diff --git a/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md b/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md index 90479cad66..fde0bb2f8a 100644 --- a/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md +++ b/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md @@ -8,7 +8,7 @@ ms.sitesec: library author: jdeckerms ms.author: jdecker ms.topic: article -ms.date: 04/12/2018 +ms.date: 08/30/2018 ms.localizationpriority: medium --- @@ -145,17 +145,17 @@ To enable Skype for Business online, your tenant users must have Exchange mailbo | --- | --- | --- | --- | | Join a scheduled meeting | Skype for Business Standalone Plan 1 | E1, 3, 4, or 5 | Skype for Business Server Standard CAL | | Initiate an ad-hoc meeting | Skype for Business Standalone Plan 2 | E 1, 3, 4, or 5 | Skype for Business Server Standard CAL or Enterprise CAL | -| Initiate an ad-hoc meeting and dial out from a meeting to phone numbers | Skype for Business Standalone Plan 2 with PSTN Conferencing

**Note** PSTN consumption billing is optional | E1 or E3 with PSTN Conferencing, or E5| Skype for Business Server Standard CAL or Enterprise CAL | -| Give the room a phone number and make or receive calls from the room or join a dial-in conference using a phone number | Skype for Business Standalone Plan 2 with Cloud PBX and a PSTN Voice Calling plan | E1 or E3 with Cloud PBX and a PSTN Voice Calling plan, or E5 | Skype for Business Server Standard CAL or Plus CAL | +| Initiate an ad-hoc meeting and dial out from a meeting to phone numbers | Skype for Business Standalone Plan 2 with Audio Conferencing

