diff --git a/windows/client-management/mdm/policy-csp-deliveryoptimization.md b/windows/client-management/mdm/policy-csp-deliveryoptimization.md index a6226c81d3..bc9b57fc40 100644 --- a/windows/client-management/mdm/policy-csp-deliveryoptimization.md +++ b/windows/client-management/mdm/policy-csp-deliveryoptimization.md @@ -6,14 +6,11 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 05/15/2019 +ms.date: 05/21/2019 --- # Policy CSP - DeliveryOptimization -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. -
diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md index 4db9f3f778..066e52e609 100644 --- a/windows/client-management/mdm/policy-csp-experience.md +++ b/windows/client-management/mdm/policy-csp-experience.md @@ -6,15 +6,11 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 05/14/2019 +ms.date: 05/21/2019 --- # Policy CSP - Experience -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. - -
diff --git a/windows/client-management/mdm/policy-csp-internetexplorer.md b/windows/client-management/mdm/policy-csp-internetexplorer.md index 823af29f0b..c9be35eac1 100644 --- a/windows/client-management/mdm/policy-csp-internetexplorer.md +++ b/windows/client-management/mdm/policy-csp-internetexplorer.md @@ -6,13 +6,12 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 05/14/2018 +ms.date: 05/21/2019 --- # Policy CSP - InternetExplorer -
@@ -40,6 +39,9 @@ ms.date: 05/14/2018
+ +**InternetExplorer/AllowEnhancedSuggestionsInAddressBar** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
 |
+  6 |
+ 6 |
+ 6 |
+ 6 |
+ |
+ |
+
+ + + +This policy setting allows Internet Explorer to provide enhanced suggestions as the user types in the Address bar. To provide enhanced suggestions, the user's keystrokes are sent to Microsoft through Microsoft services. + +If you enable this policy setting, users receive enhanced suggestions while typing in the Address bar. In addition, users cannot change the Suggestions setting on the Settings charm. + +If you disable this policy setting, users do not receive enhanced suggestions while typing in the Address bar. In addition, users cannot change the Suggestions setting on the Settings charm. + +If you do not configure this policy setting, users can change the Suggestions setting on the Settings charm. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow Microsoft services to provide enhanced suggestions as the user types in the Address bar* +- GP name: *AllowServicePoweredQSA* +- GP path: *Windows Components/Internet Explorer* +- GP ADMX file name: *inetres.admx* + + + +Supported values: +- 0 - Disabled +- 1 - Enabled (Default) + + + + + + + + + +
+ **InternetExplorer/AllowEnterpriseModeFromToolsMenu** @@ -2713,6 +2809,80 @@ ADMX Info:
+ +**InternetExplorer/DisableActiveXVersionListAutoDownload** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ 6 |
+ 6 |
+ 6 |
+ 6 |
+ |
+ |
+
+ + + +This setting determines whether IE automatically downloads updated versions of Microsoft’s VersionList.XML. IE uses this file to determine whether an ActiveX control should be stopped from loading. + +> [!Caution] +> If you enable this setting, IE stops downloading updated versions of VersionList.XML. Turning off this automatic download breaks the [out-of-date ActiveX control blocking feature](https://docs.microsoft.com/en-us/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking) by not letting the version list update with newly outdated controls, potentially compromising the security of your computer. + +If you disable or do not configure this setting, IE continues to download updated versions of VersionList.XML. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off automatic download of the ActiveX VersionList* +- GP name: *VersionListAutomaticDownloadDisable* +- GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management* +- GP ADMX file name: *inetres.admx* + + + +Supported values: +- 0 - Enabled +- 1 - Disabled (Default) + + + + + + + + + +
+ **InternetExplorer/DisableAdobeFlash** @@ -2904,6 +3074,80 @@ ADMX Info:
+ +**InternetExplorer/DisableCompatView** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ 6 |
+ 6 |
+ 6 |
+ 6 |
+ |
+ |
+
+ + + +This policy setting controls the Compatibility View feature, which allows users to fix website display problems that they may encounter while browsing. + +If you enable this policy setting, the user cannot use the Compatibility View button or manage the Compatibility View sites list. + +If you disable or do not configure this policy setting, the user can use the Compatibility View button and manage the Compatibility View sites list. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off Compatibility View* +- GP name: *CompatView_DisableList* +- GP path: *Windows Components/Internet Explorer/Compatibility View* +- GP ADMX file name: *inetres.admx* + + + +Supported values: +- 0 - Disabled (Default) +- 1 - Enabled + + + + + + + + + +
+ **InternetExplorer/DisableConfiguringHistory** @@ -3290,6 +3534,80 @@ ADMX Info:
+ +**InternetExplorer/DisableFeedsBackgroundSync** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ 6 |
+ 6 |
+ 6 |
+ 6 |
+ |
+ |
+
+ + + +This policy setting allows you to choose whether or not to have background synchronization for feeds and Web Slices. + +If you enable this policy setting, the ability to synchronize feeds and Web Slices in the background is turned off. + +If you disable or do not configure this policy setting, the user can synchronize feeds and Web Slices in the background. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off background synchronization for feeds and Web Slices* +- GP name: *Disable_Background_Syncing* +- GP path: *Windows Components/RSS Feeds* +- GP ADMX file name: *inetres.admx* + + + +Supported values: +- 0 - Enabled (Default) +- 1 - Disabled + + + + + + + + + +
+ **InternetExplorer/DisableFirstRunWizard** @@ -3424,6 +3742,82 @@ ADMX Info:
+ +**InternetExplorer/DisableGeolocation** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ 6 |
+ 6 |
+ 6 |
+ 6 |
+ |
+ |
+
+ + + +This policy setting allows you to disable browser geolocation support. This prevents websites from requesting location data about the user. + +If you enable this policy setting, browser geolocation support is turned off. + +If you disable this policy setting, browser geolocation support is turned on. + +If you do not configure this policy setting, browser geolocation support can be turned on or off in Internet Options on the Privacy tab. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off browser geolocation* +- GP name: *GeolocationDisable* +- GP path: *Windows Components/Internet Explorer* +- GP ADMX file name: *inetres.admx* + + + +Supported values: +- 0 - Disabled (Default) +- 1 - Enabled + + + + + + + + + +
+ **InternetExplorer/DisableHomePageChange** @@ -4001,6 +4395,82 @@ ADMX Info:
+ +**InternetExplorer/DisableWebAddressAutoComplete** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ 6 |
+ 6 |
+ 6 |
+ 6 |
+ |
+ |
+
+ + + +This AutoComplete feature suggests possible matches when users are entering Web addresses in the browser address bar. + +If you enable this policy setting, users are not suggested matches when entering Web addresses. The user cannot change the auto-complete for web-address setting. + +If you disable this policy setting, users are suggested matches when entering Web addresses. The user cannot change the auto-complete for web-address setting. + +If you do not configure this policy setting, users can choose to turn the auto-complete setting for web-addresses on or off. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off the auto-complete feature for web addresses* +- GP name: *RestrictWebAddressSuggest* +- GP path: *Windows Components/Internet Explorer* +- GP ADMX file name: *inetres.admx* + + + +Supported values: +- yes - Disabled (Default) +- no - Enabled + + + + + + + + + +
+ **InternetExplorer/DoNotAllowActiveXControlsInProtectedMode** @@ -12568,6 +13038,83 @@ ADMX Info:
+ +**InternetExplorer/NewTabDefaultPage** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
|
+ 6 |
+ 6 |
+ 6 |
+ 6 |
+ |
+ |
+
+ + + +This policy setting allows you to specify what is displayed when the user opens a new tab. + +If you enable this policy setting, you can choose which page to display when the user opens a new tab: blank page (about:blank), the first home page, the new tab page or the new tab page with my news feed. + +If you disable or do not configure this policy setting, users can select their preference for this behavior. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Specify default behavior for a new tab* +- GP name: *NewTabAction* +- GP path: *Windows Components/Internet Explorer* +- GP ADMX file name: *inetres.admx* + + + + +Supported values: +- 0 - NewTab_AboutBlank (about:blank) +- 1 - NewTab_Homepage (Home page) +- 2 - NewTab_AboutTabs (New tab page) +- 3 - NewTab_AboutNewsFeed (New tab page with my news feed) (Default) + + + + + + + + + +
+ **InternetExplorer/NotificationBarInternetExplorerProcesses** @@ -16878,14 +17425,53 @@ ADMX Info: + + + + +## InternetExplorer policies supported by Windows Holographic + +- [InternetExplorer/DisableActiveXVersionListAutoDownload](#internetexplorer-disableactivexversionlistautodownload) +- [InternetExplorer/DisableCompatView](#internetexplorer-disablecompatview) +- [InternetExplorer/DisableGeolocation](#internetexplorer-disablegeolocation) + + + +## InternetExplorer policies supported by Windows Holographic for Business + +- [InternetExplorer/DisableActiveXVersionListAutoDownload](#internetexplorer-disableactivexversionlistautodownload) +- [InternetExplorer/DisableCompatView](#internetexplorer-disablecompatview) +- [InternetExplorer/DisableGeolocation](#internetexplorer-disablegeolocation) + + + +## InternetExplorer policies supported by IoT Core + +- [InternetExplorer/DisableActiveXVersionListAutoDownload](#internetexplorer-disableactivexversionlistautodownload) +- [InternetExplorer/DisableCompatView](#internetexplorer-disablecompatview) +- [InternetExplorer/DisableGeolocation](#internetexplorer-disablegeolocation) + + + +## InternetExplorer policies supported by IoT Enterprise + +- [InternetExplorer/AllowEnhancedSuggestionsInAddressBar](#internetexplorer-allowenhancedsuggestionsinaddressbar) +- [InternetExplorer/DisableActiveXVersionListAutoDownload](#internetexplorer-disableactivexversionlistautodownload) +- [InternetExplorer/DisableCompatView](#internetexplorer-disablecompatview) +- [InternetExplorer/DisableFeedsBackgroundSync](#internetexplorer-disablefeedsbackgroundsync) +- [InternetExplorer/DisableGeolocation](#internetexplorer-disablegeolocation) +- [InternetExplorer/DisableWebAddressAutoComplete](#internetexplorer-disablewebaddressautocomplete) +- [InternetExplorer/NewTabDefaultPage](#internetexplorer-newtabdefaultpage) + + +
-Footnote: +Footnotes: - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. - - - +- 5 - Added in Windows 10, version 1809. +- 6 - Added in Windows 10, version 1903. \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-power.md b/windows/client-management/mdm/policy-csp-power.md index 3b9db5c095..e1aab20c25 100644 --- a/windows/client-management/mdm/policy-csp-power.md +++ b/windows/client-management/mdm/policy-csp-power.md @@ -6,13 +6,11 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 05/03/2019 +ms.date: 05/21/2019 --- # Policy CSP - Power -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
diff --git a/windows/client-management/mdm/policy-csp-search.md b/windows/client-management/mdm/policy-csp-search.md index 71f49109e0..03e8096529 100644 --- a/windows/client-management/mdm/policy-csp-search.md +++ b/windows/client-management/mdm/policy-csp-search.md @@ -6,13 +6,11 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 05/14/2019 +ms.date: 05/21/2019 --- # Policy CSP - Search -> [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index 92fd30f9bb..63e951ca84 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -6,14 +6,11 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 05/09/2019 +ms.date: 05/21/2019 --- # Policy CSP - System -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. -
diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 9c370fa02c..78dfe6c171 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -6,14 +6,11 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 05/08/2019 +ms.date: 05/21/2019 --- # Policy CSP - Update -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. -
diff --git a/windows/client-management/mdm/policy-csp-windowslogon.md b/windows/client-management/mdm/policy-csp-windowslogon.md index 14369d49d1..986631e067 100644 --- a/windows/client-management/mdm/policy-csp-windowslogon.md +++ b/windows/client-management/mdm/policy-csp-windowslogon.md @@ -6,13 +6,11 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 05/07/2019 +ms.date: 05/21/2019 --- # Policy CSP - WindowsLogon -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
diff --git a/windows/client-management/mdm/policy-ddf-file.md b/windows/client-management/mdm/policy-ddf-file.md index e9e1339f46..7508d7364c 100644 --- a/windows/client-management/mdm/policy-ddf-file.md +++ b/windows/client-management/mdm/policy-ddf-file.md @@ -7,18 +7,17 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 08/29/2018 +ms.date: 05/21/2019 --- # Policy DDF file -> [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. This topic shows the OMA DM device description framework (DDF) for the **Policy** configuration service provider. DDF files are used only with OMA DM provisioning XML. You can download the DDF files from the links below: +- [Download the Policy DDF file for Windows 10, version 1809](http://download.microsoft.com/download/7/3/5/735B8537-82F4-4CD1-B059-93984F9FAAC5/PolicyDDF_all_1809.xml) - [Download the Policy DDF file for Windows 10, version 1803](https://download.microsoft.com/download/4/9/6/496534EE-8F0C-4F12-B084-A8502DA22430/PolicyDDF_all.xml) - [Download the Policy DDF file for Windows 10, version 1803 release C](http://download.microsoft.com/download/4/9/6/496534EE-8F0C-4F12-B084-A8502DA22430/PolicyDDF_all_1809C_release.xml) - [Download the Policy DDF file for Windows 10, version 1709](https://download.microsoft.com/download/8/C/4/8C43C116-62CB-470B-9B69-76A3E2BC32A8/PolicyDDF_all.xml) @@ -27,7 +26,7 @@ You can download the DDF files from the links below: - [Download the Policy DDF file for Windows 10, version 1607 release 8C](https://download.microsoft.com/download/6/1/C/61C022FD-6F5D-4F73-9047-17F630899DC4/PolicyDDF_all_version1607_8C.xml) - [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download) -The XML below is the DDF for Windows 10, version 1809. +The XML below is the DDF for Windows 10, version 1903. ``` syntax @@ -53,7 +52,7 @@ The XML below is the DDF for Windows 10, version 1809.
