diff --git a/browsers/edge/microsoft-browser-extension-policy-include.md b/browsers/edge/microsoft-browser-extension-policy-include.md new file mode 100644 index 0000000000..03aabcbbff --- /dev/null +++ b/browsers/edge/microsoft-browser-extension-policy-include.md @@ -0,0 +1 @@ +[Microsoft browser extention policy](https://docs.microsoft.com/en-us/legal/windows/agreements/microsoft-browser-extension-policy) \ No newline at end of file diff --git a/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md b/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md index 7bd0c006f9..9bcd6e6ec8 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md +++ b/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md @@ -101,7 +101,7 @@ reg add "HKCU\Software\Microsoft\Internet Explorer\VersionManager" /v DownloadVe Turning off this automatic download breaks the out-of-date ActiveX control blocking feature by not letting the version list update with newly outdated controls, potentially compromising the security of your computer. Use this configuration option at your own risk. ## Out-of-date ActiveX control blocking on managed devices -Out-of-date ActiveX control blocking includes 4 new Group Policy settings that you can use to manage your web browser configuration, based on your domain controller. You can download the administrative templates, including the new settings, from the [Administrative templates (.admx) for Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=746579) page or the [Administrative Templates (.admx) for Windows 8.1 and Windows Server 2012 R2](https://go.microsoft.com/fwlink/p/?LinkId=746580) page, depending on your operating system. +Out-of-date ActiveX control blocking includes four new Group Policy settings that you can use to manage your web browser configuration, based on your domain controller. You can download the administrative templates, including the new settings, from the [Administrative templates (.admx) for Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=746579) page or the [Administrative Templates (.admx) for Windows 8.1 and Windows Server 2012 R2](https://go.microsoft.com/fwlink/p/?LinkId=746580) page, depending on your operating system. ### Group Policy settings Here’s a list of the new Group Policy info, including the settings, location, requirements, and Help text strings. All of these settings can be set in either the Computer Configuration or User Configuration scope, but Computer Configuration takes precedence over User Configuration. diff --git a/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md b/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md index ea04329097..7cedb8e908 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md +++ b/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md @@ -3,12 +3,14 @@ ms.localizationpriority: low ms.mktglfcycl: support ms.pagetype: security description: How to download and use the Internet Explorer 11 Blocker Toolkit to turn off the automatic delivery of IE11 through the Automatic Updates feature of Windows Update. -author: eross-msft +author: shortpatti +ms.author: pashort +ms.manager: elizapo ms.prod: ie11 ms.assetid: fafeaaee-171c-4450-99f7-5cc7f8d7ba91 title: What is the Internet Explorer 11 Blocker Toolkit? (Internet Explorer 11 for IT Pros) ms.sitesec: library -ms.date: 07/27/2017 +ms.date: 04/24/2018 --- @@ -24,14 +26,14 @@ ms.date: 07/27/2017 The Internet Explorer 11 Blocker Toolkit lets you turn off the automatic delivery of IE11 through the **Automatic Updates** feature of Windows Update. -**Important**
-The IE11 Blocker Toolkit doesn't stop users from manually installing IE11 from the [Microsoft Download Center](https://go.microsoft.com/fwlink/p/?linkid=327753). Also, even if you've installed previous versions of the toolkit before, like for Internet Explorer 10, you still need to install this version to prevent the installation of IE11. +>[!IMPORTANT] +>The IE11 Blocker Toolkit does not stop users from manually installing IE11 from the [Microsoft Download Center](https://go.microsoft.com/fwlink/p/?linkid=327753). Also, even if you have installed previous versions of the toolkit before, like for Internet Explorer 10, you still need to install this version to prevent the installation of IE11. - **To install the toolkit** +## Install the toolkit 1. Download the IE11 Blocker Toolkit from [Toolkit to Disable Automatic Delivery of Internet Explorer 11](https://go.microsoft.com/fwlink/p/?LinkId=327745). -2. Accept the license agreement and store the included 4 files on your local computer. +2. Accept the license agreement and store the included four files on your local computer. 3. Start an elevated Command Prompt by going to **Start**>**All Programs**>**Accessories**> right-clicking on **Command Prompt**, and then choosing **Run as Administrator**. @@ -44,9 +46,168 @@ Wait for the message, **Blocking deployment of IE11 on the local machine. The op For answers to frequently asked questions, see [Internet Explorer 11 Blocker Toolkit: Frequently Asked Questions](https://go.microsoft.com/fwlink/p/?LinkId=314063). -  - -  +## Automatic updates +Internet Explorer 11 makes browsing the web faster, easier, safer, and more reliable than ever. To help customers become more secure and up-to-date, Microsoft will distribute Internet Explorer 11 through Automatic Updates and the Windows Update and Microsoft Update sites. Internet Explorer 11 will be available for users of the 32-bit and 64-bit versions of Windows 7 Service Pack 1 (SP1), and 64-bit version of Windows Server 2008 R2 SP1. This article provides an overview of the delivery process and options available for IT administrators to control how and when Internet Explorer 11 is deployed to their organization through Automatic Updates. +### Automatic delivery process +Internet Explorer 11 only downloads and installs if it’s available for delivery through Automatic Updates; and Automatic Updates only offer Internet Explorer 11 to users with local administrator accounts. User’s without local administrator accounts won’t be prompted to install the update and will continue using their current version of Internet Explorer. + +Internet Explorer 11 replaces Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10. If you decide you don’t want Internet Explorer 11, and you’re running Windows 7 SP1 or Windows Server 2008 R2 with SP1, you can uninstall it from the **View installed updates** section of the **Uninstall an update** page of the Control Panel.  + +### Internet Explorer 11 automatic upgrades + +Internet Explorer 11 is offered through Automatic Updates and Windows Update as an Important update. Users running Windows 7 SP1, who have chosen to download and install updates automatically through Windows Update, are automatically upgraded to Internet Explorer 11. + +Users who were automatically upgraded to Internet Explorer 11 can decide to uninstall Internet Explorer 11. However, Internet Explorer 11 will still appear as an optional update through Windows Update. + +### Options for blocking automatic delivery + +If you use Automatic Updates in your company, but want to stop your users from automatically getting Internet Explorer 11, do one of the following: + +- **Download and use the Internet Explorer 11 Blocker Toolkit.** Includes a Group Policy template and a script that permanently blocks Internet Explorer 11 from being offered by Windows Update or Microsoft Update as a high-priority update. You can download this kit from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=40722). + + >[!NOTE] + >The toolkit won't stop users with local administrator accounts from manually installing Internet Explorer 11. Using this toolkit also prevents your users from receiving automatic upgrades from Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 to Internet Explorer 11. For more information, see the [Internet Explorer 11 Blocker Toolkit frequently asked questions](#faq). + +- **Use an update management solution to control update deployment.