**Note** PSTN consumption billing is optional | E1 or E3 with Audio Conferencing, or E5| Skype for Business Server Standard CAL or Enterprise CAL | +| Give the room a phone number and make or receive calls from the room or join a dial-in conference using a phone number | Skype for Business Standalone Plan 2 with Phone System and a PSTN Voice Calling plan | E1 or E3 with Phone System and a PSTN Voice Calling plan, or E5 | Skype for Business Server Standard CAL or Plus CAL | The following table lists the Office 365 plans and Skype for Business options. -| O365 Plan | Skype for Business | Cloud PBX | PSTN Conferencing | PSTN Calling | +| O365 Plan | Skype for Business | Phone System | Audio Conferencing | Calling Plans | | --- | --- | --- | --- | --- | | O365 Business Essentials | Included | | | | | O365 Business Premium | Included | | | | -| E1 | Included | Add-on | Add-on | Add-on (requires Cloud PBX add-on) | -| E3 | Included | Add-on | Add-on | Add-on (requires Cloud PBX add-on) | +| E1 | Included | Add-on | Add-on | Add-on (requires Phone System add-on) | +| E3 | Included | Add-on | Add-on | Add-on (requires Phone System add-on) | | E5 | Included | Included | Included | Add-on | 1. Start by creating a remote PowerShell session from a PC to the Skype for Business online environment. @@ -190,7 +190,7 @@ The following table lists the Office 365 plans and Skype for Business options. - Click **Licenses**. - - In **Assign licenses**, select Skype for Business (Plan 2) or Skype for Business (Plan 3), depending on your licensing and Enterprise Voice requirements. You'll have to use a Plan 3 license if you want to use Enterprise Voice on your Surface Hub. + - In **Assign licenses**, select Skype for Business (Plan 1) or Skype for Business (Plan 2), depending on your licensing and Enterprise Voice requirements. You'll have to use a Plan 2 license if you want to use Enterprise Voice on your Surface Hub. - Click **Save**. @@ -291,7 +291,8 @@ Use this procedure if you use Exchange online. - Type the password for this account. You'll need to retype it for verification. Make sure the **Password never expires** checkbox is the only option selected. - >**Important** Selecting **Password never expires** is a requirement for Skype for Business on the Surface Hub. Your domain rules may prohibit passwords that don't expire. If so, you'll need to create an exception for each Surface Hub device account. + >[!IMPORTANT] + >Selecting **Password never expires** is a requirement for Skype for Business on the Surface Hub. Your domain rules may prohibit passwords that don't expire. If so, you'll need to create an exception for each Surface Hub device account. ![Image showing password dialog box.](images/hybriddeployment-02a.png) diff --git a/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md b/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md index c62abeb7fa..c599109f4c 100644 --- a/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md +++ b/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md @@ -107,7 +107,8 @@ If you have a single-forest on-premises deployment with Microsoft Exchange 2013  ## Disable anonymous email and IM - +>[!WARNING] +>This information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. Surface Hub uses a device account to provide email and collaboration services (IM, video, voice). This device account is used as the originating identity (the “from” party) when sending email, IM, and placing calls. As this account is not coming from an individual, identifiable user, it is deemed “anonymous” because it originated from the Surface Hub's device account. diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md index 65466b03e1..aed90a1771 100644 --- a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md +++ b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md @@ -7,7 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 08/21/2018 +ms.date: 08/27/2018 --- # EnterpriseModernAppManagement CSP @@ -127,8 +127,7 @@ Parameters:
  • User (optional): Specifies the SID of the particular user for whom to remove the package; only the package for the specified user can be removed.
    • - - + Supported operation is Execute. @@ -164,6 +163,39 @@ Required. Used for managing apps from the Microsoft Store. Supported operations are Get and Delete. +**AppManagement/AppStore/ReleaseManagement** +Added in Windows 10, next major version. Interior node for the managing updates through the Microsoft Store. These settings allow the IT admin to specify update channels for apps that they want their users to use for receiving updates. It allows the IT admin to assign a specific release to a smaller group for testing before the large deployment to the rest of the organization. + +> [!Note] +> ReleaseManagement settings only apply to updates through the Microsoft Store. + +**AppManagement/AppStore/ReleaseManagement/_ReleaseManagementKey_** +Added in Windows 10, next major version. Identifier for the app or set of apps. If there is only one app, it is the PackageFamilyName. If it is for a set of apps, it is the PackageFamilyName of the main app. + + +**AppManagement/AppStore/ReleaseManagement/_ReleaseManagementKey_/ChannelId** +Added in Windows 10, next major version. Specifies the app channel ID. + +Value type is string. Supported operations are Add, Get, Replace, and Delete. + +**AppManagement/AppStore/ReleaseManagement/_ReleaseManagementKey_/ReleaseManagementId** +Added in Windows 10, next major version. The IT admin can specify a release ID to indicate a specific release they would like the user or device to be on. + +Value type is string. Supported operations are Add, Get, Replace, and Delete. + +**AppManagement/AppStore/ReleaseManagement/_ReleaseManagementKey_/EffectiveRelease** +Added in Windows 10, next major version. Interior node used to specify the effective app release to use when multiple user policies are set on the device. The device policy or last user policy is used. + +**AppManagement/AppStore/ReleaseManagement/_ReleaseManagementKey_/EffectiveRelease/ChannelId** +Added in Windows 10, next major version. Returns the last user channel ID on the device. + +Value type is string. Supported operation is Get. + +**AppManagement/AppStore/ReleaseManagement/_ReleaseManagementKey_/EffectiveRelease/ReleaseManagementId** +Added in Windows 10, next major version. Returns the last user release ID on the device. + +Value type is string. Supported operation is Get. + **.../****_PackageFamilyName_** Optional. Package family name (PFN) of the app. There is one for each PFN on the device when reporting inventory. These items are rooted under their signing origin. @@ -222,8 +254,6 @@ Required. Architecture of installed package. Value type is string. > [!Note] > Not applicable to XAP files. -  - Supported operation is Get. **.../*PackageFamilyName*/*PackageFullName*/InstallLocation** @@ -231,7 +261,6 @@ Required. Install location of the app on the device. Value type is string. > [!Note] > Not applicable to XAP files. -   Supported operation is Get. diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md b/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md index fe58f406bd..cb7ad9e1c9 100644 --- a/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md +++ b/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md @@ -7,7 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 07/23/2018 +ms.date: 07/27/2018 --- # EnterpriseModernAppManagement DDF @@ -580,7 +580,7 @@ The XML below is for Windows 10, next major version. - ReleaseId + ReleaseManagementId @@ -642,7 +642,7 @@ The XML below is for Windows 10, next major version. - ReleaseId + ReleaseManagementId diff --git a/windows/client-management/mdm/images/provisioning-csp-enterprisemodernappmanagement.png b/windows/client-management/mdm/images/provisioning-csp-enterprisemodernappmanagement.png index 6c5472995b..b33a9020ec 100644 Binary files a/windows/client-management/mdm/images/provisioning-csp-enterprisemodernappmanagement.png and b/windows/client-management/mdm/images/provisioning-csp-enterprisemodernappmanagement.png differ diff --git a/windows/client-management/mdm/networkproxy-csp.md b/windows/client-management/mdm/networkproxy-csp.md index fcc6d7386e..563f13334a 100644 --- a/windows/client-management/mdm/networkproxy-csp.md +++ b/windows/client-management/mdm/networkproxy-csp.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 08/08/2018 +ms.date: 08/29/2018 --- # NetworkProxy CSP @@ -31,44 +31,53 @@ The following diagram shows the NetworkProxy configuration service provider in t ![networkproxy csp](images/provisioning-csp-networkproxy.png) **./Vendor/MSFT/NetworkProxy** -The root node for the NetworkProxy configuration service provider..