The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs.| |Print 3D app|Going forward, 3D Builder is the recommended 3D printing app. To 3D print objects on new Windows devices, customers must first install 3D Builder from the Store.| diff --git a/windows/deployment/update/update-compliance-feature-update-status.md b/windows/deployment/update/update-compliance-feature-update-status.md index 4dbf3ca380..d2b2333afa 100644 --- a/windows/deployment/update/update-compliance-feature-update-status.md +++ b/windows/deployment/update/update-compliance-feature-update-status.md @@ -32,3 +32,16 @@ Refer to the following list for what each state means: * Devices that have failed the given feature update installation are counted as **Update failed**. * If a device should be, in some way, progressing toward this security update, but its status cannot be inferred, it will count as **Status Unknown**. Devices not using Windows Update are the most likely devices to fall into this category. +## Compatibility holds + +Microsoft uses diagnostic data to determine whether devices that use Windows Update are ready for a feature update in order to ensure a smooth experience. When Microsoft determines a device is not ready to update due to a known issue, a *compatibility hold* is generated to delay the device’s upgrade and safeguard the end-user experience. Holds are released over time as diagnostic data is analyzed and fixes are addressed. Details are provided on some, but not all compatibility holds on the Windows 10 release information page for any given release. + +To learn how compatibility holds are reflected in the experience, see [Update compliance perspectives](update-compliance-perspectives.md#deployment-status). + +### Opting out of compatibility hold + +Microsoft will release a device from a compatibility hold when it has determined it can safely and smoothly install a feature update, but you are ultimately in control of your devices and can opt out if desired. To opt out, set the registry key **HKLM\Software\Microsoft\Windows NT\CurrentVersion\502505fe-762c-4e80-911e-0c3fa4c63fb0** to a name of **DataRequireGatedScanForFeatureUpdates** and a value of **0**. + + +Setting this registry key to **0** will force the device to opt out from *all* compatibility holds. Any other value, or deleting the key, will resume compatibility protection on the device. + diff --git a/windows/deployment/update/update-compliance-perspectives.md b/windows/deployment/update/update-compliance-perspectives.md index f0403b00c8..e08be87ab9 100644 --- a/windows/deployment/update/update-compliance-perspectives.md +++ b/windows/deployment/update/update-compliance-perspectives.md @@ -23,6 +23,8 @@ The first blade is the **Build Summary** blade. This blade summarizes the most i The second blade is the **Deferral Configurations** blade, breaking down Windows Update for Business deferral settings (if any). +## Deployment status + The third blade is the **Deployment Status** blade. This defines how many days it has been since the queried version has been released, and breaks down the various states in the update funnel each device has reported to be in. The possible states are as follows: | State | Description | @@ -35,6 +37,9 @@ The third blade is the **Deployment Status** blade. This defines how many days i | Blocked | There is a hard block on the update being completed. This could be that another update must be completed before this one, or some other task is blocking the installation of the update. | | Unknown | Devices that do not report detailed information on the status of their updates will report Unknown. This is most likely devices that do not use Windows Update for deployment. | | Update paused | These devices have Windows Update for Business pause enabled, preventing this update from being installed. | +| Failed | A device is unable to install an update. This failure could be linked to a serious error in the update installation process or, in some cases, a [compatibility hold](update-compliance-feature-update-status.md#compatibility-holds). | + +## Detailed deployment status The final blade is the **Detailed Deployment Status** blade. This blade breaks down the detailed stage of deployment a device is in, beyond the generalized terms defined in Deployment Status. The following are the possible stages a device can report: @@ -44,6 +49,7 @@ The final blade is the **Detailed Deployment Status** blade. This blade breaks d | Update paused | The device’s Windows Update for Business policy dictates the update is paused from being offered. | | Update offered | The device has been offered the update, but has not begun downloading it. | | Pre-Download tasks passed | The device has finished all necessary tasks prior to downloading the update. | +| Compatibility hold | The device has been placed under a *compatibility hold* to ensure a smooth feature update experience and will not resume the update until the hold has been cleared. For more information see [Feature Update Status report](update-compliance-feature-update-status.md#compatibility-holds) | | Download Started | The update has begun downloading on the device. | | Download Succeeded | The update has successfully completed downloading. | | Pre-Install Tasks Passed | Tasks that must be completed prior to installing the update have been completed. | diff --git a/windows/deployment/windows-autopilot/windows-autopilot-reset-remote.md b/windows/deployment/windows-autopilot/windows-autopilot-reset-remote.md index 7e67c7eca1..a0415fac11 100644 --- a/windows/deployment/windows-autopilot/windows-autopilot-reset-remote.md +++ b/windows/deployment/windows-autopilot/windows-autopilot-reset-remote.md @@ -21,7 +21,7 @@ ms.topic: article When performing a remote Windows Autopilot Reset, an MDM service such an Microsoft Intune can be used to initiate the reset process, avoiding the need for IT staff or other administrators to visit each machine to initiate the process. -To enable a device for a remote Windows Autopilot Reset, the device must be MDM managed, joined to Azure AD, and configured to use the [enrollment status page](enrollment-status.md). This feature is not supported on devices that were enrolled using [Autopilot self deploying mode](self-deploying.md). +To enable a device for a remote Windows Autopilot Reset, the device must be MDM managed and joined to Azure AD. This feature is not supported on devices that were enrolled using [Autopilot self deploying mode](self-deploying.md). ## Triggering a remote Windows Autopilot Reset diff --git a/windows/hub/index.md b/windows/hub/index.md index dac41359d2..805d3fa7cd 100644 --- a/windows/hub/index.md +++ b/windows/hub/index.md @@ -15,19 +15,14 @@ ms.date: 10/02/2018 Find the latest how to and support content that IT pros need to evaluate, plan, deploy, secure and manage devices running Windows 10 or Windows 10 Mobile. - - -> [!video https://www.youtube.com/embed/hAva4B-wsVA] - - -## Check out [what's new in Windows 10, version 1809](/windows/whats-new/whats-new-windows-10-version-1809). +## Check out [what's new in Windows 10, version 1903](/windows/whats-new/whats-new-windows-10-version-1903).
-
+
What's New? |
diff --git a/windows/privacy/TOC.md b/windows/privacy/TOC.md
index cd6466b6eb..9247b0b811 100644
--- a/windows/privacy/TOC.md
+++ b/windows/privacy/TOC.md
@@ -18,10 +18,14 @@
### [Windows 10, version 1709 and newer diagnostic data for the Full level](windows-diagnostic-data.md)
### [Windows 10, version 1703 diagnostic data for the Full level](windows-diagnostic-data-1703.md)
## Manage Windows 10 connection endpoints
-### [Connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md)
-### [Connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md)
+### [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)
+### [Manage connections from Windows operating system components to Microsoft services using MDM](manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md)
+### [Connection endpoints for Windows 10, version 1903](manage-windows-1903-endpoints.md)
### [Connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md)
-### [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md)
-### [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions.md)
-### [Windows 10, version 1809, connection endpoints for non-Enterprise editions](windows-endpoints-1809-non-enterprise-editions.md)
-## [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)
+### [Connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md)
+### [Connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md)
+### [Connection endpoints for non-Enterprise editions of Windows 10, version 1903](windows-endpoints-1903-non-enterprise-editions.md)
+### [Connection endpoints for non-Enterprise editions of Windows 10, version 1809](windows-endpoints-1809-non-enterprise-editions.md)
+### [Connection endpoints for non-Enterprise editions of Windows 10, version 1803](windows-endpoints-1803-non-enterprise-editions.md)
+### [Connection endpoints for non-Enterprise editions of Windows 10, version 1709](windows-endpoints-1709-non-enterprise-editions.md)
+
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
new file mode 100644
index 0000000000..53034ea742
--- /dev/null
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
@@ -0,0 +1,135 @@
+---
+title: Manage connections from Windows operating system components to Microsoft services using Microsoft Intune MDM Server
+description: Use MDM CSPs to minimize connections from Windows to Microsoft services, or to configure particular privacy settings.