** If you already use an update management solution, like [Windows Server Update Services (WSUS)](https://docs.microsoft.com/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus) or the more advanced [System Center 2012 Configuration Manager](http://go.microsoft.com/fwlink/?LinkID=276664), you should use that instead of the Internet Explorer Blocker Toolkit. + +>[!NOTE] +>If you use WSUS to manage updates, and Update Rollups are configured for automatic installation, Internet Explorer will automatically install throughout your company. + + +### Prevent automatic installation of Internet Explorer 11 with WSUS + +Internet Explorer 11 will be released to WSUS as an Update Rollup package. Therefore, if you’ve configured WSUS to “auto-approve” Update Rollup packages, it’ll be automatically approved and installed. To stop Internet Explorer 11 from being automatically approved for installation, you need to: + +1. Click **Start**, click **Administrative Tools**, and then click **Microsoft Windows Server Update Services 3.0**. + +2. Expand *ComputerName*, and then click **Options**. + +3. Click **Automatic Approvals**. + +4. Click the rule that automatically approves an update that is classified as Update Rollup, and then click **Edit.** + + >[!NOTE] + >If you don’t see a rule like this, you most likely haven’t configured WSUS to automatically approve Update Rollups for installation. In this situation, you don’t have to do anything else. + +5. Click the **Update Rollups** property under the **Step 2: Edit the properties (click an underlined value)** section. + + >[!NOTE] + >The properties for this rule will resemble the following: + +6. Clear the **Update Rollup** check box, and then click **OK**. + +7. Click **OK** to close the **Automatic Approvals** dialog box. + +After the new Internet Explorer 11 package is available for download, you should manually synchronize the new package to your WSUS server, so that when you re-enable auto-approval it won’t be automatically installed. + +1. Click **Start**, click **Administrative Tools**, and then click **Microsoft Windows Server Update Services 3.0**. + +2. Expand *ComputerName*, and then click **Synchronizations**. + +3. Click **Synchronize Now**. + +4. Expand *ComputerName*, expand **Updates**, and then click **All Updates**. + +5. Choose **Unapproved** in the **Approval**drop down box. + +6. Check to make sure that Microsoft Internet Explorer 11 is listed as an unapproved update. + +>[!NOTE] +>There may be multiple updates, depending on the imported language and operating system updates. + +### Optional - Reset update rollups packages to auto-approve + +1. Click **Start**, click **Administrative Tools**, and then click **Microsoft Windows Server Update Services 3.0**. + +2. Expand *ComputerName*, and then click **Options**. + +3. Click **Automatic Approvals**. + +4. Click the rule that automatically approves updates of different classifications, and then click **Edit**. + +5. Click the **Update Rollups** property under the **Step 2: Edit the properties (click an underlined value)** section. + +6. Check the **Update Rollups** check box, and then click **OK**. + +7. Click **OK** to close the **Automatic Approvals** dialog box. + +>[!NOTE] +>Because auto-approval rules are only evaluated when an update is first imported into WSUS, turning this rule back on after the Internet Explorer 11 update has been imported and synchronized to the server won’t cause this update to be auto-approved. + +## Frequently Asked Questions  +Get answers to commonly asked questions about the Internet Explorer 11 Blocker Toolkit. + +### Automatic updates delivery process +**Q. What tools can I use to manage Windows Updates and Microsoft Updates in my company?** +A. We encourage anyone who wants full control over their company’s deployment of Windows Updates and Microsoft Updates, to use [Windows Server Update Services (WSUS)](https://docs.microsoft.com/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus), a free tool for users of Windows Server. You can also use the more advanced configuration management tool, [System Center 2012 Configuration Manager](https://technet.microsoft.com/library/gg682041.aspx). + +**Q. How long does the blocker mechanism work?** +A. The Internet Explorer 11 Blocker Toolkit uses a registry key value to permanently turn off the automatic delivery of Internet Explorer 11. This behavior lasts as long as the registry key value isn’t removed or changed. + +**Q. Why should I use the Internet Explorer 11 Blocker Toolkit to stop delivery of Internet Explorer 11? Why can’t I just disable all of utomatic Updates?** +A. Automatic Updates provide you with ongoing critical security and reliability updates. Turning this feature off can leave your computers more vulnerable. Instead, we suggest that you use an update management solution, such as WSUS, to fully control your environment while leaving this feature running, managing how and when the updates get to your user’s computers. + +The Internet Explorer 11 Blocker Toolkit safely allows Internet Explorer 11 to download and install in companies that can’t use WSUS, Configuration Manager, or other update management solution. + +**Q. Why don’t we just block URL access to Windows Update or Microsoft Update?** +A. Blocking the Windows Update or Microsoft Update URLs also stops delivery of critical security and reliability updates for all of the supported versions of the Windows operating system; leaving your computers more vulnerable. + +### How the Internet Explorer 11 Blocker Toolkit works + +**Q. How should I test the Internet Explorer 11 Blocker Toolkit in my company?** +A. Because the toolkit only sets a registry key to turn on and off the delivery of Internet Explorer 11, there should be no additional impact or side effects to your environment. No additional testing should be necessary. + +**Q. What’s the registry key used to block delivery of Internet Explorer 11?** +A. HKLM\\SOFTWARE\\Microsoft\\Internet Explorer\\Setup\\11.0 + +**Q. What’s the registry key name and values?** +The registry key name is **DoNotAllowIE11**, where: + +- A value of **1** turns off the automatic delivery of Internet Explorer 11 + using Automatic Updates and turns off the Express install option. + +- Not providing a registry key, or using a value of anything other than **1**, + lets the user install Internet Explorer 11 through Automatic Updates or a + manual update. + +**Q. Does the Internet Explorer 11 Blocker Toolkit stop users from manually installing Internet Explorer 11?** +A. No. The Internet Explorer 11 Blocker Toolkit only stops computers from automatically installing Internet Explorer 11 through Automatic Updates. Users can still download and install Internet Explorer 11 from the Microsoft Download Center or from external media. + +**Q. Does the Internet Explorer 11 Blocker Toolkit stop users from automatically upgrading to Internet Explorer 11?** +A. Yes. The Internet Explorer 11 Blocker Toolkit also prevents Automatic Updates from automatically upgrading a computer from Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 to Internet Explorer 11. + +**Q. How does the provided script work?** +A. The script accepts one of two command line options: + +- **Block:** Creates the registry key that stops Internet Explorer 11 from installing through Automatic Updates. + +- **Unblock:** Removes the registry key that stops Internet Explorer 11 from installing through Automatic Updates. + +**Q. What’s the ADM template file used for?** +A. The Administrative Template (.adm file) lets you import the new Group Policy environment and use Group Policy Objects to centrally manage all of the computers in your company. + +**Q. Is the tool localized?