    +The root node for the NetworkProxy configuration service provider.. **ProxySettingsPerUser** Added in Windows 10, version 1803. When set to 0, it enables proxy configuration as global, machine wide. +Supported operations are Add, Get, Replace, and Delete. + > [!Note] > Per user proxy configuration setting is not supported. **AutoDetect** -Automatically detect settings. If enabled, the system tries to find the path to a PAC script.

    -Valid values:

    +Automatically detect settings. If enabled, the system tries to find the path to a PAC script. + +Valid values:
    • 0 - Disabled
    • 1 (default) - Enabled
    -The data type is int. Supported operations are Get and Replace.

    + +The data type is int. Supported operations are Get and Replace. Starting in Window 10, version 1803, the Delete operation is also supported. **SetupScriptUrl** -Address to the PAC script you want to use.

    -The data type is string. Supported operations are Get and Replace.

    +Address to the PAC script you want to use. + +The data type is string. Supported operations are Get and Replace. Starting in Window 10, version 1803, the Delete operation is also supported. **ProxyServer** -Node for configuring a static proxy for Ethernet and Wi-Fi connections. The same proxy server is used for all protocols - including HTTP, HTTPS, FTP, and SOCKS. These settings do not apply to VPN connections.

    -Supported operation is Get.

    +Node for configuring a static proxy for Ethernet and Wi-Fi connections. The same proxy server is used for all protocols - including HTTP, HTTPS, FTP, and SOCKS. These settings do not apply to VPN connections. + +Supported operation is Get. **ProxyAddress** -Address to the proxy server. Specify an address in the format <server>[“:”<port>]. 

    -The data type is string. Supported operations are Get and Replace.

    +Address to the proxy server. Specify an address in the format <server>[“:”<port>].  + +The data type is string. Supported operations are Get and Replace. Starting in Window 10, version 1803, the Delete operation is also supported. **Exceptions** -Addresses that should not use the proxy server. The system will not use the proxy server for addresses beginning with what is specified in this node. Use semicolons (;) to separate entries. 

    -The data type is string. Supported operations are Get and Replace.

    +Addresses that should not use the proxy server. The system will not use the proxy server for addresses beginning with what is specified in this node. Use semicolons (;) to separate entries.  + +The data type is string. Supported operations are Get and Replace. Starting in Window 10, version 1803, the Delete operation is also supported. **UseProxyForLocalAddresses** -Specifies whether the proxy server should be used for local (intranet) addresses. 

    -Valid values:

    +Specifies whether the proxy server should be used for local (intranet) addresses.  +Valid values:
    • 0 (default) - Do not use proxy server for local addresses
    • 1 - Use proxy server for local addresses
    -The data type is int. Supported operations are Get and Replace.