+ms.assetid: ACCEB0DD-BC6F-41B1-B359-140B242183D9
+keywords: privacy, manage connections to Microsoft, Windows 10
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.localizationpriority: medium
+author: medgarmedgar
+ms.author: v-medgar
+ms.date: 3/1/2019
+---
+
+# Manage connections from Windows operating system components to Microsoft services using Microsoft Intune MDM Server
+
+**Applies to**
+
+- Windows 10 Enterprise 1903 version and newer
+
+You can use Microsoft InTune with MDM CSPs and custom [OMA URIs](https://docs.microsoft.com/en-us/intune/custom-settings-windows-10) to minimize connections from Windows to Microsoft services, or to configure particular privacy settings. You can configure diagnostic data at the lowest level for your edition of Windows, and also evaluate which other connections Windows makes to Microsoft services you want to turn off in your environment from the list in this article.
+
+To ensure CSPs take priority over Group Policies in case of conflicts, use the [ControlPolicyConflict](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy.
+
+You can configure diagnostic data at the Security/Basic level, turn off Windows Defender diagnostic data and MSRT reporting, and turn off all other connections to Microsoft network endpoints as described in this article to help prevent Windows from sending any data to Microsoft. There are many reasons why these communications are enabled by default, such as updating malware definitions and maintain current certificate revocation lists, which is why we strongly recommend against this. This data helps us deliver a secure, reliable, and more delightful personalized experience.
+
+Note, there is some traffic which is required (i.e. "whitelisted") for the operation of Windows and the Microsoft InTune based management. This traffic includes CRL and OCSP network traffic which will show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of them, but there are many others, such as DigiCert, Thawte, Google, Symantec, and VeriSign. Additional whitelisted traffic specifically for MDM managed devices includes Windows Notification Service related traffic as well as some specific Microsoft InTune and Windows Update related traffic.
+
+For more information on Microsoft InTune please see [Transform IT service delivery for your modern workplace](https://www.microsoft.com/en-us/enterprise-mobility-security/microsoft-intune?rtc=1) and [Microsoft Intune documentation](https://docs.microsoft.com/en-us/intune/).
+
+For detailed information about managing network connections to Microsoft services using Registries, Group Policies, or UI see [Manage connections from Windows operating system components to Microsoft services](https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services).
+
+
+The endpoints for the MDM “whitelisted” traffic are in the [Whitelisted Traffic](#bkmk-mdm-whitelist).
+
+
+### Settings for Windows 10 Enterprise edition 1903 and newer
+
+The following table lists management options for each setting.
+
+For Windows 10, the following MDM policies are available in the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx).
+
+| Setting | MDM Policy | Description |
+| --- | --- | --- |
+| 1. Automatic Root Certificates Update | There is intentionally no MDM available for Automatic Root Certificate Update. | This MDM does not exist since it would prevent the operation and management of MDM management of devices.
+| 2. Cortana and Search | [Experience/AllowCortana](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-allowcortana) | Choose whether to let Cortana install and run on the device. **Set to 0 (zero)**
+| | [Search/AllowSearchToUseLocation](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-search#search-allowsearchtouselocation) | Choose whether Cortana and Search can provide location-aware search results. **Set to 0 (zero)**
+| 3. Date & Time | [Settings/AllowDateTime](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-settings#settings-allowdatetime)| Allows the user to change date and time settings. **Set to 0 (zero)**
+| 4. Device metadata retrieval | [DeviceInstallation/PreventDeviceMetadataFromNetwork](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-preventdevicemetadatafromnetwork) | Choose whether to prevent Windows from retrieving device metadata from the Internet. **Set to Enabled**
+| 5. Find My Device | [Experience/AllowFindMyDevice](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-allowfindmydevice)| This policy turns on Find My Device. **Set to 0 (zero)**
+| 6. Font streaming | [System/AllowFontProviders](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-system#system-allowfontproviders) | Setting that determines whether Windows is allowed to download fonts and font catalog data from an online font provider. **Set to 0 (zero)**
+| 7. Insider Preview builds | [System/AllowBuildPreview](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-system#system-allowbuildpreview) | This policy setting determines whether users can access the Insider build controls in the Advanced Options for Windows Update. **Set to 0 (zero)**
+| 8. Internet Explorer | The following Microsoft Internet Explorer MDM policies are available in the [Internet Explorer CSP](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-internetexplorer) |
+| | [InternetExplorer/AllowSuggestedSites](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-internetexplorer#internetexplorer-allowsuggestedsites) | Recommends websites based on the user’s browsing activity. **Set to Disabled**
+| | [InternetExplorer/PreventManagingSmartScreenFilter]( https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-internetexplorer#internetexplorer-preventmanagingsmartscreenfilter) | Prevents the user from managing SmartScreen Filter, which warns the user if the website being visited is known for fraudulent attempts to gather personal information through "phishing," or is known to host malware. **Set to Enabled**
+| | [InternetExplorer/DisableFlipAheadFeature]( https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-internetexplorer#internetexplorer-disableflipaheadfeature) | Determines whether a user can swipe across a screen or click Forward to go to the next pre-loaded page of a website. **Set to Enabled**
+| | [InternetExplorer/DisableHomePageChange]( https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-internetexplorer#internetexplorer-disablehomepagechange) | Determines whether users can change the default Home Page or not. **Set to Enabled**
+| | [InternetExplorer/DisableFirstRunWizard]( https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-internetexplorer#internetexplorer-disablefirstrunwizard) | Prevents Internet Explorer from running the First Run wizard the first time a user starts the browser after installing Internet Explorer or Windows. **Set to Enabled**
+| 9. Live Tiles | [Notifications/DisallowTileNotification](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-notifications)| This policy setting turns off tile notifications. If you enable this policy setting applications and system features will not be able to update their tiles and tile badges in the Start screen. **Set to Enabled**
+| 10. Mail synchronization | [Accounts/AllowMicrosoftAccountConnection](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-accounts#accounts-allowmicrosoftaccountconnection) | Specifies whether the user is allowed to use an MSA account for non-email related connection authentication and services. **Set to 0 (zero)**
+| 11. Microsoft Account | [Accounts/AllowMicrosoftAccountSignInAssistant](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-accounts#accounts-allowmicrosoftaccountsigninassistant) | Disable the Microsoft Account Sign-In Assistant. **Set to 0 (zero)**
+| 12. Microsoft Edge | | The following Microsoft Edge MDM policies are available in the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). For a complete list of the Microsoft Edge policies, see [Available policies for Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/available-policies).
+| | [Browser/AllowAutoFill](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowautofill) | Choose whether employees can use autofill on websites. **Set to 0 (zero)**
+| | [Browser/AllowDoNotTrack](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowdonottrack) | Choose whether employees can send Do Not Track headers. **Set to 0 (zero)**
+| | [Browser/AllowMicrosoftCompatbilityList](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowmicrosoftcompatibilitylist) | Specify the Microsoft compatibility list in Microsoft Edge. **Set to 0 (zero)**
+| | [Browser/AllowPasswordManager](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowpasswordmanager) | Choose whether employees can save passwords locally on their devices. **Set to 0 (zero)**
+| | [Browser/AllowSearchSuggestionsinAddressBar](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowsearchsuggestionsinaddressbar) | Choose whether the Address Bar shows search suggestions. **Set to 0 (zero)**
+| | [Browser/AllowSmartScreen](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowsmartscreen) | Choose whether SmartScreen is turned on or off. **Set to 0 (zero)**
+| 13. Network Connection Status Indicator | [Connectivity/DisallowNetworkConnectivityActiveTests](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-connectivity#connectivity-disallownetworkconnectivityactivetests) | Note: After you apply this policy you must restart the device for the policy setting to take effect. **Set to 1 (one)**
+| 14. Offline maps | [AllowOfflineMapsDownloadOverMeteredConnection](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-maps)|Allows the download and update of map data over metered connections.
| Current status: - Windows 10, version 1903 is available by manually by selecting “Check for updates” via Windows Update. (Note: We are slowly throttling up this availability while we carefully monitor data and feedback). The recommended servicing status is Semi-Annual Channel.
+ Windows 10, version 1903 is available by manually selecting “Check for updates” via Windows Update. (Note We are slowly throttling up this availability while we carefully monitor data and feedback.) The recommended servicing status is Semi-Annual Channel.
|
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.