** +A. No. The tool isn’t localized, it’s only available in English (en-us). However, it does work, without any modifications, on any language edition of the supported operating systems. + +### Internet Explorer 11 Blocker Toolkit and other update services + +**Q. Does the Internet Explorer 11 blocking mechanism also block delivery of Internet Explorer 11 through update management solutions, like SUS?** +A. No. You can still deploy Internet Explorer 11 using one of the upgrade management solutions, even if the blocking mechanism is activated. The Internet Explorer 11 Blocker Toolkit is only intended for companies that don’t use upgrade management solutions. + +**Q. If WSUS is set to 'auto-approve' Update Rollup packages (this is not the default configuration), how do I stop Internet Explorer 11 from automatically installing throughout my company?** +A. You only need to change your settings if: + +- You use WSUS to manage updates and allow auto-approvals for Update Rollup installation. + + -and- + +- You have computers running either Windows 7 SP1 or Windows Server 2008 R2 (SP1) with Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 installed. + + -and- + +- You don’t want to upgrade your older versions of Internet Explorer to Internet Explorer 11 right now. + +If these scenarios apply to your company, see [Internet Explorer 11 delivery through automatic updates](https://technet.microsoft.com/microsoft-edge/dn449235) for more information on how to prevent automatic installation. diff --git a/browsers/internet-explorer/ie11-faq/faq-for-it-pros-ie11.md b/browsers/internet-explorer/ie11-faq/faq-for-it-pros-ie11.md index 9d9574cd8a..d9b27be715 100644 --- a/browsers/internet-explorer/ie11-faq/faq-for-it-pros-ie11.md +++ b/browsers/internet-explorer/ie11-faq/faq-for-it-pros-ie11.md @@ -145,8 +145,62 @@ Group Policy settings can be set to open either IE or Internet Explorer for the |Always in IE11 |Links always open in IE. | |Always in Internet Explorer for the desktop |Links always open in Internet Explorer for the desktop. | + + +**Q. Can IEAK 11 build custom Internet Explorer 11 packages in languages other than the language of the in-use IEAK 11 version?** +Yes. You can use IEAK 11 to build custom Internet Explorer 11 packages in any of the supported 24 languages. You'll select the language for the custom package on the Language Selection page of the customization wizard. + +IEAK 11 is available in 24 languages but can build customized Internet Explorer 11 packages in all languages of the supported operating systems. Select a language below and download IEAK 11 from the download center: +| | | | +|---------|---------|---------| +|[English](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/en-us/ieak.msi) |[French](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/fr-fr/ieak.msi) |[Norwegian (Bokmål)](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/nb-no/ieak.msi) | +|[Arabic](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ar-sa/ieak.msi) |[Chinese (Simplified)](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/zh-cn/ieak.msi) |[Chinese(Traditional)](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/zh-tw/ieak.msi) | +|[Czech](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/cs-cz/ieak.msi) |[Danish](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/da-dk/ieak.msi) |[Dutch](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/nl-nl/ieak.msi) | +|[Finnish](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/fi-fi/ieak.msi) |[German](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/de-de/ieak.msi) |[Greek](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/el-gr/ieak.msi) | +|[Hebrew](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/he-il/ieak.msi) |[Hungarian](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/hu-hu/ieak.msi) |[Italian](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/it-it/ieak.msi) | +|[Japanese](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ja-jp/ieak.msi) |[Korean](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ko-kr/ieak.msi) |[Polish](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pl-pl/ieak.msi) | +|[Portuguese (Brazil)](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pt-br/ieak.msi) |[Portuguese (Portugal)](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pt-pt/ieak.msi) |[Russian](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ru-ru/ieak.msi) | +|[Spanish](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/es-es/ieak.msi) |[Swedish](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/sv-se/ieak.msi) |[Turkish](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/tr-tr/ieak.msi) | + + + +**Q. What are the different modes available for the Internet Explorer Customization Wizard?** +The IEAK Customization Wizard displays pages based on your licensing mode selection, either **Internal** or **External**. For more information on IEAK Customization Wizard modes, see [Determine the licensing version and features to use in IEAK 11](../ie11-ieak/licensing-version-and-features-ieak11.md). + +The following table displays which pages are available in IEAK 11, based on the licensing mode: + +| **Wizard Pages** | **External** | **Internal** | +|-------------------------------------------|--------------|--------------| +| Welcome to the IEAK | Yes | Yes | +| File Locations | Yes | Yes | +| Platform Selection | Yes | Yes | +| Language Selection | Yes | Yes | +| Package Type Selection | Yes | Yes | +| Feature Selection | Yes | Yes | +| Automatic Version Synchronization | Yes | Yes | +| Custom Components | Yes | Yes | +| Corporate Install | No | Yes | +| User Experience | No | Yes | +| Browser User Interface | Yes | Yes | +| Search Providers | Yes | Yes | +| Important URLs - Home page and Support | Yes | Yes | +| Accelerators | Yes | Yes | +| Favorites, Favorites Bar, and Feeds | Yes | Yes | +| Browsing Options | No | Yes | +| First Run Wizard and Welcome Page Options | Yes | Yes | +| Compatibility View | Yes | Yes | +| Connection Manager | Yes | Yes | +| Connection Settings | Yes | Yes | +| Automatic Configuration | No | Yes | +| Proxy Settings | Yes | Yes | +| Security and Privacy Settings | No | Yes | +| Add a Root Certificate | Yes | No | +| Programs | Yes | Yes | +| Additional Settings | No | Yes | +| Wizard Complete | Yes | Yes | + + ## Related topics - [Microsoft Edge - Deployment Guide for IT Pros](https://go.microsoft.com/fwlink/p/?LinkId=760643) - [Internet Explorer 11 (IE11) - Deployment Guide for IT Pros](../ie11-deploy-guide/index.md) -- [Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide](../ie11-ieak/index.md) - +- [Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide](../ie11-ieak/index.md) \ No newline at end of file diff --git a/browsers/internet-explorer/ie11-ieak/before-you-create-custom-pkgs-ieak11.md b/browsers/internet-explorer/ie11-ieak/before-you-create-custom-pkgs-ieak11.md index d8c5cb0595..3894e97e38 100644 --- a/browsers/internet-explorer/ie11-ieak/before-you-create-custom-pkgs-ieak11.md +++ b/browsers/internet-explorer/ie11-ieak/before-you-create-custom-pkgs-ieak11.md @@ -2,25 +2,28 @@ ms.localizationpriority: low ms.mktglfcycl: plan description: A list of steps to follow before you start to create your custom browser installation packages. -author: eross-msft +author: shortpatti +ms.author: pashort +ms.manager: elizapo ms.prod: ie11 ms.assetid: 6ed182b0-46cb-4865-9563-70825be9a5e4 title: Before you start using IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros) ms.sitesec: library -ms.date: 07/27/2017 +ms.date: 04/24/2018 --- # Before you start using IEAK 11 -Go through this list, making sure you’ve answered all of the questions before you run Internet Explorer Administration Kit 11 (IEAK 