your organization and have enabled [cloud-delivered protection](/windows/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus), you can use this section to review the overall status of key protection features, including the number of devices that have [always-on real-time protection](/windows/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus) and up-to-date definitions.
There are two blades in the Windows Defender AV Assessment section:
- Protection status
- Threats status
![Windows Defender Antivirus Assessment blade in Update Compliance](images/update-compliance-wdav-assessment.png)
The **Protection Status** blade shows three key measurements:
1. How many devices have old or current signatures (also known as protection updates or definitions)
2. How many devices have the core Windows Defender AV always-on scanning feature enabled, called real-time protection
![Windows Defender Antivirus protection status in Update Compliance](images/update-compliance-wdav-prot-status.png)
See the [Manage Windows Defender AV updates and apply baselines](/windows/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus) topic for an overview on how updates work, and further information on applying updates.
The **Threats Status** blade shows the following measurements:
1. How many devices that have threats that have been remediated (removed or quarantined on the device)
2. How many devices that have threats where remediation was not successful (this may indicate a manual reboot or clean is required)
![Windows Defender Antivirus threat status in Update Compliance](images/update-compliance-wdav-threat-status.png)
Devices can be in multiple states at once, as one device may have multiple threats, some of which may or may not be remediated.
> [!IMPORTANT]
> The data reported in Update Compliance can be delayed by up to 24 hours.
See the [Customize, initiate, and review the results of Windows Defender AV scans and remediation](/windows/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus) topic for more information on how to perform scans and other manual remediation tasks.
As with other blades in Update Compliance, clicking on a specific measurement or item will open the associated query that you can use to investigate individual devices and issues, as described below.
### Investigate individual devices and threats
Click on any of the status measurements to be taken to a pre-built log query that shows the impacted devices for that status.
![Sample Windows Defender AV query in Update Compliance](images/update-compliance-wdav-status-log.png)
You can also find a pre-built query on the main Update Compliance screen, under the **Queries** blade, that lists devices that have not been assessed for Windows Defender AV.
![Overview blade showing a summary of key Windows Defender Antivirus issues](images/update-compliance-wdav-query-not-assessed.png)
You can further filter queries by clicking any of the measurement labels for each incident, changing the values in the query filter pane, and then clicking **Apply**.
![Click the Apply button on the left pane](images/update-compliance-wdav-status-filter-apply.png)
Click **+Add** at the bottom of the filter pane to open a list of filters you can apply.
![Click Add to add more filters](images/update-compliance-wdav-status-add-filter.png)
You can also click the **. . .** button next to each label to instantly filter by that label or value.
![Click the elipsis icon to instantly filter by the selected label](images/update-compliance-wdav-status-filter.png)
You can create your own queries by using a query string in the following format:
```
Type:<Group type> <Label>="<Value>"
```
You can use the following `<Group type>` options to scope your query:
- `Type:WDAVStatus` to query information related to signature and real-time protection status
- `Type:WDAVThreat` to query information about threat remediation and specific threats
The `<Label>`, and `<Value>` fields are listed in the following table. All labels and values are case sensitive and must be entered as written below (including spaces).
For queries that use `Type:WDAVStatus`, you can use the following labels and values.
Label | Value
---|---
`Computer`|\<computer name>
`ComputerID`|\<computer ID>
`OSName`|\<Operating system name>
`UpdateStatus`|`Not assessed` <br />`Signature up-to-date` <br />`Signature out-of-date`
`DetailedStatus`|`Unknown` <br />`Non-Microsoft AV` <br />`No AV` <br />`AV expired` <br />`Disabled by GP` <br />`Disabled by LP` <br />`Recently disappeared`
`ProtectionState`|`Real-time protection is off `<br />`Real-time protection is on`
`MoreInformation`| \<free text string>
`LastScan`| \<date and time of the last scan>
For queries that use `Type:WDAVThreat`, you can use the following labels and values.
Label | Value
---|---
`Computer`|\<computer name>
`ComputerID`|\<computer ID>
`ThreatName`|\<detected threat name>
`ThreatStatus`|`Remediation failed`<br/>`Remediated`
`ThreatAction`|`Remediation pending reboot`
`ThreatError`|`Disk full`<br/>`Network issue`<br/>`Operation aborted`
`MoreInformation`|\<free text string>
`LastScan`|\<date and time of the last scan>
You can add multiple label-value pairs in the same query to refine and filter the results.
![Add multiple value and name pairs in your query, separated by spaces](images/update-compliance-wdav-status-query.png)
## CB, CBB, LTSB Deployment Status
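Review bot: the Protection Status blade text says "three key measurements" but lists only two (signature age and real-time protection), so either a third item is missing or the count should be "two". Other fixes in this hunk before merge: "shows the number of devices that either have up-to-date ..." has an "either" with no "or", so the sentence never says what the other category is; the two Threats Status items read "How many devices that have threats", drop "that"; the alt text "verview blade" is missing its first letter, and the alt text on the not-assessed query screenshot reuses the overview blade's description instead of describing the query; "elipsis" should be "ellipsis"; and the value `Real-time protection is off ` carries a trailing space inside the backticks, which matters because the same section tells readers labels and values are case sensitive and must be entered exactly as written, including spaces.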

View File

@ -44,7 +44,7 @@ With Windows Update for Business, you can set a device to be on either the Curre
| GPO for version 1607 and above: </br>Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\BranchReadinessLevel |
| GPO for version 1511: </br>Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\DeferUpgrade |
| MDM for version 1607 and above: </br>../Vendor/MSFT/Policy/Config/Update/</br>**BranchReadinessLevel** | \Microsoft\PolicyManager\default\Update\BranchReadinessLevel |
| MDM for version 1511: </br>../Vendor/MSFT/Policy/Config/Update/</br>**RequireDeferredUpgrade** | \Microsoft\PolicyManager\default\Update\RequireDeferUpgrade |
| MDM for version 1511: </br>../Vendor/MSFT/Policy/Config/Update/</br>**RequireDeferUpgrade** | \Microsoft\PolicyManager\default\Update\RequireDeferUpgrade |
Starting with version 1703, users are able to configure their device's branch readiness level, by going to **Settings > Update & security > Windows Update > Advanced options**.

View File

@ -60,7 +60,7 @@ Current Branch is the default servicing branch for all Windows 10 devices except
- In Windows 10, version 1511:
../Vendor/MSFT/Policy/Config/Update/**RequireDeferredUpgrade**
../Vendor/MSFT/Policy/Config/Update/**RequireDeferUpgrade**
- In Windows 10, version 1607:
@ -70,7 +70,7 @@ Current Branch is the default servicing branch for all Windows 10 devices except
- In Windows 10 Mobile Enterprise, version 1511:
../Vendor/MSFT/Policy/Config/Update/RequireDeferredUpgrade
../Vendor/MSFT/Policy/Config/Update/RequireDeferUpgrade
- In Windows 10 Mobile Enterprise, version 1607:

View File

@ -16,17 +16,19 @@ This topic provides information on additional features that are available in Upg
The site discovery feature in Upgrade Readiness provides an inventory of web sites that are accessed by client computers using Internet Explorer on Windows 8.1 and Windows 7. Site discovery does not include sites that are accessed using other Web browsers, such as Microsoft Edge. Site inventory information is provided as optional data related to upgrading to Windows 10 and Internet Explorer 11, and is meant to help prioritize compatibility testing for web applications. You can make more informed decisions about testing based on usage data.
> Note: Site discovery data is disabled by default; you can find documentation on what is collected in the [Windows 7, Windows 8, and Windows 8.1 appraiser telemetry events and fields](https://go.microsoft.com/fwlink/?LinkID=822965). After you turn on this feature, data is collected on all sites visited by Internet Explorer, except during InPrivate sessions. In addition, the data collection process is silent, without notification to the employee. You are responsible for ensuring that your use of this feature complies with all applicable local laws and regulatory requirements, including any requirements to provide notice to employees.
> [!NOTE]
> Site discovery data is disabled by default; you can find documentation on what is collected in the [Windows 7, Windows 8, and Windows 8.1 appraiser telemetry events and fields](https://go.microsoft.com/fwlink/?LinkID=822965). After you turn on this feature, data is collected on all sites visited by Internet Explorer, except during InPrivate sessions. In addition, the data collection process is silent, without notification to the employee. You are responsible for ensuring that your use of this feature complies with all applicable local laws and regulatory requirements, including any requirements to provide notice to employees.
### Install prerequisite security update for Internet Explorer
Ensure the following prerequisites are met before using site discovery:
1. Install the latest [Windows Monthly Rollup](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=security%20monthly%20quality%20rollup). This functionality has been included in Internet Explorer 11 starting with the July 2016 Cumulative Update.
2. Install the update for customer experience and diagnostic telemetery ([KB3080149](https://support.microsoft.com/kb/3080149)).
3. Enable Internet Explorer data collection, which is disabled by default. The best way to enable it is to modify the [Upgrade Readiness deployment script](upgrade-readiness-deployment-script.md) to allow Internet Explorer data collection before you run it.
1. Install the prerequisite KBs to add Site Discovery support and the latest fixes from the [Microsoft Update Catalog](http://www.catalog.update.microsoft.com/home.aspx). Install the following:
- For Windows 7 and Windows 8.1 - March, 2017 (or later) Security Monthly Rollup
- For Windows 10 - Cumulative Update for Windows 10 Version 1607 (KB4015217) (or later)
2. Enable Internet Explorer data collection, which is disabled by default. The best way to enable it is to modify the [Upgrade Readiness deployment script](upgrade-readiness-deployment-script.md) to allow Internet Explorer data collection before you run it. In addition, to enable Site Discovery on Windows 10 set **Enhanced Telemetry Level** for the Feedback and Diagnostics setting (Privacy > Feedback & Diagnostics settings), and enable **Page Prediction within Internet Explorer 11**.
If necessary, you can also enable it by creating the following registry entry.
If necessary, you can also enable data collection by creating the following registry entry.
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection
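Review bot: the new prerequisite list adds Windows 10 (the 1607 cumulative update and the Enhanced telemetry level), but the unchanged intro sentence still says site discovery covers "Internet Explorer on Windows 8.1 and Windows 7" and the heading still reads "Install prerequisite security update for Internet Explorer"; update both so readers know Windows 10 is now in scope. It is also worth stating plainly that Windows 10 site discovery requires raising the device's diagnostic data setting to Enhanced, since the note above already makes readers responsible for employee notice and moving from Basic to Enhanced changes what is collected beyond the IE site data this feature describes. Minor: "March, 2017" should be "March 2017".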

View File

@ -1,74 +0,0 @@
---
title: Windows security baselines (Windows 10)
description: Use this topic to learn what security baselines are and how you can use them in your organization to help keep your devices secure.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
localizationpriority: high
author: brianlic-msft
---
# Windows security baselines
**Applies to**
- Windows 10
- Windows Server 2016
- Windows Server 2012 R2
Microsoft is dedicated to provide our customers with a secure operating system, such as Windows 10 and Windows Server, as well as secure apps, such as Microsoft Edge. In addition to the security assurance of its products, Microsoft also enables you to have fine control of your environments by providing various configuration capabilities. Even though Windows and Windows Server are designed to be secure out-of-the-box, a large number of organizations still want more granular control of their security configurations. To navigate these large number of controls, organizations need guidance for configuring various security features. Microsoft provides this guidance in the form of security baselines.
We recommend implementing an industry-standard configuration that is broadly known and well-tested, such as a Microsoft security baseline, as opposed to creating one yourself. This helps increase flexibility and reduce costs.
> [!NOTE]
> Microsoft Security Compliance Manager 4.0 is available from the [Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=53353).
## What are security baselines?
Every organization faces security threats. However, the types of security threats that are of most concern to one organization can be completely different from another organization. For example, an e-commerce company may focus on protecting their Internet-facing web apps, while a hospital may focus on protecting confidential patient information. The one thing that all organizations have in common is a need to keep their apps and devices secure. These devices must be compliant with the security standards (or security baselines) defined by the organization.
A security baseline is a collection of settings that have a security impact and include Microsofts recommended value for configuring those settings along with guidance on the security impact of those settings. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and
customers.
## Why are security baselines needed?
Security baselines are an essential benefit to customers because they bring together expert knowlege from Microsoft, partners, and customers.
For example, there are over 3,000 Group Policy settings for Windows 10, which does not include over 1,800 Internet Explorer 11 settings. Of those 4,800 settings, only some of them are security-related. While Microsoft provides extensive guidance on different security features, going through each of them can take a long time. You would have to determine the security impact of each setting on your own. After you've done that, you still need to determine what values each of these settings should be.
In modern organizations, the security threat landscape is constantly evolving. IT pros and policy makers must keep current with security threats and changes to Windows security settings to help mitigate these threats.
To help faster deployments and increase the ease of managing Windows, Microsoft provides customers with security baselines that are available in formats that can be consumed, such as Group Policy Objects backups.
## How can you use security baselines?
You can use security baselines to:
- Ensure that user and device configuration settings are compliant with the baseline.
- Set configuration settings. For example, you can use Group Policy, System Center Configuration Manager, or Microsoft Intune to configure a device with the setting values specified in the baseline.
## Where can I get the security baselines?
Here's a list of security baselines that are currently available.
> [!NOTE]
> If you want to know what has changed with each security baseline, or if you want to stay up-to-date on whats happening with them, check out the [Microsoft Security Guidance](http://blogs.technet.microsoft.com/secguide) blog.
### Windows 10 security baselines
- [Windows 10, version 1607 and Windows Server 2016 security baseline](https://go.microsoft.com/fwlink/?linkid=831663)
- [Windows 10, Version 1511 security baseline](https://go.microsoft.com/fwlink/p/?LinkID=799381)
- [Windows 10, Version 1507 security baseline](https://go.microsoft.com/fwlink/p/?LinkID=799380)
### Windows Server security baselines
- [Windows 10, version 1607 and Windows Server 2016 security baseline](https://go.microsoft.com/fwlink/?linkid=831663)
- [Windows Server 2012 R2 security baseline](https://go.microsoft.com/fwlink/p/?LinkID=799382)
## How can I monitor security baseline deployments?
Microsofts Operation Management Services (OMS) helps you monitor security baseline deployments across your servers. To find out more, check out [Operations Management Suite](https://aka.ms/omssecscm).
You can use [System Center Configuration Manager](https://www.microsoft.com/cloud-platform/system-center-configuration-manager) to monitor security baseline deployments on client devices within your organization.
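Review bot: this deletes the only topic explaining what a security baseline is, why one is needed, and where the 1507, 1511, 1607/Server 2016 and Server 2012 R2 baselines and Security Compliance Manager 4.0 are obtained, plus the OMS and Configuration Manager monitoring guidance. Before merging, confirm that a replacement topic (or the page readers are sent to instead) carries that content, and grep the repo for remaining links to windows-security-baselines.md so they don't 404. Removing the explanatory material without a replacement leaves readers with a download but no guidance on choosing or monitoring a baseline.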

View File

@ -1,5 +1,5 @@
# [Threat protection](index.md)
## [Windows Defender Security Center](windows-defender-security-center\windows-defender-security-center.md)
## [Windows Defender Advanced Threat Protection](windows-defender-atp\windows-defender-advanced-threat-protection.md)
### [Minimum requirements](windows-defender-atp\minimum-requirements-windows-defender-advanced-threat-protection.md)
### [Preview features](windows-defender-atp\preview-windows-defender-advanced-threat-protection.md)

View File

@ -33,7 +33,7 @@ You'll also see additional links for:
- Reporting on Windows Defender Antivirus protection
> [!IMPORTANT]
> In most cases, Windows 10 will disable Windows Defender Antivirus if it finds another antivirus product running and up-to-date. You must disable or uninstall third-party antivirus products before Windows Defender Antivirus will be functioning. If you re-enable or install third-part antivirus products, then Windows 10 will automatically disable Windows Defender Antivirus.
> In most cases, Windows 10 will disable Windows Defender Antivirus if it finds another antivirus product running and up-to-date. You must disable or uninstall third-party antivirus products before Windows Defender Antivirus will be functioning. If you re-enable or install third-party antivirus products, then Windows 10 will automatically disable Windows Defender Antivirus.
Tool|Deployment options (<a href="#fn2" id="ref2">2</a>)|Management options (network-wide configuration and policy or baseline deployment) ([3](#fn3))|Reporting options
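Review bot: while fixing "third-part", the same line's "before Windows Defender Antivirus will be functioning" should read "before Windows Defender Antivirus will function".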
@ -84,6 +84,6 @@ Topic | Description
---|---
[Deploy and enable Windows Defender Antivirus protection](deploy-windows-defender-antivirus.md) | While the client is installed as a core part of Windows 10, and traditional deployment does not apply, you will still need to enable the client on your endpoints with System Center Configuration Manager, Microsoft Intune, or Group Policy Objects.
[Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md) | There are two parts to updating Windows Defender Antivirus: updating the client on endpoints (product updates), and updating definitions (protection updates). You can update definitions in a number of ways, using System Center Configuration Manager, Group Policy, PowerShell, and WMI.
[Monitor and report on Windows Defender Antivirus protection](report-monitor-windows-defender-antivirus.md) | You can use System Center Configuration Manager, a third-party SIEM product (by consuming Windows event logs), or Microsoft Intune to monitor protection status and create reports about endpoint protection
[Monitor and report on Windows Defender Antivirus protection](report-monitor-windows-defender-antivirus.md) | You can use System Center Configuration Manager, the Update Compliance add-in for Microsoft Operations Management Suite, a third-party SIEM product (by consuming Windows event logs), or Microsoft Intune to monitor protection status and create reports about endpoint protection

View File

@ -33,7 +33,7 @@ You can also apply [Windows security baselines](https://technet.microsoft.com/en
Windows Defender AV uses both [cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) (also called the Microsoft Advanced Protection Service or MAPS) and periodically downloaded protection updates to provide protection. These protection updates are also known as "definitions" or "signature updates".
The cloud-delivered protection is “always-on” and requires an active connection to the Internet to function, while the protection updates generally occur once a day (although this can be configured). See the [Utilize Microsoft cloud-provided protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) topic for more details about enabling and configuring cloud-provided protection.
The cloud-delivered protection is always on and requires an active connection to the Internet to function, while the protection updates generally occur once a day (although this can be configured). See the [Utilize Microsoft cloud-provided protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) topic for more details about enabling and configuring cloud-provided protection.
## Product updates

View File

@ -28,6 +28,9 @@ There are a number of ways you can review protection status and alerts, dependin
You can use System Center Configuration Manager to [monitor Windows Defender AV protection](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/monitor-endpoint-protection) or [create email alerts](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-configure-alerts), or you can also monitor protection using the [Microsoft Intune console](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#monitor-endpoint-protection).
Microsoft Operations Management Suite has an [Update Compliance add-in](/windows/deployment/update/update-compliance-get-started) that reports on key Windows Defender AV issues, including protection updates and real-time protection settings.
If you have a third-party security information and event management (SIEM) tool, you can also consume [Windows Defender client events](https://msdn.microsoft.com/en-us/library/windows/desktop/aa964766(v=vs.85).aspx).
Windows events comprise several security event sources, including Security Account Manager (SAM) events ([enhanced for Windows 10](https://technet.microsoft.com/library/mt431757.aspx), also see the [Security audting](/windows/device-security/auditing/security-auditing-overview) topic) and [Windows Defender events](troubleshoot-windows-defender-antivirus.md).
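Review bot: the new OMS paragraph reads fine; the context line below it still has "Security audting" in the link text, fix to "Security auditing" while this file is open.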

View File

@ -31,11 +31,11 @@ See the [Windows Defender Advanced Threat Protection](../windows-defender-atp/wi
If you are enrolled in Windows Defender ATP, and you are not using Windows Defender AV as your real-time protection service on your endpoints, Windows Defender will automatically enter into a passive mode. On Windows Server 2016 SKUs, Windows Defender AV will not enter into the passive mode and will run alongside your other antivirus product.
In passive mode, Windows Defender will continue to run (using the *msmpeng.exe* process), and will continue to be updated, however there will be no Windows Defender user interface, scheduled scans won't run, and Windows Defender will not provide real-time protection from malware.
In passive mode, Windows Defender AV will continue to run (using the *msmpeng.exe* process), and will continue to be updated, however there will be no Windows Defender user interface, scheduled scans won't run, and Windows Defender AV will not provide real-time protection from malware.
You can still [manage updates for Windows Defender](manage-updates-baselines-windows-defender-antivirus.md), however you can't move Windows Defender into the normal active mode if your endpoints have an up-to-date third-party product providing real-time protection from malware.
You can still [manage updates for Windows Defender](manage-updates-baselines-windows-defender-antivirus.md), however you can't move Windows Defender AV into the normal active mode if your endpoints have an up-to-date third-party product providing real-time protection from malware.
If you uninstall the other product, and choose to use Windows Defender to provide protection to your endpoints, Windows Defender will automatically return to its normal active mode.
If you uninstall the other product, and choose to use Windows Defender AV to provide protection to your endpoints, Windows Defender AV will automatically return to its normal active mode.
## Related topics
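Review bot: the "Windows Defender" to "Windows Defender AV" rename is incomplete: the unchanged context line at the top of the hunk still says "Windows Defender will automatically enter into a passive mode", and the link text "manage updates for Windows Defender" on the rewritten line also keeps the old name. Since the point of this hunk is to distinguish the AV engine from the Windows Defender ATP service named in the same paragraph, the remaining occurrences should be renamed too.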

View File

@ -36,12 +36,12 @@ author: iaanw
Windows Defender Antivirus is available on Windows Server 2016. In some instances it is referred to as Endpoint Protection - however, the protection engine is the same.
See [Windows Defender Overview for Windows Server](https://technet.microsoft.com/windows-server-docs/security/windows-defender/windows-defender-overview-windows-server) for more information on enabling the client interface and configuring roles and specific server features.
See the [Windows Defender Overview for Windows Server](https://technet.microsoft.com/windows-server-docs/security/windows-defender/windows-defender-overview-windows-server) for more information on enabling the client interface and configuring roles and specific server features.
While the functionality, configuration, and management is largely the same for Windows Defender AV either on Windows 10 or Windows Server 2016, there are a few key differences:
- In Windows Server 2016, [automatic exclusions](configure-server-exclusions-windows-defender-antivirus.md) are applied based on your defined Server Role.
- In Windows Server 2016, [Windows Defender AV will not disable itself if you are running another antivirus product](windows-defender-antivirus-on-windows-server-2016.md).
- In Windows Server 2016, Windows Defender AV will not disable itself if you are running another antivirus product.
## Related topics
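Review bot: removing the self-referential link on the "will not disable itself" bullet is right (it pointed at this same topic). In the same passage, "the functionality, configuration, and management is largely the same" should be "are largely the same".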

View File

@ -35,12 +35,16 @@ In Windows 10, version 1703 (also known as the Creators Update), the Windows Def
Settings that were previously part of the Windows Defender client and main Windows Settings have been combined and moved to the new app, which is installed by default as part of Windows 10, version 1703.
The app also includes the settings and status of:
> [!IMPORTANT]
> Disabling the Windows Security Center service will not disable Windows Defender AV or [Windows Firewall](https://docs.microsoft.com/en-us/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security). These will be disabled automatically when a 3rd party antivirus or firewall product is installed and kept up to date.
- The PC (as "device health")
- Windows Firewall
- Windows Defender SmartScreen Filter
- Parental and Family Controls
> [!WARNING]
> If you do disable the Windows Security Center service, or configure its associated Group Policy settings to prevent it from starting or running, the Windows Defender Security Center may display stale or inaccurate information about any antivirus or firewall products you have installed on the device.
>It may also prevent Windows Defender AV from enabling itself if you have an old or outdated 3rd party antivirus, or if you uninstall any 3rd party antivirus products you may have previously installed.
>This will significantly lower the protection of your device and could lead to malware infection.
See the [Windows Defender Security Center topic](/windows/threat-protection/windows-defender-security-center) for more information on other Windows security features that can be monitored in the app.
>[!NOTE]
>The Windows Defender Security Center app is a client interface on Windows 10, version 1703. It is not the Windows Defender Security Center web portal that is used to review and manage [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md).
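Review bot: the new [!IMPORTANT] block is inserted between "The app also includes the settings and status of:" and its bullet list, separating the sentence from the items it introduces; move the IMPORTANT block (and the WARNING) after the "Parental and Family Controls" bullet, or above the "also includes" sentence, so the list stays attached to its lead-in. The WARNING content itself should stay prominent: it is the only place telling admins that stopping the Security Center service can leave Windows Defender AV disabled after a third-party AV is removed or goes stale. Style: this repo's other pages use "third-party" rather than "3rd party".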

View File

@ -25,52 +25,262 @@ Understand what data fields are exposed as part of the alerts API and how they m
## Alert API fields and portal mapping
The following table lists the available fields exposed in the alerts API payload. It shows examples for the populated values and a reference on how data is reflected on the portal.
The ArcSight field column contains the default mapping between the Windows Defender ATP fields and the built-in fields in ArcSight. You can download the mapping file from the portal when you enable the SIEM integration feature and you can modify it to match the needs of your organization. For more information, see [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md).
Field numbers match the numbers in the images below.
Portal label | SIEM field name | Description
:---|:---|:---
1 | LinkToWDATP | Link back to the alert page in Windows Defender ATP
2 | Alert ID | Alert ID visible in the link: `https://securitycenter.windows.com/alert/<alert id>`
3 | AlertTitle | Alert title
4 | Actor | Actor name
5 | AlertTime | Last time the alert was observed
6 | Severity | Alert severity
7 | Category | Alert category
8 | Status in queue | Alert status in queue
9 | ComputerDnsName| Computer DNS name and machine name
10| IoaDefinitionId | (Internal only) <br><br> ID for the IOA (Indication of attack) that this alert belongs to. It usually correlates with the title. <br><br> **Note**: This is an internal ID of the rule which triggers the alert. It's provided here as it can be used for aggregations in the SIEM.
11 | UserName | The user context relevant to the activity on the machine which triggered the alert. NOTE: Not yet populated.
12 | FileName | File name
13 | FileHash | Sha1 of file observed
14 | FilePath | File path
15 | IpAddress | IP of the IOC (when relevant)
16 | URL | URL of the IOC (when relevant)
17 | FullId | (Internal only) <br><br> Unique ID for each combination of IOC and Alert ID. Provides the ability to apply dedup logic in the SIEM.
18 | AlertPart | (Internal only) <br><br> Alerts which contain multiple IOCs will be split into several messages, each message contains one IOC and a running counter. The counter provides the ability to reconstruct the alerts in the SIEM.
19 | LastProccesedTimeUtc | (Internal only) <br><br> Time the alert was last processed in Windows Defender ATP.
20 | Source| Alert detection source (Windows Defender AV, Windows Defender ATP, and Device Guard)
21 | ThreatCategory| Windows Defender AV threat category
22 | ThreatFamily | Windows Defender AV family name
23 | RemediationAction | Windows Defender AV threat category |
24 | WasExecutingWhileDetected | Indicates if a file was running while being detected.
25| RemediationIsSuccess | Indicates if an alert was successfully remediated.
26 | Sha1 | Sha1 of file observed in alert timeline and in file side pane (when available)
27 | Md5 | Md5 of file observed (when available)
28 | Sha256 | Sha256 of file observed (when available)
29 | ThreatName | Windows Defender AV threat name
<table style="table-layout:fixed;width:100%" >
<tr>
<th class>Portal label</th>
<th class>SIEM field name</th>
<th class>ArcSight field</th>
<th class>Example value</th>
<th class>Description</th>
<th class></th>
</tr>
<tr>
<td class>1</td>
<td class>AlertTitle</td>
<td class>name</td>
<td class>A dll was unexpectedly loaded into a high integrity process without a UAC prompt</td>
<td class>Value available for every alert.</td>
<td class></td>
</tr>
<tr>
<td class>2</td>
<td class>Severity</td>
<td class>deviceSeverity</td>
<td class>Medium</td>
<td class>Value available for every alert.</td>
<td class></td>
</tr>
<tr>
<td class>3</td>
<td class>Category</td>
<td class>deviceEventCategory</td>
<td class>Privilege Escalation</td>
<td class>Value available for every alert.</td>
<td class></td>
</tr>
<tr>
<td class>4</td>
<td class>Source</td>
<td class>sourceServiceName</td>
<td class>WindowsDefenderATP</td>
<td class>Windows Defender Antivirus or Windows Defender ATP. Value available for every alert.</td>
<td class></td>
</tr>
<tr>
<td class>5</td>
<td class>MachineName</td>
<td class>sourceHostName</td>
<td class>liz-bean</td>
<td class>Value available for every alert.</td>
<td class></td>
</tr>
<tr>
<td class>6</td>
<td class>FileName</td>
<td class>fileName</td>
<td class>Robocopy.exe</td>
<td class>Available for alerts associated with a file or process.</td>
<td class></td>
</tr>
<tr>
<td class>7</td>
<td class>FilePath</td>
<td class>filePath</td>
<td class>C:\Windows\System32\Robocopy.exe</td>
<td class>Available for alerts associated with a file or process. \</td>
<td class></td>
</tr>
<tr>
<td class>8</td>
<td class>UserDomain</td>
<td class>sourceNtDomain</td>
<td class>contoso</td>
<td class>The domain of the user context running the activity, available for Windows Defender ATP behavioral based alerts.</td>
<td class></td>
</tr>
<tr>
<td class>9</td>
<td class>UserName</td>
<td class>sourceUserName</td>
<td class>liz-bean</td>
<td class>The user context running the activity, available for Windows Defender ATP behavioral based alerts.</td>
<td class></td>
</tr>
<tr>
<td class>10</td>
<td class>Sha1</td>
<td class>fileHash</td>
<td class>5b4b3985339529be3151d331395f667e1d5b7f35</td>
<td class>Available for alerts associated with a file or process.</td>
<td class></td>
</tr>
<tr>
<td class>11</td>
<td class>Md5</td>
<td class>deviceCustomString5</td>
<td class>55394b85cb5edddff551f6f3faa9d8eb</td>
<td class>Available for Windows Defender AV alerts.</td>
<td class></td>
</tr>
<tr>
<td class>12</td>
<td class>Sha256</td>
<td class>deviceCustomString6</td>
<td class>9987474deb9f457ece2a9533a08ec173a0986fa3aa6ac355eeba5b622e4a43f5</td>
<td class>Available for Windows Defender AV alerts.</td>
<td class></td>
</tr>
<tr>
<td class>13</td>
<td class>ThreatName</td>
<td class>eviceCustomString1</td>
<td class>Trojan:Win32/Skeeyah.A!bit</td>
<td class>Available for Windows Defender AV alerts.</td>
<td class></td>
</tr>
<tr>
<td class>14</td>
<td class>IpAddress</td>
<td class>sourceAddress</td>
<td class>218.90.204.141</td>
<td class>Available for alerts associated to network events. For example, 'Communication to a malicious network destination'.</td>
<td class></td>
</tr>
<tr>
<td class>15</td>
<td class>Url</td>
<td class>requestUrl</td>
<td class>down.esales360.cn</td>
<td class>Availabe for alerts associated to network events. For example, 'Communication to a malicious network destination'.</td>
<td class></td>
</tr>
<tr>
<td class>16</td>
<td class>RemediationIsSuccess</td>
<td class>deviceCustomNumber2</td>
<td class>TRUE</td>
<td class>Available for Windows Defender AV alerts. ArcSight value is 1 when TRUE and 0 when FALSE.</td>
<td class></td>
</tr>
<tr>
<td class>17</td>
<td class>WasExecutingWhileDetected</td>
<td class>deviceCustomNumber1</td>
<td class>FALSE</td>
<td class>Available for Windows Defender AV alerts. ArcSight value is 1 when TRUE and 0 when FALSE.</td>
<td class></td>
</tr>
<tr>
<td class>18</td>
<td class>AlertId</td>
<td class>externalId</td>
<td class>636210704265059241_673569822</td>
<td class>Value available for every alert.</td>
<td class></td>
</tr>
<tr>
<td class>19</td>
<td class>LinkToWDATP</td>
<td class>flexString1</td>
<td class>`https://securitycenter.windows.com/alert/636210704265059241_673569822`</td>
<td class>Value available for every alert.</td>
<td class></td>
</tr>
<tr>
<td class>20</td>
<td class>AlertTime</td>
<td class>deviceReceiptTime</td>
<td class>2017-05-07T01:56:59.3191352Z</td>
<td class>The time the activity relevant to the alert occurred. Value available for every alert.</td>
<td class></td>
</tr>
<tr>
<td class>21</td>
<td class>MachineDomain</td>
<td class>sourceDnsDomain</td>
<td class>contoso.com</td>
<td class>Domain name not relevant for AAD joined machines. Value available for every alert.</td>
<td class></td>
</tr>
<tr>
<td class>22</td>
<td class>Actor</td>
<td class>deviceCustomString4</td>
<td class></td>
<td class>Available for alerts related to a known actor group.</td>
<td class></td>
</tr>
<tr>
<td class>21+5</td>
<td class>ComputerDnsName</td>
<td class>No mapping</td>
<td class>liz-bean.contoso.com</td>
<td class>The machine fully qualified domain name. Value available for every alert.</td>
<td class></td>
</tr>
<tr>
<td class></td>
<td class>LogOnUsers</td>
<td class>sourceUserId</td>
<td class>contoso\liz-bean; contoso\jay-hardee</td>
<td class>The domain and user of the interactive logon user/s at the time of the event. Note: For machines on Windows 10 version 1607, the domain information will not be available.</td>
<td class></td>
</tr>
<tr>
<td class>Internal field</td>
<td class>LastProcessedTimeUtc</td>
<td class>No mapping</td>
<td class>2017-05-07T01:56:58.9936648Z</td>
<td class>Time when event arrived at the backend. This field can be used when setting the request parameter for the range of time that alerts are retrieved.</td>
<td class></td>
</tr>
<tr>
<td class></td>
<td class>Not part of the schema</td>
<td class>deviceVendor</td>
<td class></td>
<td class>Static value in the ArcSight mapping - 'Microsoft'.</td>
<td class></td>
</tr>
<tr>
<td class></td>
<td class>Not part of the schema</td>
<td class>deviceProduct</td>
<td class></td>
<td class>Static value in the ArcSight mapping - 'Windows Defender ATP'.</td>
<td class></td>
</tr>
<tr>
<td class></td>
<td class>Not part of the schema</td>
<td class>deviceVersion</td>
<td class></td>
<td class>Static value in the ArcSight mapping - '2.0', used to identify the mapping versions.</td>
<td class></td>
</tr>
</table>
>[!NOTE]
> Fields #21-29 are related to Windows Defender Antivirus alerts.
![Image of actor profile with numbers](images/atp-actor.png)
![Image of alert with numbers](images/atp-alert-page.png)
![Image of alert timeline with numbers](images/atp-alert-timeline-numbered.png)
![Image of alert details pane with numbers](images/atp-siem-mapping13.png)
![Image of new alerts with numbers](images/atp-alert-source.png)
![Image of alert timeline with numbers](images/atp-siem-mapping3.png)
![Image of machine timeline with numbers](images/atp-remediated-alert.png)
![Image of alert timeline with numbers](images/atp-siem-mapping4.png)
![Image of file details](images/atp-file-details.png)
![Image machine view](images/atp-mapping6.png)
![Image browser URL](images/atp-mapping5.png)
![Image actor alert](images/atp-mapping7.png)
## Related topics
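Review bot: the hunk carries two tables for the same field mapping, the markdown table headed "Portal label | SIEM field name | Description" (fields numbered 1-29) and the HTML table that adds the ArcSight field and example value columns (numbered 1-22), and the trailing note "Fields #21-29 are related to Windows Defender Antivirus alerts" only matches the markdown numbering; in the HTML table the rows marked "Available for Windows Defender AV alerts" are 11-13 and 16-17, so if the markdown table is the one going away, renumber or drop that note. Two SIEM field names are misspelled, which matters because SIEM parsers match on them: `LastProccesedTimeUtc` in the markdown table versus `LastProcessedTimeUtc` in the HTML table, and `eviceCustomString1` for ThreatName, which by the `deviceCustomString5`/`deviceCustomString6` pattern should be `deviceCustomString1`. Smaller points: the `RemediationAction` row is described as "Windows Defender AV threat category", duplicating the ThreatCategory row, and ends with a stray "|"; the FilePath description ends with a stray "\"; "Availabe" in the Url row; the ComputerDnsName row has the portal label "21+5", which is unclear; and every `<th class>`/`<td class>` carries an empty class attribute that should be dropped. The example values for IpAddress (218.90.204.141) and Url (down.esales360.cn) look like live indicators; documentation-reserved values such as an address from 192.0.2.0/24 and a host under example.com avoid readers copying them into allow or block lists.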

@ -24,14 +24,14 @@ localizationpriority: high
<span id="sccm1606"/>
## Configure endpoints using System Center Configuration Manager (current branch) version 1606
System Center Configuration Manager (current branch) version 1606, has UI integrated support for configuring and managing Windows Defender ATP on endpoints. For more information, see [Support for Windows Defender Advanced Threat Protection service](https://go.microsoft.com/fwlink/p/?linkid=823682).
System Center Configuration Manager (SCCM) (current branch) version 1606, has UI integrated support for configuring and managing Windows Defender ATP on endpoints. For more information, see [Support for Windows Defender Advanced Threat Protection service](https://go.microsoft.com/fwlink/p/?linkid=823682).
>[!NOTE]
> If youre using SCCM client version 1606 with server version 1610 or above, you must upgrade the client version to match the server version.
<span id="sccm1602"/>
## Configure endpoints using System Center Configuration Manager earlier versions
You can use System Center Configuration Managers existing functionality to create a policy to configure your endpoints. This is supported in the following System Center Configuration Manager versions:
You can use existing System Center Configuration Manager functionality to create a policy to configure your endpoints. This is supported in the following System Center Configuration Manager versions:
- System Center 2012 Configuration Manager
- System Center 2012 R2 Configuration Manager
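Review bot: the rewritten lead sentence "System Center Configuration Manager (SCCM) (current branch) version 1606, has UI integrated support ..." keeps the comma between subject and verb from the line it replaces; drop it and hyphenate "UI-integrated". The note "If youre using SCCM client version 1606 with server version 1610 or above" is missing the apostrophe in "you're" as rendered here (the replaced "System Center Configuration Managers existing functionality" had the same problem, which the new wording sidesteps). Expanding SCCM on the lead sentence is good, since the note that follows relies on the abbreviation.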

@ -1,6 +1,6 @@
---
title: Investigate Windows Defender Advanced Threat Protection alerts
description: Use the investigation options to get details on which alerts are affecting your network, what they mean, and how to resolve them.
description: Use the investigation options to get details on alerts are affecting your network, what they mean, and how to resolve them.
keywords: investigate, investigation, machines, machine, endpoints, endpoint, alerts queue, dashboard, IP address, file, submit, submissions, deep analysis, timeline, search, domain, URL, IP
search.product: eADQiWindows 10XVcnh
ms.prod: w10
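Review bot: the new description line "Use the investigation options to get details on alerts are affecting your network, what they mean, and how to resolve them." drops "which" and no longer parses; the line it replaces ("get details on which alerts are affecting your network") reads correctly, so either keep that wording or use "details on the alerts that are affecting your network".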
@ -15,30 +15,35 @@ localizationpriority: high
**Applies to:**
- Windows 10 Enterprise
- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
You can click an alert in any of the [alert queues](alerts-queue-windows-defender-advanced-threat-protection.md) to begin an investigation. Selecting an alert brings up the **Alert management pane**, while clicking an alert brings you the alert details view where general information about the alert, some recommended actions, an alert process tree, an incident graph, and an alert timeline is shown.
Investigate alerts that are affecting your network, what they mean, and how to resolve them. Use the alert details view to see various tiles that provide information about alerts. You can also manage an alert and see alert metadata along with other information that can help you make better decisions on how to approach them.
![Image of the alert page](images/atp-alert-details.png)
The alert context tile shows the where, who, and when context of the alert. As with other pages, you can click on the icon beside the name or user account to bring up the machine or user details pane. The alert details view also has a status tile that shows the status of the alert in the queue. You'll also see a description and a set of recommended actions which you can expand.
For more information about managing alerts, see [Manage alerts](manage-alerts-windows-defender-advanced-threat-protection.md).
The alert details page also shows the alert process tree, an incident graph, and an alert timeline.
You can click on the machine link from the alert view to navigate to the machine. The alert will be highlighted automatically, and the timeline will display the appearance of the alert and its evidence in the **Machine timeline**. If the alert appeared more than once on the machine, the latest occurrence will be displayed in the **Machine timeline**.
Alerts attributed to an adversary or actor display a colored tile with the actor's name.
![A detailed view of an alert when clicked](images/alert-details.png)
![A detailed view of an alert when clicked](images/atp-actor-alert.png)
Click on the actor's name to see the threat intelligence profile of the actor, including a brief overview of the actor, their interests or targets, their tools, tactics, and processes (TTPs) and areas where they've been observed worldwide. You will also see a set of recommended actions to take.
Some actor profiles include a link to download a more comprehensive threat intelligence report.
![Image of detailed actor profile](images/atp-actor-report.png)
![Image of detailed actor profile](images/atp-detailed-actor.png)
The detailed alert profile helps you understand who the attackers are, who they target, what techniques, tools, and procedures (TTPs) they use, which geolocations they are active in, and finally, what recommended actions you may take. In many cases, you can download a more detailed Threat Intelligence report about this attacker or campaign for offline reading.
## Alert process tree
The **Alert process tree** takes alert triage and investigation to the next level, displaying the alert and related evidence and other events that occurred within the same execution context and time. This rich triage context of the alert and surrounding events is available on the alert page.
The **Alert process tree** takes alert triage and investigation to the next level, displaying the alert and related evidence, together with other events that occurred within the same execution context and time. This rich triage context of the alert and surrounding events is available on the alert page.
![Image of the alert process tree](images/atp-alert-process-tree.png)
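Review bot: the two expansions of TTPs in this hunk disagree, "their tools, tactics, and processes (TTPs)" in the actor-profile paragraph and "what techniques, tools, and procedures (TTPs)" in the detailed-profile paragraph; the established expansion is tactics, techniques, and procedures, so use that in both places. In "Selecting an alert brings up the **Alert management pane**, while clicking an alert brings you the alert details view", the text does not say how selecting differs from clicking; name the control used to select an alert, and change "brings you the" to "brings you to the". The "Applies to" list here includes Windows 10 Pro and Windows 10 Pro Education while the investigate-machines hunk later in this commit touches the same two entries with a header that shrinks the block (-15,10 +15,6), so confirm that the two pages are meant to end up with different lists.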
@ -46,11 +51,15 @@ The **Alert process tree** expands to display the execution path of the alert, i
The alert and related events or evidence have circles with thunderbolt icons inside them.
>[!NOTE]
>The alert process tree might not be available in some alerts.
Clicking in the circle immediately to the left of the indicator displays the **Alert details** pane where you can take a deeper look at the details about the alert. It displays rich information about the selected process, file, IP address, and other details taken from the entity's page while remaining on the alert page, so you never leave the current context of your investigation.
Clicking in the circle immediately to the left of the indicator displays its details.
![Image of the alert details pane](images/atp-alert-mgt-pane.png)
The alert details pane helps you take a deeper look at the details about the alert. It displays rich information about the execution details, file details, detections, observed worldwide, observed in organization, and other details taken from the entity's page while remaining on the alert page, so you never leave the current context of your investigation.
## Incident graph
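Review bot: "Clicking in the circle immediately to the left of the indicator displays its details." leaves "its" without a clear referent (the circle, the indicator, or the alert); the replaced sentence named the **Alert details** pane, and the paragraph that follows still opens with "The alert details pane", so keep the pane name in the click instruction. In that following paragraph, "execution details, file details, detections, observed worldwide, observed in organization" are section names of the pane and should be formatted as UI labels (bold), as **Alert details** and **Alert process tree** are elsewhere in the hunk.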
@ -58,9 +67,7 @@ The **Incident Graph** provides a visual representation of the organizational f
![Image of the Incident graph](images/atp-incident-graph.png)
The **Incident Graph** previously supported expansion by File and Process, and now supports expansion by additional criteria: known processes and Destination IP Address.
The Windows Defender ATP service keeps track of "known processes". Alerts related to known processes mostly include specific command lines, that combined are the basis for the alert. The **Incident Graph** supports expanding known processes with their command line to display other machines where the known process and the same command line were observed.
The **Incident Graph** supports expansion by File, Process, command line, or Destination IP Address, as appropriate.
The **Incident Graph** expansion by destination IP Address, shows the organizational footprint of communications with this IP Address without having to change context by navigating to the IP Address page.
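Review bot: the replacement sentence "The **Incident Graph** supports expansion by File, Process, command line, or Destination IP Address, as appropriate." drops the definition of "known processes" that the removed paragraph gave (alerts on known processes are identified by specific command lines, and expanding by command line shows other machines where the same process and command line were observed); without it, "command line" expansion and "as appropriate" are unexplained, so keep one sentence of that definition. Also remove the comma in "expansion by destination IP Address, shows" and use the same capitalization of "Destination IP Address" in both sentences.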

@ -15,10 +15,6 @@ localizationpriority: high
**Applies to:**
- Windows 10 Enterprise
- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
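Review bot: this hunk (-15,10 +15,6) touches the "- Windows 10 Pro" and "- Windows 10 Pro Education" entries of the "Applies to" list, while the investigate-alerts hunk earlier in this commit (-15,30 +15,35) shows the same two entries in a block that grows; the two pages should end up with the same applicability list unless the difference is intentional, so confirm which direction is meant here.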
## Investigate machines
@ -55,7 +51,9 @@ You'll also see details such as logon types for each user account, the user grou
For more information, see [Investigate user entities](investigate-user-windows-defender-advanced-threat-protection.md).
The **Alerts related to this machine** section provides a list of alerts that are associated with the machine. This list is a filtered version of the [Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md), and shows the date when the alert's last activity was detected, a short description of the alert, the user account associated with the alert, the alert's severity, the alert's status in the queue, and who is addressing the alert.
The **Alerts related to this machine** section provides a list of alerts that are associated with the machine. You can also manage alerts from this section by clicking the circle icons to the left of the alert (or using Ctrl or Shift + click to select multiple alerts).
This list is a filtered version of the [Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md), and shows the date when the alert's last activity was detected, a short description of the alert, the user account associated with the alert, the alert's severity, the alert's status in the queue, and who is addressing the alert. You'll also see a list of displayed alerts and you'll be able to quickly know the total number of alerts on the machine.
You can also choose to highlight an alert from the **Alerts related to this machine** or from the **Machine timeline** section to see the correlation between the alert and its related events on the machine by right-clicking on the alert and selecting **Select and mark events**. This highlights the alert and its related events and helps distinguish them from other alerts and events appearing in the timeline. Highlighted events are displayed in all information levels whether you choose to view the timeline by **Detections**, **Behaviors**, or **Verbose**.
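Review bot: in the new second paragraph, "You'll also see a list of displayed alerts and you'll be able to quickly know the total number of alerts on the machine" is vague, since the paragraph already describes the list; say what is actually shown, for example a count of the alerts currently displayed alongside the total number of alerts on the machine. In the first new paragraph, "Ctrl or Shift + click" reads better as "Ctrl+click or Shift+click".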

@ -0,0 +1,119 @@
---
title: Windows Defender Security Center
description: The Windows Defender Security Center brings together common Windows security features into one place
keywords: wdav, smartscreen, antivirus, wdsc, firewall, device health, performance, Edge, browser, family, parental options, security, windows
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: iaanw
---
# The Windows Defender Security Center
**Applies to**
- Windows 10, version 1703
In Windows 10, version 1703 we introduced the new Windows Defender Security Center, which brings together common Windows security features into one, easy-to-use app.
![Screen shot of the Windows Defender Security Center showing that the device is protected and five icons for each of the features](images/security-center-home.png)
Many settings that were previously part of the individual features and main Windows Settings have been combined and moved to the new app, which is installed out-of-the-box as part of Windows 10, version 1703.
The app includes the settings and status for the following security features:
- Virus & threat protection, including settings for Windows Defender Antivirus
- Device performance & health, which includes information about drivers, storage space, and general Windows Update issues
- Firewall & network protection, including Windows Firewall
- App & browser control, covering Windows Defender SmartScreen settings
- Family options, which include a number of parental controls along with tips and information for keeping kids safe online
The Windows Defender Security Center uses the [Windows Security Center service](https://technet.microsoft.com/en-us/library/bb457154.aspx#EDAA) to provide the status and information on 3rd party antivirus and firewall products that are installed on the device.
> [!IMPORTANT]
> Disabling the Windows Security Center service will not disable Windows Defender AV or [Windows Firewall](https://docs.microsoft.com/en-us/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security). These will be disabled automatically when a 3rd party antivirus or firewall product is installed and kept up to date.
> [!WARNING]
> If you do disable the Windows Security Center service, or configure its associated Group Policy settings to prevent it from starting or running, the Windows Defender Security Center may display stale or inaccurate information about any antivirus or firewall products you have installed on the device.
>It may also prevent Windows Defender AV from enabling itself if you have an old or outdated 3rd party antivirus, or if you uninstall any 3rd party antivirus products you may have previously installed.
>This will significantly lower the protection of your device and could lead to malware infection.
## Open the Windows Defender Security Center
- Right-click the icon in the notification area on the taskbar and click **Open**.
![Screen shot of the Shield icon for the Windows Defender Security Center in the bottom Windows task bar](images/security-center-taskbar.png)
- Search the Start menu for **Windows Defender Security Center**.
![Screen shot of the Start menu showing the results of a search for Windows Defender Security Center, the first option with a large shield symbol is selected](images/security-center-start-menu.png)
> [!NOTE]
> Settings configured with management tools, such as Group Policy, Microsoft Intune, or System Center Configuration Manager, will generally take precedence over the settings in the Windows Defender Security Center. Review the settings for each feature in its appropriate library. Links for both home user and enterprise or commercial audiences are listed below.
## How the Windows Defender Security Center works with Windows security features
The Windows Defender Security Center operates as a separate app or process from each of the individual features, and will display notifications through the Action Center.
It acts as a collector or single place to see the status and perform some configuration for each of the features.
Disabling any of the individual features (through Group Policy or other management tools, such as System Center Configuration Manager) will prevent that feature from reporting its status in the Windows Defender Security Center. The Windows Defender Security Center itself will still run and show status for the other security features.
> [!IMPORTANT]
> Individually disabling any of the services will not disable the other services or the Windows Defender Security Center itself.
For example, [using a 3rd party antivirus will disable Windows Defender Antivirus](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus). However, the Windows Defender Security Center will still run, show its icon in the taskbar, and display information about the other features, such as Windows Defender SmartScreen and Windows Firewall.
The presence of the 3rd party antivirus will be indicated under the **Virus & threat protection** section in the Windows Defender Security Center.
## More information
See the following links for more information on the features in the Windows Defender Security Center:
- Windows Defender Antivirus
- IT administrators and IT pros can get configuration guidance from the [Windows Defender Antivirus in the Windows Defender Security Center topic](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus) and the [Windows Defender Antivirus documentation library](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10)
- Home users can learn more at the [Virus & threat protection in Windows Defender Security Center topic at support.microsoft.com](https://support.microsoft.com/en-us/help/4012987/windows-10-virus-threat-protection-windows-defender-security-center)
- Device performance & health
- It administrators and IT pros can [configure the Load and unload device drivers security policy setting](https://docs.microsoft.com/en-us/windows/device-security/security-policy-settings/load-and-unload-device-drivers), and learn how to [deploy drivers during Windows 10 deployment using System Center Configuration Manager](https://docs.microsoft.com/en-us/windows/deployment/deploy-windows-sccm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager)
- Home users can learn more at the [Track your device and performance health in Windows Defender Security Center topic at support.microsoft.com](https://support.microsoft.com/en-us/help/4012986/windows-defender-track-your-device-performance-health)
- Windows Firewall
- IT administrators and IT pros can get configuration guidance from the [Windows Firewall with Advanced Security documentation library](https://docs.microsoft.com/en-us/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security)
- Home users can learn more at the [Firewall & network protection in Windows Defender Security Center topic at support.microsoft.com](https://support.microsoft.com/en-us/help/4012988/windows-10-firewall-network-protection-windows-defender-security-center)
- Windows Defender SmartScreen
- IT administrators and IT pros can get configuration guidance from the [Windows Defender SmartScreen documentation library](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview)
- Home users can learn more at the [App & browser control in Windows Defender Security Center topic at support.microsoft.com](https://support.microsoft.com/en-us/help/4013218/windows-10-app-browser-control-in-windows-defender)
- Family options, which include a number of parental controls along with tips and information for keeping kids safe online
- Home users can learn more at the [Help protection your family online in Windows Defender Security Center topic at support.microsoft.com](https://support.microsoft.com/en-us/help/4013209/windows-10-protect-your-family-online-in-windows-defender)
>[!NOTE]
>The Windows Defender Security Center app is a client interface on Windows 10, version 1703. It is not the Windows Defender Security Center web portal that is used to review and manage [Windows Defender Advanced Threat Protection](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection).
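Review bot: the front matter declares `ms.pagetype: security` twice (once before `ms.prod: w10` and again after `ms.sitesec: library`); duplicate YAML keys are rejected by some parsers, so drop one. Typos: "It administrators and IT pros" under Device performance & health should be "IT administrators"; "Help protection your family online" should be "Help protect your family online". Style: the warning block's second and third lines (">It may also prevent ..." and ">This will significantly lower ...") are missing the space after ">" that the first line has, and the "Family options" bullet in "More information" repeats the full feature description from the list above instead of just the feature name. On the security point itself, the IMPORTANT note says Windows Defender AV and Windows Firewall are disabled automatically when a third-party antivirus or firewall product is installed and kept up to date, and the WARNING below says that disabling the Windows Security Center service can stop Windows Defender AV from re-enabling itself when that product is outdated or uninstalled; state explicitly that the service must stay running for that fallback to work, since that is the reason a reader should not disable it.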