| Summary | Originating update | Status | Last updated |
| Display brightness may not respond to adjustments Microsoft and Intel have identified a driver compatibility issue on devices configured with certain Intel drivers. See details > | OS Build 18362.116 May 20, 2019 KB4505057 | Investigating | May 21, 2019 07:56 AM PT |
| Duplicate folders and documents showing in user profile directory If known folders (e.g. Desktop, Documents, or Pictures folders) are redirected, an empty folder with that same name may be created. See details > | OS Build 18362.116 May 20, 2019 KB4505057 | Investigating | May 21, 2019 07:35 AM PT |
| Audio not working with Dolby Atmos headphones and home theater Users may experience audio loss with Dolby Atmos headphones or Dolby Atmos home theater. See details > | OS Build 18362.116 May 20, 2019 KB4505057 | Investigating | May 21, 2019 07:17 AM PT |
| Intel Audio displays an intcdaud.sys notification Microsoft and Intel have identified an issue with a range of Intel Display Audio device drivers that may result in battery drain. See details > | OS Build 18362.116 May 20, 2019 KB4505057 | Mitigated | May 21, 2019 08:34 AM PT |
| Error attempting to update with external USB device or memory card attached PCs with an external USB device or SD memory card attached may get error: \"This PC can't be upgraded to Windows 10.\" See details > | OS Build 18362.116 May 20, 2019 KB4505057 | Mitigated | May 21, 2019 07:38 AM PT |
| Older versions of BattlEye anti-cheat software incompatible Microsoft and BattlEye have identified a compatibility issue with some games that use older versions of BattlEye anti-cheat software. See details > | OS Build 18362.116 May 20, 2019 KB4505057 | Mitigated | May 21, 2019 07:34 AM PT |
| Unable to discover or connect to Bluetooth devices Microsoft has identified compatibility issues with some versions of Realtek and Qualcomm Bluetooth radio drivers. See details > | OS Build 18362.116 May 20, 2019 KB4505057 | Mitigated | May 21, 2019 07:29 AM PT |
| Night light settings do not apply in some cases Microsoft has identified some scenarios where night light settings may stop working. See details > | OS Build 18362.116 May 20, 2019 KB4505057 | Mitigated | May 21, 2019 07:28 AM PT |
| Cannot launch Camera app Microsoft and Intel have identified an issue affecting Intel RealSense SR300 or Intel RealSense S200 camera apps. See details > | OS Build 18362.116 May 20, 2019 KB4505057 | Mitigated | May 21, 2019 07:20 AM PT |
| Intermittent Wi-Fi connectivity loss Some older devices may experience losing Wi-Fi connectivity due to an outdated Qualcomm driver. See details > | OS Build 18362.116 May 20, 2019 KB4505057 | Mitigated | May 21, 2019 07:13 AM PT |
| AMD RAID driver incompatibility Installation process may stop when trying to instal Windows 10, version 1903 update on computers that run certain versions of AMD RAID drivers. See details > | OS Build 18362.116 May 20, 2019 KB4505057 | Mitigated | May 21, 2019 07:12 AM PT |
| D3D applications and games may fail to enter full-screen mode on rotated displays Some Direct 3D (D3D) applications and games may fail to enter full-screen mode on rotated displays. See details > | OS Build 18362.116 May 20, 2019 KB4505057 | Mitigated | May 21, 2019 07:05 AM PT |
| Display brightness may not respond to adjustments Microsoft and Intel have identified a driver compatibility issue on devices configured with certain Intel display drivers. See details > | OS Build 18362.116 May 21, 2019 KB4505057 | Investigating | May 21, 2019 04:47 PM PT |
| Audio not working with Dolby Atmos headphones and home theater Users may experience audio loss with Dolby Atmos headphones or Dolby Atmos home theater. See details > | OS Build 18362.116 May 21, 2019 KB4505057 | Investigating | May 21, 2019 07:17 AM PT |
| Duplicate folders and documents showing in user profile directory If known folders (e.g. Desktop, Documents, or Pictures folders) are redirected, an empty folder with that same name may be created. See details > | OS Build 18362.116 May 21, 2019 KB4505057 | Investigating | May 21, 2019 07:16 AM PT |
| Error attempting to update with external USB device or memory card attached PCs with an external USB device or SD memory card attached may get error: \"This PC can't be upgraded to Windows 10.\" See details > | OS Build 18362.116 May 21, 2019 KB4505057 | Mitigated | May 21, 2019 04:49 PM PT |
| Unable to discover or connect to Bluetooth devices Microsoft has identified compatibility issues with some versions of Realtek and Qualcomm Bluetooth radio drivers. See details > | OS Build 18362.116 May 21, 2019 KB4505057 | Mitigated | May 21, 2019 04:48 PM PT |
| Night light settings do not apply in some cases Microsoft has identified some scenarios where night light settings may stop working. See details > | OS Build 18362.116 May 21, 2019 KB4505057 | Mitigated | May 21, 2019 04:48 PM PT |
| Intel Audio displays an intcdaud.sys notification Microsoft and Intel have identified an issue with a range of Intel Display Audio device drivers that may result in battery drain. See details > | OS Build 18362.116 May 21, 2019 KB4505057 | Mitigated | May 21, 2019 04:47 PM PT |
| Cannot launch Camera app Microsoft and Intel have identified an issue affecting Intel RealSense SR300 or Intel RealSense S200 camera apps. See details > | OS Build 18362.116 May 21, 2019 KB4505057 | Mitigated | May 21, 2019 04:47 PM PT |
| Intermittent loss of Wi-Fi connectivity Some older devices may experience loss of Wi-Fi connectivity due to an outdated Qualcomm driver. See details > | OS Build 18362.116 May 21, 2019 KB4505057 | Mitigated | May 21, 2019 04:46 PM PT |
| AMD RAID driver incompatibility Installation process may stop when trying to install Windows 10, version 1903 update on computers that run certain versions of AMD RAID drivers. See details > | OS Build 18362.116 May 21, 2019 KB4505057 | Mitigated | May 21, 2019 04:45 PM PT |
| D3D applications and games may fail to enter full-screen mode on rotated displays Some Direct3D (D3D) applications and games may fail to enter full-screen mode on rotated displays. See details > | OS Build 18362.116 May 21, 2019 KB4505057 | Mitigated | May 21, 2019 04:45 PM PT |
| Older versions of BattlEye anti-cheat software incompatible Microsoft and BattlEye have identified a compatibility issue with some games that use older versions of BattlEye anti-cheat software. See details > | OS Build 18362.116 May 21, 2019 KB4505057 | Mitigated | May 21, 2019 07:34 AM PT |
| Details | Originating update | Status | History |
| Display brightness may not respond to adjustments Microsoft and Intel have identified a driver compatibility issue on devices configured with certain Intel drivers. After updating to Window 10, version 1903, brightness settings may sometime appear as if changes applied took effect, yet the actual display brightness doesn't change. To safeguard your update experience, we have applied a compatibility hold on devices with certain Intel drivers from being offered Windows 10, version 1903, until this issue is resolved. Affected platforms:
Workaround: Restart your device to apply changes to brightness. Next steps: We are working on a resolution that will be made available in upcoming release. Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved. Back to top | OS Build 18362.116 May 20, 2019 KB4505057 | Investigating | Last updated: May 21, 2019 07:56 AM PT Opened: May 21, 2019 07:56 AM PT |
| Duplicate folders and documents showing in user profile directory If you have redirected known folders (e.g. Desktop, Documents, or Pictures folders) you may see an empty folder with the same name in your %userprofile% directories after updating to Windows 10, version 1903. This may occur if known folders were redirected when you chose to back up your content to OneDrive using the OneDrive wizard, or if you chose to back up your content during the Windows Out-of-Box-Experience (OOBE). This may also occur if you redirected your known folders manually through the Properties dialog box in File Explorer. This issue does not cause any user files to be deleted and a solution is in progress. To safeguard your update experience, we have applied a quality hold on devices with redirected known folders from being offered Windows 10, version 1903, until this issue is resolved. Affected platforms:
Next steps: Microsoft is working on a resolution and estimates a solution will be available in late May. Note We recommend that you do not attempt to manually update to Windows 10, version 1903 using the Update now button or the Media Creation Tool until this issue has been resolved. Back to top | OS Build 18362.116 May 20, 2019 KB4505057 | Investigating | Last updated: May 21, 2019 07:35 AM PT Opened: May 21, 2019 07:35 AM PT |
| Audio not working with Dolby Atmos headphones and home theater After updating to Windows 10, version 1903, you may experience loss of audio with Dolby Atmos for home theater (free extension) or Dolby Atmos for headphones (paid extension) acquired through the Microsoft Store due to a licensing configuration error. This occurs due to an issue with a Microsoft Store licensing component, where license holders are not able to connect to the Dolby Access app and enable Dolby Atmos extensions. To safeguard your update experience, we have applied protective hold on devices from being offered Windows 10, version 1903 until this issue is resolved. This configuration error will not result in loss of access for the acquired license once the problem is resolved. Affected platforms:
Next steps: We are working on a resolution for Microsoft Store and estimate a solution will be available in mid-June. Note We recommend you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved. Back to top | OS Build 18362.116 May 20, 2019 KB4505057 | Investigating | Last updated: May 21, 2019 07:17 AM PT Opened: May 21, 2019 07:16 AM PT |
| Intel Audio displays an intcdaud.sys notification Microsoft and Intel have identified an issue with a range of Intel Display Audio device drivers that may result in higher than normal battery drain. If you see an intcdaud.sys notification or “What needs your attention” notification when trying to update to the latest Windows feature update, you have an Intel Audio Display device driver (intcdaud.sys, versions 10.25.0.3 through 10.25.0.8) installed on your machine. To safeguard your update experience, we have applied a compatibility hold on devices with drivers from being offered Windows 10, version 1903 until updated device drivers have been installed. Affected platforms:
Workaround: On the “What needs your attention\" notification, click the Back button to remain on your current version of Windows 10. (Do not click Confirm as this will proceed with the update and you may experience compatibility issues.) Affected devices will automatically revert to the previous working configuration. For more information, see Intel's customer support guidance and the Microsoft knowledge base article KB4465877. Next steps: You can opt to wait for newer drivers to be installed automatically through Windows Update or check with the computer manufacturer for the latest device driver software availability and installation procedures. Note We recommend you do not attempt to update your devices until newer device drivers are installed. Back to top | OS Build 18362.116 May 20, 2019 KB4505057 | Mitigated | Last updated: May 21, 2019 08:34 AM PT Opened: May 21, 2019 07:22 AM PT |
| Error attempting to update with external USB device or memory card attached If you have an external USB device or SD memory card attached when installing Windows 10, version 1903, you may get an error message stating \"This PC can't be upgraded to Windows 10.\" This is caused by inappropriate drive reassignment during installation. Sample scenario: An update to Windows 10, 1903 is attempted on a computer that has a thumb drive inserted into its USB port. Before the update, the thumb drive is mounted in the system as drive G based on the existing drive configuration. After the feature update is installed; however, the device is reassigned a different drive letter (e.g., drive H). Note The drive reassignment is not limited to removable drives. Internal hard drives may also be affected. To safeguard your update experience, we have applied a hold on devices with an external USB device or SD memory card attached from being offered Windows 10, version 1903 until this issue is resolved. Affected platforms:
Workaround: To work around this issue, remove all external media, such as USB devices and SD cards, from your computer and restart installation of the Windows 10, version 1903 feature update. The update should then proceed normally. Next steps: Microsoft is working on a resolution and estimate a solution will be available in late May. Note If you need to keep your external device, SD memory card, or other devices attached to your computer while updating, we recommend that you do not attempt to manually update to Windows 10, version 1903 using the Update now button or the Media Creation Tool until this issue has been resolved. Back to top | OS Build 18362.116 May 20, 2019 KB4505057 | Mitigated | Last updated: May 21, 2019 07:38 AM PT Opened: May 21, 2019 07:38 AM PT |
| Older versions of BattlEye anti-cheat software incompatible Microsoft and BattlEye have identified a compatibility issue with some games that use older versions of BattlEye anti-cheat software. When launching a game that uses an older, impacted version of BattlEye anti-cheat software on a device running Windows 10, version 1903, the device may experience a system crash. To safeguard your gaming experience, we have applied a compatibility hold on devices with the impacted versions of BattlEye software used by games installed on your PC. This will prevent Windows 10, version 1903 from being offered until the incompatible version of BattlEye software is no longer installed on the device. Affected platforms:
Mitigated: BattlEye has provided an updated patch to known impacted games. For a list of recent games that use BattlEye, go to https://www.battleye.com/. Workaround: Before updating your machine, we recommend you do one or more of the following:
For more troubleshooting options, see https://www.battleye.com/support/faq/. Next steps: We are working with BattlEye and gaming partners to ensure games are automatically updated with the latest BattlEye software. We have confirmed the latest version of impacted games do not exhibit this issue. To minimize the chance of hitting this upgrade compatibility hold, please make sure you are running the latest version of your games before attempting to update the operating system. Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until you have installed an updated version of BattlEye software that resolves this issue. Back to top | OS Build 18362.116 May 20, 2019 KB4505057 | Mitigated | Last updated: May 21, 2019 07:34 AM PT Opened: May 21, 2019 07:34 AM PT |
| Unable to discover or connect to Bluetooth devices Microsoft has identified compatibility issues with some versions of Realtek and Qualcomm Bluetooth radio drivers. To safeguard your update experience, we have applied a compatibility hold on certain devices with Realtek or Qualcomm Bluetooth radio drivers from being offered Windows 10, version 1903 or Windows Server, version 1903 until the driver has been updated. Affected platforms:
Workaround: Check with your device manufacturer (OEM) to see if an updated driver is available and install it.