11) and the Customization Wizard. + +Before you run IEAK 11 and the Customization Wizard, make sure you have met the following requirements: - Have you determined which licensing version of the Internet Explorer Administration Kit 11 to install? For info, see [Determine the licensing version and features to use in IEAK 11](licensing-version-and-features-ieak11.md). - Do you meet the necessary hardware and software requirements? See [Hardware and software requirements for IEAK 11](hardware-and-software-reqs-ieak11.md). -- Have you gotten all of the URLs you’ll need so you can customize your **Home**, **Search**, and **Support** pages? See [Use the Important URLs - Home Page and Support page in the IEAK 11 Wizard](important-urls-home-page-and-support-ieak11-wizard.md). +- Have you gotten all of the URLs needed to customize your **Home**, **Search**, and **Support** pages? See [Use the Important URLs - Home Page and Support page in the IEAK 11 Wizard](important-urls-home-page-and-support-ieak11-wizard.md). -- Have you reviewed the security features, determining how you want to set up and manage them? See [Security features and IEAK 11](security-and-ieak11.md). +- Have you reviewed the security features to determine how to set up and manage them? See [Security features and IEAK 11](security-and-ieak11.md). - Have you created a test lab, where you can run the test version of your browser package to make sure it runs properly? diff --git a/browsers/internet-explorer/ie11-ieak/index.md b/browsers/internet-explorer/ie11-ieak/index.md index fcabf300fc..b0edeae7c4 100644 --- a/browsers/internet-explorer/ie11-ieak/index.md +++ b/browsers/internet-explorer/ie11-ieak/index.md @@ -12,15 +12,50 @@ ms.date: 07/27/2017 # Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide + +The Internet Explorer Administration Kit (IEAK) simplifies the creation, deployment, and management of customized Internet Explorer packages. You can use the IEAK to configure the out-of-box Internet Explorer experience or to manage user settings after Internet Explorer deployment. + Use this guide to learn about the several options and processes you'll need to consider while you're using the Internet Explorer Administration Kit 11 (IEAK 11) to customize, deploy, and manage Internet Explorer 11 for your employee's devices. -**Important**
-Because this content isn't intended to be a step-by-step guide, not all of the steps are necessary. +>[!IMPORTANT} +>Because this content isn't intended to be a step-by-step guide, not all of the steps are necessary. ## IEAK 11 users -IEAK 11 includes programs and tools that enterprises can use to customize, deploy, and administer Internet Explorer 11 for employee devices, while Internet service and content providers can use the same programs and tools to customize, deploy, and administer Internet Explorer 11 for customers. +Internet Explorer Administration Kit (IEAK) helps corporations, Internet service providers (ISPs), Internet content providers (ICPs), and independent software vendors (ISVs) to deploy and manage web-based solutions. + +IEAK 10 and newer includes the ability to install using one of the following installation modes: +- Internal +- External + +>[!NOTE] +>IEAK 11 works in network environments, with or without Microsoft Active Directory service. + +### Corporations +IEAK helps corporate administrators establish version control, centrally distribute and manage browser installation, configure automatic connection profiles, and customize large portions of Internet Explorer, including features, security, communications settings, and other important functionality. + +Corporate administrators install IEAK using Internal mode (for Internet Explorer 10 or newer) or Corporate mode (for Internet Explorer 9 or older). + +### Internet service providers +IEAK helps ISPs customize, deploy and distribute, add third-party add-ons, search providers, and custom components, as well as include web slices and accelerators all as part of a custom Internet Explorer installation package. + +ISPs install IEAK using External mode (for Internet Explorer 10 or newer) or Internet Service Provider (ISP) mode (for Internet Explorer 9 or older). + +### Internet content providers +IEAK helps ICPs customize the appearance of Internet Explorer and its Setup program, including letting you add your company name or specific wording to the Title bar, set up a customer support webpage, set up the user home page and search providers, add links to the Favorites and the Explorer bars, add optional components, web slices and accelerators, and determine which compatibility mode Internet Explorer should use. + +ICPs install IEAK using External mode (for Internet Explorer 10 or newer) or Internet Content Provider (ICP) mode (for Internet Explorer 9 or older) + +### Independent software vendors +IEAK helps ISVs distribute (and redistribute) a custom version of Internet Explorer that can include custom components, programs, and controls (like the web browser control) that you create for your users. ISVs can also determine home pages, search providers, and add websites to the Favorites bar. + +ISVs install IEAK using External mode (for Internet Explorer 10 or newer) or Internet Content Provider (ICP) mode (for Internet Explorer 9 or older). + +## Included technology +IEAK 11 includes the following technology: +- **Internet Explorer Customization Wizard.** This wizard guides you through the process of creating custom browser packages. After these packages are installed on your user's desktop, the user receives customized versions of Internet Explorer 11, with the settings and options you selected through the wizard. +- **Windows Installer (MSI).** IEAK 11 supports creating an MSI wrapper for your custom Internet Explorer 11 packages, enabling you to use Active Directory to deploy the package to your user's PC. +- **IEAK Help.** IEAK 11 Help includes many conceptual and procedural topics, which you can view from the **Index**, **Contents**, or **Search** tabs. You also have the option to print any topic, or the entire Help library. -IEAK 11 works in network environments, with or without Microsoft Active Directory service. ## Naming conventions IE11 and IEAK 11 offers differing experiences between Windows 7 and Windows 8.1 Update and newer versions of the Windows operating system: diff --git a/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md b/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md index 8e6a48df9f..0ad5bcf30e 100644 --- a/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md +++ b/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md @@ -14,10 +14,13 @@ ms.date: 05/02/2018 # Determine the licensing version and features to use in IEAK 11 -You must pick a version of IEAK 11 to run during installation, either **External** or **Internal**, based on your license agreement. Your version selection decides the options you can pick from, the steps you’ll have to follow to deploy your Internet Explorer 11 package, and how you’ll manage the browser after deployment. +In addition to the Software License Terms for the Internet Explorer Administration Kit 11 (IEAK 11) (IEAK 11, the "software"), these Guidelines further define how you may and may not use the software to create versions of Internet Explorer 11 with optional customizations (the "customized browser") for internal use and distribution in accordance with the IEAK 11 Software License Terms. IEAK 11 is for testing purposes only and is not intended to be used in a production environment. -- **External Distribution as an Internet Service Provider (ISP), Internet Content Provider (ICP), or Developer.** If you’re an ISP or an ICP, your license agreement also says that you have to show the Internet Explorer logo on your packaging and promotional goods, as well as on your website.