    + +The data type is int. Supported operations are Get and Replace. Starting in Window 10, version 1803, the Delete operation is also supported. diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index f86a13b620..d02371d2dc 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -10,7 +10,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 08/14/2018 +ms.date: 08/27/2018 --- # What's new in MDM enrollment and management @@ -1419,6 +1419,11 @@ For details about Microsoft mobile device management protocols for Windows 10 s
  • Privacy/DisablePrivacyExperience
  • Privacy/UploadUserActivities
  • Security/RecoveryEnvironmentAuthentication
    • +
  • System/AllowDeviceNameInDiagnosticData
    • +
  • System/ConfigureMicrosoft365UploadEndpoint
    • +
  • System/DisableDeviceDelete
    • +
  • System/DisableDiagnosticDataViewer
    • +
  • Storage/RemovableDiskDenyWriteAccess
  • TaskManager/AllowEndTask
  • Update/EngagedRestartDeadlineForFeatureUpdates
  • Update/EngagedRestartSnoozeScheduleForFeatureUpdates
    • @@ -1457,7 +1462,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s [BitLocker CSP](bitlocker-csp.md) -

    Added a new node AllowStandardUserEncryption in Windows 10, next major version.

    +

    Added a new node AllowStandardUserEncryption in Windows 10, next major version. Added support for Windows 10 Pro.

    [DevDetail CSP](devdetail-csp.md) @@ -1768,6 +1773,10 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware +[BitLocker CSP](bitlocker-csp.md) +

    Added support for Windows 10 Pro starting in the next major version.

    + + [Office CSP](office-csp.md)

    Added FinalStatus setting in Windows 10, next major version.

    @@ -1814,6 +1823,11 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
  • Privacy/AllowCrossDeviceClipboard
  • Privacy/DisablePrivacyExperience
  • Privacy/UploadUserActivities
    • +
  • System/AllowDeviceNameInDiagnosticData
    • +
  • System/ConfigureMicrosoft365UploadEndpoint
    • +
  • System/DisableDeviceDelete
    • +
  • System/DisableDiagnosticDataViewer
    • +
  • Storage/RemovableDiskDenyWriteAccess
  • Update/UpdateNotificationLevel

    • Start/DisableContextMenus - added in Windows 10, version 1803.

    diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index df68eeee47..867679cd08 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 08/10/2018 +ms.date: 08/29/2018 --- # Policy CSP - Update @@ -715,6 +715,8 @@ The following list shows the supported values: For Quality Updates, this policy specifies the deadline in days before automatically executing a scheduled restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart is scheduled. +The system will reboot on or after the specified deadline. The reboot is prioritized over any configured Active Hours and any existing system and user busy checks. + Value type is integer. Default is 7 days. Supported values range: 2-30. @@ -781,6 +783,8 @@ ADMX Info: For Feature Updates, this policy specifies the deadline in days before automatically executing a scheduled restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart is scheduled. +The system will reboot on or after the specified deadline. The reboot is prioritized over any configured Active Hours and any existing system and user busy checks. + Value type is integer. Default is 7 days. Supported values range: 2-30. @@ -1503,6 +1507,11 @@ The following list shows the supported values: For Quality Updates, this policy specifies the deadline in days before automatically scheduling and executing a pending restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to automatically executed, within the specified period. +The system will reboot on or after the specified deadline. The reboot is prioritized over any configured Active Hours and any existing system and user busy checks. + +> [!Note] +> This policy is related to the default values for Update/EngagedRestartTransitionSchedule (default - 3 days) and Update/EngagedRestartSnoozeSchedule (default - 7 days). The default values for these two policies will be used unless these are set to other values. + Value type is integer. Default is 14. Supported value range: 2 - 30. @@ -1757,11 +1766,11 @@ ADMX Info: -For Quality Updates, this policy specifies the timing before transitioning from Auto restarts scheduled_outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 2 and 30 days from the time the restart becomes pending. +For Quality Updates, this policy specifies the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 2 and 30 days from the time the restart becomes pending. -Value type is integer. +Value type is integer. Default value is 7 days. -Supported value range: 0 - 30. +Supported value range: 0 - 30. If you disable or do not configure this policy, the default behaviors will be used. @@ -1822,7 +1831,7 @@ ADMX Info: For Feature Updates, this policy specifies the timing before transitioning from Auto restarts scheduled_outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 2 and 30 days from the time the restart becomes pending. -Value type is integer. +Value type is integer. Default value is 7 days. Supported value range: 0 - 30. @@ -3324,6 +3333,8 @@ ADMX Info: Added in Windows 10, version 1703. For devices in a cart, this policy skips all restart checks to ensure that the reboot will happen at ScheduledInstallTime. +When you set this policy along with Update/ActiveHoursStart, Update/ActiveHoursEnd, and ShareCartPC, it will defer all the update processes (scan, download, install, and reboot) to a time after Active Hours. After a buffer period after ActiveHoursEnd, the device will wake up several times to complete the processes. All processes are blocked before ActiveHoursStart. + ADMX Info: diff --git a/windows/client-management/mdm/policy-ddf-file.md b/windows/client-management/mdm/policy-ddf-file.md index 9314464f11..2cb51a98c1 100644 --- a/windows/client-management/mdm/policy-ddf-file.md +++ b/windows/client-management/mdm/policy-ddf-file.md @@ -7,7 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 08/09/2018 +ms.date: 08/29/2018 --- # Policy DDF file @@ -20,6 +20,7 @@ This topic shows the OMA DM device description framework (DDF) for the **Policy* You can download the DDF files from the links below: - [Download the Policy DDF file for Windows 10, version 1803](https://download.microsoft.com/download/4/9/6/496534EE-8F0C-4F12-B084-A8502DA22430/PolicyDDF_all.xml) +- [Download the Policy DDF file for Windows 10, version 1803 release C](http://download.microsoft.com/download/4/9/6/496534EE-8F0C-4F12-B084-A8502DA22430/PolicyDDF_all_1809C_release.xml) - [Download the Policy DDF file for Windows 10, version 1709](https://download.microsoft.com/download/8/C/4/8C43C116-62CB-470B-9B69-76A3E2BC32A8/PolicyDDF_all.xml) - [Download the Policy DDF file for Windows 10, version 1703](https://download.microsoft.com/download/7/2/C/72C36C37-20F9-41BF-8E23-721F6FFC253E/PolicyDDF_all.xml) - [Download the Policy DDF file for Windows 10, version 1607](https://download.microsoft.com/download/6/1/C/61C022FD-6F5D-4F73-9047-17F630899DC4/PolicyDDF_all_version1607.xml) diff --git a/windows/configuration/windows-spotlight.md b/windows/configuration/windows-spotlight.md index 09a31768aa..aaf7da1a9a 100644 --- a/windows/configuration/windows-spotlight.md +++ b/windows/configuration/windows-spotlight.md @@ -58,15 +58,18 @@ To turn off Windows Spotlight locally, go to **Settings** > **Personalization Windows Spotlight is enabled by default. Windows 10 provides Group Policy and mobile device management (MDM) settings to help you manage Windows Spotlight on enterprise computers. +>[!NOTE] +>These policies are in the **User Configuration \Policies\Administrative Templates\Windows Components\Cloud Content** path in the Group Policy Management Console, and in the **User Configuration \Administrative Templates\Windows Components\Cloud Content** path in the Local Group Policy Editor. + | Group Policy | MDM | Description | Applies to | | --- | --- | --- | --- | -| **User Configuration\Administrative Templates\Windows Components\Cloud Content\Do not suggest third-party content in Windows spotlight** | **Experience/Allow ThirdParty Suggestions In Windows Spotlight** | Enables enterprises to restrict suggestions to Microsoft apps and services | Windows 10 Pro, Enterprise, and Education, version 1607 and later | -| **User Configuration\Administrative Templates\Windows