Next steps: Microsoft is working with Realtek and Qualcomm to release new drivers for all affected system via Windows Update. Note Until an updated driver has been installed, we recommend you do not attempt to manually update using the Update now button or the Media Creation Tool. Back to top | OS Build 18362.116 May 20, 2019 KB4505057 | Mitigated | Last updated: May 21, 2019 07:29 AM PT Opened: May 21, 2019 07:29 AM PT |
| Night light settings do not apply in some cases Microsoft has identified some scenarios where night light settings may stop working. The night light feature may stop working in the following scenarios:
Affected platforms:
Workaround: If you find that your night light settings have stopped working, try turning the night light on and off, or restart your computer. Next steps: We are working on a resolution and will provide an update in an upcoming release. Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved. Back to top | OS Build 18362.116 May 20, 2019 KB4505057 | Mitigated | Last updated: May 21, 2019 07:28 AM PT Opened: May 21, 2019 07:28 AM PT |
| Cannot launch Camera app Microsoft and Intel have identified an issue affecting Intel RealSense SR300 and Intel RealSense S200 cameras when using the Camera app. After updating to the Windows 10 May 2019 Update and launching the Camera app, you may get an error message stating: \"Close other apps, error code: 0XA00F4243.” To safeguard your update experience, we have applied a protective hold on machines with Intel RealSense SR300 or Intel RealSense S200 cameras installed from being offered Windows 10, version 1903, until this issue is resolved. Affected platforms:
Workaround: To temporarily resolve this issue, perform one of the following:
or
or
Note This workaround will only resolve the issue until your next system restart. Next steps: We are working on a resolution and will provide an update in an upcoming release. Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved. Back to top | OS Build 18362.116 May 20, 2019 KB4505057 | Mitigated | Last updated: May 21, 2019 07:20 AM PT Opened: May 21, 2019 07:20 AM PT |
| Intermittent Wi-Fi connectivity loss Some older computers may experience losing Wi-Fi connectivity due to an outdated Qualcomm driver. An updated Wi-Fi driver should be available by your device manufacturer. To safeguard your upgrade experience, we have applied a hold on devices with this Qualcomm driver from being offered Windows 10, version 1903, until the updated driver is installed. Affected platforms:
Workaround: Download and install an updated Wi-Fi driver from your computer manufacturer (OEM). Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until a new driver has been installed and the Windows 10, version 1903 feature update has been automatically offered to you. Back to top | OS Build 18362.116 May 20, 2019 KB4505057 | Mitigated | Last updated: May 21, 2019 07:13 AM PT Opened: May 21, 2019 07:13 AM PT |
| AMD RAID driver incompatibility Microsoft and Intel have identified an incompatibility with AMD RAID driver versions lower than 9.2.0.105. When you install the Windows 10, version 1903 update on a Windows 10-based computer, the installation process stops and you get a message like the following: AMD Ryzen™ or AMD Ryzen™ Threadripper™ configured in SATA or NVMe RAID mode. “A driver is installed that causes stability problems on Windows. This driver will be disabled. Check with your software/driver provider for an updated version that runs on this version of Windows.” On computers that have AMD Ryzen™ or AMD Ryzen™ Threadripper™ processors, AMD RAID drivers less than version 9.2.0.105 are not compatible with the this update. If a computer has these drivers installed and configured in RAID mode, it cannot install the Windows 10, version 1903 update. Computers with an AMD RAID driver, version 9.2.0.105 or higher, installed will not encounter this issue. For more information about this issue, please see the AMD support article. To safeguard your update experience, we have applied a quality hold on devices with these AMD drivers from being offered Windows 10, version 1903, until this issue is resolved. Affected platforms:
Workaround: To resolve this issue, download the latest AMD RAID drivers directly from AMD at https://www.amd.com/en/support/chipsets/amd-socket-tr4/x399. The drivers must be version 9.2.0.105 or later. Install the drivers on the affected computer, and then restart the installation process for the Windows 10, version 1903 feature update. Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until a new driver has been installed and the Windows 10, version 1903 feature update has been automatically offered to you. Back to top | OS Build 18362.116 May 20, 2019 KB4505057 | Mitigated | Last updated: May 21, 2019 07:12 AM PT Opened: May 21, 2019 07:12 AM PT |
| D3D applications and games may fail to enter full-screen mode on rotated displays Some Direct 3D (D3D) applications and games (e.g., 3DMark) may fail to enter full-screen mode on displays where the display orientation has been changed from the default (e.g., a landscape display in portrait mode). Affected platforms:
Workaround: To work around this issue, do one of the following:
Next steps: Microsoft is working on a resolution and estimates a solution will be available in late May. Back to top | OS Build 18362.116 May 20, 2019 KB4505057 | Mitigated | Last updated: May 21, 2019 07:05 AM PT Opened: May 21, 2019 07:05 AM PT |
| Display brightness may not respond to adjustments Microsoft and Intel have identified a driver compatibility issue on devices configured with certain Intel display drivers. After updating to Window 10, version 1903, brightness settings may sometime appear as if changes applied took effect, yet the actual display brightness doesn't change. To safeguard your update experience, we have applied a compatibility hold on devices with certain Intel drivers from being offered Windows 10, version 1903, until this issue is resolved. Affected platforms:
Workaround: Restart your device to apply changes to brightness. Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved. Next steps: We are working on a resolution that will be made available in upcoming release. Back to top | OS Build 18362.116 May 21, 2019 KB4505057 | Investigating | Last updated: May 21, 2019 04:47 PM PT Opened: May 21, 2019 07:56 AM PT |
| Audio not working with Dolby Atmos headphones and home theater After updating to Windows 10, version 1903, you may experience loss of audio with Dolby Atmos for home theater (free extension) or Dolby Atmos for headphones (paid extension) acquired through the Microsoft Store due to a licensing configuration error. This occurs due to an issue with a Microsoft Store licensing component, where license holders are not able to connect to the Dolby Access app and enable Dolby Atmos extensions. To safeguard your update experience, we have applied protective hold on devices from being offered Windows 10, version 1903 until this issue is resolved. This configuration error will not result in loss of access for the acquired license once the problem is resolved. Affected platforms:
Next steps: We are working on a resolution for Microsoft Store and estimate a solution will be available in mid-June. Note We recommend you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved. Back to top | OS Build 18362.116 May 21, 2019 KB4505057 | Investigating | Last updated: May 21, 2019 07:17 AM PT Opened: May 21, 2019 07:16 AM PT |
| Duplicate folders and documents showing in user profile directory If you have redirected known folders (e.g. Desktop, Documents, or Pictures folders) you may see an empty folder with the same name in your %userprofile% directories after updating to Windows 10, version 1903. This may occur if known folders were redirected when you chose to back up your content to OneDrive using the OneDrive wizard, or if you chose to back up your content during the Windows Out-of-Box-Experience (OOBE). This may also occur if you redirected your known folders manually through the Properties dialog box in File Explorer. This issue does not cause any user files to be deleted and a solution is in progress. To safeguard your update experience, we have applied a quality hold on devices with redirected known folders from being offered Windows 10, version 1903, until this issue is resolved. Affected platforms:
Next steps: Microsoft is working on a resolution and estimates a solution will be available in late May. Note We recommend that you do not attempt to manually update to Windows 10, version 1903 using the Update now button or the Media Creation Tool until this issue has been resolved. Back to top | OS Build 18362.116 May 21, 2019 KB4505057 | Investigating | Last updated: May 21, 2019 07:16 AM PT Opened: May 21, 2019 07:16 AM PT |
| Error attempting to update with external USB device or memory card attached If you have an external USB device or SD memory card attached when installing Windows 10, version 1903, you may get an error message stating \"This PC can't be upgraded to Windows 10.\" This is caused by inappropriate drive reassignment during installation. Sample scenario: An update to Windows 10, version 1903 is attempted on a computer that has a thumb drive inserted into its USB port. Before the update, the thumb drive is mounted in the system as drive G based on the existing drive configuration. After the feature update is installed; however, the device is reassigned a different drive letter (e.g., drive H). Note The drive reassignment is not limited to removable drives. Internal hard drives may also be affected. To safeguard your update experience, we have applied a hold on devices with an external USB device or SD memory card attached from being offered Windows 10, version 1903 until this issue is resolved. Affected platforms:
Workaround: To work around this issue, remove all external media, such as USB devices and SD cards, from your computer and restart installation of the Windows 10, version 1903 feature update. The update should then proceed normally. Note If you need to keep your external device, SD memory card, or other devices attached to your computer while updating, we recommend that you do not attempt to manually update to Windows 10, version 1903 using the Update now button or the Media Creation Tool until this issue has been resolved. Next steps: Microsoft is working on a resolution and estimate a solution will be available in late May. Back to top | OS Build 18362.116 May 21, 2019 KB4505057 | Mitigated | Last updated: May 21, 2019 04:49 PM PT Opened: May 21, 2019 07:38 AM PT |
| Unable to discover or connect to Bluetooth devices Microsoft has identified compatibility issues with some driver versions for Bluetooth radios made by Realtek and Qualcomm. To safeguard your update experience, we have applied a compatibility hold on devices with affected driver versions for Realtek or Qualcomm Bluetooth radios from being offered Windows 10, version 1903 or Windows Server, version 1903 until the driver has been updated. Affected platforms:
Workaround: Check with your device manufacturer (OEM) to see if an updated driver is available and install it.