-**Important**
Original Equipment Manufacturers (OEMs) that install IEAK 11 as part of a Windows product, under an OEM license agreement with Microsoft, must use their appropriate Windows OEM Preinstallation document (OPD) as the guide for allowable customizations. +During installation, you must pick a version of IEAK 11, either **External** or **Internal**, based on your license agreement. Your version selection decides the options you can chose, the steps you follow to deploy your Internet Explorer 11 package, and how you manage the browser after deployment. + +- **External Distribution as an Internet Service Provider (ISP), Internet Content Provider (ICP), or Developer.** If you are an ISP or an ICP, your license agreement also states that you must show the Internet Explorer logo on your packaging and promotional goods, as well as on your website. + >[!IMPORTANT] + >Original Equipment Manufacturers (OEMs) that install IEAK 11 as part of a Windows product, under an OEM license agreement with Microsoft, must use their appropriate Windows OEM Preinstallation document (OPD) as the guide for allowable customizations. - **Internal Distribution via a Corporate Intranet.** This version is for network admins that plan to directly deploy IE11 into a corporate environment. @@ -52,3 +55,48 @@ You must pick a version of IEAK 11 to run during installation, either **Externa |Additional settings |Not available | |Wizard complete |Wizard complete | +## Customization guidelines + +Two installation modes are available to you, depending on how you are planning to use the customized browser created with the software. Each mode requires a separate installation of the software. + +- **External Distribution** + This mode is available to anyone who wants to create a customized browser for distribution outside their company (for example, websites, magazines, retailers, non-profit organizations, independent hardware vendors, independent software vendors, Internet service providers, Internet content providers, software developers, and marketers). + +- **Internal Distribution** + This mode is available to companies for the creation and distribution of a customized browser only to their employees over a corporate intranet. + +The table below identifies which customizations you may or may not perform based on the mode you selected. + +| **Feature Name** | **External Distribution** | **Internal Distribution** | +|---------------------------------|----------------------|-------------------| +| **Custom Components** | Yes | Yes | +| **Title Bar** | Yes | Yes | +| **Favorites** | One folder, containing any number of links. | Any number of folders/links. | +| **Search Provider URLs** | Yes | Yes | +| **Search Guide URL** | No | Yes | +| **Online Support URL** | Yes | Yes | +| **Web Slice** | Suggested maximum five Web Slices. | Any number of Web Slices. | +| **Accelerator** | Search provider Accelerator must be the same as the search provider set for the Search Toolbox. We recommend that Any number of Accelerators/Accelerator Categories. Feature Name External Internal Accelerator category not exceed seven total categories, and each Accelerator category must be unique. We recommend each Accelerator category not have more than two Accelerators. The Accelerator display name should follow the syntax of verb + noun, such as "Map with Bing." | Any number of Accelerators/Accelerator Categories. | +| **Homepage URLs** | Can add a maximum of three. | Unlimited. | +| **First Run Wizard and Welcome Page Options** | Cannot remove Internet Explorer 11 First Run wizard. Can customize **Welcome** page. | Customizable. | +| **RSS Feeds** | One folder, containing any number of links. | Any number of folders/links. | +| **Browsing Options** | No | Yes | +| **Security and Privacy Settings** | No | Can add any number of sites. | +| **Corporate Options** (Latest Updates, Default Browser, Uninstall Info, Additional Settings) | No | Yes | +| **User Experience** (Setup/Restart) | No | Yes | +| **User Agent String** | Yes | Yes | +| **Compatibility View** | Yes | Yes | +| **Connection Settings and Manage** | Yes | Yes | + + +Support for some of the Internet Explorer settings on the wizard pages varies depending on your target operating system. For more information, see [Internet Explorer Customization Wizard 11 options](https://docs.microsoft.com/internet-explorer/ie11-ieak/ieak11-wizard-custom-options). + +## Distribution guidelines + +Two installation modes are available to you, depending on how you are planning to use the customized browser created with the software. Each mode requires a separate installation of the software. + +- **External Distribution** + You shall use commercially reasonable efforts to maintain the quality of (i) any non-Microsoft software distributed with Internet Explorer 11, and (ii) any media used for distribution (for example, optical media, flash drives), at a level that meets or exceeds the highest industry standards. If you distribute add-ons with Internet Explorer 11, those add-ons must comply with the [!INCLUDE [microsoft-browser-extension-policy-include](../../edge/microsoft-browser-extension-policy-include.md)]. + +- **Internal Distribution - corporate intranet** + The software is solely for use by your employees within your company's organization and affiliated companies through your corporate intranet. Neither you nor any of your employees may permit redistribution of the software to or for use by third parties other than for third parties such as consultants, contractors, and temporary staff accessing your corporate intranet. \ No newline at end of file diff --git a/browsers/internet-explorer/ie11-ieak/troubleshooting-custom-browser-pkg-ieak11.md b/browsers/internet-explorer/ie11-ieak/troubleshooting-custom-browser-pkg-ieak11.md index c762eb1d5a..f23e871f87 100644 --- a/browsers/internet-explorer/ie11-ieak/troubleshooting-custom-browser-pkg-ieak11.md +++ b/browsers/internet-explorer/ie11-ieak/troubleshooting-custom-browser-pkg-ieak11.md @@ -2,7 +2,8 @@ ms.localizationpriority: low ms.mktglfcycl: support description: Info about some of the known issues using the Internet Exporer Customization Wizard and a custom Internet Explorer install package. -author: eross-msft +author: shortpatti +ms.author: pashort ms.prod: ie11 ms.assetid: 9e22cc61-6c63-4cab-bfdf-6fe49db945e4 title: Troubleshoot custom package and IEAK 11 problems (Internet Explorer Administration Kit 11 for IT Pros) @@ -14,8 +15,8 @@ ms.date: 07/27/2017 # Troubleshoot custom package and IEAK 11 problems While the Internet Explorer Customization Wizard has been around for quite a while, there are still some known issues that you might encounter while deploying or managing your custom IE install package. -## I can’t locate some of the wizard pages -The most common reasons you won’t see certain pages is because: +## I am unable to locate some of the wizard pages +The most common reasons you will not see certain pages is because: - **Your licensing agreement with Microsoft.** Your licensing agreement determines whether you install the **Internal** or **External** version of the Internet Explorer Customization Wizard, and there are different features available for each version. For info about which features are available for each version, see [Determine the licensing version and features to use in IEAK 11](licensing-version-and-features-ieak11.md). @@ -23,7 +24,7 @@ The most common reasons you won’t see certain pages is because: - **Your choice of features.** Depending on what you selected from the **Feature Selection** page of the wizard, you might not see all of the pages. You need to make sure that the features you want to customize are all checked. For more information, see [Use the Feature Selection page in the IEAK 11 Wizard](feature-selection-ieak11-wizard.md). -## Internet Explorer Setup fails on employee devices +## Internet Explorer Setup fails on user's devices Various issues can cause problems during Setup, including missing files, trust issues, or URL monikers. You can troubleshoot these issues by reviewing the Setup log file, located at `IE11\_main.log` from the **Windows** folder (typically, `C:\Windows`). The log file covers the entire Setup process from the moment IE11Setup.exe starts until the last .cab file finishes, providing error codes that you can use to help determine the cause of the failure. ### Main.log file codes @@ -61,18 +62,60 @@ To address connection issues (for example, as a result of server problems) where Where `` represents the folder location where you stored IE11setup.exe. -## Employees can’t uninstall IE -If you can’t uninstall IE using **Uninstall or change a program** in the Control Panel, it could be because the uninstall information isn’t on the computer. To fix this issue, you should: +## Users cannot uninstall IE +If you cannot uninstall IE using **Uninstall or change a program** in the Control Panel, it could be because the uninstall information is not on the computer. To fix this issue, you should: 1. Review the uninstall log file, IE11Uninst.log, located in the `C:\Windows` folder. This log file covers the entire uninstallation process, including every file change, every registry change, and any dialog boxes that are shown. 2. Try to manually uninstall IE. Go to the backup folder, `:\Windows\$ie11$`, and run the uninstall file, `Spunist.exe`.   +## The Internet Explorer Customization Wizard 11 does not work with user names that user double-byte character sets +The customization wizard does not work with user names that use double-byte character sets, such as Chinese or Japanese. To fix this, set the **TEMP** and **TMP** environmental variables to a path that does not use these characters (for example, C:\temp). + +1. Open **System Properties**, click the **Advanced** tab, and then click **Environmental Variables**. +2. Click Edit, and then modify the **TEMP** and **TMP** environmental variables to a non-user profile directory.   +## Unicode characters are not supported in IEAK 11 path names +While Unicode characters, such as Emoji, are supported for organization names and other branding items, you must not use Unicode characters in any paths associated with running the Internet Explorer Customization Wizard 11. This includes paths to your IEAK 11 installation and to the storage location for your custom packages after they're built. + +## Internet Explorer branding conflicts when using both Unattend and IEAK 11 to customize Internet Explorer settings +Using both Unattend settings and an IEAK custom package to modify a user's version of Internet Explorer 11 might cause a user to lose personalized settings during an upgrade. For example, many manufacturers configure Internet Explorer using Unattend settings. If a user purchases a laptop, and then signs up for Internet service, their Internet Service Provider (ISP) might provide a version of Internet Explorer that has been branded (for example, with a custom homepage for that ISP) using Internet Explorer Customization Wizard 11. If that user later upgrades to a new version of Internet Explorer, the Unattend settings from the laptop manufacturer will be reapplied, overwriting any settings that the user configured for themselves (such as their homepage). +## IEAK 11 does not correctly apply the Delete all existing items under Favorites, Favorites Bar and Feeds option +The Internet Explorer Customization Wizard 11 does not correctly apply the **Delete all existing items under Favorites**, **Favorites Bar and Feeds** option, available on the **Browsing Options** page. +Selecting to include this feature in your customized Internet Explorer package enables the deletion of existing items in the **Favorites** and **Favorites Bar** areas, but it doesn't enable deletion in the **Feeds** area. In addition, this setting adds a new favorite, titled “Web Slice Gallery” to the **Favorites Bar**. +## F1 does not activate Help on Automatic Version Synchronization page +Pressing the **F1** button on the **Automatic Version Synchronization** page of the Internet Explorer Customization Wizard 11 does not display the **Help** page. Clicking the **Help** button enables you to open the Help system and view information about this page. +## Certificate installation does not work on IEAK 11 +IEAK 11 doesn't install certificates added using the Add a Root Certificate page of the Internet Explorer Customization Wizard 11. Administrators can manually install certificates using the Certificates Microsoft Management Console snap-in (Certmgr.msc) or using the command-line tool, Certificate Manager (Certmgr.exe). + +>[!NOTE] +>This applies only when using the External licensing mode of IEAK 11. + +## The Additional Settings page appears in the wrong language when using a localized version of IEAK 11 +When using IEAK 11 in other languages, the settings on the Additional Settings page appear in the language of the target platform, regardless of the IEAK 11 language. + +>[!NOTE] +>This applies only when using the Internal licensing mode of IEAK 11. + +To work around this issue, run the customization wizard following these steps: +1. On the **Language Selection** page, select the language that matches the language of your installed IEAK 11. +2. Click **Next**, and then click **Synchronize** on the Automatic Version Synchronization page. +3. After synchronization is complete, cancel the wizard. +4. Repeat these steps for each platform on the Platform Selection page. + +After performing these steps, you must still do the following each time you synchronize a new language and platform: +1. Open File Explorer to the Program Files\Windows IEAK 11 or Program Files (x86)\Windows IEAK 11 folder. +2. Open the **Policies** folder, and then open the appropriate platform folder. +3. Copy the contents of the matching-language folder into the new language folder. + +After completing these steps, the Additional Settings page matches your wizard’s language. + +## Unable to access feeds stored in a subfolder +Adding feeds using the **Favorites**, **Favorites Bar**, and **Feeds** page of the Internet Explorer 11 Customization Wizard requires that the feeds be stored in a single folder. Creating two levels of folders, and creating the feed in the subfolder, causes the feed to fail. diff --git a/education/windows/TOC.md b/education/windows/TOC.md index 3c2caa9f9a..ca73e87080 100644 --- a/education/windows/TOC.md +++ b/education/windows/TOC.md @@ -21,6 +21,6 @@ ## [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md) ## [Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md) ## [Switch to Windows 10 Pro Education in S mode from Windows 10 Pro in S mode](s-mode-switch-to-edu.md) -## [Switch to Windows 10 Pro Education from Windows 10 Pro](switch-to-pro-education.md) +## [Change to Windows 10 Pro Education from Windows 10 Pro](change-to-pro-education.md) ## [Chromebook migration guide](chromebook-migration-guide.md) ## [Change history for Windows 10 for Education](change-history-edu.md) diff --git a/education/windows/switch-to-pro-education.md b/education/windows/change-to-pro-education.md similarity index 100% rename from education/windows/switch-to-pro-education.md rename to education/windows/change-to-pro-education.md diff --git a/windows/security/information-protection/TOC.md b/windows/security/information-protection/TOC.md index aa050873f5..c845e7e6aa 100644 --- a/windows/security/information-protection/TOC.md +++ b/windows/security/information-protection/TOC.md @@ -51,4 +51,5 @@ #### [Unenlightened and enlightened app behavior while using Windows Information Protection (WIP)](windows-information-protection\app-behavior-with-wip.md) #### [Recommended Enterprise Cloud Resources and Neutral Resources network settings with Windows Information Protection (WIP)](windows-information-protection\recommended-network-definitions-for-wip.md) #### [Using Outlook Web Access with Windows Information Protection (WIP)](windows-information-protection\using-owa-with-wip.md) +### [Fine-tune Windows Information Protection (WIP) with WIP Learning](windows-information-protection\wip-learning.md) diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure.md index 1286383620..9014f9ca05 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure.md @@ -256,6 +256,7 @@ Where the text, `O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US` is the For this example, we’re going to add an AppLocker XML file to the **Allowed apps** list. You’ll use this option if you want to add multiple apps at the same time. For more info about AppLocker, see the [AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/applocker-overview) content. **To create a list of Allowed apps using the AppLocker tool** + 1. Open the Local Security Policy snap-in (SecPol.msc). 2. In the left blade, expand **Application Control Policies**, expand **AppLocker**, and then click **Packaged App Rules**. diff --git a/windows/security/information-protection/windows-information-protection/images/WIPNEW1-chart-selected-sterile.png b/windows/security/information-protection/windows-information-protection/images/WIPNEW1-chart-selected-sterile.png new file mode 100644 index 0000000000..5ce10dd81f Binary files /dev/null and b/windows/security/information-protection/windows-information-protection/images/WIPNEW1-chart-selected-sterile.png differ diff --git a/windows/security/information-protection/windows-information-protection/images/WIPNEWMAIN-sterile.png b/windows/security/information-protection/windows-information-protection/images/WIPNEWMAIN-sterile.png new file mode 100644 index 0000000000..6bc8237f7f Binary files /dev/null and b/windows/security/information-protection/windows-information-protection/images/WIPNEWMAIN-sterile.png differ diff --git a/windows/security/information-protection/windows-information-protection/images/WIPappID-sterile.png b/windows/security/information-protection/windows-information-protection/images/WIPappID-sterile.png new file mode 100644 index 0000000000..7d67692ff3 Binary files /dev/null and b/windows/security/information-protection/windows-information-protection/images/WIPappID-sterile.png differ diff --git a/windows/security/information-protection/windows-information-protection/images/access-wip-learning-report.png b/windows/security/information-protection/windows-information-protection/images/access-wip-learning-report.png new file mode 100644 index 0000000000..cf48ea50fc Binary files /dev/null and b/windows/security/information-protection/windows-information-protection/images/access-wip-learning-report.png differ diff --git a/windows/security/information-protection/windows-information-protection/images/oms-wip-app-learning-tile.png b/windows/security/information-protection/windows-information-protection/images/oms-wip-app-learning-tile.png new file mode 100644 index 0000000000..cfeee8a45f Binary files /dev/null and b/windows/security/information-protection/windows-information-protection/images/oms-wip-app-learning-tile.png differ diff --git a/windows/security/information-protection/windows-information-protection/images/wip-in-oms-console-link.png b/windows/security/information-protection/windows-information-protection/images/wip-in-oms-console-link.png new file mode 100644 index 0000000000..e0dc52bd86 Binary files /dev/null and b/windows/security/information-protection/windows-information-protection/images/wip-in-oms-console-link.png differ diff --git a/windows/security/information-protection/windows-information-protection/images/wip-learning-app-info.png b/windows/security/information-protection/windows-information-protection/images/wip-learning-app-info.png new file mode 100644 index 0000000000..09539d6773 Binary files /dev/null and b/windows/security/information-protection/windows-information-protection/images/wip-learning-app-info.png differ diff --git a/windows/security/information-protection/windows-information-protection/images/wip-learning-choose-store-or-desktop-app.png