diff --git a/browsers/internet-explorer/ie11-deploy-guide/deprecated-document-modes.md b/browsers/internet-explorer/ie11-deploy-guide/deprecated-document-modes.md index 0be45f20c1..e624e6db2e 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/deprecated-document-modes.md +++ b/browsers/internet-explorer/ie11-deploy-guide/deprecated-document-modes.md @@ -10,7 +10,6 @@ title: Deprecated document modes and Internet Explorer 11 (Internet Explorer 11 ms.sitesec: library --- - # Deprecated document modes and Internet Explorer 11 **Applies to:** @@ -25,8 +24,8 @@ Windows Internet Explorer 8 introduced document modes as a way to move from the This means that while Internet Explorer 11 will continue to support document modes, Microsoft Edge won’t. And because of that, it also means that if you want to use Microsoft Edge, you’re going to have to update your legacy webpages and apps to support modern features, browsers, and devices. -**Note**
-For specific details about the technologies and APIs that are no longer supported in Microsoft Edge, see [A break from the past, part 2: Saying goodbye to ActiveX, VBScript, attachEvent](https://go.microsoft.com/fwlink/p/?LinkId=615953). +>**Note**
+>For specific details about the technologies and APIs that are no longer supported in Microsoft Edge, see [A break from the past, part 2: Saying goodbye to ActiveX, VBScript, attachEvent](https://go.microsoft.com/fwlink/p/?LinkId=615953). ## What is document mode? Each release after Internet Explorer 8 has helped with the transition by introducing additional document modes that emulated previously supported versions, while also introducing support for features defined by industry standards. During this time, numerous websites and apps were updated to the latest and greatest industry standards, while many other sites and apps continued to simply rely on document modes to work properly. @@ -41,7 +40,8 @@ The compatibility improvements made in IE11 lets older websites just work in the ## Document mode selection flowchart This flowchart shows how IE11 works when document modes are used. -![Flowchart detailing how document modes are chosen in IE11](images/docmodeflow2.png) +![Flowchart detailing how document modes are chosen in IE11](images/docmode-decisions-sm.png)
+[Click this link to enlarge image](img-ie11-docmode-lg.md) ## Known Issues with Internet Explorer 8 document mode in Enterprise Mode The default document mode for Enterprise Mode is Internet Explorer 8. While this mode provides a strong emulation of that browser, it isn’t an exact match. For example, Windows Internet Explorer 9 fundamentally changed how document modes work with iframes and document modes can’t undo architectural changes. It’s also a known issue that Windows 10 supports GDI font rendering while using Enterprise Mode, but uses natural metrics once outside of Enterprise Mode. diff --git a/browsers/internet-explorer/ie11-deploy-guide/images/docmode-decisions-lg.png b/browsers/internet-explorer/ie11-deploy-guide/images/docmode-decisions-lg.png new file mode 100644 index 0000000000..07a182461b Binary files /dev/null and b/browsers/internet-explorer/ie11-deploy-guide/images/docmode-decisions-lg.png differ diff --git a/browsers/internet-explorer/ie11-deploy-guide/images/docmode-decisions-sm.png b/browsers/internet-explorer/ie11-deploy-guide/images/docmode-decisions-sm.png new file mode 100644 index 0000000000..c887d9c193 Binary files /dev/null and b/browsers/internet-explorer/ie11-deploy-guide/images/docmode-decisions-sm.png differ diff --git a/browsers/internet-explorer/ie11-deploy-guide/images/docmodeflow2.png b/browsers/internet-explorer/ie11-deploy-guide/images/docmodeflow2.png deleted file mode 100644 index 63df4ea8ff..0000000000 Binary files a/browsers/internet-explorer/ie11-deploy-guide/images/docmodeflow2.png and /dev/null differ diff --git a/browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md b/browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md new file mode 100644 index 0000000000..77b1ad1227 --- /dev/null +++ b/browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md 
@@ -0,0 +1,11 @@ +--- +description: A full-sized view of how document modes are chosen in IE11. +title: Full-sized flowchart detailing how document modes are chosen in IE11 +--- + +Return to: [Deprecated document modes and Internet Explorer 11](deprecated-document-modes.md)
+ +

+ Full-sized flowchart detailing how document modes are chosen in IE11 +

+ diff --git a/devices/hololens/TOC.md b/devices/hololens/TOC.md index 38959bbbb4..a1e744e8fe 100644 --- a/devices/hololens/TOC.md +++ b/devices/hololens/TOC.md @@ -1,7 +1,7 @@ # [Microsoft HoloLens](index.md) ## [HoloLens in the enterprise: requirements](hololens-requirements.md) ## [Set up HoloLens](hololens-setup.md) -## [Upgrade to Windows Holographic Enterprise](hololens-upgrade-enterprise.md) +## [Unlock Windows Holographic Enterprise features](hololens-upgrade-enterprise.md) ## [Enroll HoloLens in MDM](hololens-enroll-mdm.md) ## [Set up HoloLens in kiosk mode](hololens-kiosk.md) ## [Configure HoloLens using a provisioning package](hololens-provisioning.md) diff --git a/devices/hololens/hololens-upgrade-enterprise.md b/devices/hololens/hololens-upgrade-enterprise.md index ab3a5920df..c931421935 100644 --- a/devices/hololens/hololens-upgrade-enterprise.md +++ b/devices/hololens/hololens-upgrade-enterprise.md @@ -1,5 +1,5 @@ --- -title: Upgrade to Windows Holographic Enterprise (HoloLens) +title: Unlock Windows Holographic Enterprise features (HoloLens) description: HoloLens provides extra features designed for business when you upgrade to Windows Holographic Enterprise. ms.prod: w10 ms.mktglfcycl: manage @@ -8,7 +8,7 @@ ms.sitesec: library author: jdeckerMS --- -# Upgrade to Windows Holographic Enterprise +# Unlock Windows Holographic Enterprise features Microsoft HoloLens is available in the *Development Edition*, which runs Windows Holographic (an edition of Windows 10 designed for HoloLens), and in the [Commercial Suite](https://developer.microsoft.com/windows/holographic/release_notes#introducing_microsoft_hololens_commercial_suite), which provides extra features designed for business. diff --git a/devices/hololens/index.md b/devices/hololens/index.md index 401b51e645..d279a9a072 100644 --- a/devices/hololens/index.md +++ b/devices/hololens/index.md 
@@ -21,7 +21,7 @@ author: jdeckerMS | --- | --- | | [HoloLens in the enterprise: requirements](hololens-requirements.md) | Lists requirements for general use, Wi-Fi, and device management | | [Set up HoloLens](hololens-setup.md) | How to set up HoloLens for the first time | -| [Upgrade to Windows Holographic Enterprise](hololens-upgrade-enterprise.md) | How to upgrade your Development Edition HoloLens to Windows Holographic Enterprise| +| [Unlock Windows Holographic Enterprise features](hololens-upgrade-enterprise.md) | How to upgrade your Development Edition HoloLens to Windows Holographic Enterprise| | [Enroll HoloLens in MDM](hololens-enroll-mdm.md) | Manage multiple HoloLens devices simultaneously using solutions like Microsoft InTune | | [Set up HoloLens in kiosk mode](hololens-kiosk.md) | Enable kiosk mode for HoloLens, which limits the user's ability to launch new apps or change the running app | | [Configure HoloLens using a provisioning package](hololens-provisioning.md) | Provisioning packages make it easy for IT administrators to configure HoloLens devices without imaging | diff --git a/devices/surface-hub/admin-group-management-for-surface-hub.md b/devices/surface-hub/admin-group-management-for-surface-hub.md index 0278b24569..7607199209 100644 --- a/devices/surface-hub/admin-group-management-for-surface-hub.md +++ b/devices/surface-hub/admin-group-management-for-surface-hub.md 
@@ -74,7 +74,7 @@ If your organization is using AD or Azure AD, we recommend you either domain joi |---------------------------------------------------|-----------------------------------------|-------| | Create a local admin account | None | The user name and password specified during first run | | Domain join to Active Directory (AD) | Your organization uses AD | Any AD user from a specific security group in your domain | -| Azure Active Directory (Azure AD) join the device | Your organization uses Azure AD Basic | Global administators only | +| Azure Active Directory (Azure AD) join the device | Your organization uses Azure AD Basic | Global administrators only | |   | Your organization uses Azure AD Premium or Enterprise Mobility Suite (EMS) | Global administrators and additional administrators | diff --git a/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md b/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md index c82891ed56..76275e3ec8 100644 --- a/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md +++ b/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md 
@@ -1620,7 +1620,7 @@ In the following cmdlets, `$strPolicy` is the name of the ActiveSync policy, and Note that in order to run the cmdlets, you need to set up a remote PowerShell session and: -- Your admin account must be remote-PowerShell-enabled. This allows the admin to use the PowerShell cmdlets that are needed by the script. (This permission can be set using set-user `$admin -RemotePowerShellEnabled $true`) +- Your admin account must be remote-PowerShell-enabled. This allows the admin to use the PowerShell cmdlets that are needed by the script. (This permission can be set using `set-user $admin -RemotePowerShellEnabled $true`) - Your admin account must have the "Reset Password" role if you plan to run the creation scripts. This allows the admin to change the password of the account, which is needed for the script. The Reset Password Role can be enabled using the Exchange Admin Center. Create the policy. @@ -1667,7 +1667,7 @@ This retrieves device information for every device that the account has been pro For a device account to automatically accept or decline meeting requests based on its availability, the **AutomateProcessing** attribute must be set to **AutoAccept**. This is recommended as to prevent overlapping meetings. ```PowerShell -Set-CalendarProcessing $ strRoomUpn -AutomateProcessing AutoAccept +Set-CalendarProcessing $strRoomUpn -AutomateProcessing AutoAccept ``` ### Accepting external meeting requests diff --git a/devices/surface-hub/change-history-surface-hub.md b/devices/surface-hub/change-history-surface-hub.md index 7439819195..f974394314 100644 --- a/devices/surface-hub/change-history-surface-hub.md +++ b/devices/surface-hub/change-history-surface-hub.md 
@@ -18,6 +18,7 @@ This topic lists new and updated topics in the [Surface Hub Admin Guide]( surfac | New or changed topic | Description| | --- | --- | +| [Connect other devices and display with Surface Hub](connect-and-display-with-surface-hub.md) | Added information about Bluetooth accessories. | | [Manage settings with an MDM provider](manage-settings-with-mdm-for-surface-hub.md) | Updated example procedures to include screenshots. | ## November 2016 diff --git a/devices/surface-hub/connect-and-display-with-surface-hub.md b/devices/surface-hub/connect-and-display-with-surface-hub.md index 28001227cc..895bb29632 100644 --- a/devices/surface-hub/connect-and-display-with-surface-hub.md +++ b/devices/surface-hub/connect-and-display-with-surface-hub.md @@ -13,7 +13,7 @@ localizationpriority: medium # Connect other devices and display with Surface Hub -You can connect other devices to your Microsoft Surface Hub to display content. This topic describes the Guest Mode, Replacement PC Mode, and Video Out functionality available through wired connections. +You can connect other devices to your Microsoft Surface Hub to display content. This topic describes the Guest Mode, Replacement PC Mode, and Video Out functionality available through wired connections, and also lists accessories that you can connect to Surface Hub using [Bluetooth](#bluetooth-accessories). ## Which method should I choose? @@ -470,3 +470,14 @@ Video Out port on the 84" Surface Hub +## Bluetooth accessories + +You can connect the following accessories to Surface Hub using Bluetooth: + +- Mice +- Keyboards +- Headsets +- Speakers + +>[!NOTE] +>After you connect a Bluetooth headset or speaker, you might need to change the [default microphone and speaker settings](local-management-surface-hub-settings.md). \ No newline at end of file 
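Review bot: the new "Bluetooth accessories" section in the connect-and-display hunk says what can be paired but not who is allowed to pair it or how an admin disables Bluetooth on a device that lives in a shared meeting room; add a sentence on how pairing is controlled, linking to the relevant settings topic the way the NOTE already links to `local-management-surface-hub-settings.md` for the microphone and speaker defaults. Also, the hunk ends with `\ No newline at end of file`; add the trailing newline.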
diff --git a/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md b/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md index ceb0a4bc73..f7ae7893c5 100644 --- a/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md +++ b/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md @@ -53,7 +53,7 @@ Use this procedure if you use Exchange on-prem. ```ps1 Set-ExecutionPolicy Unrestricted $cred=Get-Credential -Message "Please use your Office 365 admin credentials" - $sess= New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri 'https://outlook.office365.com/ps1-liveid/' -Credential $cred -Authentication Basic -AllowRedirection + $sess= New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri 'https://ps.outlook.com/powershell' -Credential $cred -Authentication Basic -AllowRedirection Import-PSSession $sess ``` diff --git a/devices/surface-hub/manage-windows-updates-for-surface-hub.md b/devices/surface-hub/manage-windows-updates-for-surface-hub.md index 2d077cb622..40fdda11b1 100644 --- a/devices/surface-hub/manage-windows-updates-for-surface-hub.md +++ b/devices/surface-hub/manage-windows-updates-for-surface-hub.md @@ -94,7 +94,7 @@ Once you've determined deployment rings for your Surface Hubs, configure update ## Use Windows Server Update Services -You can connect Surface Hub to your indows Server Update Services (WSUS) server to manage updates. Updates will be controlled through approvals or automatic deployment rules configured in your WSUS server, so new upgrades will not be deployed until you choose to deploy them. +You can connect Surface Hub to your Windows Server Update Services (WSUS) server to manage updates. Updates will be controlled through approvals or automatic deployment rules configured in your WSUS server, so new upgrades will not be deployed until you choose to deploy them. **To manually connect a Surface Hub to a WSUS server:** 1. Open **Settings** on your Surface Hub. 
diff --git a/devices/surface-hub/online-deployment-surface-hub-device-accounts.md b/devices/surface-hub/online-deployment-surface-hub-device-accounts.md index 853813a012..571a848679 100644 --- a/devices/surface-hub/online-deployment-surface-hub-device-accounts.md +++ b/devices/surface-hub/online-deployment-surface-hub-device-accounts.md @@ -103,7 +103,7 @@ If you have a pure, online (O365) deployment, then you can [use the provided Pow - You'll need to have Lync Online (Plan 2) or higher in your O365 plan. The plan needs to support conferencing capability. - If you need Enterprise Voice (PSTN telephony) using telephony service providers for the Surface Hub, you need Lync Online (Plan 3). - Your tenant users must have Exchange mailboxes. - - Your Surface Hub account does require a Lync Online (Plan 2) or Lync Online (Plan 3) license, but it does not require an Exchange Online license. + - Your device account needs a Lync Online (Plan 2) or Lync Online (Plan 3) license, but it does not require an Exchange Online license. @@ -139,7 +139,8 @@ If you have a pure, online (O365) deployment, then you can [use the provided Pow - In the **Assign licenses** section, you need to select Skype for Business (Plan 2) or Skype for Business (Plan 3), depending on your licensing and what you've decided in terms of needing Enterprise Voice. You'll have to use a Plan 3 license if you want to use Enterprise Voice on your Surface Hub. - Click **Save** and you're done. ->**Note**: It's also possible to use the Windows Azure Active Directory Module for Windows PowerShell to run the cmdlets needed to assign one of these licenses, but that's not covered here. +>[!NOTE] +>It's also possible to use the Windows Azure Active Directory Module for Windows PowerShell to run the cmdlets needed to assign one of these licenses, but that's not covered here. For validation, you should be able to use any Skype for Business client (PC, Android, etc) to log in to this account. 
diff --git a/devices/surface/change-history-for-surface.md b/devices/surface/change-history-for-surface.md index b3601e729a..5c29629a05 100644 --- a/devices/surface/change-history-for-surface.md +++ b/devices/surface/change-history-for-surface.md @@ -11,6 +11,13 @@ author: jdeckerMS This topic lists new and updated topics in the Surface documentation library. +## December 2016 + +|New or changed topic | Description | +| --- | --- | +|[Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md) | Added driver info for Surface Studio; updated info for Surface Book and Surface Pro 4 (Windows 10 .zip cumulative update), Surface Pro 3 (Windows8.1-KB2969817-x64.msu), and Surface 3 (UEFI Asset Tag management tool)| + + ## November 2016 |New or changed topic | Description | diff --git a/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md b/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md index 8a5ff4b34e..f4d12836a2 100644 --- a/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md +++ b/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md 
@@ -35,14 +35,21 @@ Recent additions to the downloads for Surface devices provide you with options t >**Note:**  A battery charge of 40% or greater is required before you install firmware to a Surface device. See [Microsoft Support article KB2909710](https://support.microsoft.com/en-us/kb/2909710) for more information. -  +## Surface Studio + +Download the following updates for [Surface Studio from the Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=54311). + +* SurfaceStudio_Win10_xxxxxx.msi – Cumulative firmware and driver update package for Windows 10 + ## Surface Book Download the following updates [for Surface Book from the Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=49497). -- SurfaceBook\_Win10\_xxxxxx.msi – Cumulative firmware and driver update package for Windows 10 +- SurfaceBook_Win10_xxxxxx.msi – Cumulative firmware and driver update package for Windows 10 + +- SurfaceBook_Win10_xxxxxx.zip – Cumulative firmware and driver update package for Windows 10 - Wintab-xxxxx-64-bit.zip – Tablet driver update for all supported x64-based versions of Windows 8.1 @@ -51,7 +58,9 @@ Download the following updates [for Surface Book from the Microsoft Download Cen Download the following updates for [Surface Pro 4 from the Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=49498). -- SurfacePro4\_Win10\_xxxxxx.msi – Cumulative firmware and driver update package for Windows 10 +- SurfacePro4_Win10_xxxxxx.msi – Cumulative firmware and driver update package for Windows 10 + +- SurfacePro4_Win10_xxxxxx.zip – Cumulative firmware and driver update package for Windows 10 - Wintab-xxxxx-64-bit.zip – Tablet driver update for all supported x64-based versions of Windows 8.1 
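Review bot: the added `SurfacePro4_Win10_xxxxxx.zip` line carries exactly the same description as the `.msi` line above it ("Cumulative firmware and driver update package for Windows 10"), so a reader cannot tell which package to download for a given deployment method; the same applies to the `SurfaceBook_Win10_xxxxxx.zip` line added in the Surface Book hunk. State the intended use of each (for example, `.msi` for interactive or scripted install, `.zip` for extracting drivers into a deployment share) so the two entries are not interchangeable.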
@@ -60,26 +69,22 @@ Download the following updates for [Surface Pro 4 from the Microsoft Download Ce Download the following updates [for Surface Pro 3 from the Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=38826). -- SurfacePro3\_Win10\_xxxxxx.msi – Cumulative firmware and driver update package for Windows 10 +- SurfacePro3_Win10_xxxxxx.msi – Cumulative firmware and driver update package for Windows 10 -- SurfacePro3\_Win10\_xxxxxx.zip – Cumulative firmware and driver update package for Windows 10 +- SurfacePro3_Win10_xxxxxx.zip – Cumulative firmware and driver update package for Windows 10 -- SurfacePro3\_xxxxxx.msi – Cumulative firmware and driver update package for Windows 8.1 Pro +- SurfacePro3_Win8x_xxxxxx.msi – Cumulative firmware and driver update package for Windows 8.1 Pro -- SurfacePro3\_xxxxxx.zip – Cumulative firmware and driver update package for Windows 8.1 Pro +- SurfacePro3_Win8x_xxxxxx.zip – Cumulative firmware and driver update package for Windows 8.1 Pro - Surface Firmware Tool.msi – Firmware tools for UEFI management -- Surface Ethernet Adapter.zip – x64 Ethernet adapter drivers - -- Surface Gigabit Ethernet Adapter.zip – x64 Ethernet adapter drivers - - Surface Pro 3 AssetTag.zip – UEFI Asset Tag management tool -- Surface Pro 3 Driver Set.ppkg – Deployment Asset Provisioning Package for Windows 10 - - Surface Pro 3 KB2978002.zip – Update for Quick Note-Taking Experience feature in Windows 8.1 +- Windows8.1-KB2969817-x64.msu – Fixes an issue that causes Surface devices to reboot twice after firmware updates are installed on all supported x64-based versions of Windows 8.1 + - Wintab-xxxxx-64-bit.zip – Tablet driver update for all supported x64-based versions of Windows 8.1 ## Surface 3 
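Review bot: this hunk silently drops three Surface Pro 3 entries (`Surface Ethernet Adapter.zip`, `Surface Gigabit Ethernet Adapter.zip`, and `Surface Pro 3 Driver Set.ppkg`), and the Ethernet adapter entries are removed from every Surface 3 list further down as well, but the December change-history row added in this patch mentions only the new `Windows8.1-KB2969817-x64.msu`. Either record the removals in the change history or add a line telling readers where the Ethernet adapter drivers are now published, otherwise admins who scripted around those filenames will not know why they disappeared.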
@@ -87,15 +92,15 @@ Download the following updates [for Surface Pro 3 from the Microsoft Download Ce Download the following updates [for Surface 3 from the Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=49040). -- Surface3\_Win10\_xxxxxx.zip – Cumulative firmware and driver update package for Windows 10 +- Surface3_WiFi_Win10_xxxxxx.msi – Cumulative firmware and driver update package for Windows 10 -- Surface3\_Win8x\_xxxxxx.msi – Cumulative firmware and driver update package for Windows 8.1 Pro +- Surface3_WiFi_Win10_xxxxxx.zip – Cumulative firmware and driver update package for Windows 10 -- Surface3\_Win8x\_xxxxxx.zip – Cumulative firmware and driver update package for Windows 8.1 Pro +- Surface3_WiFi_Win8x_xxxxxx.msi – Cumulative firmware and driver update package for Windows 8.1 Pro -- Surface Ethernet Adapter.zip – x64 Ethernet adapter drivers +- Surface3_WiFi_Win8x_xxxxxx.zip – Cumulative firmware and driver update package for Windows 8.1 Pro -- Surface Gigabit Ethernet Adapter.zip – x64 Ethernet adapter drivers +- Surface 3 AssetTag.zip – UEFI Asset Tag management tool - Wintab-xxxxx-64-bit.zip – Tablet driver update for all supported x64-based versions of Windows 8.1 
@@ -104,49 +109,43 @@ Download the following updates [for Surface 3 from the Microsoft Download Center Download the following updates [for AT&T 4G LTE versions of Surface 3 from the Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=49039). -- Surface3\_US1\_Win10\_xxxxxx.msi – Surface 3 LTE AT&T - Cumulative firmware and driver update for locked carrier dependent AT&T devices in the US, running Windows 10 +- Surface3_4GLTE-ATT_Win10_xxxxxx.msi – Surface 3 LTE AT&T - Cumulative firmware and driver update for locked carrier dependent AT&T devices in the US, running Windows 10 -- Surface3\_US1\_Win10\_xxxxxx.zip – Surface 3 LTE AT&T - Cumulative firmware and driver update for locked carrier dependent AT&T devices in the US, running Windows 10 +- Surface3_4GLTE-ATT_Win10_xxxxxx.zip – Surface 3 LTE AT&T - Cumulative firmware and driver update for locked carrier dependent AT&T devices in the US, running Windows 10 -- Surface3\_US1\_Win8x\_xxxxxx.msi – Surface 3 LTE AT&T - Cumulative firmware and driver update for locked carrier dependent AT&T devices in the US, running Windows 8.1 Pro +- Surface3_4GLTE-ATT_Win8x_xxxxxx.msi – Surface 3 LTE AT&T - Cumulative firmware and driver update for locked carrier dependent AT&T devices in the US, running Windows 8.1 Pro -- Surface3\_US1\_Win8x\_xxxxxx.zip – Surface 3 LTE AT&T - Cumulative firmware and driver update for locked carrier dependent AT&T devices in the US, running Windows 8.1 Pro +- Surface3_4GLTE-ATT_Win8x_xxxxxx.zip – Surface 3 LTE AT&T - Cumulative firmware and driver update for locked carrier dependent AT&T devices in the US, running Windows 8.1 Pro -- Surface Ethernet Adapter.zip – x64 Ethernet adapter drivers - -- Surface Gigabit Ethernet Adapter.zip – x64 Ethernet adapter drivers +- Surface 3 AssetTag.zip – UEFI Asset Tag management tool - Wintab-xxxxx-64-bit.zip – Tablet driver update for all supported x64-based versions of Windows 8.1 Download the following updates [for non-AT&T 4G LTE 
versions of Surface 3 from the Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=49037). -- Surface3\_NAG\_Win10\_xxxxxx.msi – Surface 3 LTE North America - Cumulative firmware and driver update for unlocked carrier independent devices in the US, running Windows 10 +- Surface3_4GLTE-NorthAmericaUnlocked_Win10_xxxxxx.msi – Surface 3 LTE North America - Cumulative firmware and driver update for unlocked carrier independent devices in the US, running Windows 10 -- Surface3\_NAG\_Win10\_xxxxxx.zip – Surface 3 LTE North America - Cumulative firmware and driver update for unlocked carrier independent devices in the US, running Windows 10 +- Surface3_4GLTE-NorthAmericaUnlocked_Win10_xxxxxx.zip – Surface 3 LTE North America - Cumulative firmware and driver update for unlocked carrier independent devices in the US, running Windows 10 -- Surface3\_NAG\_Win8x\_xxxxxx.msi – Surface 3 LTE North America - Cumulative firmware and driver update for unlocked carrier independent devices in the US, running Windows 8.1 Pro +- Surface3_4GLTE-NorthAmericaUnlocked_Win8x_xxxxxx.msi – Surface 3 LTE North America - Cumulative firmware and driver update for unlocked carrier independent devices in the US, running Windows 8.1 Pro -- Surface3\_NAG\_Win8x\_xxxxxx.zip – Surface 3 LTE North America - Cumulative firmware and driver update for unlocked carrier independent devices in the US, running Windows 8.1 Pro +- Surface3_4GLTE-NorthAmericaUnlocked_Win8x_xxxxxx.zip – Surface 3 LTE North America - Cumulative firmware and driver update for unlocked carrier independent devices in the US, running Windows 8.1 Pro -- Surface Ethernet Adapter.zip – x64 Ethernet adapter drivers - -- Surface Gigabit Ethernet Adapter.zip – x64 Ethernet adapter drivers +- Surface 3 AssetTag.zip – UEFI Asset Tag management tool - Wintab-xxxxx-64-bit.zip – Tablet driver update for all supported x64-based versions of Windows 8.1 Download the following updates [for 4G LTE Surface 3 versions for 
regions outside North America from the Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=49041). -- Surface3\_ROW\_Win10\_xxxxxx.msi – Surface 3 LTE rest of the world cumulative - Cumulative firmware and driver update for carrier independent devices outside of the US, as well as for Japan, running Windows 10 +- Surface3_4GLTE-RestOfTheWorld_Win10_xxxxxx.msi – Surface 3 LTE rest of the world cumulative - Cumulative firmware and driver update for carrier independent devices outside of the US, as well as for Japan, running Windows 10 -- Surface3\_ROW\_Win10\_xxxxxx.zip – Surface 3 LTE rest of the world cumulative - Cumulative firmware and driver update for carrier independent devices outside of the US, as well as for Japan, running Windows 10 +- Surface3_4GLTE-RestOfTheWorld_Win10_xxxxxx.zip – Surface 3 LTE rest of the world cumulative - Cumulative firmware and driver update for carrier independent devices outside of the US, as well as for Japan, running Windows 10 -- Surface3\_ROW\_Win8x\_xxxxxx.msi – Surface 3 LTE rest of the world cumulative - Cumulative firmware and driver update for carrier independent devices outside of the US, as well as for Japan, running Windows 8.1 Pro +- Surface3_4GLTE-RestOfTheWorld_Win8x_xxxxxx.msi – Surface 3 LTE rest of the world cumulative - Cumulative firmware and driver update for carrier independent devices outside of the US, as well as for Japan, running Windows 8.1 Pro -- Surface3\_ROW\_Win8x\_xxxxxx.zip – Surface 3 LTE rest of the world cumulative - Cumulative firmware and driver update for carrier independent devices outside of the US, as well as for Japan, running Windows 8.1 Pro +- Surface3_4GLTE-RestOfTheWorld_Win8x_xxxxxx.zip – Surface 3 LTE rest of the world cumulative - Cumulative firmware and driver update for carrier independent devices outside of the US, as well as for Japan, running Windows 8.1 Pro -- Surface Ethernet Adapter.zip – x64 Ethernet adapter drivers - -- Surface Gigabit Ethernet 
Adapter.zip – x64 Ethernet adapter drivers +- Surface 3 AssetTag.zip – UEFI Asset Tag management tool - Wintab-xxxxx-64-bit.zip – Tablet driver update for all supported x64-based versions of Windows 8.1 diff --git a/education/windows/TOC.md b/education/windows/TOC.md index 8411e8ef7f..c2c0340c07 100644 --- a/education/windows/TOC.md +++ b/education/windows/TOC.md @@ -17,5 +17,6 @@ ## [Deployment recommendations for school IT administrators](edu-deployment-recommendations.md) ## [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md) ## [Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md) +## [Upgrade Windows 10 Pro to Pro Education from Windows Store for Business](windows-10-pro-to-pro-edu-upgrade.md) ## [Chromebook migration guide](chromebook-migration-guide.md) ## [Change history for Windows 10 for Education](change-history-edu.md) diff --git a/education/windows/change-history-edu.md b/education/windows/change-history-edu.md index 3ce92ed3d0..9fabe579b5 100644 --- a/education/windows/change-history-edu.md +++ b/education/windows/change-history-edu.md @@ -12,6 +12,11 @@ author: jdeckerMS This topic lists new and updated topics in the [Windows 10 for Education](index.md) documentation. +## December 2016 +| New or changed topic | Description | +| --- | --- | +| [Upgrade Windows 10 Pro to Pro Education from Windows Store for Business](windows-10-pro-to-pro-edu-upgrade.md) | New. Learn how to opt-in to a free upgrade to Windows 10 Pro Education. | + ## November 2016 | New or changed topic | Description| diff --git a/education/windows/images/win-10-activated-enterprise-subscription-active.png b/education/windows/images/win-10-activated-enterprise-subscription-active.png new file mode 100644 index 0000000000..eb888b23b5 Binary files /dev/null and b/education/windows/images/win-10-activated-enterprise-subscription-active.png differ 
diff --git a/education/windows/images/win-10-activated-enterprise-subscription-not-active.png b/education/windows/images/win-10-activated-enterprise-subscription-not-active.png new file mode 100644 index 0000000000..e4ac7398be Binary files /dev/null and b/education/windows/images/win-10-activated-enterprise-subscription-not-active.png differ diff --git a/education/windows/images/win-10-connect-to-work-or-school.png b/education/windows/images/win-10-connect-to-work-or-school.png new file mode 100644 index 0000000000..844b08de56 Binary files /dev/null and b/education/windows/images/win-10-connect-to-work-or-school.png differ diff --git a/education/windows/images/win-10-lets-get-2.png b/education/windows/images/win-10-lets-get-2.png new file mode 100644 index 0000000000..0962cba642 Binary files /dev/null and b/education/windows/images/win-10-lets-get-2.png differ diff --git a/education/windows/images/win-10-not-activated-enterprise-subscription-active.png b/education/windows/images/win-10-not-activated-enterprise-subscription-active.png new file mode 100644 index 0000000000..5fedfe5d06 Binary files /dev/null and b/education/windows/images/win-10-not-activated-enterprise-subscription-active.png differ diff --git a/education/windows/images/win-10-not-activated-enterprise-subscription-not-active.png b/education/windows/images/win-10-not-activated-enterprise-subscription-not-active.png new file mode 100644 index 0000000000..84e39071db Binary files /dev/null and b/education/windows/images/win-10-not-activated-enterprise-subscription-not-active.png differ diff --git a/education/windows/images/win-10-pro-edu-activated-subscription-active.png b/education/windows/images/win-10-pro-edu-activated-subscription-active.png new file mode 100644 index 0000000000..d29fa0e0e5 Binary files /dev/null and b/education/windows/images/win-10-pro-edu-activated-subscription-active.png differ 
diff --git a/education/windows/images/win-10-pro-edu-not-activated-subscription-active.PNG b/education/windows/images/win-10-pro-edu-not-activated-subscription-active.PNG new file mode 100644 index 0000000000..8e9242c0ba Binary files /dev/null and b/education/windows/images/win-10-pro-edu-not-activated-subscription-active.PNG differ diff --git a/education/windows/images/win-10-set-up-work-or-school.png b/education/windows/images/win-10-set-up-work-or-school.png new file mode 100644 index 0000000000..7aeed81460 Binary files /dev/null and b/education/windows/images/win-10-set-up-work-or-school.png differ diff --git a/education/windows/images/windows-ad-connect.png b/education/windows/images/windows-ad-connect.png new file mode 100644 index 0000000000..195058f6f6 Binary files /dev/null and b/education/windows/images/windows-ad-connect.png differ diff --git a/education/windows/images/windows-choose-how.png b/education/windows/images/windows-choose-how.png new file mode 100644 index 0000000000..8e84535bfd Binary files /dev/null and b/education/windows/images/windows-choose-how.png differ diff --git a/education/windows/images/windows-connect-to-work-or-school.png b/education/windows/images/windows-connect-to-work-or-school.png new file mode 100644 index 0000000000..90e1b1131f Binary files /dev/null and b/education/windows/images/windows-connect-to-work-or-school.png differ diff --git a/education/windows/images/windows-lets-get-2.png b/education/windows/images/windows-lets-get-2.png new file mode 100644 index 0000000000..ef523d4af8 Binary files /dev/null and b/education/windows/images/windows-lets-get-2.png differ diff --git a/education/windows/images/windows-lets-get.png b/education/windows/images/windows-lets-get.png new file mode 100644 index 0000000000..582da1ab2d Binary files /dev/null and b/education/windows/images/windows-lets-get.png differ 
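Review bot: win-10-pro-edu-not-activated-subscription-active.PNG is the only new image in this set with an upper-case extension, while its siblings (win-10-pro-edu-activated-subscription-active.png and the rest) are lower-case; on a case-sensitive build host a reference spelled .png will not find this file, so rename it to win-10-pro-edu-not-activated-subscription-active.png and reference it in that spelling.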
diff --git a/education/windows/images/windows-set-up-work-or-school.png b/education/windows/images/windows-set-up-work-or-school.png new file mode 100644 index 0000000000..cebd87cff8 Binary files /dev/null and b/education/windows/images/windows-set-up-work-or-school.png differ diff --git a/education/windows/images/windows-sign-in.png b/education/windows/images/windows-sign-in.png new file mode 100644 index 0000000000..3029d3ef2b Binary files /dev/null and b/education/windows/images/windows-sign-in.png differ diff --git a/education/windows/images/windows-who-owns.png b/education/windows/images/windows-who-owns.png new file mode 100644 index 0000000000..c3008869d2 Binary files /dev/null and b/education/windows/images/windows-who-owns.png differ diff --git a/education/windows/images/windows.png b/education/windows/images/windows.png new file mode 100644 index 0000000000..9b312d7844 Binary files /dev/null and b/education/windows/images/windows.png differ diff --git a/education/windows/images/wsfb_win10_pro_education_enabled_for_org.png b/education/windows/images/wsfb_win10_pro_education_enabled_for_org.png new file mode 100644 index 0000000000..ea3d582d79 Binary files /dev/null and b/education/windows/images/wsfb_win10_pro_education_enabled_for_org.png differ diff --git a/education/windows/images/wsfb_win10_pro_education_launch.png b/education/windows/images/wsfb_win10_pro_education_launch.png new file mode 100644 index 0000000000..4e7b741227 Binary files /dev/null and b/education/windows/images/wsfb_win10_pro_education_launch.png differ diff --git a/education/windows/images/wsfb_win10_pro_education_order_confirmation.png b/education/windows/images/wsfb_win10_pro_education_order_confirmation.png new file mode 100644 index 0000000000..e35bbf64d5 Binary files /dev/null and b/education/windows/images/wsfb_win10_pro_education_order_confirmation.png differ 
diff --git a/education/windows/images/wsfb_win10_pro_education_order_options.png b/education/windows/images/wsfb_win10_pro_education_order_options.png new file mode 100644 index 0000000000..eaf93ece33 Binary files /dev/null and b/education/windows/images/wsfb_win10_pro_education_order_options.png differ diff --git a/education/windows/images/wsfb_win10_pro_education_refund_confirmation.png b/education/windows/images/wsfb_win10_pro_education_refund_confirmation.png new file mode 100644 index 0000000000..4749dafc44 Binary files /dev/null and b/education/windows/images/wsfb_win10_pro_education_refund_confirmation.png differ diff --git a/education/windows/images/wsfb_win10_pro_education_refund_order.png b/education/windows/images/wsfb_win10_pro_education_refund_order.png new file mode 100644 index 0000000000..813cfce309 Binary files /dev/null and b/education/windows/images/wsfb_win10_pro_education_refund_order.png differ diff --git a/education/windows/images/wsfb_win10_pro_to proedu_upgrade_disable.png b/education/windows/images/wsfb_win10_pro_to proedu_upgrade_disable.png new file mode 100644 index 0000000000..92aeb8ed19 Binary files /dev/null and b/education/windows/images/wsfb_win10_pro_to proedu_upgrade_disable.png differ diff --git a/education/windows/images/wsfb_win10_pro_to proedu_upgrade_eligibility_page.png b/education/windows/images/wsfb_win10_pro_to proedu_upgrade_eligibility_page.png new file mode 100644 index 0000000000..177c6e36df Binary files /dev/null and b/education/windows/images/wsfb_win10_pro_to proedu_upgrade_eligibility_page.png differ diff --git a/education/windows/images/wsfb_win10_pro_to proedu_upgrade_email_global_admins.png b/education/windows/images/wsfb_win10_pro_to proedu_upgrade_email_global_admins.png new file mode 100644 index 0000000000..8044a4cc91 Binary files /dev/null and b/education/windows/images/wsfb_win10_pro_to proedu_upgrade_email_global_admins.png differ 
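Review bot: the wsfb_win10_pro_to proedu_upgrade_*.png files added here carry a space inside the name (pro_to proedu), while the related wsfb_win10_pro_to_proedu_email_upgrade_link.png uses an underscore; a space inside a Markdown image target such as images/wsfb_win10_pro_to proedu_upgrade_disable.png is not handled portably by Markdown renderers, so rename these to wsfb_win10_pro_to_proedu_* and update the references in windows-10-pro-to-pro-edu-upgrade.md in the same change.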
diff --git a/education/windows/images/wsfb_win10_pro_to proedu_upgrade_enable.png b/education/windows/images/wsfb_win10_pro_to proedu_upgrade_enable.png new file mode 100644 index 0000000000..420b44513f Binary files /dev/null and b/education/windows/images/wsfb_win10_pro_to proedu_upgrade_enable.png differ diff --git a/education/windows/images/wsfb_win10_pro_to proedu_upgrade_summary.png b/education/windows/images/wsfb_win10_pro_to proedu_upgrade_summary.png new file mode 100644 index 0000000000..a507f56694 Binary files /dev/null and b/education/windows/images/wsfb_win10_pro_to proedu_upgrade_summary.png differ diff --git a/education/windows/images/wsfb_win10_pro_to_proedu_email_upgrade_link.png b/education/windows/images/wsfb_win10_pro_to_proedu_email_upgrade_link.png new file mode 100644 index 0000000000..a30869b8ea Binary files /dev/null and b/education/windows/images/wsfb_win10_pro_to_proedu_email_upgrade_link.png differ diff --git a/education/windows/index.md b/education/windows/index.md index d64f4ca4cc..549abcd666 100644 --- a/education/windows/index.md +++ b/education/windows/index.md @@ -42,6 +42,13 @@ author: CelesteDG [Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md)
Get step-by-step guidance on how to deploy Windows 10 to PCs and devices across a school district.

+ ## ![Deploy Windows 10 for education](images/windows.png) Upgrade + +
+

[Upgrade Windows 10 Pro to Pro Education from Windows Store for Business](windows-10-pro-to-pro-edu-upgrade.md)
If you have an education tenant and use Windows 10 Pro in your schools now, find out how you can opt-in to a free upgrade to Windows 10 Pro Education.

+
+ + ## Related topics - [Try it out: virtual labs and how-to videos for Windows 10 Education](https://technet.microsoft.com/en-us/windows/dn610356) diff --git a/education/windows/take-a-test-multiple-pcs.md b/education/windows/take-a-test-multiple-pcs.md index 7d5f5d6c0e..2eb0b2849a 100644 --- a/education/windows/take-a-test-multiple-pcs.md +++ b/education/windows/take-a-test-multiple-pcs.md @@ -17,8 +17,8 @@ author: jdeckerMS Many schools use online testing for formative and summative assessments. It's critical that students use a secure browser that prevents them from using other computer or Internet resources during the test. The **Take a Test** app in Windows 10, Version 1607, creates the right environment for taking a test: -- A Microsoft Edge browser window opens, showing just the test and nothing else. -- The clipboard is cleared. +- Take a Test shows just the test and nothing else. +- Take a Test clears the clipboard. - Students aren’t able to go to other websites. - Students can’t open or access other apps. - Students can't share, print, or record their screens. diff --git a/education/windows/take-a-test-single-pc.md b/education/windows/take-a-test-single-pc.md index 92667b4abd..5b6d36d46b 100644 --- a/education/windows/take-a-test-single-pc.md +++ b/education/windows/take-a-test-single-pc.md @@ -9,7 +9,7 @@ ms.pagetype: edu author: jdeckerMS --- -# Set up Take a Test on a single PC +# Set up Take a Test on a single PC **Applies to:** - Windows 10 @@ -17,8 +17,8 @@ author: jdeckerMS The **Take a Test** app in Windows 10, Version 1607, creates the right environment for taking a test: -- A Microsoft Edge browser window opens, showing just the test and nothing else. -- The clipboard is cleared. +- Take a Test shows just the test and nothing else. +- Take a Test clears the clipboard. - Students aren’t able to go to other websites. - Students can’t open or access other apps. - Students can't share, print, or record their screens. 
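Review bot: the heading change in take-a-test-single-pc.md (the removed and added "# Set up Take a Test on a single PC" lines are identical as displayed) is an invisible whitespace or non-breaking-space edit; confirm it is intended rather than an editor artefact. The bullet rewording applied to both take-a-test-multiple-pcs.md and take-a-test-single-pc.md ("Take a Test shows just the test and nothing else", "Take a Test clears the clipboard") drops the statement that the test opens in a Microsoft Edge browser window; since the surrounding text stresses that students must use a secure browser, keep that detail if it is still accurate. The two files duplicate the same list, so future wording changes need to be applied to both.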
@@ -28,6 +28,7 @@ The **Take a Test** app in Windows 10, Version 1607, creates the right environme > [!TIP] > To exit **Take a Test**, press Ctrl+Alt+Delete. + ## How you use Take a Test ![Use test account or test url in Take a Test](images/take-a-test-flow.png) @@ -38,7 +39,7 @@ The **Take a Test** app in Windows 10, Version 1607, creates the right environme ## Set up a dedicated test account - + @@ -60,10 +61,10 @@ The **Take a Test** app in Windows 10, Version 1607, creates the right environme ## Provide link to test -Anything hosted on the web can be presented in a locked down manner, not just assessments. To lock down online content, just embed a URL with a specific prefix and devices will be locked down when users follow the link. We recommend using this method for lower stakes assessments. +Anything hosted on the web can be presented in a locked down manner, not just assessments. To lock down online content, just embed a URL with a specific prefix and devices will be locked down when users follow the link. We recommend using this method for lower stakes assessments. 1. Create a link to the test URL. Use **ms-edu-secureassessment:** before the URL and **!enforceLockdown** after the URL. -``` +``` ms-edu-secureassessment:!enforceLockdown ``` > [!NOTE] @@ -79,9 +80,3 @@ ms-edu-secureassessment:!enforceLockdown [Set up Take a Test on multiple PCs](take-a-test-multiple-pcs.md) [Take a Test app technical reference](take-a-test-app-technical.md) - - - - - - diff --git a/education/windows/windows-10-pro-to-pro-edu-upgrade.md b/education/windows/windows-10-pro-to-pro-edu-upgrade.md new file mode 100644 index 0000000000..3ad9a94f5a --- /dev/null +++ b/education/windows/windows-10-pro-to-pro-edu-upgrade.md 
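Review bot: the code-fence line change in the "Provide link to test" hunk is whitespace-only, and the example it encloses, ms-edu-secureassessment:!enforceLockdown, contains no URL between the prefix and the suffix even though the step just above says to put ms-edu-secureassessment: before the URL and !enforceLockdown after it; add a placeholder URL to the example so readers do not copy an incomplete lockdown link. The sentence change in the same hunk ("Anything hosted on the web can be presented in a locked down manner…") is likewise invisible in the diff; verify both edits are intended. Removing the trailing blank lines at the end of the file is fine.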
@@ -0,0 +1,259 @@ +--- +title: Windows 10 Pro to Pro Education upgrade +description: Describes how IT Pros can opt into a Windows 10 Pro Education upgrade from the Windows Store for Business. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: edu +author: CelesteDG +--- + +# Upgrade Windows 10 Pro to Pro Education from Windows Store for Business + +Windows 10 Pro Education is a new offering in Windows 10 Anniversary Update (Windows 10, version 1607). This edition builds on the commercial version of Windows 10 Pro and provides important management controls needed in schools by providing education-specific default settings. + +If you have an education tenant and use Windows 10 Pro in your schools now, global administrators can opt-in to a free upgrade to Windows 10 Pro Education through the Windows Store for Business. To take advantage of this offering, make sure you meet the [requirements for upgrade](#requirements-for-upgrade). + +Starting with Windows 10, version 1607, academic institutions can easily move from Windows 10 Pro to Windows 10 Pro Education—no keys and no reboots. After one of your users enters the Azure AD credentials associated with a Windows 10 Pro Education license, the operating system turns from Windows 10 Pro to Windows 10 Pro Education and all the appropriate Windows 10 Pro Education features are unlocked. When a license expires or is transferred to another user, the Windows 10 Pro Education device seamlessly steps back down to Windows 10 Pro. + +Previously, only schools or organizations purchasing devices as part of the Shape the Future K-12 program or with a Microsoft Volume Licensing Agreement could deploy Windows 10 Pro Education to their users. Now, if you have a Azure AD for your organization, you can take advantage of the Windows 10 Pro Education features. + +When you upgrade to Windows 10 Pro Education, you get the following benefits: + +- **Windows 10 Pro Education edition**. 
Devices currently running Windows 10 Pro, version 1607 can get Windows 10 Pro Education Current Branch (CB). This benefit does not include Long Term Service Branch (LTSB). +- **Support from one to hundreds of users**. The Windows 10 Pro Education program does not have a limitation on the number of licenses an organization can have. +- **Roll back to Windows 10 Pro at any time**. When a user leaves the domain or you turn off the setting to automatic upgrade to Windows 10 Pro Education, the device reverts seamlessly to Windows 10 Pro edition (after a grace period of up to 30 days). + +In summary, the Windows 10 Pro Education free upgrade through the Windows Store for Business is an upgrade offering that provides organizations easier, more flexible access to the benefits of Windows 10 Pro Education edition. + +## Compare Windows 10 Pro and Pro Education editions + +In Windows 10, version 1607, the Windows 10 Pro Education edition contains the same features as the Windows 10 Pro edition except for the following differences: + +- Cortana is removed from Windows 10 Pro Education +- Options to manage Windows 10 tips and tricks and Windows Store suggestions + +See [Windows 10 editions for education customers](windows-editions-for-education-customers.md) for more info about Windows 10 Pro Education and you can also [Compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare) to find out more about the features we support in other editions of Windows 10. + +## Requirements for upgrade + +Before you upgrade from Windows 10 Pro to Windows 10 Pro Education, make sure you meet these requirements: +- Devices must be: + - Running Windows 10 Pro, version 1607 + - Must be Azure Active Directory joined, or domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. For more information, see [Review requirements on devices](#review-requirements-on-devices). 
+ + If you haven't domain joined your devices already, [prepare for deployment of Windows 10 Pro Education licenses](#preparing-for-deployment-of-windows-10-pro-education-licenses). +- The user making the changes must be a member of the Azure AD global administrator group. +- The Azure AD tenant must be recognized as an education approved tenant. +- You must have a Windows Store for Business account. + +## Upgrade from Windows 10 Pro to Windows 10 Pro Education +Once you enable the setting to upgrade Windows 10 Pro to Windows 10 Pro Education, the upgrade will begin only after a user signs in to their device. The setting applies to the entire organization so you cannot select which users will receive the upgrade. + +**To turn on the automatic upgrade from Windows 10 Pro to Windows 10 Pro Education** +1. Sign in to [Windows Store for Business](https://businessstore.microsoft.com/en-us/Store/Apps) with your work or school account. + + If this is the first time you're signing into the Store, you'll be prompted to accept the Windows Store for Business Terms of Use. +2. Go to **Manage > Account information**. +3. In the **Account information** page, look for the **Automatic Windows 10 Pro Education upgrade** section and follow the link. + + You will see the following page informing you that your school is eligible for a free automatic upgrade from Windows 10 Pro to Windows 10 Pro Education. + + ![Eligible for free Windows 10 Pro to Windows 10 Pro Education upgrade](images/wsfb_win10_pro_to proedu_upgrade_eligibility_page.png) + + **Figure 1** - Upgrade Windows 10 Pro to Windows 10 Pro Education + +4. Select **I understand enabling this setting will impact all devices running Windows 10 Pro in my organization**. +5. Click **Send me email with a link to enable this upgrade** to receive an email with a link to the upgrade. 
+ + ![Email with Windows 10 Pro to Pro Education upgrade link](images/wsfb_win10_pro_to_proedu_email_upgrade_link.png) + + **Figure 2** - Email notification with a link to enable the upgrade + +6. Click **Enable the automatic upgrade now** to turn on automatic upgrades. + + ![Enable the automatic upgrade](images/wsfb_win10_pro_to proedu_upgrade_enable.png). + + **Figure 3** - Enable the automatic upgrade + + Enabling the automatic upgrade also triggers an email message notifying all global administrators in your organization about the upgrade. It also contains a link that enables any global administrators to cancel the upgrade, if they choose. For more info about rolling back or canceling the upgrade, see [Roll back Windows 10 Pro Education to Windows 10 Pro](#roll-back-windows-10-pro-education-to-windows-10-pro). + + ![Email informing other global admins about the upgrade](images/wsfb_win10_pro_to proedu_upgrade_email_global_admins.png). + + **Figure 4** - Notification email sent to all global administrators + +7. Click **Close** in the **Success** page. + + In the **Upgrade Windows 10 Pro to Windows 10 Pro Education** page, you will see a message informing you when the upgrade was enabled and the name of the admin who enabled the upgrade. + + ![Summary page about the upgrade](images/wsfb_win10_pro_to proedu_upgrade_summary.png) + + **Figure 5** - Details about the automatic upgrade + + +## Explore the upgrade experience + +So what will the users experience? How will they upgrade their devices? + +### For existing Azure AD domain joined devices +Existing Azure AD domain joined devices will be upgraded from Windows 10 Pro to Windows 10 Pro Education the next time the user logs in. That's it! No additional steps are needed. 
+ +### For new devices that are not Azure AD domain joined +Now that you've turned on the setting to automatically upgrade Windows 10 Pro to Windows 10 Pro Education, the users are ready to upgrade their devices running Windows 10 Pro, version 1607 edition to Windows 10 Pro Education edition. + +#### Step 1: Join users’ devices to Azure AD + +Users can join a device to Azure AD the first time they start the device (during setup), or they can join a device that they already use running Windows 10 Pro, version 1607. + +**To join a device to Azure AD the first time the device is started** + +1. During the initial setup, on the **Who owns this PC?** page, select **My organization**, and then click **Next**, as illustrated in **Figure 6**. + + Who owns this PC? page in Windows 10 setup + + **Figure 6** - The “Who owns this PC?” page in initial Windows 10 setup + +2. On the **Choose how you’ll connect** page, select **Join Azure AD**, and then click **Next**, as illustrated in **Figure 7**. + + Choose how you'll connect - page in Windows 10 setup + + **Figure 7** - The “Choose how you’ll connect” page in initial Windows 10 setup + +3. On the **Let’s get you signed in** page, enter the Azure AD credentials, and then click **Sign in**, as illustrated in **Figure 8**. + + Let's get you signed in - page in Windows 10 setup + + **Figure 8** - The “Let’s get you signed in” page in initial Windows 10 setup + +Now the device is Azure AD joined to the company’s subscription. + +**To join a device to Azure AD when the device already has Windows 10 Pro, version 1607 installed and set up** + +1. Go to **Settings > Accounts > Access work or school**, as illustrated in **Figure 9**. + + Connect to work or school configuration + + **Figure 9** - Connect to work or school configuration in Settings + +2. In **Set up a work or school account**, click **Join this device to Azure Active Directory**, as illustrated in **Figure 10**. 
+ + Set up a work or school account + + **Figure 10** - Set up a work or school account + +3. On the **Let’s get you signed in** page, enter the Azure AD credentials, and then click **Sign in**, as illustrated in **Figure 11**. + + Let's get you signed in - dialog box + + **Figure 11** - The “Let’s get you signed in” dialog box + +Now the device is Azure AD joined to the company’s subscription. + +#### Step 2: Sign in using Azure AD account + +Once the device is joined to your Azure AD subscription, the user will sign in by using his or her Azure AD account, as illustrated in **Figure 12**. The Windows 10 Pro Education license associated with the user will enable Windows 10 Pro Education edition capabilities on the device. + +Sign in, Windows 10 + +**Figure 12** - Sign in by using Azure AD account + +#### Step 3: Verify that Pro Education edition is enabled + +You can verify the Windows 10 Pro Education in **Settings > Update & Security > Activation**, as illustrated in **Figure 13**. + + + +**Figure 13** - Windows 10 Pro Education in Settings + +Windows 10 activated and subscription active + +If there are any problems with the Windows 10 Pro Education license or the activation of the license, the **Activation** panel will display the appropriate error message or status. You can use this information to help you diagnose the licensing and activation process. + +## Troubleshoot the user experience + +In some instances, users may experience problems with the Windows 10 Pro Education upgrade. The most common problems that users may experience are as follows: + +- The existing Windows 10 Pro, version 1607 operating system is not activated. + +- The Windows 10 Pro Education upgrade has lapsed or has been removed. + +Use the following figures to help you troubleshoot when users experience these common problems: + + + +**Figure 13** - Illustrates a device in a healthy state, where Windows 10 Pro, version 1607 is activated and the Windows 10 Pro Education upgrade is active. 
+ +Windows 10 activated and subscription active + + + +**Figure 14** - Illustrates a device on which Windows 10 Pro, version 1607 is not activated, but the Windows 10 Pro Education upgrade is active. + +Windows 10 not activated and subscription active

+ + +### Review requirements on devices + +Devices must be running Windows 10 Pro, version 1607, and be Azure Active Directory joined, or domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. You can use the following procedures to review whether a particular device meets requirements. + +**To determine if a device is Azure Active Directory joined** + +1. Open a command prompt and type **dsregcmd /status**. + +2. Review the output under Device State. If the **AzureAdJoined** status is YES, the device is Azure Active Directory joined. + +**To determine the version of Windows 10** + +- At a command prompt, type: + **winver** + + A popup window will display the Windows 10 version number and detailed OS build information. + + If a device is running a previous version of Windows 10 Pro (for example, version 1511), it will not be upgraded to Windows 10 Pro Education when a user signs in, even if the user has been assigned a license. + +## Roll back Windows 10 Pro Education to Windows 10 Pro + +If your organization has the Windows 10 Pro to Windows 10 Pro Education upgrade enabled, and you decide to roll back to Windows 10 Pro or to cancel the upgrade, you can do this by: +- Logging into Windows Store for Business page and turning off the automatic upgrade. +- Selecting the link to turn off the automatic upgrade from the notification email sent to all global administrators. + +Once the automatic upgrade to Windows 10 Pro Education is turned off, the change is effective immediately. Devices that were upgraded will revert to Windows 10 Pro only after the license has been refreshed (every 30 days) and the next time the user signs in. This means that a user whose device was upgraded may not immediately see Windows 10 Pro Education rolled back to Windows 10 Pro for up to 30 days. 
However, users who haven't signed in during the time that an upgrade was enabled and then turned off will never see their device change from Windows 10 Pro. + +**To roll back Windows 10 Pro Education to Windows 10 Pro** +1. Log in to [Windows Store for Business](https://businessstore.microsoft.com/en-us/Store/Apps) with your school or work account, or follow the link from the notification email to turn off the automatic upgrade. +2. Select **Manage > Account information** and locate the section **Automatic Windows 10 Pro Education upgrade** and follow the link. +3. In the **Upgrade Windows 10 Pro to Windows 10 Pro Education** page, select **Turn off the automatic upgrade to Windows 10 Pro Education**. + + ![Turn off automatic upgrade to Windows 10 Pro Education](images/wsfb_win10_pro_to proedu_upgrade_disable.png) + + **Figure 15** - Link to turn off the automatic upgrade + +4. You will be asked if you're sure that you want to turn off automatic upgrades to Windows 10 Pro Education. Click **Yes**. +5. Click **Close** in the **Success** page. +6. In the **Upgrade Windows 10 Pro to Windows 10 Pro Education** page, you will see information on when the upgrade was disabled. + + If you decide later that you want to turn on automatic upgrades again, you can do this from the **Upgrade Windows 10 Pro to Windows 10 Pro Education**. + +## Preparing for deployment of Windows 10 Pro Education licenses + +If you have on-premises Active Directory Domain Services (AD DS) domains, users will use their domain-based credentials to sign in to the AD DS domain. Before you start deploying Windows 10 Pro Education to users, you need to synchronize the identities in the on-premises AD DS domain with Azure AD. + +You need to synchronize these identities so that users will have a *single identity* that they can use to access their on-premises apps and cloud services that use Azure AD (such as Windows 10 Pro Education). 
This means that users can use their existing credentials to sign in to Azure AD and access the cloud services that you provide and manage for them. + +**Figure 16** illustrates the integration between the on-premises AD DS domain with Azure AD. [Microsoft Azure Active Directory Connect](http://www.microsoft.com/en-us/download/details.aspx?id=47594) (Azure AD Connect) is responsible for synchronization of identities between the on-premises AD DS domain and Azure AD. Azure AD Connect is a service that you can install on-premises or in a virtual machine in Azure. + +![Illustration of Azure Active Directory Connect](images/windows-ad-connect.png) + +**Figure 16** - On-premises AD DS integrated with Azure AD + +For more information about integrating on-premises AD DS domains with Azure AD, see these resources: +- [Integrating your on-premises identities with Azure Active Directory](http://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect/) +- [Azure AD + Domain Join + Windows 10](https://blogs.technet.microsoft.com/enterprisemobility/2016/02/17/azure-ad-domain-join-windows-10/) + +## Related topics + +[Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md) + +[Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md) + +[Compare Windows 10 editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare) diff --git a/windows/deploy/upgrade-analytics-get-started.md b/windows/deploy/upgrade-analytics-get-started.md index 8aaa283d61..f8f05c26b8 100644 --- a/windows/deploy/upgrade-analytics-get-started.md +++ b/windows/deploy/upgrade-analytics-get-started.md 
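Review bot: in the new windows-10-pro-to-pro-edu-upgrade.md, the Azure AD Connect download link (http://www.microsoft.com/en-us/download/details.aspx?id=47594) and the Azure documentation link (http://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect/) use plain http; a page that sends administrators to fetch and install an identity-synchronisation component should link it over https, as the Windows Store for Business and TechNet links in the same file already do. Further points in this file: the image references for Figures 1, 3, 4, 5 and 15 point at paths containing a space (images/wsfb_win10_pro_to proedu_…), and the Figure 3 and Figure 4 image lines end in a stray period after the closing parenthesis; "Figure 13" is used for two different figures (the Activation panel under Step 3 and the first troubleshooting figure), so the sequence needs renumbering from there on; "if you have a Azure AD for your organization" should read "an Azure AD"; and the closing sentence of the roll-back section ("you can do this from the **Upgrade Windows 10 Pro to Windows 10 Pro Education**") is missing the word "page".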
@@ -115,7 +115,9 @@ To ensure that user computers are receiving the most up to date data from Micros ## Run the Upgrade Analytics deployment script -To automate many of the steps outlined above and to troubleshoot data sharing issues, you can run the Upgrade Analytics deployment script, developed by Microsoft. +To automate many of the steps outlined above and to troubleshoot data sharing issues, you can run the [Upgrade Analytics deployment script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409), developed by Microsoft. + +> The following guidance applies to version 11.11.16 or later of the Upgrade Analytics deployment script. If you are using an older version, please download the latest from [Download Center](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409). The Upgrade Analytics deployment script does the following: @@ -125,7 +127,7 @@ The Upgrade Analytics deployment script does the following: 3. Checks whether the computer has a pending restart.   -4. Verifies that the latest version of KB package 10.0.x is installed (requires 10.0.14348 or subsequent releases). +4. Verifies that the latest version of KB package 10.0.x is installed (version 10.0.14348 or later is required, but version 10.0.14913 or later is recommended). 5. If enabled, turns on verbose mode for troubleshooting. 
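Review bot: the version callout added in the "Run the Upgrade Analytics deployment script" hunk ("> The following guidance applies to version 11.11.16 or later…") is a bare blockquote, whereas this repository marks callouts with the "> [!NOTE]" form (see the take-a-test files in this same change); use that form so it renders as a note. The reworded step 4 in the following hunk ("version 10.0.14348 or later is required, but version 10.0.14913 or later is recommended") is clearer than the original; no objection there.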
@@ -135,17 +137,15 @@ The Upgrade Analytics deployment script does the following: To run the Upgrade Analytics deployment script: -1. Download the [Upgrade Analytics deployment script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) and extract UpgradeAnalytics.zip. The files in the Diagnostics folder are necessary only if you plan to run the script in troubleshooting mode. +1. Download the [Upgrade Analytics deployment script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) and extract UpgradeAnalytics.zip. Inside, there are two folders: Pilot and Deployment. The Pilot folder contains advanced logging that can help troubleshoot issues and is inteded to be run from an elevated command prompt. The Deployment folder offers a lightweight script intended for broad deployment through ConfigMgr or other software deployment system. We recommend manually running the Pilot version of the script on 5-10 machines to verify that everything is configured correctly. Once you have confirmed that data is flowing successfully, proceed to run the Deployment version throughout your organization. 2. Edit the following parameters in RunConfig.bat: - 1. Provide a storage location for log information. Example: %SystemDrive%\\UADiagnostics + 1. Provide a storage location for log information. You can store log information on a remote file share or a local directory. If the script is blocked from creating the log file for the given path, it creates the log files in the drive with the Windows directory. Example: %SystemDrive%\\UADiagnostics - 2. You can store log information on a remote file share or a local directory. If the script is blocked from creating the log file for the given path, it creates the log files in the drive with the Windows directory. + 2. Input your commercial ID key. This can be found in your OMS workspace under Settings -> Connected Sources -> Windows Telemetry. - 3. Input your commercial ID key. - - 4. 
By default, the script sends log information to both the console and the log file. To change the default behavior, use one of the following options: + 3. By default, the script sends log information to both the console and the log file. To change the default behavior, use one of the following options: > *logMode = 0 log to console only* > @@ -153,9 +153,7 @@ To run the Upgrade Analytics deployment script: > > *logMode = 2 log to file only* -3. For troubleshooting, set isVerboseLogging to $true to generate log information that can help with diagnosing issues. By default, isVerboseLogging is set to $false. Ensure the Diagnostics folder is installed in the same directory as the script to use this mode. - -4. To enable Internet Explorer data collection, set AllowIEData to IEDataOptIn. By default, AllowIEData is set to Disable. Then use one of the following options to determine what Internet Explorer data can be collected: +3. To enable Internet Explorer data collection, set AllowIEData to IEDataOptIn. By default, AllowIEData is set to Disable. Then use one of the following options to determine what Internet Explorer data can be collected: > *IEOptInLevel = 0 Internet Explorer data collection is disabled* > @@ -165,9 +163,7 @@ To run the Upgrade Analytics deployment script: > > *IEOptInLevel = 3 Data collection is enabled for all sites* -5. Notify users if they need to restart their computers. By default, this is set to off. - -6. After you finish editing the parameters in RunConfig.bat, run the script as an administrator. +4. After you finish editing the parameters in RunConfig.bat, you are ready to run the script. If you are using the Pilot version, run RunConfig.bat from an elevated command prompt. If you are using the Deployment version, use ConfigMgr or other software deployment service to run RunConfig.bat as system. The deployment script displays the following exit codes to let you know if it was successful, or if an error was encountered. 
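Review bot: the hunks at -135 and -153 delete the isVerboseLogging instruction ("For troubleshooting, set isVerboseLogging to $true…") while the feature list left as context above still says "5. If enabled, turns on verbose mode for troubleshooting", so either that list item should be removed as well or the new description of the Pilot folder's "advanced logging" should say how verbose logging is switched on now. Typo in the new step 1: "inteded" should be "intended". The new step 4 says the Deployment version must run "as system" through ConfigMgr while the Pilot version runs from an elevated command prompt; since the script writes registry values (RequestAllAppraiserVersions, IEDataOptIn) and the commercial ID, state plainly that the Pilot script is the only variant meant to be run interactively, so nobody runs the Deployment script as a logged-in administrator and hits the "not running under System account" exit.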
@@ -197,8 +193,13 @@ The deployment script displays the following exit codes to let you know if it wa 19This machine doesn’t have the proper KBs installed. Make sure you have recent compatibility update KB downloaded. 20Error writing RequestAllAppraiserVersions registry key. 21Function – SetRequestAllAppraiserVersions: Unexpected failure. -22Error when running inventory scan. +22RunAppraiser failed with unexpected exception. 23Error finding system variable %WINDIR%. +24SetIEDataOptIn failed when writing IEDataOptIn to registry. +25SetIEDataOptIn failed with unexpected exception. +26The operating system is Server or LTSB SKU. The script does not support Server or LTSB SKUs. +27The script is not running under System account. The Upgrade Analytics configuration script must be run as system. +28Could not create log file at the specified logPath.
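Review bot: Two of the new exit codes in the @@ -197 hunk conflict with the procedure rewritten above. Code 27 ("The script is not running under System account. The Upgrade Analytics configuration script must be run as system.") contradicts step 4, which tells the reader to run the Pilot version of RunConfig.bat from an elevated command prompt; either say that only the Deployment version enforces the System-account check, or change step 4 so the Pilot run is also launched as System. Code 28 ("Could not create log file at the specified logPath.") contradicts step 2.1, which says the script falls back to the drive holding the Windows directory when it cannot write to the given path; state which behaviour applies, or under what condition each one does.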
diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md index 22fdd718ec..d2069bccd2 100644 --- a/windows/keep-secure/TOC.md +++ b/windows/keep-secure/TOC.md 
@@ -32,14 +32,12 @@ ##### [Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune](create-vpn-and-wip-policy-using-intune.md) #### [Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) #### [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md) +### [Mandatory tasks and settings required to turn on Windows Information Protection (WIP)](mandatory-settings-for-wip.md) +### [Testing scenarios for Windows Information Protection (WIP)](testing-scenarios-for-wip.md) +### [Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md) ### [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md) -#### [Mandatory tasks and settings required to turn on Windows Information Protection (WIP)](mandatory-settings-for-wip.md) #### [Enlightened apps for use with Windows Information Protection (WIP)](enlightened-microsoft-apps-and-wip.md) #### [Unenlightened and enlightened app behavior while using Windows Information Protection (WIP)](app-behavior-with-wip.md) -#### [Testing scenarios for Windows Information Protection (WIP)](testing-scenarios-for-wip.md) -#### [Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md) -## [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-instrusion-detection.md) -## [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md) ## [VPN technical guide](vpn-guide.md) ### [VPN connection types](vpn-connection-type.md) ### [VPN routing decisions](vpn-routing.md) 
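Review bot: Removing the two top-level entries in the @@ -32 hunk ("## [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-instrusion-detection.md)" and the Override Process Mitigation Options entry) leaves it unclear whether those topics are being retired or only unlisted; if the files stay in the repo they become orphan pages still reachable by URL and from any inbound links, so either remove or redirect them in the same change, or record in the commit why they are dropped from the TOC. Promoting the three WIP topics from #### to ### is consistent with the ### level of the sibling General guidance entry.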
@@ -741,10 +739,12 @@ ##### [Investigate a domain](investigate-domain-windows-defender-advanced-threat-protection.md) ##### [Manage alerts](manage-alerts-windows-defender-advanced-threat-protection.md) #### [Windows Defender ATP settings](settings-windows-defender-advanced-threat-protection.md) +#### [Windows Defender ATP service status](service-status-windows-defender-advanced-threat-protection.md) #### [Configure SIEM tools to consume alerts](configure-siem-windows-defender-advanced-threat-protection.md) ##### [Configure an Azure Active Directory application for SIEM integration](configure-aad-windows-defender-advanced-threat-protection.md) ##### [Configure Splunk to consume Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md) ##### [Configure HP ArcSight to consume Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md) +#### [Configure email notifications](configure-email-notifications-windows-defender-advanced-threat-protection.md) #### [Troubleshoot Windows Defender ATP](troubleshoot-windows-defender-advanced-threat-protection.md) #### [Review events and errors on endpoints with Event Viewer](event-error-codes-windows-defender-advanced-threat-protection.md) #### [Windows Defender compatibility](defender-compatibility-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/access-this-computer-from-the-network.md b/windows/keep-secure/access-this-computer-from-the-network.md index 1cb598fcfd..0d93c1d879 100644 --- a/windows/keep-secure/access-this-computer-from-the-network.md +++ b/windows/keep-secure/access-this-computer-from-the-network.md 
@@ -1,5 +1,5 @@ --- -title: Access this computer from the network (Windows 10) +title: Access this computer from the network - security policy setting (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Access this computer from the network security policy setting. ms.assetid: f6767bc2-83d1-45f1-847c-54f5362db022 ms.prod: w10 @@ -9,7 +9,7 @@ ms.pagetype: security author: brianlic-msft --- -# Access this computer from the network +# Access this computer from the network - security policy setting **Applies to** - Windows 10 diff --git a/windows/keep-secure/accounts-guest-account-status.md b/windows/keep-secure/accounts-guest-account-status.md index f9054008ac..527a1357c4 100644 --- a/windows/keep-secure/accounts-guest-account-status.md +++ b/windows/keep-secure/accounts-guest-account-status.md @@ -1,5 +1,5 @@ --- -title: Accounts Guest account status (Windows 10) +title: Accounts Guest account status - security policy setting (Windows 10) description: Describes the best practices, location, values, and security considerations for the Accounts Guest account status security policy setting. ms.assetid: 07e53fc5-b495-4d02-ab42-5b245d10d0ce ms.prod: w10 @@ -9,7 +9,7 @@ ms.pagetype: security author: brianlic-msft --- -# Accounts: Guest account status +# Accounts: Guest account status - security policy setting **Applies to** - Windows 10 diff --git a/windows/keep-secure/accounts-rename-guest-account.md b/windows/keep-secure/accounts-rename-guest-account.md index aa06c480c3..c77030e875 100644 --- a/windows/keep-secure/accounts-rename-guest-account.md +++ b/windows/keep-secure/accounts-rename-guest-account.md 
@@ -1,5 +1,5 @@ --- -title: Accounts Rename guest account (Windows 10) +title: Accounts Rename guest account - security policy setting (Windows 10) description: Describes the best practices, location, values, and security considerations for the Accounts Rename guest account security policy setting. ms.assetid: 9b8052b4-bbb9-4cc1-bfee-ce25390db707 ms.prod: w10 @@ -9,7 +9,7 @@ ms.pagetype: security author: brianlic-msft --- -# Accounts: Rename guest account +# Accounts: Rename guest account - security policy setting **Applies to** - Windows 10 diff --git a/windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md b/windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md index 3565476277..9176b41ff8 100644 --- a/windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md +++ b/windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md @@ -19,8 +19,8 @@ localizationpriority: high You can add apps to your Windows Information Protection (WIP) protected app list using the Microsoft Intune custom URI functionality and AppLocker. For more info about how to create a custom URI using Intune, [Windows 10 custom policy settings in Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkID=691330). ->**Important**
-Results can be unpredictable if you configure your policy using both the UI and the Custom URI method together. We recommend using a single method for each policy. +>[!IMPORTANT] +>Results can be unpredictable if you configure your policy using both the UI and the Custom URI method together. We recommend using a single method for each policy. ## Add Store apps 1. Go to the AppLocker UI by opening a command line window and running secpol.msc. The local security policy MMC snap-in opens showing the **Security Settings**. @@ -39,13 +39,15 @@ Results can be unpredictable if you configure your policy using both the UI and 5. In the **Rules Preferences** screen, keep the default settings, and then click **Next** to start generating the rules. - >**Note**
We recommend that you use **Publisher** rules because they only work with apps you've specifically defined and they can be configured to not require updating simply because a new version came out.

If you can't use **Publisher** rules, we then recommend that you use **File hash** rules. **File hash** rules are a secure alternative that can be used on unsigned code. The primary disadvantage to **File hash** is that every time a binary changes (such as, through servicing updates or upgrades), you'll need to create a new rule. + >[!NOTE] + >We recommend that you use **Publisher** rules because they only work with apps you've specifically defined and they can be configured to not require updating simply because a new version came out.

If you can't use **Publisher** rules, we then recommend that you use **File hash** rules. **File hash** rules are a secure alternative that can be used on unsigned code. The primary disadvantage to **File hash** is that every time a binary changes (such as, through servicing updates or upgrades), you'll need to create a new rule. 6. In the **Review Rules** screen, look over your rules to make sure they’re right, and then click **Create** to add them to your collection of rules. 7. In the left pane, right-click **AppLocker**, click **Export Policies**, go to where you want to save the XML file and type a file name, click **Save**, and then clear your AppLocker rules. - >**Important**
Be aware that what you're saving are the actual AppLocker rules using your local policy. You don't want to apply these rules to your employee devices, you just want to use them to create and export the XML content. You must delete the AppLocker rules before you apply your policy. + >[!IMPORTANT] + >Be aware that what you're saving are the actual AppLocker rules using your local policy. You don't want to apply these rules to your employee devices, you just want to use them to create and export the XML content. You must delete the AppLocker rules before you apply your policy. 8. Open the Intune administration console, and go to the **Policy** node, click **Add Policy** from the **Tasks** area, go to **Windows**, click the **Custom Configuration (Windows 10 Desktop and Mobile and later)** policy, click **Create and Deploy a Custom Policy**, and then click **Create Policy**. @@ -85,16 +87,18 @@ After saving the policy, you’ll need to deploy it to your employee’s devices 5. In the **Rules Preferences** screen, keep the default settings, and then click **Next** to start generating the rules. - >**Important**
You can also use **Path** rules instead of the **File hash** if you have concerns about unsigned files potentially changing the hash value if they're updated in the future. + >[!IMPORTANT] + >You can also use **Path** rules instead of the **File hash** if you have concerns about unsigned files potentially changing the hash value if they're updated in the future. -

- >**Note**
We recommend that you use **Publisher** rules because they only work with apps you've specifically defined and they can be configured to not require updating simply because a new version came out.

If you can't use **Publisher** rules, we then recommend that you use **File hash** rules. **File hash** rules are a secure alternative that can be used on unsigned code. The primary disadvantage to **File hash** is that every time a binary changes (such as, through servicing updates or upgrades), you'll need to create a new rule.

Finally, there's **Path** rules. **Path** rules are easier to set up and maintain, but can let apps bypass Windows Information Protection (WIP) by simply renaming and moving an unallowed file to match one of the apps on the **Protected App** list. For example, if your **Path** rule says to allow `%PROGRAMFILES%/NOTEPAD.EXE`, it becomes possible to rename DisallowedApp.exe to Notepad.exe, move it into the specified path above, and have it suddenly be allowed. + >[!NOTE] + >We recommend that you use **Publisher** rules because they only work with apps you've specifically defined and they can be configured to not require updating simply because a new version came out.

If you can't use **Publisher** rules, we then recommend that you use **File hash** rules. **File hash** rules are a secure alternative that can be used on unsigned code. The primary disadvantage to **File hash** is that every time a binary changes (such as, through servicing updates or upgrades), you'll need to create a new rule.

Finally, there's **Path** rules. **Path** rules are easier to set up and maintain, but can let apps bypass Windows Information Protection (WIP) by simply renaming and moving an unallowed file to match one of the apps on the **Protected App** list. For example, if your **Path** rule says to allow `%PROGRAMFILES%/NOTEPAD.EXE`, it becomes possible to rename DisallowedApp.exe to Notepad.exe, move it into the specified path above, and have it suddenly be allowed. 6. In the **Review Rules** screen, look over your rules to make sure they’re right, and then click **Create** to add them to your collection of rules. 7. In the left pane, right-click **AppLocker**, click **Export Policies**, go to where you want to save the XML file and type a file name, click **Save**, and then clear your AppLocker rules. - >**Important**
Be aware that what you're saving are the actual AppLocker rules using your local policy. You don't want to apply these rules to your employee devices, you just want to use them to create and export the XML content. You must delete the AppLocker rules before you apply your policy. + >[!IMPORTANT] + >Be aware that what you're saving are the actual AppLocker rules using your local policy. You don't want to apply these rules to your employee devices, you just want to use them to create and export the XML content. You must delete the AppLocker rules before you apply your policy. 8. Open the Intune administration console, and go to the **Policy** node, click **Add Policy** from the **Tasks** area, go to **Windows**, click the **Custom Configuration (Windows 10 Desktop and Mobile and later)** policy, click **Create and Deploy a Custom Policy**, and then click **Create Policy**. @@ -118,7 +122,10 @@ After saving the policy, you’ll need to deploy it to your employee’s devices After saving the policy, you’ll need to deploy it to your employee’s devices. For more info, see the [Deploy your Windows Information Protection (WIP) policy](deploy-wip-policy-using-intune.md) topic. -##Related topics +>[!NOTE] +>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). + +## Related topics - [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) - [Deploy your Windows Information Protection (WIP) policy](deploy-wip-policy-using-intune.md) - [Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune](create-vpn-and-wip-policy-using-intune.md) diff --git a/windows/keep-secure/allow-log-on-locally.md b/windows/keep-secure/allow-log-on-locally.md index 3cbeacb088..9e4831a223 100644 
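Review bot: In the @@ -39 hunk only the first paragraph of the converted callout is quoted: ">[!NOTE]" and ">We recommend that you use **Publisher** rules..." carry the ">" prefix, but the unchanged paragraph that follows, "If you can't use **Publisher** rules, we then recommend that you use **File hash** rules...", has no ">" and is separated by a blank line, so it renders as plain list text outside the NOTE box even though it continues the same recommendation. If it belongs in the note, prefix the blank separator and that paragraph with ">" as well. The same pattern recurs in the @@ -85 hunk, where both the "File hash" and the "Path" paragraphs (the one explaining how a renamed DisallowedApp.exe can match a **Path** rule) end up outside the converted NOTE.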
--- a/windows/keep-secure/allow-log-on-locally.md +++ b/windows/keep-secure/allow-log-on-locally.md @@ -1,5 +1,5 @@ --- -title: Allow log on locally (Windows 10) +title: Allow log on locally - security policy setting (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Allow log on locally security policy setting. ms.assetid: d9e5e1f3-3bff-4da7-a9a2-4bb3e0c79055 ms.prod: w10 @@ -9,7 +9,7 @@ ms.pagetype: security author: brianlic-msft --- -# Allow log on locally +# Allow log on locally - security policy setting **Applies to** - Windows 10 diff --git a/windows/keep-secure/app-behavior-with-wip.md b/windows/keep-secure/app-behavior-with-wip.md index 55939649d4..bf932d459d 100644 --- a/windows/keep-secure/app-behavior-with-wip.md +++ b/windows/keep-secure/app-behavior-with-wip.md @@ -129,3 +129,6 @@ This table includes info about how enlightened apps might behave, based on your + +>[!NOTE] +>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). diff --git a/windows/keep-secure/back-up-files-and-directories.md b/windows/keep-secure/back-up-files-and-directories.md index 6f6a7b8805..f338698789 100644 --- a/windows/keep-secure/back-up-files-and-directories.md +++ b/windows/keep-secure/back-up-files-and-directories.md @@ -1,5 +1,5 @@ --- -title: Back up files and directories (Windows 10) +title: Back up files and directories - security policy setting (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Back up files and directories security policy setting. ms.assetid: 1cd6bdd5-1501-41f4-98b9-acf29ac173ae ms.prod: w10 
@@ -9,7 +9,7 @@ ms.pagetype: security author: brianlic-msft --- -# Back up files and directories +# Back up files and directories - security policy setting **Applies to** - Windows 10 diff --git a/windows/keep-secure/bitlocker-basic-deployment.md b/windows/keep-secure/bitlocker-basic-deployment.md index b83692c713..fbc016705b 100644 --- a/windows/keep-secure/bitlocker-basic-deployment.md +++ b/windows/keep-secure/bitlocker-basic-deployment.md @@ -40,7 +40,7 @@ BitLocker encryption can be done using the following methods: ### Encrypting volumes using the BitLocker control panel -Encrypting volumes with the BitLocker control panel is how many users will utilize BitLocker. The name of the BitLocker control panel is BitLocker Drive Encryption. The BitLocker control panel supports encrypting operating system, fixed data and removable data volumes. The BitLocker control panel will organize available drives in the appropriate category based on how the device reports itself to Windows. Only formatted volumes with assigned drive letters will appear properly in the BitLocker control panel applet. +Encrypting volumes with the BitLocker control panel (click **Start**, type **bitlocker**, click **Manage BitLocker**) is how many users will utilize BitLocker. The name of the BitLocker control panel is BitLocker Drive Encryption. The BitLocker control panel supports encrypting operating system, fixed data and removable data volumes. The BitLocker control panel will organize available drives in the appropriate category based on how the device reports itself to Windows. Only formatted volumes with assigned drive letters will appear properly in the BitLocker control panel applet. To start encryption for a volume, select **Turn on BitLocker** for the appropriate drive to initialize the BitLocker Drive Encryption Wizard. BitLocker Drive Encryption Wizard options vary based on volume type (operating system volume or data volume). ### Operating system volume 
diff --git a/windows/keep-secure/bitlocker-frequently-asked-questions.md b/windows/keep-secure/bitlocker-frequently-asked-questions.md index 6e3ae93c32..5761c7318a 100644 --- a/windows/keep-secure/bitlocker-frequently-asked-questions.md +++ b/windows/keep-secure/bitlocker-frequently-asked-questions.md @@ -47,6 +47,8 @@ Yes, BitLocker supports multifactor authentication for operating system drives. ### What are the BitLocker hardware and software requirements? +For requirements, see [System requirements](https://technet.microsoft.com/itpro/windows/keep-secure/bitlocker-overview#system-requirements). + > **Note:**  Dynamic disks are not supported by BitLocker. Dynamic data volumes will not be displayed in the Control Panel. Although the operating system volume will always be displayed in the Control Panel, regardless of whether it is a Dynamic disk, if it is a dynamic disk it is cannot be protected by BitLocker.   ### Why are two partitions required? Why does the system drive have to be so large? @@ -198,9 +200,9 @@ Any number of internal, fixed data drives can be protected with BitLocker. On so ## Key management -### What is the difference between a TPM owner password, recovery password, recovery key, password, PIN, enhanced PIN, and startup key? +### What is the difference between a recovery password, recovery key, PIN, enhanced PIN, and startup key? -There are multiple keys that can be generated and used by BitLocker. Some keys are required and some are optional protectors you can choose to use depending on the level of security you require. +For tables that list and describe elements such as a recovery password, recovery key, and PIN, see [BitLocker key protectors](prepare-your-organization-for-bitlocker-planning-and-policies.md#bitlocker-key-protectors) and [BitLocker authentication methods](prepare-your-organization-for-bitlocker-planning-and-policies.md#bitlocker-authentication-methods). ### How can the recovery password and recovery key be stored? 
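Review bot: The new cross-reference in the @@ -47 hunk of the BitLocker FAQ uses an absolute URL ("[System requirements](https://technet.microsoft.com/itpro/windows/keep-secure/bitlocker-overview#system-requirements)") whereas the @@ -198 hunk in the same file links relatively ("prepare-your-organization-for-bitlocker-planning-and-policies.md#bitlocker-key-protectors"); use the relative form bitlocker-overview.md#system-requirements so the link is validated at build time and survives a site move. While touching this hunk, the unchanged context line "if it is a dynamic disk it is cannot be protected by BitLocker" should read "it cannot be protected".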
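Review bot: Rewording the heading in the @@ -198 hunk changes its generated anchor, so any existing deep link to the old "What is the difference between a TPM owner password, recovery password, recovery key, password, PIN, enhanced PIN, and startup key?" id will silently land at the top of the page; check for inbound links and add a redirect or an explicit anchor for the old id. The new heading also drops "TPM owner password" and "password" from the list while the replacement answer only points at the key protector and authentication method tables; confirm those tables cover the TPM owner password, or keep it in the heading with a pointer to where it is described.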
diff --git a/windows/keep-secure/bitlocker-how-to-deploy-on-windows-server.md b/windows/keep-secure/bitlocker-how-to-deploy-on-windows-server.md index e57e269aff..8a9e7b2ab7 100644 --- a/windows/keep-secure/bitlocker-how-to-deploy-on-windows-server.md +++ b/windows/keep-secure/bitlocker-how-to-deploy-on-windows-server.md @@ -14,7 +14,7 @@ author: brianlic-msft **Applies to** - Windows 10 -This topic for the IT professional explains how to deploy BitLocker and Windows Server 2012 and later. +This topic for the IT professional explains how to deploy BitLocker on Windows Server 2012 and later. For all Windows Server editions, BitLocker must be installed using Server Manager. However, you can still provision BitLocker before the server operating system is installed as part of your deployment. diff --git a/windows/keep-secure/bitlocker-overview.md b/windows/keep-secure/bitlocker-overview.md index 2921e55f01..89aea0f522 100644 --- a/windows/keep-secure/bitlocker-overview.md +++ b/windows/keep-secure/bitlocker-overview.md 
@@ -79,4 +79,4 @@ When installing the BitLocker optional component on a server you will also need | [Protect BitLocker from pre-boot attacks](protect-bitlocker-from-pre-boot-attacks.md)| This detailed guide will help you understand the circumstances under which the use of pre-boot authentication is recommended for devices running Windows 10, Windows 8.1, Windows 8, or Windows 7; and when it can be safely omitted from a device’s configuration. | | [Protecting cluster shared volumes and storage area networks with BitLocker](protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md)| This topic for IT pros describes how to protect CSVs and SANs with BitLocker.| -If you're looking for info on how to use it with Windows 10 IoT Core, see [Enabling Secure Boot and BitLocker Device Encryption on Windows 10 IoT Core](https://developer.microsoft.com/windows/iot/win10/SB_BL.htm). \ No newline at end of file +If you're looking for info on how to use it with Windows 10 IoT Core, see [Enabling Secure Boot and BitLocker Device Encryption on Windows 10 IoT Core](https://developer.microsoft.com/windows/iot/docs/securebootandbitlocker). \ No newline at end of file diff --git a/windows/keep-secure/change-the-system-time.md b/windows/keep-secure/change-the-system-time.md index e6f43e3f88..0ca13c1625 100644 --- a/windows/keep-secure/change-the-system-time.md +++ b/windows/keep-secure/change-the-system-time.md @@ -1,5 +1,5 @@ --- -title: Change the system time (Windows 10) +title: Change the system time - security policy setting (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Change the system time security policy setting. ms.assetid: f2f6637d-acbc-4352-8ca3-ec563f918e65 ms.prod: w10 @@ -9,7 +9,7 @@ ms.pagetype: security author: brianlic-msft --- -# Change the system time +# Change the system time - security policy setting **Applies to** - Windows 10 
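Review bot: The rewritten IoT Core link line in the @@ -79 hunk of bitlocker-overview.md still ends with "\ No newline at end of file"; since the line is being replaced anyway, add the trailing newline so later diffs of this file stay clean.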
diff --git a/windows/keep-secure/change-the-time-zone.md b/windows/keep-secure/change-the-time-zone.md index 3eb72473a5..50067366d5 100644 --- a/windows/keep-secure/change-the-time-zone.md +++ b/windows/keep-secure/change-the-time-zone.md @@ -1,5 +1,5 @@ --- -title: Change the time zone (Windows 10) +title: Change the time zone - security policy setting (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Change the time zone security policy setting. ms.assetid: 3b1afae4-68bb-472f-a43e-49e300d73e50 ms.prod: w10 @@ -9,7 +9,7 @@ ms.pagetype: security author: brianlic-msft --- -# Change the time zone +# Change the time zone - security policy setting **Applies to** - Windows 10 diff --git a/windows/keep-secure/configure-email-notifications-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-email-notifications-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..19e99c915d --- /dev/null +++ b/windows/keep-secure/configure-email-notifications-windows-defender-advanced-threat-protection.md 
@@ -0,0 +1,63 @@ +--- +title: Configure email notifications in Windows Defender ATP +description: Send email notifications to specified recipients to receive new alerts based on severity with Windows Defender ATP on Windows 10 Enterprise, Pro, and Education editions. +keywords: email notifications, configure alert notifications, windows defender atp notifications, windows defender atp alerts, windows 10 enterprise, windows 10 education +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: mjcaparas +localizationpriority: high +--- + +# Configure email notifications + +**Applies to:** + +- Windows 10 Enterprise +- Windows 10 Education +- Windows 10 Pro +- Windows 10 Pro Education +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +You can configure Windows Defender ATP to send email notifications to specified recipients for new alerts. This feature enables you to identify a group of individuals who will immediately be informed and can act on alerts based on their severity. + +> [!NOTE] +> Only users with full access can configure email notifications. + +You can set the alert severity levels that trigger notifications. When you turn enable the email notifications feature, it’s set to high and medium alerts by default. + +You can also add or remove recipients of the email notification. New recipients get notified about alerts encountered after they are added. For more information about alerts, see [View and organize the Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md). + +The email notification includes basic information about the alert and a link to the portal where you can do further investigation. + +## Set up email notifications for alerts +The email notifications feature is turned off by default. Turn it on to start receiving email notifications. + +1. On the navigation pane, select **Preferences Setup** > **Email Notifications**. +2. 
Toggle the setting between **On** and **Off**. +3. Select the alert severity level that you’d like your recipients to receive: + - **High** – Select this level to send notifications for high-severity alerts. + - **Medium** – Select this level to send notifications for medium-severity alerts. + - **Low** - Select this level to send notifications for low-severity alerts. +4. In **Email recipients to notify on new alerts**, type the email address then select the + sign. +5. Click **Save preferences** when you’ve completed adding all the recipients. + +Check that email recipients are able to receive the email notifications by selecting **Send test email**. All recipients in the list will receive the test email. + +## Remove email recipients + +1. Select the trash bin icon beside the email address you’d like to remove. +2. Click **Save preferences**. + +## Troubleshoot email notifications for alerts +This section lists various issues that you may encounter when using email notifications for alerts. + +**Problem:** Intended recipients report they are not getting the notifications. + +**Solution:** Make sure that the notifications are not blocked by email filters: + +1. Check that the Windows Defender ATP email notifications are not sent to the Junk Email folder. Mark them as Not junk. +2. Check that your email security product is not blocking the email notifications from Windows Defender ATP. +3. Check your email application rules that might be catching and moving your Windows Defender ATP email notifications. diff --git a/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md index 8faa5dafdb..8b193b46c6 100644 --- a/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md 
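Review bot: Wording and consistency issues in the new configure-email-notifications topic: "When you turn enable the email notifications feature, it’s set to high and medium alerts by default" has a stray word (read "When you enable"); the severity list uses an en dash for "**High** –" and "**Medium** –" but a hyphen for "**Low** - Select this level", so pick one; and step 2, "Toggle the setting between **On** and **Off**", should tell the reader to set it to **On**, since the section is about turning notifications on. Because recipients are free-form addresses and the mail carries alert details plus a portal link, a sentence reminding admins to limit the list to people entitled to see alert data would fit next to the existing "Only users with full access can configure email notifications" note.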
@@ -51,6 +51,10 @@ You can use System Center Configuration Manager’s existing functionality to cr a. Choose a predefined device collection to deploy the package to. +> [!NOTE] +> Onboarding couldn't be completed during Out-Of-Box Experience (OOBE). Make sure users pass OOBE after running Windows installation or upgrading. + + ### Configure sample collection settings For each endpoint, you can set a configuration value to state whether samples can be collected from the endpoint when a request is made through the Windows Defender ATP portal to submit a file for deep analysis. diff --git a/windows/keep-secure/create-a-pagefile.md b/windows/keep-secure/create-a-pagefile.md index a8c65abbab..804d32f022 100644 --- a/windows/keep-secure/create-a-pagefile.md +++ b/windows/keep-secure/create-a-pagefile.md @@ -1,5 +1,5 @@ --- -title: Create a pagefile (Windows 10) +title: Create a pagefile - security policy setting (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Create a pagefile security policy setting. ms.assetid: dc087897-459d-414b-abe0-cd86c8dccdea ms.prod: w10 @@ -9,7 +9,7 @@ ms.pagetype: security author: brianlic-msft --- -# Create a pagefile +# Create a pagefile - security policy setting **Applies to** - Windows 10 diff --git a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md index 06392494c0..4bd92ff06f 100644 --- a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md +++ b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md @@ -19,8 +19,8 @@ If you don’t already have an EFS DRA certificate, you’ll need to create and The recovery process included in this topic only works for desktop devices. WIP deletes the data on Windows 10 Mobile devices. ->**Important**
-If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current EFS DRA certificate in your policy. For more info about when to use a PKI and the general strategy you should use to deploy DRA certificates, see the [Security Watch Deploying EFS: Part 1](https://technet.microsoft.com/magazine/2007.02.securitywatch.aspx) article on TechNet. For more general info about EFS protection, see [Protecting Data by Using EFS to Encrypt Hard Drives](https://msdn.microsoft.com/library/cc875821.aspx).

If your DRA certificate has expired, you won’t be able to encrypt your files with it. To fix this, you'll need to create a new certificate, using the steps in this topic, and then deploy it through policy. +>[!IMPORTANT] +>If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current EFS DRA certificate in your policy. For more info about when to use a PKI and the general strategy you should use to deploy DRA certificates, see the [Security Watch Deploying EFS: Part 1](https://technet.microsoft.com/magazine/2007.02.securitywatch.aspx) article on TechNet. For more general info about EFS protection, see [Protecting Data by Using EFS to Encrypt Hard Drives](https://msdn.microsoft.com/library/cc875821.aspx).

If your DRA certificate has expired, you won’t be able to encrypt your files with it. To fix this, you'll need to create a new certificate, using the steps in this topic, and then deploy it through policy. **To manually create an EFS DRA certificate** @@ -36,13 +36,13 @@ If you already have an EFS DRA certificate for your organization, you can skip c The EFSDRA.cer and EFSDRA.pfx files are created in the location you specified in Step 1. - >**Important**
- Because the private keys in your DRA .pfx files can be used to decrypt any WIP file, you must protect them accordingly. We highly recommend storing these files offline, keeping copies on a smart card with strong protection for normal use and master copies in a secured physical location. + >[!IMPORTANT] + >Because the private keys in your DRA .pfx files can be used to decrypt any WIP file, you must protect them accordingly. We highly recommend storing these files offline, keeping copies on a smart card with strong protection for normal use and master copies in a secured physical location. 4. Add your EFS DRA certificate to your WIP policy using a deployment tool, such as Microsoft Intune or System Center Configuration Manager. - >**Note**
- To add your EFS DRA certificate to your policy by using Microsoft Intune, see the [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) topic. To add your EFS DRA certificate to your policy by using System Center Configuration Manager, see the [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) topic. + >[!NOTE] + >To add your EFS DRA certificate to your policy by using Microsoft Intune, see the [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) topic. To add your EFS DRA certificate to your policy by using System Center Configuration Manager, see the [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) topic. **To verify your data recovery certificate is correctly set up on a WIP client computer** @@ -73,7 +73,8 @@ If you already have an EFS DRA certificate for your organization, you can skip c **To quickly recover WIP-protected desktop data after unenrollment**
It's possible that you might revoke data from an unenrolled device only to later want to restore it all. This can happen in the case of a missing device being returned or if an unenrolled employee enrolls again. If the employee enrolls again using the original user profile, and the revoked key store is still on the device, all of the revoked data can be restored at once, by following these steps. ->**Important**
To maintain control over your enterprise data, and to be able to revoke again in the future, you must only perform this process after the employee has re-enrolled the device. +>[!IMPORTANT] +>To maintain control over your enterprise data, and to be able to revoke again in the future, you must only perform this process after the employee has re-enrolled the device. 1. Have your employee sign in to the unenrolled device, open a command prompt, and type: @@ -93,6 +94,9 @@ It's possible that you might revoke data from an unenrolled device only to later The Windows Credential service automatically recovers the employee’s previously revoked keys from the `Recovery\Input` location. +>[!NOTE] +>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). + ## Related topics - [Security Watch Deploying EFS: Part 1](https://technet.microsoft.com/magazine/2007.02.securitywatch.aspx) diff --git a/windows/keep-secure/create-applocker-default-rules.md b/windows/keep-secure/create-applocker-default-rules.md index 930d2bc4d7..6f5b802707 100644 --- a/windows/keep-secure/create-applocker-default-rules.md +++ b/windows/keep-secure/create-applocker-default-rules.md @@ -27,3 +27,7 @@ You can perform this task by using the Group Policy Management Console for an Ap 1. Open the AppLocker console. 2. Right-click the appropriate rule type for which you want to automatically generate default rules. You can automatically generate rules for executable, Windows Installer, script rules and Packaged app rules. 3. Click **Create Default Rules**. + +## Related topics + +- [Understanding AppLocker default rules](understanding-applocker-default-rules.md) 
diff --git a/windows/keep-secure/create-vpn-and-wip-policy-using-intune.md b/windows/keep-secure/create-vpn-and-wip-policy-using-intune.md index 45ed365fe2..64602d97ae 100644 --- a/windows/keep-secure/create-vpn-and-wip-policy-using-intune.md +++ b/windows/keep-secure/create-vpn-and-wip-policy-using-intune.md @@ -111,6 +111,10 @@ The final step to making your VPN configuration work with WIP, is to link your t 3. After you've picked all of the employees and groups that should get the policy, click **OK**. The policy is deployed to the selected users' devices. +>[!NOTE] +>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). + + diff --git a/windows/keep-secure/create-wip-policy-using-intune.md b/windows/keep-secure/create-wip-policy-using-intune.md index 44bf2930a2..f0c94d6dba 100644 --- a/windows/keep-secure/create-wip-policy-using-intune.md +++ b/windows/keep-secure/create-wip-policy-using-intune.md @@ -44,10 +44,11 @@ During the policy-creation process in Intune, you can choose the apps you want t The steps to add your app rules are based on the type of rule template being applied. You can add a store app (also known as a Universal Windows Platform (UWP) app), a signed Windows desktop app, or an AppLocker policy file. ->**Important**
WIP-aware apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.

Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **App Rules** list. If you don’t get this statement, it’s possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation. +>[!IMPORTANT] +>WIP-aware apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.

Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **App Rules** list. If you don’t get this statement, it’s possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation. ->**Note**
-If you want to use **File hash** or **Path** rules, instead of **Publisher** rules, you must follow the steps in the [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) topic. +>[!NOTE] +>If you want to use **File hash** or **Path** rules, instead of **Publisher** rules, you must follow the steps in the [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) topic. #### Add a store app rule to your policy For this example, we’re going to add Microsoft OneNote, a store app, to the **App Rules** list. @@ -76,8 +77,8 @@ If you don't know the publisher or product name, you can find them for both desk **To find the Publisher and Product Name values for Store apps without installing them** 1. Go to the [Windows Store for Business](https://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, *Microsoft OneNote*. - >**Note**
- If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the protected apps list. For info about how to do this, see the [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) topic. + >[!NOTE] + >If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the protected apps list. For info about how to do this, see the [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) topic. 2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, `9wzdncrfhvjl`. @@ -94,8 +95,10 @@ If you don't know the publisher or product name, you can find them for both desk 4. Copy the `publisherCertificateName` value into the **Publisher Name** box and copy the `packageIdentityName` value into the **Product Name** box of Intune. - >**Important**
- The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.

For example: + >[!IMPORTANT] + >The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`. + + For example: ```json { @@ -106,7 +109,8 @@ If you don't know the publisher or product name, you can find them for both desk **To find the Publisher and Product Name values for apps installed on Windows 10 mobile phones** 1. If you need to add mobile apps that aren't distributed through the Store for Business, you must use the **Windows Device Portal** feature. - >**Note**
Your PC and phone must be on the same wireless network. + >[!NOTE] + >Your PC and phone must be on the same wireless network. 2. On the Windows Phone, go to **Settings**, choose **Update & security**, and then choose **For developers**. @@ -122,8 +126,10 @@ If you don't know the publisher or product name, you can find them for both desk 8. Copy the `publisherCertificateName` value and paste it into the **Publisher Name** box and the `packageIdentityName` value into the **Product Name** box of Intune. - >**Important**
- The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.

For example:
+ >[!IMPORTANT] + >The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`. + + For example: ``` json { @@ -348,9 +354,9 @@ After you've added a protection mode to your apps, you'll need to decide where t There are no default locations included with WIP, you must add each of your network locations. This area applies to any network endpoint device that gets an IP address in your enterprise’s range and is also bound to one of your enterprise domains, including SMB shares. Local file system locations should just maintain encryption (for example, on local NTFS, FAT, ExFAT). ->**Important** -- Every WIP policy should include policy that defines your enterprise network locations. -- Classless Inter-Domain Routing (CIDR) notation isn’t supported for WIP configurations. +>[!IMPORTANT] +>Every WIP policy should include policy that defines your enterprise network locations.
+>Classless Inter-Domain Routing (CIDR) notation isn’t supported for WIP configurations. **To define where your protected apps can find and send enterprise data on you network** @@ -465,6 +471,9 @@ After you've decided where your protected apps can access enterprise data on you 2. Click **Save Policy**. +>[!NOTE] +>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). + ## Related topics - [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) - [Deploy your Windows Information Protection (WIP) policy](deploy-wip-policy-using-intune.md) diff --git a/windows/keep-secure/create-wip-policy-using-sccm.md b/windows/keep-secure/create-wip-policy-using-sccm.md index 468b8308d4..350d5e1f54 100644 --- a/windows/keep-secure/create-wip-policy-using-sccm.md +++ b/windows/keep-secure/create-wip-policy-using-sccm.md @@ -20,8 +20,8 @@ localizationpriority: high System Center Configuration Manager helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your protected apps, your WIP-protection mode, and how to find enterprise data on the network. ->**Important**
-If you previously created a WIP policy using System Center Configuration Manager version 1511 or 1602, you’ll need to recreate it using version 1606 or later. Editing a WIP policy created in version 1511 or 1602 is not supported in later versions and there is no migration path between older and newer WIP policies. +>[!IMPORTANT] +>If you previously created a WIP policy using System Center Configuration Manager version 1511 or 1602, you’ll need to recreate it using version 1606 or later. Editing a WIP policy created in version 1511 or 1602 is not supported in later versions and there is no migration path between older and newer WIP policies. ## Add a WIP policy After you’ve installed and set up System Center Configuration Manager for your organization, you must create a configuration item for WIP, which in turn becomes your WIP policy. @@ -62,8 +62,8 @@ During the policy-creation process in System Center Configuration Manager, you c The steps to add your app rules are based on the type of rule template being applied. You can add a store app (also known as a Universal Windows Platform (UWP) app), a signed Windows desktop app, or an AppLocker policy file. ->**Important**
-WIP-aware apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.

Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **App rules** list. If you don’t get this statement, it’s possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation. +>[!IMPORTANT] +>WIP-aware apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.

Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **App rules** list. If you don’t get this statement, it’s possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation. #### Add a store app rule to your policy For this example, we’re going to add Microsoft OneNote, a store app, to the **App Rules** list. @@ -94,8 +94,8 @@ If you don't know the publisher or product name, you can find them for both desk 1. Go to the [Windows Store for Business](https://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, Microsoft OneNote. - >**Note**
- If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the protected apps list. For info about how to do this, see the steps in the [Add an AppLocker policy file](#add-an-applocker-policy-file) section. + >[!NOTE] + >If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the protected apps list. For info about how to do this, see the steps in the [Add an AppLocker policy file](#add-an-applocker-policy-file) section. 2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, `9wzdncrfhvjl`. @@ -112,8 +112,9 @@ If you don't know the publisher or product name, you can find them for both desk 4. Copy the `publisherCertificateName` value and paste them into the **Publisher Name** box, copy the `packageIdentityName` value into the **Product Name** box of Intune. - >**Important**
- The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`.

For example:

+ >[!IMPORTANT] + >The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`. + >For example:

```json { @@ -124,8 +125,8 @@ If you don't know the publisher or product name, you can find them for both desk **To find the Publisher and Product Name values for apps installed on Windows 10 mobile phones** 1. If you need to add mobile apps that aren't distributed through the Store for Business, you must use the **Windows Device Portal** feature. - >**Note**
- Your PC and phone must be on the same wireless network. + >[!NOTE] + >Your PC and phone must be on the same wireless network. 2. On the Windows Phone, go to **Settings**, choose **Update & security**, and then choose **For developers**. @@ -141,8 +142,9 @@ If you don't know the publisher or product name, you can find them for both desk 8. Copy the `publisherCertificateName` value and paste it into the **Publisher Name** box and the `packageIdentityName` value into the **Product Name** box of Intune. - >**Important**
- The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`.

For example:

+ >[!IMPORTANT] + >The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`. + >For example:

```json { @@ -369,9 +371,9 @@ After you've added a protection mode to your apps, you'll need to decide where t There are no default locations included with WIP, you must add each of your network locations. This area applies to any network endpoint device that gets an IP address in your enterprise’s range and is also bound to one of your enterprise domains, including SMB shares. Local file system locations should just maintain encryption (for example, on local NTFS, FAT, ExFAT). ->**Important**
-- Every WIP policy should include policy that defines your enterprise network locations. -- Classless Inter-Domain Routing (CIDR) notation isn’t supported for WIP configurations. +>[!IMPORTANT] +>Every WIP policy should include policy that defines your enterprise network locations.
+>Classless Inter-Domain Routing (CIDR) notation isn’t supported for WIP configurations. **To define where your protected apps can find and send enterprise data on you network** @@ -492,13 +494,15 @@ After you've finished configuring your policy, you can review all of your info o A progress bar appears, showing you progress for your policy. After it's done, click **Close** to return to the **Configuration Items** page. - ## Deploy the WIP policy After you’ve created your WIP policy, you'll need to deploy it to your organization's devices. For info about your deployment options, see these topics: - [Operations and Maintenance for Compliance Settings in Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=708224) - [How to Create Configuration Baselines for Compliance Settings in Configuration Manager]( https://go.microsoft.com/fwlink/p/?LinkId=708225) - [How to Deploy Configuration Baselines in Configuration Manager]( https://go.microsoft.com/fwlink/p/?LinkId=708226) +>[!NOTE] +>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). + ## Related topics - [System Center Configuration Manager and Endpoint Protection (Version 1606)](https://go.microsoft.com/fwlink/p/?LinkId=717372) - [TechNet documentation for Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=691623) diff --git a/windows/keep-secure/create-wmi-filters-for-the-gpo.md b/windows/keep-secure/create-wmi-filters-for-the-gpo.md index 3cbb5be9a5..80474a70be 100644 --- a/windows/keep-secure/create-wmi-filters-for-the-gpo.md +++ b/windows/keep-secure/create-wmi-filters-for-the-gpo.md 
@@ -51,7 +51,7 @@ First, create the WMI filter and configure it to look for a specified version (o select * from Win32_OperatingSystem where Version like "6.%" ``` - This query will return **true** for devices running at least Windows Vista and Windows Server 2008. To set a filter for just Windows 8 and Windows Server 2012, use "6.2%". To specify multiple versions, combine them with or, as shown in the following: + This query will return **true** for devices running at least Windows Vista and Windows Server 2008. To set a filter for just Windows 8 and Windows Server 2012, use "6.2%". For Windows 10 and Windows Server 2016, use "10.%". To specify multiple versions, combine them with or, as shown in the following: ``` syntax ... where Version like "6.1%" or Version like "6.2%" @@ -65,16 +65,16 @@ First, create the WMI filter and configure it to look for a specified version (o ... where ProductType="1" or ProductType="3" ``` - The following complete query returns **true** for all devices running Windows 8, and returns **false** for any server operating system or any other client operating system. + The following complete query returns **true** for all devices running Windows 10, and returns **false** for any server operating system or any other client operating system. ``` syntax - select * from Win32_OperatingSystem where Version like "6.2%" and ProductType="1" + select * from Win32_OperatingSystem where Version like "10.%" and ProductType="1" ``` - The following query returns **true** for any device running Windows Server 2012, except domain controllers: + The following query returns **true** for any device running Windows Server 2016, except domain controllers: ``` syntax - select * from Win32_OperatingSystem where Version like "6.2%" and ProductType="3" + select * from Win32_OperatingSystem where Version like "10.%" and ProductType="3" ``` 9. Click **OK** to save the query to the filter. 
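Review bot: in the create-wmi-filters-for-the-gpo hunk at `@@ -51,7 +51,7 @@`, the unchanged sentence before the added text, "This query will return **true** for devices running at least Windows Vista and Windows Server 2008", is no longer accurate once the same paragraph introduces `Version like "10.%"`: a `"6.%"` pattern matches only the 6.x releases and will not match Windows 10 or Windows Server 2016, so "at least" overstates it. Suggest "for devices running Windows Vista / Windows Server 2008 or a later 6.x release" and, since this text is being touched anyway, a sentence making explicit that `"10.%"` matches both Windows 10 and Windows Server 2016, so it is the `ProductType` clause in the two complete queries further down (`ProductType="1"` for clients, `ProductType="3"` for member servers, which excludes domain controllers) that actually separates client from server, not the version pattern. The two rewritten complete queries in the `@@ -65,16 +65,16 @@` hunk are consistent with their prose.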
diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md index ce40f1c03f..a92cf8f9f5 100644 --- a/windows/keep-secure/credential-guard.md +++ b/windows/keep-secure/credential-guard.md @@ -123,7 +123,7 @@ To enforce processing of the group policy, you can run ```gpupdate /force```. If you don't use Group Policy, you can enable Credential Guard by using the registry. Credential Guard uses virtualization-based security features which have to be enabled first on some operating systems. -##### Add the virtualization-based security features +#### Add the virtualization-based security features Starting with Windows 10, version 1607 and Windows Server 2016, enabling Windows features to use virtualization-based security is not necessary and this step can be skipped. @@ -156,7 +156,7 @@ You can do this by using either the Control Panel or the Deployment Image Servic > [!NOTE] > You can also add these features to an online image by using either DISM or Configuration Manager. -##### Enable virtualization-based security and Credential Guard +#### Enable virtualization-based security and Credential Guard 1. Open Registry Editor. 2. Enable virtualization-based security: 
@@ -195,10 +195,9 @@ Requirements for running Credential Guard in Hyper-V virtual machines - The Hyper-V host must have an IOMMU, and run at least Windows Server 2016 or Windows 10 version 1607. - The Hyper-V virtual machine must be Generation 2, have an enabled virtual TPM, and running at least Windows Server 2016 or Windows 10. - ### Remove Credential Guard -If you have to remove Credential Guard on a PC, you need to do the following: +If you have to remove Credential Guard on a PC, you can use the following set of procedures, or you can [use the Device Guard and Credential Guard hardware readiness tool](#turn-off-with-hardware-readiness-tool). 1. If you used Group Policy, disable the Group Policy setting that you used to enable Credential Guard (**Computer Configuration** -> **Administrative Templates** -> **System** -> **Device Guard** -> **Turn on Virtualization Based Security**). 2. Delete the following registry settings: @@ -242,9 +241,10 @@ If you have to remove Credential Guard on a PC, you need to do the following: For more info on virtualization-based security and Device Guard, see [Device Guard deployment guide](device-guard-deployment-guide.md). -**Turn off Credential Guard by using the Device Guard and Credential Guard hardware readiness tool** + +#### Turn off Credential Guard by using the Device Guard and Credential Guard hardware readiness tool -You can also enable Credential Guard by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337). +You can also disable Credential Guard by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337). ``` DG_Readiness_Tool_v2.0.ps1 -Disable -AutoReboot diff --git a/windows/keep-secure/dashboard-windows-defender-advanced-threat-protection.md b/windows/keep-secure/dashboard-windows-defender-advanced-threat-protection.md index 112382f305..990e0ac396 100644 
--- a/windows/keep-secure/dashboard-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/dashboard-windows-defender-advanced-threat-protection.md @@ -56,10 +56,12 @@ Click the name of the machine to see details about that machine. For more inform You can also click **Machines view** at the top of the tile to go directly to the **Machines view**, sorted by the number of active alerts. For more information see, [Investigate machines in the Windows Defender Advanced Threat Protection Machines view](investigate-machines-windows-defender-advanced-threat-protection.md). ## Status -The **Status** tile informs you if the service is active and running and the unique number of machines (endpoints) reporting over the past 30 days. +The **Status** tile informs you if the service is active or if there are issues and the unique number of machines (endpoints) reporting to the service over the past 30 days. ![The Status tile shows an overall indicator of the service and the total number of machines reporting to the service](images/status-tile.png) +For more information on the service status, see [Check the Windows Defender ATP service status](service-status-windows-defender-advanced-threat-protection.md). + ## Machines reporting The **Machines reporting** tile shows a bar graph that represents the number of machines reporting alerts daily. Hover over individual bars on the graph to see the exact number of machines reporting in each day. diff --git a/windows/keep-secure/deploy-wip-policy-using-intune.md b/windows/keep-secure/deploy-wip-policy-using-intune.md index 075fba2473..c9977fec21 100644 --- a/windows/keep-secure/deploy-wip-policy-using-intune.md +++ b/windows/keep-secure/deploy-wip-policy-using-intune.md @@ -33,6 +33,9 @@ The added people move to the **Selected Groups** list on the right-hand pane. 3. After you've picked all of the employees and groups that should get the policy, click **OK**.

The policy is deployed to the selected users' devices. +>[!NOTE] +>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). + ## Related topics - [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) - [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) diff --git a/windows/keep-secure/enlightened-microsoft-apps-and-wip.md b/windows/keep-secure/enlightened-microsoft-apps-and-wip.md index f6b1ea7f6e..f2e1b3c91c 100644 --- a/windows/keep-secure/enlightened-microsoft-apps-and-wip.md +++ b/windows/keep-secure/enlightened-microsoft-apps-and-wip.md @@ -78,4 +78,7 @@ You can add any or all of the enlightened Microsoft apps to your allowed apps li |Microsoft OneDrive |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Binary Name:** onedrive.exe
**App Type:** Desktop app| |Notepad |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Binary Name:** notepad.exe
**App Type:** Desktop app | |Microsoft Paint |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Binary Name:** mspaint.exe
**App Type:** Desktop app | -|Microsoft Remote Desktop |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Binary Name:** mstsc.exe
**App Type:** Desktop app | \ No newline at end of file +|Microsoft Remote Desktop |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Binary Name:** mstsc.exe
**App Type:** Desktop app | + +>[!NOTE] +>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). \ No newline at end of file diff --git a/windows/keep-secure/guidance-and-best-practices-wip.md b/windows/keep-secure/guidance-and-best-practices-wip.md index b91386f0c0..10bf96e580 100644 --- a/windows/keep-secure/guidance-and-best-practices-wip.md +++ b/windows/keep-secure/guidance-and-best-practices-wip.md 
@@ -26,4 +26,7 @@ This section includes info about the enlightened Microsoft apps, including how t |[Mandatory settings for Windows Information Protection (WIP)](mandatory-settings-for-wip.md) |A list of all of the tasks and settings that are required for the operating system to turn on Windows Information Protection (WIP), formerly known as enterprise data protection (EDP), in your enterprise. | |[Enlightened apps for use with Windows Information Protection (WIP)](enlightened-microsoft-apps-and-wip.md) |Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your allowed apps list. | |[Testing scenarios for Windows Information Protection (WIP)](testing-scenarios-for-wip.md) |We've come up with a list of suggested testing scenarios that you can use to test WIP in your company. | -|[Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md) |The most common problems you might encounter while using Windows Information Protection (WIP). | \ No newline at end of file +|[Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md) |The most common problems you might encounter while using Windows Information Protection (WIP). | + +>[!NOTE] +>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). \ No newline at end of file diff --git a/windows/keep-secure/images/atp-disableantispyware-regkey.png b/windows/keep-secure/images/atp-disableantispyware-regkey.png new file mode 100644 index 0000000000..ae3d800c69 Binary files /dev/null and b/windows/keep-secure/images/atp-disableantispyware-regkey.png differ 
diff --git a/windows/keep-secure/images/status-tile.png b/windows/keep-secure/images/status-tile.png index 8c4b1e3356..2ab17ccff1 100644 Binary files a/windows/keep-secure/images/status-tile.png and b/windows/keep-secure/images/status-tile.png differ diff --git a/windows/keep-secure/implement-microsoft-passport-in-your-organization.md b/windows/keep-secure/implement-microsoft-passport-in-your-organization.md index 6fd27dc93a..90a54c7684 100644 --- a/windows/keep-secure/implement-microsoft-passport-in-your-organization.md +++ b/windows/keep-secure/implement-microsoft-passport-in-your-organization.md 
@@ -20,9 +20,9 @@ redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hell You can create a Group Policy or mobile device management (MDM) policy that will implement Windows Hello on devices running Windows 10. >[!IMPORTANT] ->The Group Policy setting **Turn on PIN sign-in** does not apply to Windows Hello for Business. It still prevents or enables the creation of a convenience PIN for Windows 10, version 1507 and 1511. +>The Group Policy setting **Turn on PIN sign-in** does not apply to Windows Hello for Business. Use the **Turn on PIN sign-in** setting to allow or deny the use of a convenience PIN for Windows 10, version 1607. > ->Beginning in version 1607, Windows Hello as a convenience PIN is disabled by default on all domain-joined computers. To enable a convenience PIN for Windows 10, version 1607, enable the Group Policy setting **Turn on convenience PIN sign-in**. +>Beginning in version 1607, Windows Hello as a convenience PIN is disabled by default on all domain-joined computers. To enable a convenience PIN for Windows 10, version 1607, enable the Group Policy setting **Turn on convenience PIN sign-in**. Learn more in the blog post [Changes to Convenience PIN/Windows Hello Behavior in Windows 10, version 1607](https://blogs.technet.microsoft.com/ash/2016/08/13/changes-to-convenience-pin-and-thus-windows-hello-behaviour-in-windows-10-version-1607/). > >Use **Windows Hello for Business** policy settings to manage PINs for Windows Hello for Business.   @@ -378,4 +378,4 @@ The PIN is managed using the same Windows Hello for Business policies that you c [Event ID 300 - Windows Hello successfully created](passport-event-300.md) [Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md) -  \ No newline at end of file +  diff --git a/windows/keep-secure/interactive-logon-require-smart-card.md b/windows/keep-secure/interactive-logon-require-smart-card.md index 2441b3c3e7..503713f8e7 100644 
--- a/windows/keep-secure/interactive-logon-require-smart-card.md +++ b/windows/keep-secure/interactive-logon-require-smart-card.md @@ -1,5 +1,5 @@ --- -title: Interactive logon Require smart card (Windows 10) +title: Interactive logon Require smart card - security policy setting (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Interactive logon Require smart card security policy setting. ms.assetid: c6a8c040-cbc7-472d-8bc5-579ddf3cbd6c ms.prod: w10 @@ -9,7 +9,7 @@ ms.pagetype: security author: brianlic-msft --- -# Interactive logon: Require smart card +# Interactive logon: Require smart card - security policy setting **Applies to** - Windows 10 diff --git a/windows/keep-secure/limitations-with-wip.md b/windows/keep-secure/limitations-with-wip.md index dc2429d6b3..c95ae45458 100644 --- a/windows/keep-secure/limitations-with-wip.md +++ b/windows/keep-secure/limitations-with-wip.md @@ -79,4 +79,7 @@ This table provides info about the most common problems you might encounter whil Webpages that use ActiveX controls can potentially communicate with other outside processes that aren’t protected by using WIP. We recommend that you switch to using Microsoft Edge, the more secure and safer browser that prevents the use of ActiveX controls. We also recommend that you limit the usage of Internet Explorer 11 to only those line-of-business apps that require legacy technology.

For more info, see [Out-of-date ActiveX control blocking](https://technet.microsoft.com/en-us/itpro/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking). - + + +>[!NOTE] +>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). diff --git a/windows/keep-secure/mandatory-settings-for-wip.md b/windows/keep-secure/mandatory-settings-for-wip.md index 0e1345c2ae..1c7ea0a9ff 100644 --- a/windows/keep-secure/mandatory-settings-for-wip.md +++ b/windows/keep-secure/mandatory-settings-for-wip.md @@ -17,8 +17,8 @@ localizationpriority: high This list provides all of the tasks and settings that are required for the operating system to turn on Windows Information Protection (WIP), formerly known as enterprise data protection (EDP), in your enterprise. ->**Important**
-All sections provided for more info appear in either the [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) or [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md), based on the tool you're using in your enterprise. +>[!IMPORTANT] +>All sections provided for more info appear in either the [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) or [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md), based on the tool you're using in your enterprise. |Task |Description | 
@@ -28,4 +28,7 @@ All sections provided for more info appear in either the [Create a Windows Infor |Specify your corporate identity. |You must specify your corporate identity, usually expressed as your primary Internet domain (for example, contoso.com). For more info about where this area is and what it means, see the **Define your enterprise-managed corporate identity** section of the policy creation topics. | |Specify your Enterprise Network Domain Names. |You must specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected. For more info about where this area is and how to add your suffixes, see the table that appears in the **Choose where apps can access enterprise data** section of the policy creation topics. | |Specify your Enterprise IPv4 or IPv6 Ranges. |Specify the addresses for a valid IPv4 or IPv6 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries. For more info about where this area is and what it means, see the table that appears in the **Define your enterprise-managed corporate identity** section of the policy creation topics. | -|Include your Data Recovery Agent (DRA) certificate. |This certificate makes sure that any of your WIP-encrypted data can be decrypted, even if the security keys are lost. For more info about where this area is and what it means, see the **Create and verify an Encrypting File System (EFS) DRA certificate** section of the policy creation topics. | \ No newline at end of file +|Include your Data Recovery Agent (DRA) certificate. |This certificate makes sure that any of your WIP-encrypted data can be decrypted, even if the security keys are lost. For more info about where this area is and what it means, see the **Create and verify an Encrypting File System (EFS) DRA certificate** section of the policy creation topics. 
| + +>[!NOTE] +>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). \ No newline at end of file diff --git a/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md b/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md index 0fd2edc0d3..a3358422cb 100644 --- a/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md @@ -113,4 +113,4 @@ When Windows Defender is not the active antimalware in your organization and you ## Windows Defender Early Launch Antimalware (ELAM) driver is enabled If you're running Windows Defender as the primary antimalware product on your endpoints, the Windows Defender ATP agent will successfully onboard. -If you're running a third-party antimalware client and use Mobile Device Management solutions or System Center Configuration Manager (current branch) version 1606, you'll need to ensure that the Windows Defender ELAM driver is enabled. For more information on how to validate and enable the Windows Defender ELAM driver see, [Ensure the Windows Defender ELAM driver is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-windows-defender-elam-driver-is-enabled). +If you're running a third-party antimalware client and use Mobile Device Management solutions or System Center Configuration Manager (current branch) version 1606, you'll need to ensure that the Windows Defender ELAM driver is enabled. For more information, see [Ensure that Windows Defender is not disabled by policy](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-windows-defender-is-not-disabled-by-a-policy). 
diff --git a/windows/keep-secure/onboard-configure-windows-defender-advanced-threat-protection.md b/windows/keep-secure/onboard-configure-windows-defender-advanced-threat-protection.md index 9205bb0153..2a7a40abd6 100644 --- a/windows/keep-secure/onboard-configure-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/onboard-configure-windows-defender-advanced-threat-protection.md @@ -23,6 +23,7 @@ localizationpriority: high You need to onboard to Windows Defender ATP before you can use the service. +For more information, see [Onboard your Windows 10 endpoints to Windows Defender ATP](https://www.youtube.com/watch?v=JT7VGYfeRlA&feature=youtu.be). ## In this section Topic | Description diff --git a/windows/keep-secure/overview-create-wip-policy.md b/windows/keep-secure/overview-create-wip-policy.md index f0ae686b47..1cb74baed7 100644 --- a/windows/keep-secure/overview-create-wip-policy.md +++ b/windows/keep-secure/overview-create-wip-policy.md 
@@ -23,4 +23,7 @@ Microsoft Intune and System Center Configuration Manager helps you create and de |------|------------| |[Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) |Intune helps you create and deploy your WIP policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. | |[Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) |System Center Configuration Manager helps you create and deploy your WIP policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. | -|[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md) |Steps to create, verify, and perform a quick recovery using a Encrypting File System (EFS) Data Recovery Agent (DRA) certificate. | \ No newline at end of file +|[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md) |Steps to create, verify, and perform a quick recovery using a Encrypting File System (EFS) Data Recovery Agent (DRA) certificate. | + +>[!NOTE] +>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). \ No newline at end of file diff --git a/windows/keep-secure/prepare-your-organization-for-bitlocker-planning-and-policies.md b/windows/keep-secure/prepare-your-organization-for-bitlocker-planning-and-policies.md index 31c04c1c61..c57a618f8e 100644 --- a/windows/keep-secure/prepare-your-organization-for-bitlocker-planning-and-policies.md 
+++ b/windows/keep-secure/prepare-your-organization-for-bitlocker-planning-and-policies.md @@ -48,13 +48,13 @@ BitLocker helps prevent unauthorized access to data on lost or stolen computers - Encrypting the entire Windows operating system volume on the hard disk. - Verifying the boot process integrity. -The trusted platform module (TPM)is a hardware component installed in many newer computers by the computer manufacturers. It works with BitLocker to help protect user data and to ensure that a computer has not been tampered with while the system was offline. +The trusted platform module (TPM) is a hardware component installed in many newer computers by the computer manufacturers. It works with BitLocker to help protect user data and to ensure that a computer has not been tampered with while the system was offline. In addition, BitLocker offers the option to lock the normal startup process until the user supplies a personal identification number (PIN) or inserts a removable USB device, such as a flash drive, that contains a startup key. These additional security measures provide multifactor authentication and assurance that the computer will not start or resume from hibernation until the correct PIN or startup key is presented. On computers that do not have a TPM version 1.2 or higher, you can still use BitLocker to encrypt the Windows operating system volume. However, this implementation will require the user to insert a USB startup key to start the computer or resume from hibernation, and does not provide the pre-startup system integrity verification offered by BitLocker working with a TPM. -**BitLocker key protectors** +### BitLocker key protectors | Key protector | Description | | - | - | 
@@ -65,7 +65,7 @@ On computers that do not have a TPM version 1.2 or higher, you can still use Bi | Recovery password | A 48-digit number used to unlock a volume when it is in recovery mode. Numbers can often be typed on a regular keyboard, if the numbers on the normal keyboard are not responding you can always use the function keys (F1-F10) to input the numbers.| | Recovery key| An encryption key stored on removable media that can be used for recovering data encrypted on a BitLocker volume.|   -**BitLocker authentication methods** +### BitLocker authentication methods | Authentication method | Requires user interaction | Description | | - | - | - | diff --git a/windows/keep-secure/protect-enterprise-data-using-wip.md b/windows/keep-secure/protect-enterprise-data-using-wip.md index dc661d0dbd..a37553eb2c 100644 --- a/windows/keep-secure/protect-enterprise-data-using-wip.md +++ b/windows/keep-secure/protect-enterprise-data-using-wip.md @@ -93,7 +93,8 @@ WIP gives you a new way to manage data policy enforcement for apps and documents - **Helping prevent accidental data disclosure to removable media.** WIP helps prevent enterprise data from leaking when it's copied or transferred to removable media. For example, if an employee puts enterprise data on a Universal Serial Bus (USB) drive that also has personal data, the enterprise data remains encrypted while the personal data doesn’t. - **Remove access to enterprise data from enterprise-protected devices.** WIP gives admins the ability to revoke enterprise data from one or many MDM-enrolled devices, while leaving personal data alone. This is a benefit when an employee leaves your company, or in the case of a stolen device. After determining that the data access needs to be removed, you can use Microsoft Intune to unenroll the device so when it connects to the network, the user's encryption key for the device is revoked and the enterprise data becomes unreadable. - > **Note**
System Center Configuration Manager also allows you to revoke enterprise data. However, it does it by performing a factory reset of the device. + >[!NOTE] + >For management of Surface devices it is recommended that you use the Current Branch of System Center Configuration Manager.
System Center Configuration Manager also allows you to revoke enterprise data. However, it does it by performing a factory reset of the device. ## How WIP works WIP helps address your everyday challenges in the enterprise. Including: @@ -137,3 +138,7 @@ You can turn off all Windows Information Protection and restrictions, decrypting After deciding to use WIP in your enterprise, you need to: - [Create a Windows Information Protection (WIP) policy](overview-create-wip-policy.md) + + +>[!NOTE] +>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). diff --git a/windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md b/windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md index a432c98385..ac0409286d 100644 --- a/windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md +++ b/windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md @@ -93,7 +93,7 @@ This section is an overview that describes different parts of the end-to-end sec | Number | Part of the solution | Description | | - | - | - | -| **1** | Windows 10-based device | The first time a Windows 10-based device is powered on, the out-of-box experience (OOBE) screen is displayed. During setup, the device can be automatically registered into Azure Active Directory (AD) and enrolled in MDM.
A Windows 10-based device with TPM 2.0 can report health status at any time by using the Health Attestation Service available with all editions of Windows 10.| +| **1** | Windows 10-based device | The first time a Windows 10-based device is powered on, the out-of-box experience (OOBE) screen is displayed. During setup, the device can be automatically registered into Azure Active Directory (AD) and enrolled in MDM.
A Windows 10-based device with TPM can report health status at any time by using the Health Attestation Service available with all editions of Windows 10.| | **2** | Identity provider | Azure AD contains users, registered devices, and registered application of organization’s tenant. A device always belongs to a user and a user can have multiple devices. A device is represented as an object with different attributes like the compliance status of the device. A trusted MDM can update the compliance status.
Azure AD is more than a repository. Azure AD is able to authenticate users and devices and can also authorize access to managed resources. Azure AD has a conditional access control engine that leverages the identity of the user, the location of the device and also the compliance status of the device when making a trusted access decision.| | **3**|Mobile device management| Windows 10 has MDM support that enables the device to be managed out-of-box without deploying any agent.
MDM can be Microsoft Intune or any third-party MDM solution that is compatible with Windows 10.| | **4** | Remote health attestation | The Health Attestation Service is a trusted cloud service operated by Microsoft that performs a series of health checks and reports to MDM what Windows 10 security features are enabled on the device.
Security verification includes boot state (WinPE, Safe Mode, Debug/test modes) and components that manage security and integrity of runtime operations (BitLocker, Device Guard).| @@ -125,7 +125,7 @@ Windows 10 supports features to help prevent sophisticated low-level malware li Windows 10 uses the TPM for cryptographic calculations as part of health attestation and to protect the keys for BitLocker, Windows Hello, virtual smart cards, and other public key certificates. For more information, see [TPM requirements in Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=733948). - Windows 10 recognizes versions 1.2 and 2.0 TPM specifications produced by the TCG. For the most recent and modern security features, Windows 10 supports only TPM 2.0. TPM 2.0 is required for device health attestation. + Windows 10 recognizes versions 1.2 and 2.0 TPM specifications produced by the TCG. For the most recent and modern security features, Windows 10 supports only TPM 2.0. TPM 2.0 provides a major revision to the capabilities over TPM 1.2: 
@@ -202,8 +202,6 @@ Windows 10 supports features to help prevent sophisticated low-level malware li During each subsequent boot, the same components are measured, which allows comparison of the measurements against an expected baseline. For additional security, the values measured by the TPM can be signed and transmitted to a remote server, which can then perform the comparison. This process, called *remote device health attestation*, allows the server to verify health status of the Windows device. - Health attestation requires the presence of TPM 2.0. On Windows 10, TPM 2.0 also requires UEFI firmware. - Although Secure Boot is a proactive form of protection, health attestation is a reactive form of boot protection. Health attestation ships disabled in Windows and is enabled by an antimalware or an MDM vendor. Unlike Secure Boot, health attestation will not stop the boot process and enter remediation when a measurement does not work. But with conditional access control, health attestation will help to prevent access to high-value assets. ### Virtualization-based security @@ -317,7 +315,7 @@ MDM solutions are becoming prevalent as a light-weight device management technol ### Device health attestation -Device health attestation leverages the TPM 2.0 to provide cryptographically strong and verifiable measurements of the chain of software used to boot the device. +Device health attestation leverages the TPM to provide cryptographically strong and verifiable measurements of the chain of software used to boot the device. For Windows 10-based devices, Microsoft introduces a new public API that will allow MDM software to access a remote attestation service called Windows Health Attestation Service. A health attestation result, in addition with other elements, can be used to allow or deny access to networks, apps, or services, based on whether devices prove to be healthy. @@ -366,7 +364,7 @@ The following table details the hardware requirements for both virtualization-ba

Support for the IOMMU in Windows 10 enhances system resiliency against DMA attacks.

-

Trusted Platform Module (TPM) 2.0

+

Trusted Platform Module (TPM)

Required to support health attestation and necessary for additional key protections for virtualization-based security.

@@ -380,7 +378,7 @@ As of today, many organizations only consider devices to be compliant with compa The biggest challenge with rootkits is that they can be undetectable to the client. Because they start before antimalware, and they have system-level privileges, they can completely disguise themselves while continuing to access system resources. As a result, traditional computers infected with rootkits appear to be healthy, even with antimalware running. -As previously discussed, the health attestation feature of Windows 10 uses the TPM 2.0 hardware component to securely record a measurement of every boot-related component, including firmware, Windows 10 kernel, and even early boot drivers. Because, health attestation leverages the hardware-based security capabilities of TPM, the log of all boot measured components remains out of the reach of any malware. +As previously discussed, the health attestation feature of Windows 10 uses the TPM hardware component to securely record a measurement of every boot-related component, including firmware, Windows 10 kernel, and even early boot drivers. Because, health attestation leverages the hardware-based security capabilities of TPM, the log of all boot measured components remains out of the reach of any malware. By attesting a trusted boot state, devices can prove that they are not running low-level malware that could spoof later compliance checks. TPM-based health attestation provides a reliable anchor of trust for assets that contain high-value data. 
@@ -404,7 +402,7 @@ This is the most secure approach available for Windows 10-based devices to dete A relying party like an MDM can inspect the report generated by the remote health attestation service. ->**Note:**  To use the health attestation feature of Windows 10, the device must be equipped with a discrete or firmware TPM 2.0. There is no restriction on any particular edition of Windows 10. +>**Note:**  To use the health attestation feature of Windows 10, the device must be equipped with a discrete or firmware TPM. There is no restriction on any particular edition of Windows 10.   Windows 10 supports health attestation scenarios by allowing applications access to the underlying health attestation configuration service provider (CSP) so that applications can request a health attestation token. The measurement of the boot sequence can be checked at any time locally by an antimalware or an MDM agent. @@ -418,7 +416,7 @@ Health attestation logs the measurements in various TPM Platform Configuration R ![figure 6](images/hva-fig6-logs.png) -When starting a device equipped with a TPM, a measurement of different components is performed. This includes firmware, UEFI drivers, CPU microcode, and also all the Windows 10 drivers whose type is Boot Start. The raw measurements are stored in the TPM PCR registers while the details of all events (executable path, authority certification, and so on) are available in the TCG log. +When starting a device equipped with TPM, a measurement of different components is performed. This includes firmware, UEFI drivers, CPU microcode, and also all the Windows 10 drivers whose type is Boot Start. The raw measurements are stored in the TPM PCR registers while the details of all events (executable path, authority certification, and so on) are available in the TCG log. ![figure 7](images/hva-fig7-measurement.png) 
@@ -438,7 +436,7 @@ The number of retained logs may be set with the registry **REG\_DWORD** value **   The following process describes how health boot measurements are sent to the health attestation service: -1. The client (a Windows 10-based device with a TPM 2.0) initiates the request with the remote device health attestation service. Because the health attestation server is expected to be a Microsoft cloud service, the URI is already pre-provisioned in the client. +1. The client (a Windows 10-based device with TPM) initiates the request with the remote device health attestation service. Because the health attestation server is expected to be a Microsoft cloud service, the URI is already pre-provisioned in the client. 2. The client then sends the TCG log, the AIK signed data (PCR values, boot counter) and the AIK certificate information. 3. The remote device heath attestation service then: @@ -457,7 +455,7 @@ The device health attestation solution involves different components that are TP ### Trusted Platform Module -*It’s all about TPM 2.0 and endorsement certificates.* This section describes how PCRs (that contain system configuration data), endorsement key (EK) (that act as an identity card for TPM), SRK (that protect keys) and AIKs (that can report platform state) are used for health attestation reporting. +This section describes how PCRs (that contain system configuration data), endorsement key (EK) (that act as an identity card for TPM), SRK (that protect keys) and AIKs (that can report platform state) are used for health attestation reporting. In a simplified manner, the TPM is a passive component with limited resources. It can calculate random numbers, RSA keys, decrypt short data, store hashes taken when booting the device. 
@@ -492,7 +490,7 @@ For certain devices that use firmware-based TPM produced by Intel or Qualcomm, t Because the endorsement certificate is unique for each device and does not change, the usage of it may present privacy concerns because it's theoretically possible to track a specific device. To avoid this privacy problem, Windows 10 issues a derived attestation anchor based on the endorsement certificate. This intermediate key, which can be attested to an endorsement key, is the Attestation Identity Key (AIK) and the corresponding certificate is called the AIK certificate. This AIK certificate is issued by a Microsoft cloud service. ->**Note:**  Before the device can report its health using the TPM 2.0 attestation functions, an AIK certificate must be provisioned in conjunction with a third-party service like the Microsoft Cloud CA service. After it is provisioned, the AIK private key can be used to report platform configuration. Windows 10 creates a signature over the platform log state (and a monotonic counter value) at each boot by using the AIK. +>**Note:**  Before the device can report its health using the TPM attestation functions, an AIK certificate must be provisioned in conjunction with a third-party service like the Microsoft Cloud CA service. After it is provisioned, the AIK private key can be used to report platform configuration. Windows 10 creates a signature over the platform log state (and a monotonic counter value) at each boot by using the AIK.   The AIK is an asymmetric (public/private) key pair that is used as a substitute for the EK as an identity for the TPM for privacy purposes. The private portion of an AIK is never revealed or used outside the TPM and can only be used inside the TPM for a limited set of operations. Furthermore, it can only be used for signing, and only for limited, TPM-defined operations. 
diff --git a/windows/keep-secure/remove-computer-from-docking-station.md b/windows/keep-secure/remove-computer-from-docking-station.md index ee3b81a7d3..1823951ae4 100644 --- a/windows/keep-secure/remove-computer-from-docking-station.md +++ b/windows/keep-secure/remove-computer-from-docking-station.md @@ -1,5 +1,5 @@ --- -title: Remove computer from docking station (Windows 10) +title: Remove computer from docking station - security policy setting (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Remove computer from docking station security policy setting. ms.assetid: 229a385a-a862-4973-899a-413b1b5b6c30 ms.prod: w10 @@ -9,7 +9,7 @@ ms.pagetype: security author: brianlic-msft --- -# Remove computer from docking station +# Remove computer from docking station - security policy setting **Applies to** - Windows 10 diff --git a/windows/keep-secure/requirements-for-deploying-applocker-policies.md b/windows/keep-secure/requirements-for-deploying-applocker-policies.md index e3b6c29aa7..874036e3b6 100644 --- a/windows/keep-secure/requirements-for-deploying-applocker-policies.md +++ b/windows/keep-secure/requirements-for-deploying-applocker-policies.md 
@@ -24,7 +24,7 @@ The following requirements must be met or addressed before you deploy your AppLo ### Deployment plan -An AppLocker policy deployment plan is the result of investigating which applications are required and necessary in your organization, which apps are optional, and which apps are forbidden. To develop this plan, see [AppLocker Design Guide](applocker-policies-design-guide.md). The following table is an example of the data you need to collect and the decisions you need to make to successfully deploy AppLocker policies on the supported operating systems (as listed in [Requirements to use AppLocker](requirements-to-use-applocker.md). +An AppLocker policy deployment plan is the result of investigating which applications are required and necessary in your organization, which apps are optional, and which apps are forbidden. To develop this plan, see [AppLocker Design Guide](applocker-policies-design-guide.md). The following table is an example of the data you need to collect and the decisions you need to make to successfully deploy AppLocker policies on the supported operating systems (as listed in [Requirements to use AppLocker](requirements-to-use-applocker.md)). diff --git a/windows/keep-secure/restore-files-and-directories.md b/windows/keep-secure/restore-files-and-directories.md index e8bb7e6f85..bf78f4ff41 100644 --- a/windows/keep-secure/restore-files-and-directories.md +++ b/windows/keep-secure/restore-files-and-directories.md @@ -1,5 +1,5 @@ --- -title: Restore files and directories (Windows 10) +title: Restore files and directories - security policy setting (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Restore files and directories security policy setting. ms.assetid: c673c0fa-6f49-4edd-8c1f-c5e8513f701d ms.prod: w10 
@@ -9,7 +9,7 @@ ms.pagetype: security author: brianlic-msft --- -# Restore files and directories +# Restore files and directories - security policy setting **Applies to** - Windows 10 diff --git a/windows/keep-secure/select-types-of-rules-to-create.md b/windows/keep-secure/select-types-of-rules-to-create.md index 00ae11caf5..35f8ffd6b2 100644 --- a/windows/keep-secure/select-types-of-rules-to-create.md +++ b/windows/keep-secure/select-types-of-rules-to-create.md 
@@ -55,7 +55,7 @@ In the Woodgrove Bank example, the line-of-business app for the Bank Tellers bus ### Determine how to allow system files to run -Because AppLocker rules build a list of allowed apps, a rule or rules must be created to allow all Windows files to run. AppLocker provides a means to ensure system files are properly considered in your rule collection by generating the default rules for each rule collection. You can use the default rules as a template when creating your own rules. However, these rules are only meant to function as a starter policy when you are first testing AppLocker rules so that the system files in the Windows folders will be allowed to run. When a default rule is created, it is denoted with "(Default rule)" in its name as it appears in the rule collection. +Because AppLocker rules build a list of allowed apps, a rule or rules must be created to allow all Windows files to run. AppLocker provides a means to ensure system files are properly considered in your rule collection by generating the default rules for each rule collection. You can use the default rules (listed in [AppLocker default rules](working-with-applocker-rules.md#applocker-default-rules)) as a template when creating your own rules. However, these rules are only meant to function as a starter policy when you are first testing AppLocker rules so that the system files in the Windows folders will be allowed to run. When a default rule is created, it is denoted with "(Default rule)" in its name as it appears in the rule collection. You can also create a rule for the system files based on the path condition. In the preceding example, for the Bank Tellers group, all Windows files reside under C:\\Windows and can be defined with the path rule condition type. This will permit access to these files whenever updates are applied and the files change. If you require additional application security, you might need to modify the rules created from the built-in default rule collection. 
For example, the default rule to allow all users to run .exe files in the Windows folder is based on a path condition that allows all files within the Windows folder to run. The Windows folder contains a Temp subfolder to which the Users group is given the following permissions: diff --git a/windows/keep-secure/service-status-windows-defender-advanced-threat-protection.md b/windows/keep-secure/service-status-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..6c8623a564 --- /dev/null +++ b/windows/keep-secure/service-status-windows-defender-advanced-threat-protection.md 
@@ -0,0 +1,54 @@ +--- +title: Check the Windows Defender ATP service status +description: Check Windows Defender ATP service status, see if the service is experiencing issues and review previous issues that have been resolved. +keywords: dashboard, service, issues, service status, current issues, status history, summary of impact, preliminary root cause, resolution, resolution time, expected resolution time +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: mjcaparas +localizationpriority: high +--- + +# Check the Windows Defender Advanced Threat Protection service status + +**Applies to:** + +- Windows 10 Enterprise +- Windows 10 Education +- Windows 10 Pro +- Windows 10 Pro Education +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +The **Service health** provides information on the current status of the Window Defender ATP service. You'll be able to verify that the service status is healthy or if there are current issues. If there are issues, you'll see details related to the issue such as when the issue was detected, what the preliminary root cause is, and the expected resolution time. + +You'll also see information on historical issues that have been resolved and details such as the date and time when the issue was resolved. When there are no issues on the service, you'll see a healthy status. + +You can view details on the service status by clicking the tile from the **Dashboard** or selecting the **Service health** menu from the navigation pane. + +The **Service health** details page has the following tabs: + +- **Current issues** +- **Status History** + +## Current issues +The **Current issues** tab shows the current state of the Windows Defender ATP service. When the service is running smoothly a healthy service status is shown. 
If there are issues seen, the following service details are shown to help you gain better insight about the issue: + +- Date and time for when the issue was detected +- A short description of the issue +- Update time +- Summary of impact +- Preliminary root cause +- Next steps +- Expected resolution time + +Updates on the progress of an issue is reflected on the page as the issue gets resolved. You'll see updates on information such as an updated estimate resolution time or next steps. + +When an issue is resolved, it gets recorded in the **Status history** tab. + +## Status history +The **Status history** tab reflects all the historical issues that were seen and resolved. You'll see details of the resolved issues along with the other information that were included while it was being resolved. + +### Related topic +- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/shut-down-the-system.md b/windows/keep-secure/shut-down-the-system.md index 0c4f6b24a7..4cde410c2d 100644 --- a/windows/keep-secure/shut-down-the-system.md +++ b/windows/keep-secure/shut-down-the-system.md @@ -1,5 +1,5 @@ --- -title: Shut down the system (Windows 10) +title: Shut down the system - security policy setting (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Shut down the system security policy setting. ms.assetid: c8e8f890-153a-401e-a957-ba6a130304bf ms.prod: w10 @@ -9,7 +9,7 @@ ms.pagetype: security author: brianlic-msft --- -# Shut down the system +# Shut down the system - security policy setting **Applies to** - Windows 10 diff --git a/windows/keep-secure/shutdown-clear-virtual-memory-pagefile.md b/windows/keep-secure/shutdown-clear-virtual-memory-pagefile.md index 83e27c9e00..348aa4eb2d 100644 --- a/windows/keep-secure/shutdown-clear-virtual-memory-pagefile.md 
+++ b/windows/keep-secure/shutdown-clear-virtual-memory-pagefile.md @@ -1,5 +1,5 @@ --- -title: Shutdown Clear virtual memory pagefile (Windows 10) +title: Shutdown Clear virtual memory pagefile - security policy setting (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Shutdown Clear virtual memory pagefile security policy setting. ms.assetid: 31400078-6c56-4891-a6df-6dfb403c4bc9 ms.prod: w10 @@ -9,7 +9,7 @@ ms.pagetype: security author: brianlic-msft --- -# Shutdown: Clear virtual memory pagefile +# Shutdown: Clear virtual memory pagefile - security policy setting **Applies to** - Windows 10 diff --git a/windows/keep-secure/testing-scenarios-for-wip.md b/windows/keep-secure/testing-scenarios-for-wip.md index 45737291cf..cca0a2fa52 100644 --- a/windows/keep-secure/testing-scenarios-for-wip.md +++ b/windows/keep-secure/testing-scenarios-for-wip.md @@ -163,4 +163,7 @@ You can try any of the processes included in these scenarios, but you should foc -
\ No newline at end of file + + +>[!NOTE] +>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). \ No newline at end of file diff --git a/windows/keep-secure/tools-to-use-with-applocker.md b/windows/keep-secure/tools-to-use-with-applocker.md index 5d2d69ff81..a5346774ab 100644 --- a/windows/keep-secure/tools-to-use-with-applocker.md +++ b/windows/keep-secure/tools-to-use-with-applocker.md @@ -24,7 +24,7 @@ The following tools can help you administer the application control policies cre - **Generate Default Rules tool** - AppLocker includes default rules for each rule collection accessed through the Local Security Policy snap-in. These rules are intended to help ensure that the files that are required for Windows to operate properly are allowed in an AppLocker rule collection. For info about how to use this tool, see [Create AppLocker default rules](create-applocker-default-rules.md). + AppLocker includes default rules for each rule collection accessed through the Local Security Policy snap-in. These rules are intended to help ensure that the files that are required for Windows to operate properly are allowed in an AppLocker rule collection. For info about how to use this tool, see [Create AppLocker default rules](create-applocker-default-rules.md). For a list of the default rules, see [AppLocker default rules](working-with-applocker-rules.md#applocker-default-rules). - **Automatically Generate AppLocker Rules wizard** diff --git a/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md b/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md index e3c1d51f68..1cb5843937 100644 --- a/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md 
+++ b/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md @@ -65,7 +65,7 @@ Event ID | Error Type | Resolution steps 5 | Offboarding data was found but couldn't be deleted | Check the permissions on the registry, specifically ```HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection```. 10 | Onboarding data couldn't be written to registry | Check the permissions on the registry, specifically
```HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat```.
Verify that the script was ran as an administrator. 15 | Failed to start SENSE service |Check the service status (```sc query sense``` command). Make sure it's not in an intermediate state (*'Pending_Stopped'*, *'Pending_Running'*) and try to run the script again (with administrator rights). -15 | Failed to start SENSE service | If the message of the error is: System error 577 has occurred. You need to enable the Windows Defender ELAM driver, see [Ensure the Windows Defender ELAM driver is enabled](#ensure-the-windows-defender-elam-driver-is-enabled) for instructions. +15 | Failed to start SENSE service | If the message of the error is: System error 577 has occurred. You need to enable the Windows Defender ELAM driver, see [Ensure that Windows Defender is not disabled by a policy](#ensure-that-windows-defender-is-not-disabled-by-a-policy) for instructions. 30 | The script failed to wait for the service to start running | The service could have taken more time to start or has encountered errors while trying to start. For more information on events and errors related to SENSE, see [Review events and errors on endpoints with Event viewer](event-error-codes-windows-defender-advanced-threat-protection.md). 35 | The script failed to find needed onboarding status registry value | When the SENSE service starts for the first time, it writes onboarding status to the registry location
```HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status```.
The script failed to find it after several seconds. You can manually test it and check if it's there. For more information on events and errors related to SENSE, see [Review events and errors on endpoints with Event viewer](event-error-codes-windows-defender-advanced-threat-protection.md). 40 | SENSE service onboarding status is not set to **1** | The SENSE service has failed to onboard properly. For more information on events and errors related to SENSE, see [Review events and errors on endpoints with Event viewer](event-error-codes-windows-defender-advanced-threat-protection.md). @@ -124,7 +124,7 @@ If the deployment tools used does not indicate an error in the onboarding proces - [Ensure the telemetry and diagnostics service is enabled](#ensure-the-telemetry-and-diagnostics-service-is-enabled) - [Ensure the service is set to start](#ensure-the-service-is-set-to-start) - [Ensure the endpoint has an Internet connection](#ensure-the-endpoint-has-an-internet-connection) -- [Ensure the Windows Defender ELAM driver is enabled](#ensure-the-windows-defender-elam-driver-is-enabled) +- [Ensure that Windows Defender is not disabled by a policy](#ensure-that-windows-defender-is-not-disabled-by-a-policy) ### View agent onboarding errors in the endpoint event log 
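Review bot: The rewritten event 15 row now links to "Ensure that Windows Defender is not disabled by a policy" but its text still tells the reader "You need to enable the Windows Defender ELAM driver", so the instruction and the link target disagree; align them, for example "If the error message is 'System error 577 has occurred', Windows Defender is likely disabled by policy; see [Ensure that Windows Defender is not disabled by a policy](...)". The sentence is also split in two ("If the message of the error is: System error 577 has occurred. You need to ..."), which should be one sentence. The unchanged context "Verify that the script was ran as an administrator" should read "was run".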
@@ -222,98 +222,31 @@ To ensure that sensor has service connectivity, follow the steps described in th If the verification fails and your environment is using a proxy to connect to the Internet, then follow the steps described in [Configure proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) topic. -### Ensure the Windows Defender ELAM driver is enabled -If your endpoints are running a third-party antimalware client, the Windows Defender ATP agent needs the Windows Defender Early Launch Antimalware (ELAM) driver to be enabled. +### Ensure that Windows Defender is not disabled by a policy +**Problem**: The Windows Defender ATP service does not start after onboarding. -**Check the ELAM driver status:** +**Symptom**: Onboarding successfully completes, but you see error 577 when trying to start the service. -1. Open a command-line prompt on the endpoint: +**Solution**: If your endpoints are running a third-party antimalware client, the Windows Defender ATP agent needs the Windows Defender Early Launch Antimalware (ELAM) driver to be enabled. You must ensure that it's not disabled in system policy. - a. Click **Start**, type **cmd**, and select **Command prompt**. +- Depending on the tool that you use to implement policies, you'll need to verify that the following Windows Defender policies are set to ```0``` or that the settings are cleared: -2. 
Enter the following command, and press Enter: - ``` - sc qc WdBoot - ``` - If the ELAM driver is enabled, the output will be: + - ```DisableAntiSpyware``` + - ```DisableAntiVirus``` - ``` - [SC] QueryServiceConfig SUCCESS + For example, in Group Policy: - SERVICE_NAME: WdBoot - TYPE : 1 KERNEL_DRIVER - START_TYPE : 0 BOOT_START - ERROR_CONTROL : 1 NORMAL - BINARY_PATH_NAME : \SystemRoot\system32\drivers\WdBoot.sys - LOAD_ORDER_GROUP : Early-Launch - TAG : 0 - DISPLAY_NAME : Windows Defender Boot Driver - DEPENDENCIES : - SERVICE_START_NAME : - ``` - If the ELAM driver is disabled the output will be: - ``` - [SC] QueryServiceConfig SUCCESS + ``` + ``` +- After clearing the policy, run the onboarding steps again on the endpoint. - SERVICE_NAME: WdBoot - TYPE : 1 KERNEL_DRIVER - START_TYPE : 0 DEMAND_START - ERROR_CONTROL : 1 NORMAL - BINARY_PATH_NAME : \SystemRoot\system32\drivers\WdBoot.sys - LOAD_ORDER_GROUP : _Early-Launch - TAG : 0 - DISPLAY_NAME : Windows Defender Boot Driver - DEPENDENCIES : - SERVICE_START_NAME : - ``` +- You can also check the following registry key values to verify that the policy is disabled: -#### Enable the ELAM driver + 1. Open the registry ```key HKEY_LOCAL_MACHINE\ SOFTWARE\Policies\Microsoft\Windows Defender```. + 2. Find the value ```DisableAntiSpyware```. + 3. Ensure that the value is set to 0. -1. Open an elevated PowerShell console on the endpoint: - - a. Click **Start**, type **powershell**. - - b. Right-click **Command prompt** and select **Run as administrator**. - -2. Run the following PowerShell cmdlet: - - ```text - 'Set-ExecutionPolicy -ExecutionPolicy Bypass’ - ``` -3. 
Run the following PowerShell script: - - ```text - Add-Type @' - using System; - using System.IO; - using System.Runtime.InteropServices; - using Microsoft.Win32.SafeHandles; - using System.ComponentModel; - - public static class Elam{ - [DllImport("Kernel32", CharSet=CharSet.Auto, SetLastError=true)] - public static extern bool InstallELAMCertificateInfo(SafeFileHandle handle); - - public static void InstallWdBoot(string path) - { - Console.Out.WriteLine("About to call create file on {0}", path); - var stream = File.Open(path, FileMode.Open, FileAccess.Read, FileShare.Read); - var handle = stream.SafeFileHandle; - - Console.Out.WriteLine("About to call InstallELAMCertificateInfo on handle {0}", handle.DangerousGetHandle()); - if (!InstallELAMCertificateInfo(handle)) - { - Console.Out.WriteLine("Call failed."); - throw new Win32Exception(Marshal.GetLastWin32Error()); - } - Console.Out.WriteLine("Call successful."); - } - } - '@ - - $driverPath = $env:SystemRoot + "\System32\Drivers\WdBoot.sys" - [Elam]::InstallWdBoot($driverPath) - ``` + ![Image of registry key for Windows Defender](images/atp-disableantispyware-regkey.png) diff --git a/windows/keep-secure/troubleshoot-windows-defender-advanced-threat-protection.md b/windows/keep-secure/troubleshoot-windows-defender-advanced-threat-protection.md index fd485e8645..4cb0a35b53 100644 --- a/windows/keep-secure/troubleshoot-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/troubleshoot-windows-defender-advanced-threat-protection.md @@ -46,6 +46,7 @@ U.S. region: - winatpfeedback.windows.com - winatpmanagement.windows.com - winatponboarding.windows.com +- winatpservicehealth.windows.com EU region: 
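Review bot: In the new "Ensure that Windows Defender is not disabled by a policy" section, "For example, in Group Policy:" is followed by an empty fenced block (two bare ``` lines); either fill in the example (the Group Policy location of the DisableAntiSpyware and DisableAntiVirus settings) or drop the line and the fence. The registry step "Open the registry ```key HKEY_LOCAL_MACHINE\ SOFTWARE\Policies\Microsoft\Windows Defender```" has the word "key" inside the code span and a stray space after "HKEY_LOCAL_MACHINE\"; it should read "Open the registry key ```HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender```". Those steps check only DisableAntiSpyware although the bullet above lists DisableAntiVirus as well, so step 2 and 3 should cover both values, and "verify that the policy is disabled" is ambiguous where step 3 ("the value is set to 0") is precise. Finally, the hunk removes the `sc qc WdBoot` status check together with the InstallELAMCertificateInfo script, but the solution text still says the ELAM driver must be enabled; keeping the status check (BOOT_START versus DEMAND_START output) as a diagnostic would let the reader confirm the driver state before and after clearing the policy.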
@@ -57,11 +58,18 @@ EU region: - winatpfeedback.windows.com - winatpmanagement.windows.com - winatponboarding.windows.com +- winatpservicehealth.windows.com ### Windows Defender ATP service shows event or error logs in the Event Viewer See the topic [Review events and errors on endpoints with Event Viewer](event-error-codes-windows-defender-advanced-threat-protection.md) for a list of event IDs that are reported by the Windows Defender ATP service. The topic also contains troubleshooting steps for event errors. +### Windows Defender ATP service fails to start after a reboot and shows error 577 + +If onboarding endpoints successfully completes but Windows Defender ATP does not start after a reboot and shows error 577, check that Windows Defender is not disabled by a policy. + +For more information, see [Ensure that Windows Defender is not disabled by policy](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-windows-defender-is-not-disabled-by-a-policy). + ### Related topic - [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/trusted-platform-module-services-group-policy-settings.md b/windows/keep-secure/trusted-platform-module-services-group-policy-settings.md index d927f73825..8621397fcd 100644 --- a/windows/keep-secure/trusted-platform-module-services-group-policy-settings.md +++ b/windows/keep-secure/trusted-platform-module-services-group-policy-settings.md @@ -71,6 +71,7 @@ For information how to enforce or ignore the default and local lists of blocked - [Ignore the default list of blocked TPM commands](#bkmk-tpmgp-idlb) - [Ignore the local list of blocked TPM commands](#bkmk-tpmgp-illb) + ### Ignore the default list of blocked TPM commands This policy setting allows you to enforce or ignore the computer's default list of blocked Trusted Platform Module (TPM) commands. 
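Review bot: The link text "[Ensure that Windows Defender is not disabled by policy]" in the new error 577 section does not match the target heading "Ensure that Windows Defender is not disabled by a policy" added in the onboarding topic; the anchor resolves, but the text should match the heading. It would also help triage to name the two policy values (DisableAntiSpyware and DisableAntiVirus) here, so a reader seeing error 577 has the check in hand without following the link.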
diff --git a/windows/keep-secure/understanding-applocker-default-rules.md b/windows/keep-secure/understanding-applocker-default-rules.md index b0aa99f22e..f0b744d7ad 100644 --- a/windows/keep-secure/understanding-applocker-default-rules.md +++ b/windows/keep-secure/understanding-applocker-default-rules.md @@ -42,5 +42,4 @@ These permissions settings are applied to this folder for app compatibility. How ## Related topics - [How AppLocker works](how-applocker-works-techref.md) -  -  +- [Create AppLocker default rules](create-applocker-default-rules.md) \ No newline at end of file diff --git a/windows/keep-secure/understanding-applocker-rule-collections.md b/windows/keep-secure/understanding-applocker-rule-collections.md index b8adef234c..bfe5fd07ce 100644 --- a/windows/keep-secure/understanding-applocker-rule-collections.md +++ b/windows/keep-secure/understanding-applocker-rule-collections.md @@ -33,3 +33,5 @@ For info about how to enable the DLL rule collection, see [Enable the DLL rule c ## Related topics - [How AppLocker works](how-applocker-works-techref.md) +- [Understanding AppLocker default rules](understanding-applocker-default-rules.md) + diff --git a/windows/keep-secure/use-applocker-and-software-restriction-policies-in-the-same-domain.md b/windows/keep-secure/use-applocker-and-software-restriction-policies-in-the-same-domain.md index 17fe40b6a1..0fa2a8f258 100644 --- a/windows/keep-secure/use-applocker-and-software-restriction-policies-in-the-same-domain.md +++ b/windows/keep-secure/use-applocker-and-software-restriction-policies-in-the-same-domain.md @@ -61,7 +61,7 @@ The following table compares the features and functions of Software Restriction

Enforcement mode

SRP works in the “deny list mode” where administrators can create rules for files that they do not want to allow in this Enterprise whereas the rest of the file are allowed to run by default.

-

SRP can also be configured in the “allow list mode” such that the by default all files are blocked and administrators need to create allow rules for files that they want to allow.

+

SRP can also be configured in the “allow list mode” so that by default all files are blocked and administrators need to create allow rules for files that they want to allow.

AppLocker by default works in the “allow list mode” where only those files are allowed to run for which there is a matching allow rule.

diff --git a/windows/keep-secure/using-event-viewer-with-applocker.md b/windows/keep-secure/using-event-viewer-with-applocker.md index 1b1b80e64f..7a3b0f4f8d 100644 --- a/windows/keep-secure/using-event-viewer-with-applocker.md +++ b/windows/keep-secure/using-event-viewer-with-applocker.md @@ -46,7 +46,7 @@ The following table contains information about the events that you can use to de | 8005| Information| *<File name> * was allowed to run.| Specifies that the script or .msi file is allowed by an AppLocker rule.| | 8006 | Warning| *<File name> * was allowed to run but would have been prevented from running if the AppLocker policy were enforced.| Applied only when the **Audit only ** enforcement mode is enabled. Specifies that the script or .msi file would be blocked if the **Enforce rules ** enforcement mode were enabled. | | 8007 | Error| *<File name> * was not allowed to run.| Access to *<file name> * is restricted by the administrator. Applied only when the **Enforce rules ** enforcement mode is set either directly or indirectly through Group Policy inheritance. The script or .msi file cannot run.| -| 8007| Error| AppLocker disabled on the SKU.| Added in Windows Server 2012 and Windows 8.| +| 8008| Error| AppLocker disabled on the SKU.| Added in Windows Server 2012 and Windows 8.| | 8020| Information| Packaged app allowed.| Added in Windows Server 2012 and Windows 8.| | 8021| Information| Packaged app audited.| Added in Windows Server 2012 and Windows 8.| | 8022| Information| Packaged app disabled.| Added in Windows Server 2012 and Windows 8.| diff --git a/windows/keep-secure/windows-defender-advanced-threat-protection.md b/windows/keep-secure/windows-defender-advanced-threat-protection.md index 7a77dece05..169cf8daa0 100644 --- a/windows/keep-secure/windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/windows-defender-advanced-threat-protection.md 
@@ -21,6 +21,8 @@ localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=technet-wd-atp-abovefoldlink1) +> >For more info about Windows 10 Enterprise Edition features and functionality, see [Windows 10 Enterprise edition](https://www.microsoft.com/WindowsForBusiness/buy). Windows Defender Advanced Threat Protection (Windows Defender ATP) is a security service that enables enterprise customers to detect, investigate, and respond to advanced threats on their networks. diff --git a/windows/keep-secure/windows-defender-block-at-first-sight.md b/windows/keep-secure/windows-defender-block-at-first-sight.md index 8abf7c0806..a31f43f6ee 100644 --- a/windows/keep-secure/windows-defender-block-at-first-sight.md +++ b/windows/keep-secure/windows-defender-block-at-first-sight.md 
@@ -30,6 +30,9 @@ It is enabled by default when certain pre-requisite settings are also enabled. I When a Windows Defender client encounters a suspicious but undetected file, it queries our cloud protection backend. The cloud backend will apply heuristics, machine learning, and automated analysis of the file to determine the files as malicious or clean. +> [!NOTE] +> The Block at first sight feature only use the cloud protection backend for executable files that are downloaded from the Internet, or originating from the Internet zone. A hash value of the EXE file is checked via the cloud backend to determine if this is a previously undetected file. + If the cloud backend is unable to make a determination, the file will be locked by Windows Defender while a copy is uploaded to the cloud. Only after the cloud has received the file will Windows Defender release the lock and let the file run. The cloud will perform additional analysis to reach a determination, blocking all future encounters of that file. In many cases this process can reduce the response time to new malware from hours to seconds. diff --git a/windows/keep-secure/working-with-applocker-rules.md b/windows/keep-secure/working-with-applocker-rules.md index 9c528133ef..26270475b6 100644 --- a/windows/keep-secure/working-with-applocker-rules.md +++ b/windows/keep-secure/working-with-applocker-rules.md @@ -123,7 +123,7 @@ When you choose the file hash rule condition, the system computes a cryptographi ## AppLocker default rules -AppLocker allows you to generate default rules for each rule collection. +AppLocker includes default rules, which are intended to help ensure that the files that are required for Windows to operate properly are allowed in an AppLocker rule collection. For background, see [Understanding AppLocker default rules](understanding-applocker-default-rules.md), and for steps, see [Create AppLocker default rules](create-applocker-default-rules.md). Executable default rule types include: 
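Review bot: In the added NOTE, "The Block at first sight feature only use the cloud protection backend" should read "only uses", and "to determine if this is a previously undetected file" reads better as "to determine whether the file has been seen before". Because the note narrows the feature to executables downloaded from the Internet or carrying the Internet zone mark, say explicitly that executables without that zone mark are outside this feature's scope, so administrators do not assume broader coverage.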
diff --git a/windows/manage/TOC.md b/windows/manage/TOC.md index 54af0df920..0da55403a3 100644 --- a/windows/manage/TOC.md +++ b/windows/manage/TOC.md @@ -2,6 +2,7 @@ ## [Administrative Tools in Windows 10](administrative-tools-in-windows-10.md) ## [Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md) ## [Update Windows 10 in the enterprise](waas-update-windows-10.md) +### [Quick guide to Windows as a service](waas-quick-start.md) ### [Overview of Windows as a service](waas-overview.md) ### [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) ### [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) diff --git a/windows/manage/administrative-tools-in-windows-10.md b/windows/manage/administrative-tools-in-windows-10.md index 0166bbda73..a7d5203f8a 100644 --- a/windows/manage/administrative-tools-in-windows-10.md +++ b/windows/manage/administrative-tools-in-windows-10.md 
@@ -26,13 +26,10 @@ The tools in the folder might vary depending on which edition of Windows you are These tools were included in previous versions of Windows and the associated documentation for each tool should help you use these tools in Windows 10. The following list links to documentation for each tool. -**Tip**   -If the content that is linked to a tool in the following list doesn't provide the information you need to use that tool, send us a comment by using the **Was this page helpful?** feature on this **Administrative Tools in Windows 10** page. Details about the information you want for a tool will help us plan future content. -   - [Component Services]( https://go.microsoft.com/fwlink/p/?LinkId=708489) -- [Computer Management](https://go.microsoft.com/fwlink/p/?LinkId=708490) +- [Computer Management](https://support.microsoft.com/kb/308423) - [Defragment and Optimize Drives](https://go.microsoft.com/fwlink/p/?LinkId=708488) - [Disk Cleanup](https://go.microsoft.com/fwlink/p/?LinkID=698648) - [Event Viewer](https://go.microsoft.com/fwlink/p/?LinkId=708491) @@ -49,7 +46,8 @@ If the content that is linked to a tool in the following list doesn't provide th - [Windows Firewall with Advanced Security](https://go.microsoft.com/fwlink/p/?LinkId=708503) - [Windows Memory Diagnostic]( https://go.microsoft.com/fwlink/p/?LinkId=708507) -  +>[!TIP]   +>If the content that is linked to a tool in the following list doesn't provide the information you need to use that tool, send us a comment by using the **Was this page helpful?** feature on this **Administrative Tools in Windows 10** page. Details about the information you want for a tool will help us plan future content.    diff --git a/windows/manage/change-history-for-manage-and-update-windows-10.md b/windows/manage/change-history-for-manage-and-update-windows-10.md index 50f89c5dea..b42a844ee5 100644 --- a/windows/manage/change-history-for-manage-and-update-windows-10.md 
+++ b/windows/manage/change-history-for-manage-and-update-windows-10.md @@ -12,6 +12,15 @@ author: jdeckerMS This topic lists new and updated topics in the [Manage and update Windows 10](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md). +>If you're looking for **update history** for Windows 10, see [Windows 10 and Windows Server 2016 update history](https://support.microsoft.com/help/12387/windows-10-update-history). + +## December 2016 + +| New or changed topic | Description | +| --- | --- | +| [Quick guide to Windows as a service](waas-quick-start.md) | New | +| [Manage Windows 10 in your organization - transitioning to modern management](manage-windows-10-in-your-organization-modern-management.md) | Added video demonstration of the latest in modern management for Windows 10 | + ## November 2016 | New or changed topic | Description | diff --git a/windows/manage/customize-and-export-start-layout.md b/windows/manage/customize-and-export-start-layout.md index 87f206380e..102272ce54 100644 --- a/windows/manage/customize-and-export-start-layout.md +++ b/windows/manage/customize-and-export-start-layout.md @@ -17,9 +17,7 @@ localizationpriority: high - Windows 10 -**Looking for consumer information?** - -- [Customize the Start menu](https://go.microsoft.com/fwlink/p/?LinkId=623630) +>**Looking for consumer information?** See [Customize the Start menu](https://go.microsoft.com/fwlink/p/?LinkId=623630) The easiest method for creating a customized Start layout to apply to other Windows 10 devices is to set up the Start screen on a test computer and then export the layout. 
@@ -29,7 +27,8 @@ When a full Start layout is applied, the users cannot pin, unpin, or uninstall a When [a partial Start layout](#configure-a-partial-start-layout) is applied, the contents of the specified tile groups cannot be changed, but users can move those groups, and can also create and customize their own groups. -**Note**  Partial Start layout is only supported on Windows 10, version 1511 and later. +>[!NOTE] +>Partial Start layout is only supported on Windows 10, version 1511 and later.   @@ -50,7 +49,7 @@ To prepare a Start layout for export, you simply customize the Start layout on a 1. Set up a test computer on which to customize the Start layout. Your test computer should have the operating system that is installed on the users’ computers (Windows 10 Enterprise or Windows 10 Education). Install all apps and services that the Start layout should display. - 2. Create a new user account that you will use to customize the Start layout. +2. Create a new user account that you will use to customize the Start layout. **To customize Start** diff --git a/windows/manage/customize-windows-10-start-screens-by-using-group-policy.md b/windows/manage/customize-windows-10-start-screens-by-using-group-policy.md index 80e8f90299..1608edb2f8 100644 --- a/windows/manage/customize-windows-10-start-screens-by-using-group-policy.md +++ b/windows/manage/customize-windows-10-start-screens-by-using-group-policy.md 
@@ -17,16 +17,14 @@ localizationpriority: high - Windows 10 -**Looking for consumer information?** - -- [Customize the Start menu](https://go.microsoft.com/fwlink/p/?LinkId=623630) +>**Looking for consumer information?** See [Customize the Start menu](https://go.microsoft.com/fwlink/p/?LinkId=623630) In Windows 10 Enterprise and Windows 10 Education, you can use a Group Policy Object (GPO) to deploy a customized Start and taskbar layout to users in a domain. No reimaging is required, and the layout can be updated simply by overwriting the .xml file that contains the layout. This enables you to customize Start and taskbar layouts for different departments or organizations, with minimal management overhead. This topic describes how to update Group Policy settings to display a customized Start and taskbar layout when the users sign in. By creating a domain-based GPO with these settings, you can deploy a customized Start and taskbar layout to users in a domain. -**Warning**   -When a full Start layout is applied with this method, the users cannot pin, unpin, or uninstall apps from Start. Users can view and open all apps in the **All Apps** view, but they cannot pin any apps to Start. When a partial Start layout is applied, the contents of the specified tile groups cannot be changed, but users can move those groups, and can also create and customize their own groups. When you apply a taskbar layout, users will still be able to pin and unpin apps, and change the order of pinned apps. +>[!WARNING]   +>When a full Start layout is applied with this method, the users cannot pin, unpin, or uninstall apps from Start. Users can view and open all apps in the **All Apps** view, but they cannot pin any apps to Start. When a partial Start layout is applied, the contents of the specified tile groups cannot be changed, but users can move those groups, and can also create and customize their own groups. 
When you apply a taskbar layout, users will still be able to pin and unpin apps, and change the order of pinned apps.   @@ -46,15 +44,15 @@ Three features enable Start and taskbar layout control: - The [Export-StartLayout](https://go.microsoft.com/fwlink/p/?LinkID=620879) cmdlet in Windows PowerShell exports a description of the current Start layout in .xml file format. - **Note**   - To import the layout of Start to a mounted Windows image, use the [Import-StartLayout](https://go.microsoft.com/fwlink/p/?LinkId=623707) cmdlet. + >[!NOTE]   + >To import the layout of Start to a mounted Windows image, use the [Import-StartLayout](https://go.microsoft.com/fwlink/p/?LinkId=623707) cmdlet. - [You can modify the Start .xml file](configure-windows-10-taskbar.md) to include `` or create an .xml file just for the taskbar configuration. - In Group Policy, you use the **Start Layout** settings for the **Start Menu and Taskbar** administrative template to set a Start and taskbar layout from an .xml file when the policy is applied. -**Note**   -To learn how customize Start to include your line-of-business apps when you deploy Windows 10, see [Customize the Windows 10 Start layout]( https://go.microsoft.com/fwlink/p/?LinkId=620863). +>[!NOTE]   +>To learn how customize Start to include your line-of-business apps when you deploy Windows 10, see [Customize the Windows 10 Start layout]( https://go.microsoft.com/fwlink/p/?LinkId=620863).   
@@ -76,12 +74,11 @@ For information about deploying GPOs in a domain, see [Working with Group Policy You can use the Local Group Policy Editor to provide a customized Start and taskbar layout for any user who signs in on the local computer. To display the customized Start and taskbar layout for any user who signs in, configure **Start Layout** policy settings for the **Start Menu and Taskbar** administrative template. You can use the **Start Menu and Taskbar** administrative template in **User Configuration** or **Computer Configuration**. -**Note**   -This procedure applies the policy settings on the local computer only. For information about deploying the Start and taskbar layout to users in a domain, see [Use Group Policy to deploy a customized Start layout in a domain](#bkmk-domaingpodeployment). +>[!NOTE]   +>This procedure applies the policy settings on the local computer only. For information about deploying the Start and taskbar layout to users in a domain, see [Use Group Policy to deploy a customized Start layout in a domain](#bkmk-domaingpodeployment). +> +>This procedure creates a Local Group Policy that applies to all users on the computer. To configure Local Group Policy that applies to a specific user or group on the computer, see [Step-by-Step Guide to Managing Multiple Local Group Policy Objects](https://go.microsoft.com/fwlink/p/?LinkId=620881). The guide was written for Windows Vista and the procedures still apply to Windows 10. -This procedure creates a Local Group Policy that applies to all users on the computer. To configure Local Group Policy that applies to a specific user or group on the computer, see [Step-by-Step Guide to Managing Multiple Local Group Policy Objects](https://go.microsoft.com/fwlink/p/?LinkId=620881). The guide was written for Windows Vista and the procedures still apply to Windows 10. 
- -  This procedure adds the customized Start and taskbar layout to the user configuration, which overrides any Start layout settings in the local computer configuration when a user signs in on the computer. @@ -107,10 +104,10 @@ This procedure adds the customized Start and taskbar layout to the user configur 3. Optionally, enter a comment to identify the Start and taskbar layout. - **Important**   - If you disable Start Layout policy settings that have been in effect and then re-enable the policy, users will not be able to make changes to Start, however the layout in the .xml file will not be reapplied unless the file has been updated. In Windows PowerShell, you can update the timestamp on a file by running the following command: + >[!IMPORTANT]   + >If you disable Start Layout policy settings that have been in effect and then re-enable the policy, users will not be able to make changes to Start, however the layout in the .xml file will not be reapplied unless the file has been updated. In Windows PowerShell, you can update the timestamp on a file by running the following command: - `(ls ).LastWriteTime = Get-Date` + >`(ls ).LastWriteTime = Get-Date`   diff --git a/windows/manage/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md b/windows/manage/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md index aca87ef5cc..8ec42b3218 100644 --- a/windows/manage/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md +++ b/windows/manage/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md 
@@ -58,12 +58,15 @@ When you build a provisioning package, you may include sensitive information in 3. Name your project, and click **Next**. -4. Choose **Common to all Windows desktop editions** and click **Next**. +4. Choose **All Windows desktop editions** and click **Next**. 5. On **New project**, click **Finish**. The workspace for your package opens. 6. Expand **Runtime settings** > **Start**, and click **StartLayout**. + >[!TIP] + >If **Start** is not listed, check the type of settings you selected in step 4. You must create the project using settings for **All Windows desktop editions**. + 7. Specify the path and file name of the Start layout .xml that you created with the [Export-StartLayout](https://go.microsoft.com/fwlink/p/?LinkId=620879) cmdlet. 8. On the **File** menu, select **Save.** diff --git a/windows/manage/distribute-offline-apps.md b/windows/manage/distribute-offline-apps.md index c1bc0b3a20..74afc0928b 100644 --- a/windows/manage/distribute-offline-apps.md +++ b/windows/manage/distribute-offline-apps.md 
@@ -18,7 +18,7 @@ localizationpriority: high - Windows 10 - Windows 10 Mobile -Offline licensing is a new licensing option for Windows 10. With offline licenses, organizations can download apps and their licenses to deploy within their network, or on devices that are not connected to the Internet. ISVs or devs can opt-in their apps for offline licensing when they submit them to the Windows Dev Center. Only apps that are opted in to offline licensing will show that they are available for offline licensing in the Windows Store for Business. This model means organizations can deploy apps when users or devices do not have connectivity to the Store. +Offline licensing is a new licensing option for Windows 10 Store for Business. With offline licenses, organizations can download apps and their licenses to deploy within their network, or on devices that are not connected to the Internet. ISVs or devs can opt-in their apps for offline licensing when they submit them to the Windows Dev Center. Only apps that are opted in to offline licensing will show that they are available for offline licensing in the Windows Store for Business. This model means organizations can deploy apps when users or devices do not have connectivity to the Store. ## Why offline-licensed apps? diff --git a/windows/manage/index.md b/windows/manage/index.md index ac66e4c102..e9e8ac3329 100644 --- a/windows/manage/index.md +++ b/windows/manage/index.md @@ -14,6 +14,9 @@ author: jdeckerMS Learn about managing and updating Windows 10. +>[!NOTE] +>Information for Windows 10 Enterprise also applies to Windows 10 IoT Enterprise, and information for Windows 10 Mobile Enterprise also applies to Windows 10 IoT Mobile. For information about managing devices running Windows 10 IoT Core, see [Windows 10 IoT Core Commercialization](https://www.windowsforiotdevices.com/). + ## In this section 
diff --git a/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 08bc3dd3db..c7c8415926 100644 --- a/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -237,7 +237,8 @@ In Windows 10, version 1507 and Windows 10, version 1511, when you enable the ** - For **Remote port**, choose **All ports**. -If your organization tests network traffic, you should not use Fiddler to test Windows Firewall settings. Fiddler is a network proxy and Windows Firewall does not block proxy traffic. You should use a network traffic analyzer, such as WireShark or Message Analyzer. + +If your organization tests network traffic, do not use a network proxy as Windows Firewall does not block proxy traffic. Instead, use a network traffic analyzer. Based on your needs, there are many network traffic analyzers available at no cost. ### 2.2 Cortana and Search MDM policies diff --git a/windows/manage/manage-windows-10-in-your-organization-modern-management.md b/windows/manage/manage-windows-10-in-your-organization-modern-management.md index 0d3374fbca..e0852318ad 100644 --- a/windows/manage/manage-windows-10-in-your-organization-modern-management.md +++ b/windows/manage/manage-windows-10-in-your-organization-modern-management.md 
@@ -18,6 +18,10 @@ Your organization might have considered bringing in Windows 10 devices and downg Your organization can support various operating systems across a wide range of device types, and manage them through a common set of tools such as System Center Configuration Manager, Microsoft Intune, or other third-party products. This “managed diversity” enables you to empower your users to benefit from the productivity enhancements available on their new Windows 10 devices (including rich touch and ink support), while still maintaining your standards for security and manageability. It can help you and your organization benefit from Windows 10 much faster. +This six-minute video demonstrates how users can bring in a new retail device and be up and working with their personalized settings and a managed experience in a few minutes, without being on the corporate network. It also demonstrates how IT can apply policies and configurations to ensure device compliance. + + + This topic offers guidance on strategies for deploying and managing Windows 10, including deploying Windows 10 in a mixed environment. The topic covers [management options](#reviewing-the-management-options-with-windows-10) plus the four stages of the device lifecycle: - [Deployment and Provisioning](#deployment-and-provisioning) diff --git a/windows/manage/waas-branchcache.md b/windows/manage/waas-branchcache.md index 4cd0ab6f1c..ec1296a2ef 100644 --- a/windows/manage/waas-branchcache.md +++ b/windows/manage/waas-branchcache.md 
@@ -15,6 +15,7 @@ localizationpriority: high - Windows 10 +> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) BranchCache is a bandwidth-optimization feature that has been available since the Windows Server 2008 R2 and Windows 7 operating systems. Each client has a cache and acts as an alternate source for content that devices on its own network request. Windows Server Update Services (WSUS) and System Center Configuration Manager can use BranchCache to optimize network bandwidth during update deployment, and it’s easy to configure for either of them. BranchCache has two operating modes: Distributed Cache mode and Hosted Cache mode. diff --git a/windows/manage/waas-configure-wufb.md b/windows/manage/waas-configure-wufb.md index 1ef0609987..c6e756d31b 100644 --- a/windows/manage/waas-configure-wufb.md +++ b/windows/manage/waas-configure-wufb.md @@ -16,6 +16,8 @@ localizationpriority: high - Windows 10 - Windows 10 Mobile +> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) + You can use Group Policy or your mobile device management (MDM) service to configure Windows Update for Business settings for your devices. The sections in this topic provide the Group Policy and MDM policies for both Windows 10, version 1511, and Windows 10, version 1607. The MDM policies use the OMA-URI setting from the [Policy CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx). >[!IMPORTANT] diff --git a/windows/manage/waas-delivery-optimization.md b/windows/manage/waas-delivery-optimization.md index 8ceceeea1e..e912602db5 100644 --- a/windows/manage/waas-delivery-optimization.md +++ b/windows/manage/waas-delivery-optimization.md 
@@ -15,6 +15,7 @@ localizationpriority: high - Windows 10 +> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) Delivery Optimization is a self-organizing distributed cache solution for businesses looking to reduce bandwidth consumption for operating system updates, operating system upgrades, and applications by allowing clients to download those elements from alternate sources (such as other peers on the network) in addition to the traditional Internet-based Windows Update servers. You can use Delivery Optimization in conjunction with stand-alone Windows Update, Windows Server Update Services (WSUS), and Windows Update for Business. This functionality is similar to BranchCache in other systems, such as System Center Configuration Manager. diff --git a/windows/manage/waas-deployment-rings-windows-10-updates.md b/windows/manage/waas-deployment-rings-windows-10-updates.md index 2b546c090f..a94ad97953 100644 --- a/windows/manage/waas-deployment-rings-windows-10-updates.md +++ b/windows/manage/waas-deployment-rings-windows-10-updates.md 
@@ -16,6 +16,8 @@ localizationpriority: high - Windows 10 - Windows 10 Mobile +> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) + For Windows as a service, maintenance is ongoing and iterative. Deploying previous versions of Windows required organizations to build sets of users to roll out the changes in phases. Typically, these users ranged (in order) from the most adaptable and least risky to the least adaptable or riskiest. With Windows 10, a similar methodology exists, but construction of the groups is a little different. Deployment rings in Windows 10 are similar to the deployment groups most organizations constructed for previous major revision upgrades. They are simply a method by which to separate machines into a deployment timeline. With Windows 10, you construct deployment rings a bit differently in each servicing tool, but the concepts remain the same. Each deployment ring should reduce the risk of issues derived from the deployment of the feature updates by gradually deploying the update to entire departments. As previously mentioned, consider including a portion of each department’s employees in several deployment rings. diff --git a/windows/manage/waas-integrate-wufb.md b/windows/manage/waas-integrate-wufb.md index da82744267..d00083ad6c 100644 --- a/windows/manage/waas-integrate-wufb.md +++ b/windows/manage/waas-integrate-wufb.md @@ -16,6 +16,8 @@ localizationpriority: high - Windows 10 - Windows 10 Mobile +> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) + You can integrate Windows Update for Business deployments with existing management tools such as Windows Server Update Services (WSUS) and System Center Configuration Manager. ## Integrate Windows Update for Business with Windows Server Update Services 
diff --git a/windows/manage/waas-manage-updates-configuration-manager.md b/windows/manage/waas-manage-updates-configuration-manager.md index 040c2ade5d..12f1bf2fed 100644 --- a/windows/manage/waas-manage-updates-configuration-manager.md +++ b/windows/manage/waas-manage-updates-configuration-manager.md @@ -16,6 +16,7 @@ localizationpriority: high - Windows 10 - Windows 10 Mobile +> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) System Center Configuration Manager provides maximum control over quality and feature updates for Windows 10. Unlike other servicing tools, Configuration Manager has capabilities that extend beyond servicing, such as application deployment, antivirus management, software metering, and reporting, and provides a secondary deployment method for LTSB clients. Configuration Manager can effectively control bandwidth usage and content distribution through a combination of BranchCache and distribution points. Microsoft encourages organizations currently using Configuration Manager for Windows update management to continue doing so for Windows 10 client computers. diff --git a/windows/manage/waas-manage-updates-wsus.md b/windows/manage/waas-manage-updates-wsus.md index 9494fe7514..1185ebcf25 100644 --- a/windows/manage/waas-manage-updates-wsus.md +++ b/windows/manage/waas-manage-updates-wsus.md 
@@ -15,6 +15,7 @@ localizationpriority: high - Windows 10 +> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) WSUS is a Windows Server role available in the Windows Server operating systems. It provides a single hub for Windows updates within an organization. WSUS allows companies not only to defer updates but also to selectively approve them, choose when they’re delivered, and determine which individual devices or groups of devices receive them. WSUS provides additional control over Windows Update for Business but does not provide all the scheduling options and deployment flexibility that System Center Configuration Manager provides. @@ -24,7 +25,7 @@ When you choose WSUS as your source for Windows updates, you use Group Policy to ## Requirements for Windows 10 servicing with WSUS -To be able to use WSUS to manage and deploy Windows 10 feature updates, you must have WSUS 4.0, which is available in the Windows Server 2012 R2 and Windows Server 2012 operating systems. In addition to WSUS 4.0, you must install the [KB3095113](https://support.microsoft.com/kb/3095113) and [KB3148812](https://support.microsoft.com/kb/3159706) patches on the WSUS server. +To be able to use WSUS to manage and deploy Windows 10 feature updates, you must have WSUS 4.0, which is available in the Windows Server 2012 R2 and Windows Server 2012 operating systems. In addition to WSUS 4.0, you must install the [KB3095113](https://support.microsoft.com/kb/3095113) and [KB3159706](https://support.microsoft.com/kb/3159706) patches on the WSUS server. ## WSUS scalability diff --git a/windows/manage/waas-manage-updates-wufb.md b/windows/manage/waas-manage-updates-wufb.md index 3ee1f252a4..5abdf4a34b 100644 --- a/windows/manage/waas-manage-updates-wufb.md +++ b/windows/manage/waas-manage-updates-wufb.md 
@@ -16,6 +16,8 @@ localizationpriority: high - Windows 10 - Windows 10 Mobile +> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) + Windows Update for Business enables information technology administrators to keep the Windows 10 devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Windows Update service. You can use Group Policy or MDM solutions such as Intune to configure the Windows Update for Business settings. Using Group Policy or MDM solutions such as Intune, you can control how and when Windows 10 devices are updated. In addition, by using Intune, organizations can manage devices that are not joined to a domain at all or are joined to Microsoft Azure Active Directory (Azure AD) alongside your on-premises domain-joined machines. Specifically, Windows Update for Business allows for: diff --git a/windows/manage/waas-mobile-updates.md b/windows/manage/waas-mobile-updates.md index 9ec59b8a28..a746f90a29 100644 --- a/windows/manage/waas-mobile-updates.md +++ b/windows/manage/waas-mobile-updates.md @@ -16,6 +16,7 @@ localizationpriority: high - Windows 10 Mobile - [Windows 10 IoT Mobile](https://www.microsoft.com/en-us/WindowsForBusiness/windows-iot) +> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) >[!TIP] >If you're not familiar with the Windows 10 servicing or release branches, read [Servicing branches](waas-overview.md#servicing-branches) first. diff --git a/windows/manage/waas-optimize-windows-10-updates.md b/windows/manage/waas-optimize-windows-10-updates.md index ba22acf24f..2792edeed4 100644 --- a/windows/manage/waas-optimize-windows-10-updates.md +++ b/windows/manage/waas-optimize-windows-10-updates.md 
@@ -15,6 +15,7 @@ localizationpriority: high - Windows 10 +> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) When considering your content distribution strategy for Windows 10, think about enabling a form of peer-to-peer content sharing to reduce bandwidth issues during updates. Windows 10 offers two peer-to-peer options for update content distribution: Delivery Optimization and BranchCache. These technologies can be used with several of the servicing tools for Windows 10. diff --git a/windows/manage/waas-overview.md b/windows/manage/waas-overview.md index bc4a03c412..1d04eb0c3a 100644 --- a/windows/manage/waas-overview.md +++ b/windows/manage/waas-overview.md 
@@ -17,13 +17,15 @@ localizationpriority: high - Windows 10 Mobile - Windows 10 IoT Mobile +> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) + The Windows 10 operating system introduces a new way to build, deploy, and service Windows: Windows as a service. Microsoft has reimagined each part of the process, to simplify the lives of IT pros and maintain a consistent Windows 10 experience for its customers. These improvements focus on maximizing customer involvement in Windows development, simplifying the deployment and servicing of Windows client computers, and leveling out the resources needed to deploy and maintain Windows over time. ## Building Prior to Windows 10, Microsoft released new versions of Windows every few years. This traditional deployment schedule imposed a training burden on users because the feature revisions were often significant. That schedule also meant waiting long periods without new features — a scenario that doesn’t work in today’s rapidly changing world, a world in which new security, management, and deployment capabilities are necessary to address challenges. Windows as a service will deliver smaller feature updates two to three times per year to help address these issues. -In the past, when Microsoft developed new versions of Windows, it typically released technical previews near the end of the process, whehn Windows was nearly ready to ship. With Windows 10, new features will be delivered to the [Windows Insider community](https://insider.windows.com/) as soon as possible — during the development cycle, through a process called *flighting* — so that organizations can see exactly what Microsoft is developing and start their testing as soon as possible. +In the past, when Microsoft developed new versions of Windows, it typically released technical previews near the end of the process, when Windows was nearly ready to ship. 
With Windows 10, new features will be delivered to the [Windows Insider community](https://insider.windows.com/) as soon as possible — during the development cycle, through a process called *flighting* — so that organizations can see exactly what Microsoft is developing and start their testing as soon as possible. Microsoft also depends on receiving feedback from organizations throughout the development process so that it can make adjustments as quickly as possible rather than waiting until after release. For more information about the Windows Insider Program and how to sign up, see the section [Windows Insider](#windows-insider). 
@@ -66,7 +68,7 @@ With Windows 10, Microsoft will package new features into feature updates that c Monthly updates in previous Windows versions were often overwhelming because of the sheer number of updates available each month. Many organizations selectively chose which updates they wanted to install and which they didn’t, and this created countless scenarios in which organizations deployed essential security updates but picked only a subset of nonsecurity fixes. -In Windows 10, rather than receiving several updates each month and trying to figure out which the organization needs, which ultimately causes platform fragmentation, administrators will see one cumulative monthly update that supersedes the previous month’s update, containing both security and nonsecurity fixes. This approach makes patching simpler and ensures that customers’ devices are more closely aligned with the testing done at Microsoft, reducing unexpected issues resulting from patching. The left side of Figure 1 provides an example of Windows 7 machines in an enterprise and what their current patch level might look like. On the right is what Microsoft’s test environment PCs contain. This drastic difference is the basis for many compatibility issues and system anomalies related to Windows updates. +In Windows 10, rather than receiving several updates each month and trying to figure out which the organization needs, which ultimately causes platform fragmentation, administrators will see one cumulative monthly update that supersedes the previous month’s update, containing both security and nonsecurity fixes. This approach makes patching simpler and ensures that customers’ devices are more closely aligned with the testing done at Microsoft, reducing unexpected issues resulting from patching. The left side of Figure 1 provides an example of Windows 7 devices in an enterprise and what their current patch level might look like. On the right is what Microsoft’s test environment PCs contain. 
This drastic difference is the basis for many compatibility issues and system anomalies related to Windows updates. **Figure 1** 
@@ -76,7 +78,7 @@ In Windows 10, rather than receiving several updates each month and trying to fi ## Servicing branches -To align with the new method of delivering feature updates and quality updates in Windows 10, Microsoft introduced the concept of servicing branches to allow customers to designate how aggressively their individual machines are updated. For example, an organization may have test machines that the IT department can update with new features as soon as possible, and then specialized devices that require a longer feature update cycle to ensure continuity. With that in mind, Microsoft offers three servicing branches for Windows 10: Current Branch (CB), Current Branch for Business (CBB), and Long-Term Servicing Branch (LTSB). In addition, the Windows Insider Program provides IT pros and other interested parties with prerelease Windows builds that they can test and ultimately provide feedback on to Microsoft. For details about the versions in each servicing branch, see [Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx). +To align with the new method of delivering feature updates and quality updates in Windows 10, Microsoft introduced the concept of servicing branches to allow customers to designate how aggressively their individual devices are updated. For example, an organization may have test devices that the IT department can update with new features as soon as possible, and then specialized devices that require a longer feature update cycle to ensure continuity. With that in mind, Microsoft offers three servicing branches for Windows 10: Current Branch (CB), Current Branch for Business (CBB), and Long-Term Servicing Branch (LTSB). In addition, the Windows Insider Program provides IT pros and other interested parties with prerelease Windows builds that they can test and ultimately provide feedback on to Microsoft. 
For details about the versions in each servicing branch, see [Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx). The concept of servicing branches is new, but organizations can use the same management tools they used to manage updates and upgrades in previous versions of Windows. For more information about the servicing tool options for Windows 10 and their capabilities, see [Servicing tools](#servicing-tools). 
@@ -88,7 +90,7 @@ The concept of servicing branches is new, but organizations can use the same man In the CB servicing model, feature updates are available as soon as Microsoft releases them. Windows 10 version 1511 had few servicing tool options to delay CB feature updates, limiting the use of the CB servicing branch. Windows 10 version 1607, however, includes more servicing tools that can delay CB feature updates for up to 180 days. The CB servicing model is ideal for pilot deployments and testing of Windows 10 feature updates and for users such as developers who need to work with the latest features immediately. -When Microsoft officially releases a feature update for Windows 10, that update is marked for CB, making it available to any PC not configured to defer feature updates so that those machines can immediately install it. Organizations that use Windows Server Update Services (WSUS), Microsoft System Center Configuration Manager, or Windows Update for Business, however, can defer CB feature updates to selective machines by withholding their approval and deployment. In this scenario, the content available for CB will be available but not necessarily immediately mandatory, depending on the policy of the management system. Only one CB build of Windows is supported at a time, so those clients not on the most current build will not receive quality updates (after a 60 day grace period) until the most current feature update has been installed. For more details about Windows 10 servicing tools, see [Servicing tools](#servicing-tools). +When Microsoft officially releases a feature update for Windows 10, that update is marked for CB, making it available to any PC not configured to defer feature updates so that those devices can immediately install it. 
Organizations that use Windows Server Update Services (WSUS), Microsoft System Center Configuration Manager, or Windows Update for Business, however, can defer CB feature updates to selective devices by withholding their approval and deployment. In this scenario, the content available for CB will be available but not necessarily immediately mandatory, depending on the policy of the management system. Only one CB build of Windows is supported at a time, so those clients not on the most current build will not receive quality updates (after a 60 day grace period) until the most current feature update has been installed. For more details about Windows 10 servicing tools, see [Servicing tools](#servicing-tools). ### Current Branch for Business 
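Review bot: the rewritten line in this hunk keeps "defer CB feature updates to selective devices", which reads as if the devices were doing the selecting; since the line is being touched for the machines-to-devices rename anyway, suggest "to selected devices" (or "to specific devices") so the wording matches the rest of the paragraph.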
@@ -103,7 +105,7 @@ Basically, CBB is a configuration state, meaning that if a computer has the **De ### Long-term Servicing Branch -Specialized systems—such as PCs that control medical equipment, point-of-sale systems, and ATMs—often require a longer servicing option because of their purpose. These devices typically perform a single important task and don’t need feature updates as frequently as other machines in the organization. It’s more important that these devices be kept as stable and secure as possible than up to date with user interface changes. The LTSB servicing model prevents Windows 10 Enterprise LTSB devices from receiving the usual feature updates and provides only quality updates to ensure that device security stays up to date. With this in mind, quality updates are still immediately available to Windows 10 Enterprise LTSB clients, but customers can choose to defer them by using one of the servicing tools mentioned in the section Servicing tools. +Specialized systems—such as PCs that control medical equipment, point-of-sale systems, and ATMs—often require a longer servicing option because of their purpose. These devices typically perform a single important task and don’t need feature updates as frequently as other devices in the organization. It’s more important that these devices be kept as stable and secure as possible than up to date with user interface changes. The LTSB servicing model prevents Windows 10 Enterprise LTSB devices from receiving the usual feature updates and provides only quality updates to ensure that device security stays up to date. With this in mind, quality updates are still immediately available to Windows 10 Enterprise LTSB clients, but customers can choose to defer them by using one of the servicing tools mentioned in the section Servicing tools. >[!NOTE] >LTSB is not intended for deployment on most or all the PCs in an organization; it should be used only for special-purpose devices. 
As a general guideline, a PC with Microsoft Office installed is a general-purpose device, typically used by an information worker, and therefore it is better suited for the CB or CBB servicing branch. 
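Review bot: the rewritten LTSB paragraph still ends with "by using one of the servicing tools mentioned in the section Servicing tools" as plain text, while the two hunks above in the same file link the same reference as "[Servicing tools](#servicing-tools)"; since this line is already being edited, suggest making it a link too so the three references are consistent.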
@@ -120,7 +122,7 @@ LTSB is available only in the Windows 10 Enterprise LTSB edition. This build of ### Windows Insider -For many IT pros, gaining visibility into feature updates early—before they’re available to the CB servicing branch—can be both intriguing and valuable for future end user communications as well as provide additional prestaging for CB machines. With Windows 10, feature flighting enables Windows Insiders to consume and deploy preproduction code to their test machines, gaining early visibility into the next build. Testing the early builds of Windows 10 helps both Microsoft and its customers because they have the opportunity to discover possible issues before the update is ever publicly available and can report it to Microsoft. Also, as flighted builds get closer to their release to CB, organizations can test their deployment on test machines for compatibility validation. +For many IT pros, gaining visibility into feature updates early—before they’re available to the CB servicing branch—can be both intriguing and valuable for future end user communications as well as provide additional prestaging for CB machines. With Windows 10, feature flighting enables Windows Insiders to consume and deploy preproduction code to their test machines, gaining early visibility into the next build. Testing the early builds of Windows 10 helps both Microsoft and its customers because they have the opportunity to discover possible issues before the update is ever publicly available and can report it to Microsoft. Also, as flighted builds get closer to their release to CB, organizations can test their deployment on test devices for compatibility validation. Microsoft recommends that all organizations have at least a few PCs enrolled in the Windows Insider Program and provide feedback on any issues they encounter. For information about how to sign up for the Windows Insider Program and enroll test devices, go to [https://insider.windows.com](https://insider.windows.com). 
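Review bot: the machines-to-devices rename is incomplete in this hunk: the new line changes only the final "test machines" to "test devices" while the same line still says "provide additional prestaging for CB machines" and "deploy preproduction code to their test machines". The other three hunks in this file replace every occurrence, so this one should as well, or the Windows Insider section will be the only place in the topic that still says "machines".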
@@ -170,6 +172,7 @@ or [Manage Windows 10 updates using System Center Configuration Manager](waas-ma ## Related topics - [Update Windows 10 in the enterprise](waas-update-windows-10.md) +- [Quick guide to Windows as a service](waas-quick-start.md) - [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) - [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) - [Configure BranchCache for Windows 10 updates](waas-branchcache.md) diff --git a/windows/manage/waas-quick-start.md b/windows/manage/waas-quick-start.md new file mode 100644 index 0000000000..5c19c64019 --- /dev/null +++ b/windows/manage/waas-quick-start.md 
@@ -0,0 +1,76 @@ +--- +title: Quick guide to Windows as a service (Windows 10) +description: In Windows 10, Microsoft has streamlined servicing to make operating system updates simpler to test, manage, and deploy. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +author: jdeckerMS +localizationpriority: high +--- + +# Quick guide to Windows as a service + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile +- Windows 10 IoT Mobile + +Windows as a service is a new concept, introduced with the release of Windows 10. While [an extensive set of documentation](waas-update-windows-10.md) is available explaining all the specifics and nuances, here is a quick guide to the most important concepts. + +## Definitions + +Some new terms have been introduced as part of Windows as a service, so you should know what these terms mean. +- **Feature updates** will be released two to three times per year. As the name suggests, these will add new features to Windows 10, delivered in bite-sized chunks compared to the previous practice of Windows releases every 3-5 years. +- **Quality updates** are released monthly, delivering both security and non-security fixes. These are cumulative, so installing the latest quality update is sufficient to get all the available fixes for a specific Windows 10 feature update. +- **Insider Preview** builds are made available during the development of the features that will be shipped in the next feature update, enabling organizations to validate new features as well as compatibility with existing apps and infrastructure, providing feedback to Microsoft on any issues encountered. +- **Servicing branches** allow organizations to choose when to deploy new features. Current Branch (CB) deploys the fastest, soon after a feature update is released. Current Branch for Business (CBB) defers the installation of the same feature update by about four months, until that feature update is considered ready for broad deployment. 
Long Term Servicing Branch (LTSB) is different, used only for specialized devices (which typically don’t run Office) such as those that control medical equipment or ATM machines that need to be kept stable and secure. +- **Deployment rings** are groups of devices used to initially pilot, and then to broadly deploy, each feature update in an organization. + +See [Overview of Windows as a service](waas-overview.md) for more information. + +## Key Concepts + +New feature update releases are initially considered **Current Branch (CB) releases**; organizations will use these for pilot deployments to ensure compatibility with existing apps and infrastructure. After about four months, the feature update will be declared as **Current Branch for Business (CBB)**, indicating that it is ready for broad deployment. + +Each Windows 10 feature update (which initially begins as CB and then is declared as CBB) will be serviced with quality updates for a minimum of 18 months after it is released. The total length of time can be longer, as there will be two CBB releases serviced at all times. There will be a minimum of 60 days advanced notice (a grace period) after a CBB declaration occurs before an older feature update is no longer serviced. + +Windows 10 Enterprise LTSB is a separate **Long Term Servicing Branch (LTSB)** version. Each release is supported for a total of 10 years (five years standard support, five years extended support). New releases are expected about every three years. + +See [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md) for more information. + +## Staying up to date + +The process for keeping Windows 10 up to date involves deploying a feature update, at an appropriate time after its release. 
A variety of tools management and patching tools such as Windows Update, Windows Update for Business, Windows Server Update Services, System Center Configuration Manager, and third-party products) can be used to help with this process. [Windows Upgrade Analytics](https://www.microsoft.com/en-us/WindowsForBusiness/upgrade-analytics), a free tool to streamline Windows upgrade projects, is another important tool to help. + +Because app compatibility, both for desktop apps and web apps, is outstanding with Windows 10, extensive advanced testing isn’t required. Instead, only business-critical apps need to be tested, with the remaining apps validated through a series of pilot deployment rings. Once these pilot deployments have validated most apps and CBB has been declared, broad deployment can begin. + +This process repeats with each new feature update, two to three times per year. These are small deployment projects, compared to the big projects that were necessary with the old three-to-five-year Windows release cycles. + +Additional technologies such as BranchCache and Delivery Optimization, both peer-to-peer distribution tools, can help with the distribution of the feature update installation files. + +See [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) and [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) for more information. 
+ + + + +## Related topics + +- [Update Windows 10 in the enterprise](waas-update-windows-10.md) +- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) +- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) +- [Configure BranchCache for Windows 10 updates](waas-branchcache.md) +- [Configure Windows Update for Business](waas-configure-wufb.md) +- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) +- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) +- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md) +- [Manage device restarts after updates](waas-restart.md) + + + + + + + + diff --git a/windows/manage/waas-restart.md b/windows/manage/waas-restart.md index 5b184619ac..84f1227699 100644 --- a/windows/manage/waas-restart.md +++ b/windows/manage/waas-restart.md @@ -16,6 +16,8 @@ localizationpriority: high - Windows 10 - Windows 10 Mobile +> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) + You can use Group Policy settings or mobile device management (MDM) to configure when devices will restart after a Windows 10 update is installed. You can schedule update installation and set policies for restart, configure active hours for when restarts will not occur, or you can do both. ## Schedule update installation diff --git a/windows/manage/waas-servicing-branches-windows-10-updates.md b/windows/manage/waas-servicing-branches-windows-10-updates.md index 64dd552067..2986743565 100644 --- a/windows/manage/waas-servicing-branches-windows-10-updates.md +++ b/windows/manage/waas-servicing-branches-windows-10-updates.md 
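Review bot: in the new waas-quick-start.md, the sentence "A variety of tools management and patching tools such as Windows Update, Windows Update for Business, Windows Server Update Services, System Center Configuration Manager, and third-party products) can be used" has a duplicated "tools" and a closing parenthesis with no opening one; suggest "A variety of management and patching tools (such as Windows Update, ..., and third-party products) can be used". Two smaller points in the same file: "medical equipment or ATM machines" should be "ATMs" to match the waas-overview.md hunk above, and "Because app compatibility ... is outstanding with Windows 10, extensive advanced testing isn't required" states an absolute that the guide itself then qualifies; the next sentence already carries the real guidance (test business-critical apps, validate the rest through pilot rings), so suggest leading with that rather than asserting testing is unnecessary. The file also ends with a run of empty added lines after the Related topics list that can be trimmed.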
@@ -16,6 +16,8 @@ localizationpriority: high - Windows 10 - Windows 10 Mobile +> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) + >[!TIP] >If you're not familiar with the Windows 10 servicing or release branches, read [Servicing branches](waas-overview.md#servicing-branches) first. @@ -125,7 +127,7 @@ During the life of a device, it may be necessary or desirable to switch between - + @@ -151,7 +153,7 @@ During the life of a device, it may be necessary or desirable to switch between - + diff --git a/windows/manage/waas-servicing-strategy-windows-10-updates.md b/windows/manage/waas-servicing-strategy-windows-10-updates.md index 7f025259f0..9b24e35dad 100644 --- a/windows/manage/waas-servicing-strategy-windows-10-updates.md +++ b/windows/manage/waas-servicing-strategy-windows-10-updates.md @@ -16,6 +16,8 @@ localizationpriority: high - Windows 10 - Windows 10 Mobile +> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) + In the past, traditional Windows deployments tended to be large, lengthy, and expensive. Windows 10 offers a new approach to deploying both quality and feature updates, making the process much simpler and therefore the planning much more straightforward. With Windows as a service, the methodology around updating Windows has completely changed, moving away from major upgrades every few years to iterative updates twice per year. Each iteration contains a smaller subset of changes so that they won’t seem like substantial differences, like they do today. Figure 1 shows the level of effort needed for traditional Windows deployments versus servicing Windows 10 and how it is now spread evenly over time versus spiking every few years. **Figure 1** diff --git a/windows/manage/waas-update-windows-10.md b/windows/manage/waas-update-windows-10.md index 2db778dd7b..8fc28b33a7 100644 
--- a/windows/manage/waas-update-windows-10.md +++ b/windows/manage/waas-update-windows-10.md @@ -16,6 +16,8 @@ localizationpriority: high - Windows 10 - Windows 10 Mobile +> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) + Windows as a service provides a new way to think about building, deploying, and servicing the Windows operating system. The Windows as a service model is focused on continually providing new capabilities and updates while maintaining a high level of hardware and software compatibility. Deploying new versions of Windows is simpler than ever before: Microsoft releases new features two to three times per year rather than the traditional upgrade cycle where new features are only made available every few years. Ultimately, this model replaces the need for traditional Windows deployment projects, which can be disruptive and costly, and spreads the required effort out into a continuous updating process, reducing the overall effort required to maintain Windows 10 devices in your environment. In addition, with the Windows 10 operating system, organizations have the chance to try out “flighted” builds of Windows as Microsoft develops them, gaining insight into new features and the ability to provide continual feedback about them. >[!TIP] 
@@ -25,6 +27,7 @@ Windows as a service provides a new way to think about building, deploying, and | Topic | Description| | --- | --- | +| [Quick guide to Windows as a service](waas-quick-start.md) | Provides a brief summary of the key points for the new servicing model for Windows 10. | | [Overview of Windows as a service](waas-overview.md) | Explains the differences in building, deploying, and servicing Windows 10; introduces feature updates, quality updates, and the different servicing branches; compares servicing tools. | | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) | Explains the decisions you need to make in your servicing strategy. | | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) | Explains how to make use of servicing branches and update deferrals to manage Windows 10 updates. | diff --git a/windows/manage/waas-wufb-group-policy.md b/windows/manage/waas-wufb-group-policy.md index b4be859791..50eb03bd68 100644 --- a/windows/manage/waas-wufb-group-policy.md +++ b/windows/manage/waas-wufb-group-policy.md @@ -15,6 +15,7 @@ localizationpriority: high - Windows 10 +> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) Using Group Policy to manage Windows Update for Business is simple and familiar: use the same Group Policy Management Console (GPMC) you use to manage other device and user policy settings in your environment. Before configuring the Windows Update for Business Group Policy settings, consider a [deployment strategy](waas-servicing-strategy-windows-10-updates.md) for updates and feature updates in your environment. diff --git a/windows/manage/waas-wufb-intune.md b/windows/manage/waas-wufb-intune.md index cd84826deb..6b1c630072 100644 --- a/windows/manage/waas-wufb-intune.md +++ b/windows/manage/waas-wufb-intune.md 
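Review bot: the waas-wufb-group-policy.md hunk adds the "Looking for consumer information?" blockquote but no blank line after it (the header is +15,7, one added line), so the paragraph that follows, "Using Group Policy to manage Windows Update for Business is simple and familiar...", is a lazy continuation of the quote and will render inside the note. The same note added to waas-restart.md, waas-servicing-branches-windows-10-updates.md, waas-servicing-strategy-windows-10-updates.md and waas-update-windows-10.md in this patch is followed by an added blank line (+8 in each); this file needs that blank line as well.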
@@ -16,6 +16,7 @@ localizationpriority: high - Windows 10 - Windows 10 Mobile +> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) You can use Intune to configure Windows Update for Business even if you don’t have on-premises infrastructure when you use Intune in conjunction with Azure AD. Before configuring Windows Update for Business, consider a [deployment strategy](waas-servicing-strategy-windows-10-updates.md) for updates and feature updates in your environment. diff --git a/windows/manage/windows-10-start-layout-options-and-policies.md b/windows/manage/windows-10-start-layout-options-and-policies.md index 53a6cf10b4..85a835748e 100644 --- a/windows/manage/windows-10-start-layout-options-and-policies.md +++ b/windows/manage/windows-10-start-layout-options-and-policies.md @@ -21,7 +21,8 @@ localizationpriority: high Organizations might want to deploy a customized Start and taskbar configuration to devices running Windows 10 Enterprise or Windows 10 Education. A standard, customized Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes. Configuring the taskbar allows the organization to pin useful apps for their employees and to remove apps that are pinned by default. -> **Note:** Taskbar configuration is available starting in Windows 10, version 1607. +>[!NOTE] +>Taskbar configuration is available starting in Windows 10, version 1607. ## Start options @@ -67,12 +68,12 @@ The following table lists the different parts of Start and any applicable policy - + - + diff --git a/windows/manage/windows-store-for-business-overview.md b/windows/manage/windows-store-for-business-overview.md index 6f8d654f82..bf514619ee 100644 --- a/windows/manage/windows-store-for-business-overview.md +++ b/windows/manage/windows-store-for-business-overview.md 
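Review bot: the waas-wufb-intune.md hunk has the same problem as the group-policy one: the added "Looking for consumer information?" quote is followed directly by "You can use Intune to configure Windows Update for Business..." with no blank line (+16,7), so that paragraph will be absorbed into the blockquote. Add the blank line as the other four files in this patch do.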
@@ -211,56 +211,162 @@ For more information, see [Manage settings in the Store for Business](../manage/ ## Supported markets - Store for Business is currently available in these markets. -|Country or locale|Paid apps|Free apps| -|-----------------|---------|---------| -|Argentina|X|X| -|Australia|X|X| -|Austria|X|X| -|Belgium (Dutch, French)|X|X| -|Brazil| |X| -|Canada (English, French)|X|X| -|Chile|X|X| -|Columbia|X|X| -|Croatia|X|X| -|Czech Republic|X|X| -|Denmark|X|X| -|Finland|X|X| -|France|X|X| -|Germany|X|X| -|Greece|X|X| -|Hong Kong SAR|X|X| -|Hungary|X|X| -|India| |X| -|Indonesia|X|X| -|Ireland|X|X| -|Italy|X|X| -|Japan|X|X| -|Malaysia|X|X| -|Mexico|X|X| -|Netherlands|X|X| -|New Zealand|X|X| -|Norway|X|X| -|Philippines|X|X| -|Poland|X|X| -|Portugal|X|X| -|Romania|X|X| -|Russia| |X| -|Singapore|X|X| -|Slovakia|X|X| -|South Africa|X|X| -|Spain|X|X| -|Sweden|X|X| -|Switzerland (French, German)|X|X| -|Taiwan| |X| -|Thailand|X|X| -|Turkey|X|X| -|Ukraine| |X| -|United Kingdom|X|X| -|United States|X|X| -|Vietnam|X|X| +
Current Branch for BusinessNot directly possible, because Windows Insider Program machines are automatically upgraded to the Current Branch release at the end of the development cycle.Not directly possible, because Windows Insider Program devices are automatically upgraded to the Current Branch release at the end of the development cycle.
Long-Term Servicing Branch
Current BranchDisable the Defer upgrade setting, or move the PC to a target group or flight that will receive the latest Current Branch release.Disable the Defer upgrade setting, or move the device to a target group or flight that will receive the latest Current Branch release.
Long-Term Servicing Branch
Recently addednot applicable Settings > Personalization > Start > Show recently added apps
Pinned foldersnot applicable Settings > Personalization > Start > Choose which folders appear on Start
+ + + + + + + + + +
Support for free and paid apps
+
    +
  • Algeria
  • +
  • Angola
  • +
  • Argentina
  • +
  • Australia
  • +
  • Austria
  • +
  • Bahamas
  • +
  • Bahrain
  • +
  • Bangladesh
  • +
  • Barbados
  • +
  • Belgium
  • +
  • Belize
  • +
  • Bermuda
  • +
  • Bolivia
  • +
  • Botswana
  • +
  • Brunei Darussalam
  • +
  • Bulgaria
  • +
  • Cameroon
  • +
  • Canada
  • +
  • Cape Verde
  • +
  • Cayman Islands
  • +
  • Chile
  • +
  • Colombia
  • +
  • Costa Rica
  • +
  • Côte D'ivoire
  • +
  • Croatia
  • +
  • Curçao
  • +
  • Cyprus
  • +
  • Czech Republic
  • +
  • Denmark
  • +
+
+
    +
  • Dominican Republic
  • +
  • Ecuador
  • +
  • Egypt
  • +
  • El Salvador
  • +
  • Estonia
  • +
  • Faroe Islands
  • +
  • Fiji
  • +
  • Finland
  • +
  • France
  • +
  • Germany
  • +
  • Ghana
  • +
  • Greece
  • +
  • Guatemala
  • +
  • Honduras
  • +
  • Hong Kong
  • +
  • Hungary
  • +
  • Iceland
  • +
  • Indonesia
  • +
  • Iraq
  • +
  • Ireland
  • +
  • Israel
  • +
  • Italy
  • +
  • Jamaica
  • +
  • Japan
  • +
  • Jordan
  • +
  • Kenya
  • +
  • Kuwait
  • +
  • Latvia
  • +
  • Lebanon
  • +
+
+
    +
  • Libya
  • +
  • Liechtenstein
  • +
  • Lithuania
  • +
  • Luxembourg
  • +
  • Malaysia
  • +
  • Malta
  • +
  • Mexico
  • +
  • Mongolia
  • +
  • Montenegro
  • +
  • Morocco
  • +
  • Namibia
  • +
  • Netherlands
  • +
  • New Zealand
  • +
  • Nicaragua
  • +
  • Nigeria
  • +
  • Norway
  • +
  • Oman
  • +
  • Pakistan
  • +
  • Palestinian Territory
  • +
  • Panama
  • +
  • Paraguay
  • +
  • Peru
  • +
  • Philippines
  • +
  • Poland
  • +
  • Portugal
  • +
  • Puerto Rico
  • +
  • Qatar
  • +
  • Romania
  • +
  • Rwanda
  • +
+
+
    +
  • Saint Kitts and Nevis
  • +
  • Saudi Arabia
  • +
  • Senegal
  • +
  • Serbia
  • +
  • Singapore
  • +
  • Slovakia
  • +
  • Slovenia
  • +
  • South Africa
  • +
  • Spain
  • +
  • Sweden
  • +
  • Switzerland
  • +
  • Tanzania
  • +
  • Thailand
  • +
  • Trinidad and Tobago
  • +
  • Tunisia
  • +
  • Turkey
  • +
  • Uganda
  • +
  • United Arab Emirates
  • +
  • United Kingdom
  • +
  • United States
  • +
  • Uruguay
  • +
  • Viet Nam
  • +
  • Virgin Islands, U.S.
  • +
  • Zambia
  • +
  • Zimbabwe
     
     
     
     
  • + +
+
+ + + + + + + + +
Support for free apps only
+
    +
  • Brazil
  • +
  • India
  • +
  • Russia
  • +
  • Taiwan
  • +
  • Ukraine
  • +
+
+ ## ISVs and the Store for Business diff --git a/windows/manage/working-with-line-of-business-apps.md b/windows/manage/working-with-line-of-business-apps.md index f16e66fee9..e6fff0c3bc 100644 --- a/windows/manage/working-with-line-of-business-apps.md +++ b/windows/manage/working-with-line-of-business-apps.md @@ -12,7 +12,6 @@ localizationpriority: high # Working with line-of-business apps - **Applies to** - Windows 10
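Review bot: the Supported markets hunk removes the introductory sentence "Store for Business is currently available in these markets." and adds nothing in its place, so the "## Supported markets" heading now runs straight into the table; suggest keeping that sentence (it is also where a reader would expect a note that the two lists distinguish paid-plus-free from free-only support). Spelling in the added list: "Curçao" should be "Curaçao", and "Côte D'ivoire" should be "Côte d'Ivoire"; the list also changes "Vietnam" to "Viet Nam" and "Hong Kong SAR" to "Hong Kong" without an obvious reason, while it does correctly fix the old "Columbia" to "Colombia". Finally, the change swaps a markdown table for raw HTML, growing the section from 56 to 162 lines; the rest of these topics use markdown tables (see the Topic/Description table in the waas-update-windows-10.md hunk), so unless the HTML is required for layout, a markdown list or table would be easier to maintain and localize.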