Note Until an updated driver has been installed, we recommend you do not attempt to manually update using the Update now button or the Media Creation Tool. Next steps: Microsoft is working with Realtek and Qualcomm to release new drivers for all affected system via Windows Update. Back to top | OS Build 18362.116 May 21, 2019 KB4505057 | Mitigated | Last updated: May 21, 2019 04:48 PM PT Opened: May 21, 2019 07:29 AM PT |
| Night light settings do not apply in some cases Microsoft has identified some scenarios where night light settings may stop working, for example:
Affected platforms:
Workaround: If you find that your night light settings have stopped working, try turning the night light on and off, or restart your computer. Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved. Next steps: We are working on a resolution and will provide an update in an upcoming release. Back to top | OS Build 18362.116 May 21, 2019 KB4505057 | Mitigated | Last updated: May 21, 2019 04:48 PM PT Opened: May 21, 2019 07:28 AM PT |
| Intel Audio displays an intcdaud.sys notification Microsoft and Intel have identified an issue with a range of Intel Display Audio device drivers that may result in higher than normal battery drain. If you see an intcdaud.sys notification or “What needs your attention” notification when trying to update to Windows 10, version 1903, you have an affected Intel Audio Display device driver installed on your machine (intcdaud.sys, versions 10.25.0.3 through 10.25.0.8). To safeguard your update experience, we have applied a compatibility hold on devices with drivers from being offered Windows 10, version 1903 until updated device drivers have been installed. Affected platforms:
Workaround: On the “What needs your attention\" notification, click the Back button to remain on your current version of Windows 10. (Do not click Confirm as this will proceed with the update and you may experience compatibility issues.) Affected devices will automatically revert to the previous working configuration. For more information, see Intel's customer support guidance and the Microsoft knowledge base article KB4465877. Note We recommend you do not attempt to update your devices until newer device drivers are installed. Next steps: You can opt to wait for newer drivers to be installed automatically through Windows Update or check with the computer manufacturer for the latest device driver software availability and installation procedures. Back to top | OS Build 18362.116 May 21, 2019 KB4505057 | Mitigated | Last updated: May 21, 2019 04:47 PM PT Opened: May 21, 2019 07:22 AM PT |
| Cannot launch Camera app Microsoft and Intel have identified an issue affecting Intel RealSense SR300 and Intel RealSense S200 cameras when using the Camera app. After updating to the Windows 10 May 2019 Update and launching the Camera app, you may get an error message stating: \"Close other apps, error code: 0XA00F4243.” To safeguard your update experience, we have applied a protective hold on machines with Intel RealSense SR300 or Intel RealSense S200 cameras installed from being offered Windows 10, version 1903, until this issue is resolved. Affected platforms:
Workaround: To temporarily resolve this issue, perform one of the following:
or
or
Note This workaround will only resolve the issue until your next system restart. Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved. Next steps: We are working on a resolution and will provide an update in an upcoming release. Back to top | OS Build 18362.116 May 21, 2019 KB4505057 | Mitigated | Last updated: May 21, 2019 04:47 PM PT Opened: May 21, 2019 07:20 AM PT |
| Intermittent loss of Wi-Fi connectivity Some older computers may experience loss of Wi-Fi connectivity due to an outdated Qualcomm driver. An updated Wi-Fi driver should be available from your device manufacturer (OEM). To safeguard your upgrade experience, we have applied a hold on devices with this Qualcomm driver from being offered Windows 10, version 1903, until the updated driver is installed. Affected platforms:
Workaround: Download and install an updated Wi-Fi driver from your device manufacturer (OEM). Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until a new driver has been installed and the Windows 10, version 1903 feature update has been automatically offered to you. Back to top | OS Build 18362.116 May 21, 2019 KB4505057 | Mitigated | Last updated: May 21, 2019 04:46 PM PT Opened: May 21, 2019 07:13 AM PT |
| AMD RAID driver incompatibility Microsoft and AMD have identified an incompatibility with AMD RAID driver versions lower than 9.2.0.105. When you attempt to install the Windows 10, version 1903 update on a Windows 10-based computer with an affected driver version, the installation process stops and you get a message like the following: AMD Ryzen™ or AMD Ryzen™ Threadripper™ configured in SATA or NVMe RAID mode. “A driver is installed that causes stability problems on Windows. This driver will be disabled. Check with your software/driver provider for an updated version that runs on this version of Windows.” To safeguard your update experience, we have applied a compatibility hold on devices with these AMD drivers from being offered Windows 10, version 1903, until this issue is resolved. Affected platforms:
Workaround: To resolve this issue, download the latest AMD RAID drivers directly from AMD at https://www.amd.com/en/support/chipsets/amd-socket-tr4/x399. The drivers must be version 9.2.0.105 or later. Install the drivers on the affected computer, and then restart the installation process for the Windows 10, version 1903 feature update. Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until a new driver has been installed and the Windows 10, version 1903 feature update has been automatically offered to you. Back to top | OS Build 18362.116 May 21, 2019 KB4505057 | Mitigated | Last updated: May 21, 2019 04:45 PM PT Opened: May 21, 2019 07:12 AM PT |
| D3D applications and games may fail to enter full-screen mode on rotated displays Some Direct3D (D3D) applications and games (e.g., 3DMark) may fail to enter full-screen mode on displays where the display orientation has been changed from the default (e.g., a landscape display in portrait mode). Affected platforms:
Workaround: To work around this issue, do one of the following:
Next steps: Microsoft is working on a resolution and estimates a solution will be available in late May. Back to top | OS Build 18362.116 May 21, 2019 KB4505057 | Mitigated | Last updated: May 21, 2019 04:45 PM PT Opened: May 21, 2019 07:05 AM PT |
| Older versions of BattlEye anti-cheat software incompatible Microsoft and BattlEye have identified a compatibility issue with some games that use older versions of BattlEye anti-cheat software. When launching a game that uses an older, impacted version of BattlEye anti-cheat software on a device running Windows 10, version 1903, the device may experience a system crash. To safeguard your gaming experience, we have applied a compatibility hold on devices with the impacted versions of BattlEye software used by games installed on your PC. This will prevent Windows 10, version 1903 from being offered until the incompatible version of BattlEye software is no longer installed on the device. Affected platforms:
Mitigated: BattlEye has provided an updated patch to known impacted games. For a list of recent games that use BattlEye, go to https://www.battleye.com/. Workaround: Before updating your machine, we recommend you do one or more of the following:
For more troubleshooting options, see https://www.battleye.com/support/faq/. Next steps: We are working with BattlEye and gaming partners to ensure games are automatically updated with the latest BattlEye software. We have confirmed the latest version of impacted games do not exhibit this issue. To minimize the chance of hitting this upgrade compatibility hold, please make sure you are running the latest version of your games before attempting to update the operating system. Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until you have installed an updated version of BattlEye software that resolves this issue. Back to top | OS Build 18362.116 May 21, 2019 KB4505057 | Mitigated | Last updated: May 21, 2019 07:34 AM PT Opened: May 21, 2019 07:34 AM PT |
Get instantaneous access to a machine using a remote shell connection. Do in-depth investigative work and take immediate response actions to promptly contain identified threats – real-time. +- [Live response](live-response.md)
Get instantaneous access to a machine using a remote shell connection. Do in-depth investigative work and take immediate response actions to promptly contain identified threats – real-time. - [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
A new built-in capability that uses a risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations. diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md index 71c901e041..f297a4328b 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md @@ -21,7 +21,7 @@ ms.topic: conceptual **Applies to:** -[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](microsoft-defender-atp-mac.md) +[Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md) >[!IMPORTANT] >This topic relates to the pre-release version of Microsoft Defender ATP for Mac. Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. Microsoft makes no warranties, express or implied, with respect to the information provided here. @@ -114,4 +114,4 @@ See [Logging installation issues](microsoft-defender-atp-mac-resources.md#loggin ## Uninstallation -See [Uninstalling](microsoft-defender-atp-mac-resources.md#uninstalling) for details on how to remove Windows Defender ATP for Mac from client devices. \ No newline at end of file +See [Uninstalling](microsoft-defender-atp-mac-resources.md#uninstalling) for details on how to remove Microsoft Defender ATP for Mac from client devices. \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md index 15bfabbd53..695a6be30d 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md @@ -21,7 +21,7 @@ ms.topic: conceptual **Applies to:** -[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](microsoft-defender-atp-mac.md) +[Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md) >[!IMPORTANT] >This topic relates to the pre-release version of Microsoft Defender ATP for Mac. Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. Microsoft makes no warranties, express or implied, with respect to the information provided here. @@ -32,13 +32,13 @@ Before you get started, please see [the main Microsoft Defender ATP for Mac page ## Download installation and onboarding packages -Download the installation and onboarding packages from Windows Defender Security Center: +Download the installation and onboarding packages from Microsoft Defender Security Center: -1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**. -2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Mobile Device Management / Microsoft Intune**. -3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory. -4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. -5. Download IntuneAppUtil from [https://docs.microsoft.com/en-us/intune/lob-apps-macos](https://docs.microsoft.com/en-us/intune/lob-apps-macos). +1. In Microsoft Defender Security Center, go to **Settings** > **Device Management** > **Onboarding**. +2. In Section 1 of the page, set the operating system to **Linux, macOS, iOS or Android** and the deployment method to **Mobile Device Management / Microsoft Intune**. +3. In Section 2 of the page, select **Download installation package**. Save it as _wdav.pkg_ to a local directory. +4. In Section 2 of the page, select **Download onboarding package**. Save it as _WindowsDefenderATPOnboardingPackage.zip_ to the same directory. +5. Download **IntuneAppUtil** from [https://docs.microsoft.com/en-us/intune/lob-apps-macos](https://docs.microsoft.com/en-us/intune/lob-apps-macos).  @@ -80,41 +80,41 @@ Download the installation and onboarding packages from Windows Defender Security to deploy refer to the product documentation. ``` -## Client Machine Setup +## Client device setup -You need no special provisioning for a Mac machine beyond a standard [Company Portal installation](https://docs.microsoft.com/en-us/intune-user-help/enroll-your-device-in-intune-macos-cp). +You need no special provisioning for a Mac device beyond a standard [Company Portal installation](https://docs.microsoft.com/en-us/intune-user-help/enroll-your-device-in-intune-macos-cp). 1. You'll be asked to confirm device management.  -Select Open System Preferences, locate Management Profile on the list and select the **Approve...** button. Your Management Profile would be displayed as **Verified**: +Select **Open System Preferences**, locate **Management Profile** on the list and select **Approve...**. Your Management Profile would be displayed as **Verified**:  -2. Select the **Continue** button and complete the enrollment. +2. Select **Continue** and complete the enrollment. -You can enroll additional machines. Optionally, you can do it later, after system configuration and application package are provisioned. +You may now enroll additional devices. You can also enroll them later, after you have finished provisioning system configuration and application packages. -3. In Intune, open the **Manage > Devices > All devices** blade. You'll see your machine: +3. In Intune, open **Manage** > **Devices** > **All devices**. You'll see your device among those listed:  ## Create System Configuration profiles -1. In Intune open the **Manage > Device configuration** blade. Select **Manage > Profiles > Create Profile**. -2. Choose a name for the profile. Change **Platform=macOS**, **Profile type=Custom**. Select **Configure**. +1. In Intune, open **Manage** > **Device configuration**. Select **Manage** > **Profiles** > **Create Profile**. +2. Choose a name for the profile. Change **Platform=macOS** to **Profile type=Custom**. Select **Configure**. 3. Open the configuration profile and upload intune/kext.xml. This file was created during the Generate settings step above. 4. Select **OK**.  -5. Select **Manage > Assignments**. In the **Include** tab, select **Assign to All Users & All devices**. -6. Repeat these steps with the second profile. -7. Create Profile one more time, give it a name, upload the intune/WindowsDefenderATPOnboarding.xml file. -8. Select **Manage > Assignments**. In the Include tab, select **Assign to All Users & All devices**. +5. Select **Manage** > **Assignments**. In the **Include** tab, select **Assign to All Users & All devices**. +6. Repeat steps 1 through 5 for additional profiles. +7. Create a new profile one more time, give it a name, and upload the intune/WindowsDefenderATPOnboarding.xml file. +8. Select **Manage > Assignments**. In the **Include** tab, select **Assign to All Users & All devices**. -After Intune changes are propagated to the enrolled machines, you'll see it on the **Monitor > Device status** blade: +Once the Intune changes are propagated to the enrolled devices, you'll see them listed under **Monitor** > **Device status**:  @@ -124,7 +124,7 @@ After Intune changes are propagated to the enrolled machines, you'll see it on t 2. Select **App type=Other/Line-of-business app**. 3. Select **file=wdav.pkg.intunemac**. Select **OK** to upload. 4. Select **Configure** and add the required information. -5. Use **macOS Sierra 10.12** as the minimum OS. Other settings can be any other value. +5. Use **macOS Sierra 10.12** as the minimum OS. Other settings can be any arbitrary value.  @@ -132,32 +132,30 @@ After Intune changes are propagated to the enrolled machines, you'll see it on t  -7. It will take a while to upload the package. After it's done, select the name and then go to **Assignments** and **Add group**. +7. It may take a few moments to upload the package. After it's done, select the package from the list and go to **Assignments** and **Add group**.  -8. Change **Assignment type=Required**. +8. Change **Assignment type** to **Required**. 9. Select **Included Groups**. Select **Make this app required for all devices=Yes**. Select **Select group to include** and add a group that contains the users you want to target. Select **OK** and **Save**.  -10. After some time the application will be published to all enrolled machines. You'll see it on the **Monitor > Device** install status blade: +10. After some time the application will be published to all enrolled devices. You'll see it listed on **Monitor** > **Device**, under **Device install status**:  -## Verify client machine state +## Verify client device state -1. After the configuration profiles are deployed to your machines, on your Mac device, open **System Preferences > Profiles**. +1. After the configuration profiles are deployed to your devices, open **System Preferences** > **Profiles** on your Mac device.   -2. Verify the three profiles listed there: +2. Verify that the following configuration profiles are present and installed. The **Management Profile** should be the Intune system profile. _Wdav-config_ and _wdav-kext_ are system configuration profiles that we added in Intune.:  -3. The **Management Profile** should be the Intune system profile. -4. wdav-config and wdav-kext are system configuration profiles that we added in Intune. -5. You should also see the Microsoft Defender icon in the top-right corner: +3. You should also see the Microsoft Defender icon in the top-right corner:  @@ -167,4 +165,4 @@ See [Logging installation issues](microsoft-defender-atp-mac-resources.md#loggin ## Uninstallation -See [Uninstalling](microsoft-defender-atp-mac-resources.md#uninstalling) for details on how to remove Windows Defender ATP for Mac from client devices. \ No newline at end of file +See [Uninstalling](microsoft-defender-atp-mac-resources.md#uninstalling) for details on how to remove Microsoft Defender ATP for Mac from client devices. \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md index 4770ec60ec..fd9c3d6b85 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md @@ -21,7 +21,7 @@ ms.topic: conceptual **Applies to:** -[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](microsoft-defender-atp-mac.md) +[Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md) >[!IMPORTANT] >This topic relates to the pre-release version of Microsoft Defender ATP for Mac. Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. Microsoft makes no warranties, express or implied, with respect to the information provided here. @@ -36,15 +36,14 @@ In addition, for JAMF deployment, you need to be familiar with JAMF administrati Download the installation and onboarding packages from Windows Defender Security Center: -1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**. -2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Mobile Device Management / Microsoft Intune**. -3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory. -4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. +1. In Windows Defender Security Center, go to **Settings > device Management > Onboarding**. +2. In Section 1 of the page, set the operating system to **Linux, macOS, iOS or Android** and deployment method to **Mobile Device Management / Microsoft Intune**. +3. In Section 2 of the page, select **Download installation package**. Save it as _wdav.pkg_ to a local directory. +4. In Section 2 of the page, select **Download onboarding package**. Save it as _WindowsDefenderATPOnboardingPackage.zip_ to the same directory.  -5. From a command prompt, verify that you have the two files. - Extract the contents of the .zip files: +5. From the command prompt, verify that you have the two files. Extract the contents of the .zip files like so: ```bash mavel-macmini:Downloads test$ ls -l @@ -62,19 +61,19 @@ Download the installation and onboarding packages from Windows Defender Security ## Create JAMF Policies -You need to create a configuration profile and a policy to start deploying Microsoft Defender ATP for Mac to client machines. +You need to create a configuration profile and a policy to start deploying Microsoft Defender ATP for Mac to client devices. ### Configuration Profile -The configuration profile contains one custom settings payload that includes: +The configuration profile contains a custom settings payload that includes: - Microsoft Defender ATP for Mac onboarding information -- Approved Kernel Extensions payload to enable the Microsoft kernel driver to run +- Approved Kernel Extensions payload, to enable running the Microsoft kernel driver -1. Upload jamf/WindowsDefenderATPOnboarding.plist as the Property List File. +To set the onboarding information, upload a property list file with the name, _jamf/WindowsDefenderATPOnboarding.plist_. - >[!NOTE] - > You must use exactly "com.microsoft.wdav.atp" as the Preference Domain. + >[!IMPORTANT] + > You must set the the Preference Domain as "com.microsoft.wdav.atp"  @@ -89,15 +88,15 @@ To approve the kernel extension: #### Configuration Profile's Scope -Configure the appropriate scope to specify the machines that will receive this configuration profile. +Configure the appropriate scope to specify the devices that will receive the configuration profile. -Open Computers -> Configuration Profiles, select **Scope > Targets**. Select the appropriate Target computers. +Open **Computers** > **Configuration Profiles**, and select **Scope > Targets**. From there, select the devices you want to target.  Save the **Configuration Profile**. -Use the **Logs** tab to monitor deployment status for each enrolled machine. +Use the **Logs** tab to monitor deployment status for each enrolled device. ### Package @@ -116,50 +115,50 @@ Your policy should contain a single package for Microsoft Defender. Configure the appropriate scope to specify the computers that will receive this policy. -After you save the Configuration Profile, you can use the Logs tab to monitor the deployment status for each enrolled machine. +After you save the Configuration Profile, you can use the Logs tab to monitor the deployment status for each enrolled device. -## Client machine setup +## Client device setup -You need no special provisioning for a macOS computer beyond the standard JAMF Enrollment. +You'll need no special provisioning for a macOS computer, beyond the standard JAMF Enrollment. > [!NOTE] > After a computer is enrolled, it will show up in the Computers inventory (All Computers). -1. Open the machine details, from **General** tab, and make sure that **User Approved MDM** is set to **Yes**. If it's set to No, the user needs to open **System Preferences > Profiles** and select **Approve** on the MDM Profile. +1. Open **Device Profiles**, from the **General** tab, and make sure that **User Approved MDM** is set to **Yes**. If it's currently set to No, the user needs to open **System Preferences > Profiles** and select **Approve** on the MDM Profile.   -After some time, the machine's User Approved MDM status will change to Yes. +After a moment, the device's User Approved MDM status will change to **Yes**.  -You can enroll additional machines now. Optionally, can do it after system configuration and application packages are provisioned. +You may now enroll additional devices. You can also enroll them later, after you have finished provisioning system configuration and application packages. ## Deployment -Enrolled client machines periodically poll the JAMF Server and install new configuration profiles and policies as soon as they are detected. +Enrolled client devices periodically poll the JAMF Server, and install new configuration profiles and policies as soon as they are detected. -### Status on server +### Status on the server -You can monitor the deployment status in the Logs tab: +You can monitor deployment status in the **Logs** tab: - **Pending** means that the deployment is scheduled but has not yet happened - **Completed** means that the deployment succeeded and is no longer scheduled  -### Status on client machine +### Status on client device -After the Configuration Profile is deployed, you'll see the profile on the machine in the **System Preferences > Profiles >** Name of Configuration Profile. +After the Configuration Profile is deployed, you'll see the profile on the device in **System Preferences > Profiles >**, under the name of the configuration profile.  -After the policy is applied, you'll see the Microsoft Defender icon in the macOS status bar in the top-right corner. +After the policy is applied, you'll see the Microsoft Defender ATP icon in the macOS status bar in the top-right corner.  -You can monitor policy installation on a machine by following the JAMF's log file: +You can monitor policy installation on a device by following the JAMF log file: ```bash mavel-mojave:~ testuser$ tail -f /var/log/jamf.log @@ -182,22 +181,22 @@ orgId : "4751b7d4-ea75-4e8f-a1f5-6d640c65bc45" ... ``` -- **licensed**: This confirms that the machine has an ATP license. +- **licensed**: This confirms that the device has an ATP license. -- **orgid**: Your ATP org id, it will be the same for your organization. +- **orgid**: Your Microsoft Defender ATP org id; it will be the same for your organization. ## Check onboarding status -You can check that machines are correctly onboarded by creating a script. For example, the following script checks that enrolled machines are onboarded: +You can check that devices have been correctly onboarded by creating a script. For example, the following script checks enrolled devices for onboarding status: ```bash mdatp --health healthy ``` This script returns: -- 0 if Microsoft Defender ATP is registered with the Windows Defender ATP service -- 1 if the machine is not onboarded -- 3 if the connection to the daemon cannot be established (daemon is not running) +- 0 if Microsoft Defender ATP is registered with the Microsoft Defender ATP service +- 1 if the device is not yet onboarded +- 3 if the connection to the daemon cannot be established—for example, if the daemon is not running ## Logging installation issues @@ -205,4 +204,4 @@ See [Logging installation issues](microsoft-defender-atp-mac-resources.md#loggin ## Uninstallation -See [Uninstalling](microsoft-defender-atp-mac-resources.md#uninstalling) for details on how to remove Windows Defender ATP for Mac from client devices. \ No newline at end of file +See [Uninstalling](microsoft-defender-atp-mac-resources.md#uninstalling) for details on how to remove Microsoft Defender ATP for Mac from client devices. \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md index 7db036c1d0..694e2e86ce 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md @@ -21,7 +21,7 @@ ms.topic: conceptual **Applies to:** -[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](microsoft-defender-atp-mac.md) +[Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md) >[!IMPORTANT] >This topic relates to the pre-release version of Microsoft Defender ATP for Mac. Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. Microsoft makes no warranties, express or implied, with respect to the information provided here. @@ -41,7 +41,7 @@ If you can reproduce a problem, please increase the logging level, run the syste 2. Reproduce the problem -3. Run `mdatp --diagnostic --create` to backup Defender ATP's logs. The command will print out location with generated zip file. +3. Run `mdatp --diagnostic --create` to backup Microsoft Defender ATP's logs. The command will print out location with generated zip file. ```bash mavel-mojave:~ testuser$ mdatp --diagnostic --create @@ -152,6 +152,6 @@ In the Microsoft Defender ATP portal, you'll see two categories of information: ## Known issues - Not fully optimized for performance or disk space yet. -- Full Windows Defender ATP integration is not available yet. -- Mac devices that switch networks may appear multiple times in the APT portal. +- Full Microsoft Defender ATP integration is not available yet. +- Mac devices that switch networks may appear multiple times in the Microsoft Defender ATP portal. - Centrally managed uninstall via Intune is still in development. As an alternative, manually uninstall Microsoft Defender ATP for Mac from each client device. diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md index 264d420897..c5f47ef87a 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md @@ -17,36 +17,41 @@ ms.collection: M365-security-compliance ms.topic: conceptual --- -# Microsoft Defender ATP for Mac +# Microsoft Defender Advanced Threat Protection for Mac >[!IMPORTANT] ->This topic relates to the pre-release version of Microsoft Defender ATP for Mac. Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. Microsoft makes no warranties, express or implied, with respect to the information provided here. +>This topic relates to the pre-release version of Microsoft Defender Advanced Threat Protection (ATP) for Mac. Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. Microsoft makes no warranties, express or implied, with respect to the information provided here. -This topic describes how to install and use Microsoft Defender ATP for Mac. +This topic describes how to install and use Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac. ## What’s new in the public preview -We've been working hard through the private preview period, and we've heard your concerns. We've reduced the delay for when new Mac devices appear in the ATP console after they've been deployed. We've improved threat handling, and enhanced the user experience. We've also made numerous bug fixes. Other updates to Microsoft Defender ATP for Mac include: +Since opening the limited preview, we've been working non-stop to enhance the product, by listening to customer feedback. We've reduced the time it takes for devices to appear in Microsoft Defender Security Center, immediately following deployment. We've improved threat handling, enhanced the user experience, and fixed bugs. Other updates to Microsoft Defender ATP for Mac include: -- Full accessibility +- Enhanced accessibility - Improved performance -- Localization for 37 languages +- improved client product health monitoring +- Localization into 37 languages - Improved anti-tampering protections -- Feedback and samples can now be submitted via the GUI. +- Feedback and samples can now be submitted via the interface. - Product health can be queried with JAMF or the command line. - Admins can set their cloud preference for any location, not just for those in the US. ## Installing and configuring -There are various methods and deployment tools that you can use to install and configure Microsoft Defender ATP for Mac. +There are several methods and deployment tools that you can use to install and configure Microsoft Defender ATP for Mac. In general you'll need to take the following steps: -- Ensure you have a Windows Defender ATP subscription and have access to the Windows Defender ATP Portal +- Ensure you have a Microsoft Defender ATP subscription and have access to the Microsoft Defender ATP Portal - Deploy Microsoft Defender ATP for Mac using one of the following deployment methods: - - [Microsoft Intune-based deployment](microsoft-defender-atp-mac-install-with-intune.md) - - [JAMF-based deployment](microsoft-defender-atp-mac-install-with-jamf.md) - - [Other MDM products](microsoft-defender-atp-mac-install-with-other-mdm.md) - - [Manual deployment](microsoft-defender-atp-mac-install-manually.md) + - Via the command line tool: + - [Manual deployment](microsoft-defender-atp-mac-install-manually.md) + - Via third party tools: + - [Microsoft Intune-based deployment](microsoft-defender-atp-mac-install-with-intune.md) + - [JAMF-based deployment](microsoft-defender-atp-mac-install-with-jamf.md) + - [Other MDM products](microsoft-defender-atp-mac-install-with-other-mdm.md) + +Whichever method you choose, you will first need to visit the onboarding page in the Microsoft Defender ATP portal. ### Prerequisites @@ -69,7 +74,7 @@ After you've enabled the service, you may need to configure your network or fire The following table lists the services and their associated URLs that your network must be able to connect to. You should ensure there are no firewall or network filtering rules that would deny access to these URLs, or you may need to create an **allow** rule specifically for them: | Service | Description | URL | -| -------------- |:------------------------------------:| --------------------------------------------------------------------:| +| -------------- | ------------------------------------ | -------------------------------------------------------------------- | | ATP | Advanced threat protection service | `https://x.cp.wd.microsoft.com`, `https://cdn.x.cp.wd.microsoft.com` | To test that a connection is not blocked, open `https://x.cp.wd.microsoft.com/api/report` and `https://cdn.x.cp.wd.microsoft.com/ping` in a browser, or run the following command in Terminal: @@ -80,8 +85,7 @@ To test that a connection is not blocked, open `https://x.cp.wd.microsoft.com/ap OK https://cdn.x.cp.wd.microsoft.com/ping ``` -We recommend to keep [System Integrity Protection](https://support.apple.com/en-us/HT204899) ([Wiki](https://en.wikipedia.org/wiki/System_Integrity_Protection)) enabled (default setting) on client machines. -SIP is a built-in macOS security feature that prevents low-level tampering with the OS. +We recommend that you keep [System Integrity Protection](https://support.apple.com/en-us/HT204899) (SIP) enabled on client machines. SIP is a built-in macOS security feature that prevents low-level tampering with the OS, and is enabled by default. ## Resources diff --git a/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md b/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md index 16fceaea85..1d22390bfc 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md +++ b/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md @@ -19,7 +19,7 @@ ms.author: v-anbic - Windows 10 -Tamper protection helps prevent malicious apps from changing important security settings. These settings include: +Tamper Protection helps prevent malicious apps from changing important security settings. These settings include: - Real-time protection - Cloud-delivered protection @@ -27,7 +27,7 @@ Tamper protection helps prevent malicious apps from changing important security - Behavior monitoring - Removing security intelligence updates -With tamper protection set to **On**, you can still change these settings in the Windows Security app. The following apps and methods can't change these settings: +With Tamper Protection set to **On**, you can still change these settings in the Windows Security app. The following apps and methods can't change these settings: - Mobile device management (MDM) apps like Intune - Enterprise configuration management apps like System Center Configuration Manager (SCCM) @@ -36,11 +36,11 @@ With tamper protection set to **On**, you can still change these settings in the - Group Policy - Other Windows Management Instrumentation (WMI) apps -The tamper protection setting doesn't affect how third party antivirus apps register with the Windows Security app. +The Tamper Protection setting doesn't affect how third party antivirus apps register with the Windows Security app. -On computers running Windows 10 Enterprise E5, users can't change the tamper protection setting. +On computers running Windows 10 Enterprise E5, users can't change the Tamper Protection setting. -Tamper protection is On by default. If you set tamper protection to **Off**, you will see a yellow warning in the Windows Security app under **Virus & threat protection**. +Tamper Protection is set to **On** by default. If you set Tamper Protection to **Off**, you will see a yellow warning in the Windows Security app under **Virus & Threat Protection**. ## Configure tamper protection @@ -49,4 +49,8 @@ Tamper protection is On by default. If you set tamper protection to **Off**, you 3. Set **Tamper Protection** to **On** or **Off**. >[!NOTE] ->If your computer is running Windows 10 Enterprise E5, you can't change the tamper protection settings from within Windows Security App. \ No newline at end of file +>Tamper Protection blocks attempts to modify Windows Defender Antivirus settings through the registry. +> +>To help ensure that Tamper Protection doesn’t interfere with third-party security products or enterprise installation scripts that modify these settings, go to **Windows Security** and update **Security intelligence** to version 1.287.60.0 or later. +> +>Once you’ve made this update, Tamper Protection will continue to protect your registry settings, and will also log attempts to modify them without returning errors. \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.md b/windows/security/threat-protection/windows-defender-application-control/TOC.md index 8b71416a15..ac99737410 100644 --- a/windows/security/threat-protection/windows-defender-application-control/TOC.md +++ b/windows/security/threat-protection/windows-defender-application-control/TOC.md @@ -13,10 +13,13 @@ ### [Types of devices](types-of-devices.md) ###Use WDAC with custom policies #### [Create an initial default policy](create-initial-default-policy.md) +#### [Create path-based rules](create-path-based-rules.md) #### [Microsoft recommended block rules](microsoft-recommended-block-rules.md) ### [Audit WDAC policies](audit-windows-defender-application-control-policies.md) ### [Merge WDAC policies](merge-windows-defender-application-control-policies.md) +### [Deploy multiple WDAC policies](deploy-multiple-windows-defender-application-control-policies.md) ### [Enforce WDAC policies](enforce-windows-defender-application-control-policies.md) +### [Allow COM object registration](allow-com-object-registration-in-windows-defender-application-control-policy.md) ### [Deploy WDAC with a managed installer](use-windows-defender-application-control-with-managed-installer.md) ### [Deploy WDAC with Intelligent Security Graph (ISG)](use-windows-defender-application-control-with-intelligent-security-graph.md) ### [Deploy WDAC policies using Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md) diff --git a/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md b/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md new file mode 100644 index 0000000000..c33eca6f6f --- /dev/null +++ b/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md @@ -0,0 +1,78 @@ +--- +title: Allow COM object registration in a Windows Defender Application Control policy (Windows 10) +description: You can allow COM object registration in a Windows Defender Application Control policy. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +author: mdsakibMSFT +ms.date: 05/21/2019 +--- + +# Allow COM object registration in a Windows Defender Application Control policy + +**Applies to:** + +- Windows 10 +- Windows Server 2016 + +>[!IMPORTANT] +>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +The [Microsoft Component Object Model (COM)](https://docs.microsoft.com/windows/desktop/com/the-component-object-model) is a platform-independent, distributed, object-oriented system for creating binary software components that can interact. COM specifies an object model and programming requirements that enable COM objects to interact with other objects. + +### COM object configurability in WDAC policy + +Prior to the Windows 10 1903 update, Windows Defender Application Control (WDAC) enforced a built-in allow list for COM object registration. While this mechanism works for most common application usage scenarios, customers have provided feedback that there are cases where additional COM objects need to be allowed. The 1903 update to Windows 10 introduces the ability to specify allowed COM objects via their GUID in the WDAC policy. + +### Get COM object GUID + +Get GUID of application to allow in one of the following ways: +- Finding block event in Event Viewer (Application and Service Logs > Microsoft > Windows > AppLocker > MSI and Script) and extracting GUID +- Creating audit policy (using New-CIPolicy –Audit), potentially with specific provider, and use info from block events to get GUID + +### Author policy setting to allow or deny COM object GUID + +Three elements: +- Provider: platform on which code is running (values are Powershell, WSH, IE, VBA, MSI, or a wildcard “AllHostIds”) +- Key: GUID for the program you with to run, in the format Key="{33333333-4444-4444-1616-161616161616}" +- ValueName: needs to be set to "EnterpriseDefinedClsId" + +One attribute: +- Value: needs to be “true” for allow and “false” for deny + - Note that deny only works in base policies, not supplemental +- The setting needs to be placed in the order of ASCII values (first by Provider, then Key, then ValueName) + +### Examples + +Example 1: Allows registration of all COM object GUIDs in any provider + +```xml +
+ - [Path-Based Rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/create-path-based-rules): The path condition identifies an app by its location in the file system of the computer or on the network instead of a signer or hash identifier. Additionally, WDAC has an option that allows admins to enforce at runtime that only code from paths that are not user-writeable is executed. When code tries to execute at runtime, the directory is scanned and files will be checked for write permissions for non-known admins. If a file is found to be user writeable, the executable is blocked from running unless it is authorized by something other than a path rule like a signer or hash rule.
This brings WDAC to functionality parity with AppLocker in terms of support for file path rules. WDAC improves upon the security of policies based on file path rules with the availability of the user-writability permission checks at runtime time, which is a capability that is not available with AppLocker. - - [Allow COM Object Registration](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md): Previously, WDAC enforced a built-in allow list for COM object registration. While this mechanism works for most common application usage scenarios, customers have provided feedback that there are cases where additional COM objects need to be allowed. The 1903 update to Windows 10 introduces the ability to specify allowed COM objects via their GUID in the WDAC policy. + - [Allow COM Object Registration](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy): Previously, WDAC enforced a built-in allow list for COM object registration. While this mechanism works for most common application usage scenarios, customers have provided feedback that there are cases where additional COM objects need to be allowed. The 1903 update to Windows 10 introduces the ability to specify allowed COM objects via their GUID in the WDAC policy. ### Identity Protection