b/windows/security/information-protection/windows-information-protection/images/wip-learning-choose-store-or-desktop-app.png new file mode 100644 index 0000000000..2393cc7eca Binary files /dev/null and b/windows/security/information-protection/windows-information-protection/images/wip-learning-choose-store-or-desktop-app.png differ diff --git a/windows/security/information-protection/windows-information-protection/images/wip-learning-select-report.png b/windows/security/information-protection/windows-information-protection/images/wip-learning-select-report.png new file mode 100644 index 0000000000..4f5a81b9a2 Binary files /dev/null and b/windows/security/information-protection/windows-information-protection/images/wip-learning-select-report.png differ diff --git a/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md b/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md index 20431799cb..4227a5f80b 100644 --- a/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md +++ b/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security -author: eross-msft +author: coreyp-at-msft ms.localizationpriority: medium ms.date: 09/11/2017 --- @@ -120,7 +120,7 @@ WIP currently addresses these enterprise scenarios: - Your employees won't have their work otherwise interrupted while switching between personal and enterprise apps while the enterprise policies are in place. Switching environments or signing in multiple times isn’t required. -### WIP-protection modes +### WIP-protection modes Enterprise data is automatically encrypted after it’s loaded on a device from an enterprise source or if an employee marks the data as corporate. Then, when the enterprise data is written to disk, WIP uses the Windows-provided Encrypting File System (EFS) to protect it and associate it with your enterprise identity. Your WIP policy includes a list of trusted apps that are allowed to access and process corporate data. This list of apps is implemented through the [AppLocker](/windows/device-security/applocker/applocker-overview) functionality, controlling what apps are allowed to run and letting the Windows operating system know that the apps can edit corporate data. Apps included on this list don’t have to be modified to open corporate data because their presence on the list allows Windows to determine whether to grant them access. However, new for Windows 10, app developers can use a new set of application programming interfaces (APIs) to create *enlightened* apps that can use and edit both enterprise and personal data. A huge benefit to working with enlightened apps is that dual-use apps, like Microsoft Word, can be used with less concern about encrypting personal data by mistake because the APIs allow the app to determine whether data is owned by the enterprise or if it’s personally owned. diff --git a/windows/security/information-protection/windows-information-protection/wip-learning.md b/windows/security/information-protection/windows-information-protection/wip-learning.md new file mode 100644 index 0000000000..f85ded38d6 --- /dev/null +++ b/windows/security/information-protection/windows-information-protection/wip-learning.md @@ -0,0 +1,101 @@ +--- +title: +# Fine-tune Windows Information Policy (WIP) with WIP Learning +description: How to access the WIP Learning report to monitor and apply Windows Information Protection in your company. +ms.assetid: 53db29d2-d99d-4db6-b494-90e2b4872ca2 +keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, WIP Learning +ms.prod: w10 +ms.mktglfcycl: +ms.sitesec: library +ms.pagetype: security +author: coreyp-at-msft +ms.localizationpriority: medium +ms.date: 04/18/2018 +--- + +# Fine-tune Windows Information Protection (WIP) with WIP Learning +**Applies to:** + +- Windows 10, version 1703 and later +- Windows 10 Mobile, version 1703 and later + +With WIP Learning, you can intelligently tune which apps and websites are included in your WIP policy to help reduce disruptive prompts and keep it accurate and relevant. WIP Learning generates two reports: The **App learning report** and the **Website learning report**. Both reports are accessed from Microsoft Azure Intune, and you can alternately access the App learning report from Microsoft Operations Management Suite (OMS). + +The **App learning report** monitors your apps, not in policy, that attempt to access work data. You can identify these apps using the report and add them to your WIP policies to avoid productivity disruption before fully enforcing WIP with [“Hide overrides”](protect-enterprise-data-using-wip.md#bkmk-modes) mode. Frequent monitoring of the report will help you continuously identify access attempts so you can update your policy accordingly. + +In the **Website learning report**, you can view a summary of the devices that have shared work data with websites. You can use this information to determine which websites should be added to group and user WIP policies. The summary shows which website URLs are accessed by WIP-enabled apps so you can decide which ones are cloud or personal, and add them to the resource list. + +## Access the WIP Learning reports + +1. Open the [Azure portal](http://https://portal.azure.com/). Choose **All services**. Type **Intune** in the text box filter. + +2. Choose **Intune** > **Mobile Apps**. + +3. Choose **App protection status**. + +4. Choose **Reports**. + + ![Image showing the UI path to the WIP report](images/access-wip-learning-report.png) + +5. Finally, select either **App learning report for Windows Information Protection**, or **Website learning report for Windows Information Protection**. + + ![Image showing the UI with for app and website learning reports](images/wip-learning-select-report.png) + +Once you have the apps and websites showing up in the WIP Learning logging reports, you can decide whether to add them to your app protection policies. Next, we'll look at how to do that in Operations Management Suite (OMS). + +## View the WIP app learning report in Microsoft Operations Management Suite + +From Intune, you can open OMS by choosing **WIP in the OMS console**. Then you can view the WIP App learning blade to monitor access events per app, and devices that have reported WIP access events: + +![View in Intune of the link to OMS](images/wip-in-oms-console-link.png) + +If you don't have OMS linked to your Microsoft Azure Account, and want to configure your environment for Windows Analytics: Device Health, see [Get Started with Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-get-started) for more information. + +>[!NOTE] +>Intune has a 14 day data retention capacity, while OMS offers better querying capabilities and longer data retention. + +Once you have WIP policies in place, by using the WIP section of Device Health, you can: + +- Reduce disruptive prompts by adding rules to allow data sharing from approved apps. +- Tune WIP rules by confirming that certain apps are allowed or denied by current policy. + +![Main Windows Information Protection view](images/oms-wip-app-learning-tile.png) + +The **APP LEARNING** tile shows details of app statistics that you can use to evaluate each incident and update app policies by using WIP AppIDs. + +![Details view](images/WIPNEW1-chart-selected-sterile.png) + +In this chart view, you can see apps that have been used on connected devices which, when clicked on, will open additional details on the app, including details you need to adjust your WIP Policy: + +![Details view for a specific app](images/WIPappID-sterile.png) + +Here, you can copy the **WipAppid** and use it to adjust your WIP protection policies. + +## Use OMS and Intune to adjust WIP protection policy + +1. Click the **APP LEARNING** tile in OMS, as described above, to determine which apps are being used for work so you can add those you choose to your WIP policy. + +2. Click the app you want to add to your policy and copy the publisher information from the app details screen. + +3. Back in Intune, click **App protection policies** and then choose the app policy you want to add an application to. + +4. Click **Protected apps**, and then click **Add Apps**. + +5. In the **Recommended apps** drop down menu, choose either **Store apps** or **Desktop apps**, depending on the app you've chosen (for example, an executable (EXE) is a desktop app). + + ![View of drop down menu for Store or desktop apps](images/wip-learning-choose-store-or-desktop-app.png) + +6. In **NAME** (optional), type the name of the app, and then in **PUBLISHER** (required), paste the publisher information that you copied in step 2 above. + + ![View of Add Apps app info entry boxes](images/wip-learning-app-info.png) + +7. Type the name of the product in **PRODUCT NAME** (required) (this will probably be the same as what you typed for **NAME**). + +8. Back in OMS, copy the name of the executable (for example, snippingtool.exe) and then go back to Intune and paste it in **FILE** (required). + +9. Go back to OMS one more time and note the version number of the app and type it in **MIN VERSION** in Intune (alternately, you can specify the max version, but one or the other is required), and then select the **ACTION**: **Allow** or **Deny** + +When working with WIP-enabled apps and WIP-unknown apps, it is recommended that you start with **Silent** or **Allow overrides** while verifying with a small group that you have the right apps on your allowed apps list. After you're done, you can change to your final enforcement policy, **Hide overrides**. For more information about WIP modes, see: [Protect enterprise data using WIP: WIP-modes](protect-enterprise-data-using-wip.md#bkmk-modes) + +>[!NOTE] +>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md index 872058c8f7..97f53bee77 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md @@ -44,4 +44,4 @@ These settings, located at **Computer Configuration\Administrative Templates\Win |Allow Persistence|Windows 10 Enterprise, 1709 or higher