Components\Cloud Content\Turn off all Windows Spotlight features** | **Experience/Allow Windows Spotlight** | Enables enterprises to completely disable all Windows Spotlight features in a single setting | Windows 10 Enterprise and Education, version 1607 and later | -| **User Configuration\Administrative Templates\Windows Components\Cloud Content\Configure Spotlight on lock screen** | **Experience/Configure Windows Spotlight On Lock Screen** | Specifically controls the use of the dynamic Windows Spotlight image on the lock screen, and can be enabled or disabled | Windows 10 Enterprise and Education, version 1607 and later | -| **Administrative Templates \ Windows Components \ Cloud Content \ Turn off the Windows Spotlight on Action Center** | **Experience/Allow Windows Spotlight On Action Center** | Turn off Suggestions from Microsoft that show after each clean install, upgrade, or on an on-going basis to introduce users to what is new or changed | Windows 10 Enterprise and Education, version 1703 | -| **User Configuration \ Administrative Templates \ Windows Components \ Cloud Content \ Do not use diagnostic data for tailored experiences** | **Experience/Allow Tailored Experiences With Diagnostic Data** | Prevent Windows from using diagnostic data to provide tailored experiences to the user | Windows 10 Pro, Enterprise, and Education, version 1703 | -| **User Configuration \ Administrative Templates \ Windows Components \ Cloud Content \ Turn off the Windows Welcome Experience** | **Experience/Allow Windows Spotlight Windows Welcome Experience** | Turn off the Windows Spotlight Windows Welcome experience which helps introduce users to Windows, such as launching Microsoft Edge with a web page highlighting new features | Windows 10 Enterprise and Education, version 1703 | -**User Configuration \ Administrative Templates \ Windows Components \ Cloud Content \ Turn off the Windows Spotlight on Settings** | **Experience/Allow Windows Spotlight on Settings** | Turn off the Windows Spotlight in the Settings app. | Windows 10 Enterprise and Education, version 1803 | +| **Do not suggest third-party content in Windows spotlight** | **Experience/Allow ThirdParty Suggestions In Windows Spotlight** | Enables enterprises to restrict suggestions to Microsoft apps and services | Windows 10 Pro, Enterprise, and Education, version 1607 and later | +| **Turn off all Windows Spotlight features** | **Experience/Allow Windows Spotlight** | Enables enterprises to completely disable all Windows Spotlight features in a single setting | Windows 10 Enterprise and Education, version 1607 and later | +| **Configure Spotlight on lock screen** | **Experience/Configure Windows Spotlight On Lock Screen** | Specifically controls the use of the dynamic Windows Spotlight image on the lock screen, and can be enabled or disabled | Windows 10 Enterprise and Education, version 1607 and later | +| **Turn off the Windows Spotlight on Action Center** | **Experience/Allow Windows Spotlight On Action Center** | Turn off Suggestions from Microsoft that show after each clean install, upgrade, or on an on-going basis to introduce users to what is new or changed | Windows 10 Enterprise and Education, version 1703 | +| **Do not use diagnostic data for tailored experiences** | **Experience/Allow Tailored Experiences With Diagnostic Data** | Prevent Windows from using diagnostic data to provide tailored experiences to the user | Windows 10 Pro, Enterprise, and Education, version 1703 | +| **Turn off the Windows Welcome Experience** | **Experience/Allow Windows Spotlight Windows Welcome Experience** | Turn off the Windows Spotlight Windows Welcome experience which helps introduce users to Windows, such as launching Microsoft Edge with a web page highlighting new features | Windows 10 Enterprise and Education, version 1703 | +**Turn off the Windows Spotlight on Settings** | **Experience/Allow Windows Spotlight on Settings** | Turn off the Windows Spotlight in the Settings app. | Windows 10 Enterprise and Education, version 1803 | diff --git a/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md b/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md index d58b132f4f..72a7d46264 100644 --- a/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md +++ b/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md @@ -21,7 +21,7 @@ Configurable code integrity policies and HVCI are very powerful protections that Using configurable code integrity to restrict devices to only authorized apps has these advantages over other solutions: -1. onfigurable code integrity policy is enforced by the Windows kernel itself. As such, the policy takes effect early in the boot sequence before nearly all other OS code and before traditional antivirus solutions run. +1. Configurable code integrity policy is enforced by the Windows kernel itself. As such, the policy takes effect early in the boot sequence before nearly all other OS code and before traditional antivirus solutions run. 2. Configurable code integrity allows customers to set application control policy not only over code running in user mode, but also kernel mode hardware and software drivers and even code that runs as part of Windows. 3. Customers can protect the configurable code integrity policy even from local administrator tampering by digitally signing the policy. This would mean that changing the policy would require both administrative privilege and access to the organization’s digital signing process, making it extremely difficult for an attacker with administrative privledge, or malicious software that managed to gain administrative privilege, to alter the application control policy. 4. The entire configurable code integrity enforcement mechanism can be protected by HVCI, where even if a vulnerability exists in kernel mode code, the likelihood that an attacker could successfully exploit it is significantly diminished. Why is this relevant? That’s because an attacker that compromises the kernel would otherwise have enough privilege to disable most system defenses and override the application control policies enforced by configurable code integrity or any other application control solution.