Windows 10 Professional, 1803|Determines whether data persists across different sessions in Windows Defender Application Guard.|**Enabled.** Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.

**Disabled or not configured.** All user data within Application Guard is reset between sessions.

**Note**
If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.
**To reset the container:**

  1. Open a command-line program and navigate to Windows/System32.
  2. Type `wdagtool.exe cleanup`.
    The container environment is reset, retaining only the employee-generated data.
  3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`.
    The container environment is reset, including discarding all employee-generated data.
| |Turn on Windows Defender Application Guard in Enterprise Mode|Windows 10 Enterprise, 1709 or higher|Determines whether to turn on Application Guard for Microsoft Edge.|**Enabled.** Turns on Application Guard for Microsoft Edge, honoring the network isolation settings, rendering non-enterprise domains in the Application Guard container. Be aware that Application Guard won't actually be turned On unless the required prerequisites and network isolation settings are already set on the device.

**Disabled.** Turns Off Application Guard, allowing all apps to run in Microsoft Edge.| |Allow files to download to host operating system|Windows 10 Enterprise, 1803|Determines whether to save downloaded files to the host operating system from the Windows Defender Application Guard container.|**Enabled.** Allows users to save downloaded files from the Windows Defender Application Guard container to the host operating system.

**Disabled or not configured.** Users are not able to saved downloaded files from Application Guard to the host operating system.| -|Allow hardware-accelerated rendering for Windows Defender Application Guard|Windows 10 Enterprise, version 1803

(experimental only)|Determines whether Windows Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** Windows Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Windows Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Windows Defender Application Guard will automatically revert to software-based (CPU) rendering.

**Important**
Be aware that enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.

**Disabled or not configured.** Windows Defender Application Guard uses software-based (CPU) rendering and won’t load any third-party graphics drivers or interact with any connected graphics hardware.| +|Allow hardware-accelerated rendering for Windows Defender Application Guard|Windows 10 Enterprise, version 1803

(experimental only)|Determines whether Windows Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** Windows Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Windows Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Windows Defender Application Guard will automatically revert to software-based (CPU) rendering.

**Disabled or not configured.** Windows Defender Application Guard uses software-based (CPU) rendering and won’t load any third-party graphics drivers or interact with any connected graphics hardware.

**Note**
This is an experimental feature in Windows 10 Enterprise, version 1803 and will not function without the presence of an additional registry key provided by Microsoft. If you would like to evaluate this feature on deployments of Windows 10 Enterprise, version 1803, please contact Microsoft for further information.| diff --git a/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md index d970e7206f..e6dfc5a7cb 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md @@ -13,7 +13,8 @@ ms.date: 11/07/2017 # Frequently asked questions - Windows Defender Application Guard **Applies to:** -- Windows 10 Enterpise edition, version 1709 +- Windows 10 Enterpise edition, version 1709 or higher +- Windows 10 Professional edition, version 1803 Answering frequently asked questions about Windows Defender Application Guard (Application Guard) features, integration with the Windows operating system, and general configuration. @@ -31,7 +32,7 @@ Answering frequently asked questions about Windows Defender Application Guard (A | | | |---|----------------------------| |**Q:** |Can employees download documents from the Application Guard Edge session onto host devices?| -|**A:** |It's not possible to download files from the isolated Application Guard container to the host PC. However, employees can use the **Print as PDF** or **Print as XPS** options and save those files to the host device.| +|**A:** |In Windows 10 Enterprise edition 1803, users will be able to download documents from the isolated Application Guard container to the host PC.

In Windows 10 Enterprise edition 1709 or Windows 10 Professional edition 1803, it is not possible to download files from the isolated Application Guard container to the host PC. However, employees can use the **Print as PDF** or **Print as XPS** options and save those files to the host device.|
| | | @@ -55,5 +56,11 @@ Answering frequently asked questions about Windows Defender Application Guard (A | | | |---|----------------------------| |**Q:** |How do I configure WDAG to work with my network proxy (IP-Literal Addresses)?| -|**A:** |WDAG requires proxies to have a symbolic name, not just an IP address. IP-Literal proxy settings such as “192.168.1.4:81” can be annotated as “itproxy:81” or using a record such as “P19216810010” for a proxy with an IP address of 192.168.100.10. This applies to WDAG in RS3 (1709) and RS4 (1803).| +|**A:** |WDAG requires proxies to have a symbolic name, not just an IP address. IP-Literal proxy settings such as “192.168.1.4:81” can be annotated as “itproxy:81” or using a record such as “P19216810010” for a proxy with an IP address of 192.168.100.10. This applies to Windows 10 Enterprise edition, 1709 or higher.| +
+ +| | | +|---|----------------------------| +|**Q:** |I enabled the hardware acceleration policy on my Windows 10 Enterprise, version 1803 deployment. Why are my users still only getting CPU rendering??| +|**A:** |This feature is currently experimental-only and is not functional without an additional regkey provided by Microsoft. If you would like to evaluate this feature on a deployment of Windows 10 Enterprise, version 1803, please contact Microsoft and we’ll work with you to enable the feature.|
diff --git a/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md index 4e9d84ab90..2e7c06d339 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md @@ -12,11 +12,12 @@ ms.date: 10/19/2017 # Testing scenarios using Windows Defender Application Guard in your business or organization -**Applies to:** -- Windows 10 Enterpise edition, version 1709 - We've come up with a list of suggested testing scenarios that you can use to test Windows Defender Application Guard (Application Guard) in your organization. +**Applies to:** +- Windows 10 Enterpise edition, version 1709 or higher +- Windows 10 Professional edition, version 1803 + ## Application Guard in standalone mode You can see how an employee would use standalone mode with Application Guard. @@ -97,6 +98,10 @@ Application Guard provides the following default behavior for your employees: You have the option to change each of these settings to work with your enterprise from within Group Policy. +**Applies to:** +- Windows 10 Enterpise edition, version 1709 or higher +- Windows 10 Professional edition, version 1803 + **To change the copy and paste options** 1. Go to the **Administrative Templates\System\Windows Components\Windows Defender Application Guard\Configure Windows Defender Application Guard clipboard settings**. @@ -152,3 +157,34 @@ You have the option to change each of these settings to work with your enterpris >[!NOTE] >If you don't allow or turn off data persistence, restarting a device or logging in and out of the isolated container triggers a recycle event that discards all generated data, including session cookies, Favorites, and so on, removing the data from Application Guard. If you turn on data persistence, all employee-generated artifacts are preserved across container recycle events. However, these artifacts only exist in the isolated container and aren’t shared with the host PC. This data persists after restarts and even through build-to-build upgrades of Windows 10.

If you turn on data persistence, but later decide to stop supporting it for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.

**To reset the container:**
  1. Open a command-line program and navigate to Windows/System32.
  2. Type `wdagtool.exe cleanup`.
    The container environment is reset, retaining only the employee-generated data.
  3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`.
    The container environment is reset, including discarding all employee-generated data.
+ +**Applies to:** +- Windows 10 Enterpise edition, version 1803 +- Windows 10 Professional edition, version 1803 + +**To change the download options** +1. Go to the **Administrative Templates\System\Windows Components\Windows Defender Application Guard\Allow files to download and save to the host operating system from Windows Defender Application Guard** setting. + +2. Click **Enabled**. + + ![Group Policy editor Download options](images/appguard-gp-download.png) + +3. Log out and back on to your device, opening Microsoft Edge in Application Guard again. + +4. Download a file from Windows Defender Application Guard. + +5. Check to see the file has been downloaded into This PC > Downloads > Untrusted files. + +**To change the download options** +1. Go to the **Administrative Templates\System\Windows Components\Windows Defender Application Guard\Allow hardware-accelerated rendering for Windows Defender Application Guard** setting. + +2. Click **Enabled**. + + ![Group Policy editor hardware acceleration options](images/appguard-gp-vgpu.png) + +3. Contact Microsoft for further information to fully enable this setting. + +4. Once you have fully enabled this experimental feature, open Microsoft Edge and browse to an untrusted, but safe URL with video, 3D, or other graphics-intensive content. The website opens in an isolated session. + +5. Assess the visual experience and battery performance. +