diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000000..9fb85ec49f
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,14 @@
+# Set the default behavior, in case people don't have core.autocrlf set.
+* text=auto
+
+# Explicitly declare text files you want to always be normalized and converted
+# to native line endings on checkout.
+*.c text
+*.h text
+
+# Declare files that will always have CRLF line endings on checkout.
+*.sln text eol=crlf
+
+# Denote all files that are truly binary and should not be modified.
+*.png binary
+*.jpg binary
\ No newline at end of file
diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json
index f9d982e542..224abb8ddd 100644
--- a/.openpublishing.publish.config.json
+++ b/.openpublishing.publish.config.json
@@ -34,6 +34,22 @@
 "moniker_groups": [],
 "version": 0
 },
+ {
+ "docset_name": "eula-vsts",
+ "build_source_folder": "windows/eulas",
+ "build_output_subfolder": "eula-vsts",
+ "locale": "en-us",
+ "monikers": [],
+ "moniker_ranges": [],
+ "open_to_public_contributors": false,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "docs",
+ "template_folder": "_themes"
+ },
 {
 "docset_name": "gdpr",
 "build_source_folder": "gdpr",
@@ -511,11 +527,11 @@
 ]
 },
 "need_generate_pdf_url_template": true,
- "need_generate_pdf": false,
- "need_generate_intellisense": false,
- "Targets": {
+ "targets": {
 "Pdf": {
 "template_folder": "_themes.pdf"
 }
- }
+ },
+ "need_generate_pdf": false,
+ "need_generate_intellisense": false
 }
\ No newline at end of file
diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index 6ac2e03625..ffffa7e53e 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
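Review bot: The explicit patterns in the new `.gitattributes` (`*.c`, `*.h`, `*.sln`) match none of the file types visible in this diff, which are `.md`, `.yml`, `.json` and `.png`, so they look carried over from a template and normalization here effectively rests on `* text=auto` alone. If the documentation sources are meant to have pinned line endings, declare them explicitly, for example `*.md text` and `*.yml text`, and list any other binary formats the repository holds next to `*.png binary` and `*.jpg binary`. The file also ends without a trailing newline.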
@@ -1,13 +1,13 @@
 {
 "redirections": [
 {
-"source_path": "browsers/edge/enterprise-guidance-using-microsoft-edge-and-ie11.md",
-"redirect_url": "https://docs.microsoft.com/en-us/microsoft-edge/deploy/emie-to-improve-compatibility",
+"source_path": "windows/application-management/msix-app-packaging-tool-walkthrough.md",
+"redirect_url": "https://docs.microsoft.com/windows/msix/mpt-overview",
 "redirect_document_id": true
 },
 {
-"source_path": "browsers/edge/emie-to-improve-compatibility.md",
-"redirect_url": "https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/interoperability-enterprise-guidance-gp",
+"source_path": "browsers/edge/enterprise-guidance-using-microsoft-edge-and-ie11.md",
+"redirect_url": "https://docs.microsoft.com/en-us/microsoft-edge/deploy/emie-to-improve-compatibility",
 "redirect_document_id": true
 },
 {
@@ -5421,6 +5421,26 @@
 "redirect_document_id": true
 },
 {
+"source_path": "devices/hololens/hololens-microsoft-layout-app.md",
+"redirect_url": "/hololens/hololens-microsoft-dynamics-365-layout-app",
+"redirect_document_id": true
+},
+{
+"source_path": "devices/hololens/hololens-microsoft-dynamics-365-layout-app.md",
+"redirect_url": "https://docs.microsoft.com/dynamics365/mixed-reality/layout/",
+"redirect_document_id": true
+},
+{
+"source_path": "devices/hololens/hololens-microsoft-remote-assist-app.md",
+"redirect_url": "https://docs.microsoft.com/dynamics365/mixed-reality/remote-assist/",
+"redirect_document_id": true
+},
+{
+"source_path": "devices/hololens/hololens-public-preview-apps.md",
+"redirect_url": "https://docs.microsoft.com/dynamics365/#pivot=mixed-reality-apps",
+"redirect_document_id": true
+},
+{
 "source_path": "devices/surface-hub/provisioning-packages-for-certificates-surface-hub.md",
 "redirect_url": "/surface-hub/provisioning-packages-for-surface-hub",
 "redirect_document_id": true
diff --git a/README.md b/README.md
index 01059ee91d..824a7c6d56 100644
--- a/README.md
+++ b/README.md
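Review bot: The first entry added in the `@@ -5421,6 +5421,26 @@` hunk creates a redirect chain: `devices/hololens/hololens-microsoft-layout-app.md` is sent to `/hololens/hololens-microsoft-dynamics-365-layout-app`, and the very next entry redirects that page's own source file to `https://docs.microsoft.com/dynamics365/mixed-reality/layout/`. Pointing the first entry straight at the final destination removes the extra hop and keeps it from breaking if the intermediate entry is edited later: `"redirect_url": "https://docs.microsoft.com/dynamics365/mixed-reality/layout/"`. All four new entries also set `"redirect_document_id": true` while targeting pages that appear to live outside this docset; it is worth confirming against the publishing system's rules that the document id should follow a cross-site redirect.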
@@ -1,26 +1,3 @@ ## Microsoft Open Source Code of Conduct - This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/). -For more information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments. - -# Windows IT professional documentation - -Welcome! This repository houses the docs that are written for IT professionals for the following products: - -- [Windows 10](https://technet.microsoft.com/itpro/windows) -- [Internet Explorer 11](https://technet.microsoft.com/itpro/internet-explorer) -- [Microsoft Edge](https://technet.microsoft.com/itpro/microsoft-edge) -- [Surface](https://technet.microsoft.com/itpro/surface) -- [Surface Hub](https://technet.microsoft.com/itpro/surface-hub) -- [Windows 10 for Education](https://technet.microsoft.com/edu/windows) -- [HoloLens](https://technet.microsoft.com/itpro/hololens) -- [Microsoft Desktop Optimization Pack](https://technet.microsoft.com/itpro/mdop) - -## Contributing - -We actively merge contributions into this repository via [pull request](https://help.github.com/articles/using-pull-requests/) into the *master* branch. -If you are not a Microsoft employee, before you submit a pull request you must [sign a Contribution License Agreement](https://cla.microsoft.com/) to ensure that the community is free to use your submissions. -For more information on contributing, read our [contributions guide](CONTRIBUTING.md). - - -This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/). For more information, see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments. 
+For more information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments. \ No newline at end of file diff --git a/README.md [FRENCH] b/README.md [FRENCH] new file mode 100644 index 0000000000..01059ee91d --- /dev/null +++ b/README.md [FRENCH] 
@@ -0,0 +1,26 @@ +## Microsoft Open Source Code of Conduct + +This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/). +For more information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments. + +# Windows IT professional documentation + +Welcome! This repository houses the docs that are written for IT professionals for the following products: + +- [Windows 10](https://technet.microsoft.com/itpro/windows) +- [Internet Explorer 11](https://technet.microsoft.com/itpro/internet-explorer) +- [Microsoft Edge](https://technet.microsoft.com/itpro/microsoft-edge) +- [Surface](https://technet.microsoft.com/itpro/surface) +- [Surface Hub](https://technet.microsoft.com/itpro/surface-hub) +- [Windows 10 for Education](https://technet.microsoft.com/edu/windows) +- [HoloLens](https://technet.microsoft.com/itpro/hololens) +- [Microsoft Desktop Optimization Pack](https://technet.microsoft.com/itpro/mdop) + +## Contributing + +We actively merge contributions into this repository via [pull request](https://help.github.com/articles/using-pull-requests/) into the *master* branch. +If you are not a Microsoft employee, before you submit a pull request you must [sign a Contribution License Agreement](https://cla.microsoft.com/) to ensure that the community is free to use your submissions. +For more information on contributing, read our [contributions guide](CONTRIBUTING.md). + + +This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/). For more information, see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments. 
diff --git a/browsers/edge/TOC.md b/browsers/edge/TOC.md index 304c8bd604..3314f77577 100644 --- a/browsers/edge/TOC.md +++ b/browsers/edge/TOC.md @@ -2,6 +2,8 @@ ## [System requirements and supported languages](about-microsoft-edge.md) +## [Use Enterprise Mode to improve compatibility](emie-to-improve-compatibility.md) + ## [Deploy Microsoft Edge kiosk mode](microsoft-edge-kiosk-mode-deploy.md) ## [Group policies & configuration options](group-policies/index.yml) @@ -22,7 +24,6 @@ ### [Start page](group-policies/start-pages-gp.md) ### [Sync browser](group-policies/sync-browser-settings-gp.md) ### [Telemetry and data collection](group-policies/telemetry-management-gp.md) -### [All group policies](available-policies.md) ## [Change history for Microsoft Edge](change-history-for-microsoft-edge.md) diff --git a/browsers/edge/about-microsoft-edge.md b/browsers/edge/about-microsoft-edge.md index 974364ebb1..e39d63f4e2 100644 --- a/browsers/edge/about-microsoft-edge.md +++ b/browsers/edge/about-microsoft-edge.md @@ -35,13 +35,14 @@ Some of the components might also need additional system resources. Check the co | Display | Super VGA (800 x 600) or higher-resolution monitor with 256 colors | | Graphics card | Microsoft DirectX 9 or later with Windows Display Driver Model (WDDM) 1.0 driver | | Peripherals | Internet connection and a compatible pointing device | - +---   ## Supported languages +Microsoft Edge supports all of the same languages as Windows 10 and you can use the [Microsoft Translator extension](https://www.microsoft.com/en-us/p/translator-for-microsoft-edge/9nblggh4n4n3) to translate foreign language web pages and text selections for 60+ languages. -Microsoft Edge supports all of the same languages as Windows 10, including: +If the extension does not work after install, restart Microsoft Edge. If the extension still does not work, provide feedback through the Feedback Hub. | Language | Country/Region | Code | 
diff --git a/browsers/edge/available-policies.md b/browsers/edge/available-policies.md index 93f763fc07..a4fecd5083 100644 --- a/browsers/edge/available-policies.md +++ b/browsers/edge/available-policies.md @@ -26,11 +26,11 @@ Other policy settings in Microsoft Edge include allowing Adobe Flash content to When you edit a Group Policy setting, you have the following configuration options: -• Enabled - writes the policy setting to the registry with a value that enables it. -• Disabled - writes the policy setting to the registry with a value that disables it. -• Not configured leaves the policy setting undefined. Group Policy does not write the policy setting to the registry and has no impact on computers or users. +- **Enabled** - writes the policy setting to the registry with a value that enables it. +- **Disabled** - writes the policy setting to the registry with a value that disables it. +- **Not configured** - leaves the policy setting undefined. Group Policy does not write the policy setting to the registry and has no impact on computers or users. -Some policy settings have additional options you can configure. For example, if you want to set the default search engine, set the Start page, or configure the Enterprise Mode Site List, you would type the URL. +Some policy settings have additional options you can configure. For example, if you want to set the default search engine, set the Start page, or configure the Enterprise Mode Site List, you would type the URL. ## Allow a shared books folder diff --git a/browsers/edge/change-history-for-microsoft-edge.md b/browsers/edge/change-history-for-microsoft-edge.md index e008145cec..af0f42078e 100644 --- a/browsers/edge/change-history-for-microsoft-edge.md +++ b/browsers/edge/change-history-for-microsoft-edge.md 
@@ -41,8 +41,8 @@ We have discontinued the **Configure Favorites** group policy, so use the [Provi | New | [Configure collection of browsing data for Microsoft 365 Analytics](group-policies/telemetry-management-gp.md#configure-collection-of-browsing-data-for-microsoft-365-analytics) | [!INCLUDE [configure-browser-telemetry-for-m365-analytics-shortdesc](shortdesc/configure-browser-telemetry-for-m365-analytics-shortdesc.md)] | | New | [Configure Favorites Bar](group-policies/favorites-management-gp.md#configure-favorites-bar) | [!INCLUDE [configure-favorites-bar-shortdesc](shortdesc/configure-favorites-bar-shortdesc.md)] | | New | [Configure Home Button](group-policies/home-button-gp.md#configure-home-button) | [!INCLUDE [configure-home-button-shortdesc](shortdesc/configure-home-button-shortdesc.md)] | -| New | [Configure kiosk mode](microsoft-edge-kiosk-mode-deploy.md#relevant-policies) | [!INCLUDE [configure-kiosk-mode-shortdesc](shortdesc/configure-kiosk-mode-shortdesc.md)] | -| New | [Configure kiosk reset after idle timeout](microsoft-edge-kiosk-mode-deploy.md#relevant-policies) |[!INCLUDE [configure-kiosk-reset-after-idle-timeout-shortdesc](shortdesc/configure-kiosk-reset-after-idle-timeout-shortdesc.md)] | +| New | [Configure kiosk mode](microsoft-edge-kiosk-mode-deploy.md#configure-kiosk-mode) | [!INCLUDE [configure-kiosk-mode-shortdesc](shortdesc/configure-kiosk-mode-shortdesc.md)] | +| New | [Configure kiosk reset idle timeout](microsoft-edge-kiosk-mode-deploy.md#configure-kiosk-reset-idle-timeout) |[!INCLUDE [configure-kiosk-reset-after-idle-timeout-shortdesc](shortdesc/configure-kiosk-reset-after-idle-timeout-shortdesc.md)] | | New | [Configure Open Microsoft Edge With](group-policies/start-pages-gp.md#configure-open-microsoft-edge-with) | [!INCLUDE [configure-open-microsoft-edge-with-shortdesc](shortdesc/configure-open-microsoft-edge-with-shortdesc.md)] | | New | [Prevent certificate error 
overrides](group-policies/security-privacy-management-gp.md#prevent-certificate-error-overrides) | [!INCLUDE [prevent-certificate-error-overrides-shortdesc](shortdesc/prevent-certificate-error-overrides-shortdesc.md)] | | New | [Prevent users from turning on browser syncing](group-policies/sync-browser-settings-gp.md#prevent-users-from-turning-on-browser-syncing) | [!INCLUDE [prevent-users-to-turn-on-browser-syncing-shortdesc](shortdesc/prevent-users-to-turn-on-browser-syncing-shortdesc.md)] | diff --git a/browsers/edge/emie-to-improve-compatibility.md b/browsers/edge/emie-to-improve-compatibility.md new file mode 100644 index 0000000000..c91c3e87b0 --- /dev/null +++ b/browsers/edge/emie-to-improve-compatibility.md 
@@ -0,0 +1,59 @@ +--- +description: If you're having problems with Microsoft Edge, this topic tells how to use the Enterprise Mode site list to automatically open sites using IE11. +ms.assetid: 89c75f7e-35ca-4ca8-96fa-b3b498b53bE4 +author: shortpatti +ms.author: pashort +ms.manager: dougkim +ms.prod: browser-edge +ms.mktglfcycl: support +ms.sitesec: library +ms.pagetype: appcompat +title: Use Enterprise Mode to improve compatibility (Microsoft Edge for IT Pros) +ms.localizationpriority: high +ms.date: 10/24/2018 +--- + +# Use Enterprise Mode to improve compatibility + +> Applies to: Windows 10 + +If you have specific websites and apps that have compatibility problems with Microsoft Edge, you can use the Enterprise Mode site list so that the websites open in Internet Explorer 11 automatically. Additionally, if you know that your intranet sites aren't going to work correctly with Microsoft Edge, you can set all intranet sites to automatically open using IE11 with the **Send all intranet sites to IE** group policy. + +Using Enterprise Mode means that you can continue to use Microsoft Edge as your default browser, while also ensuring that your apps continue working on IE11. + + +[!INCLUDE [interoperability-goals-enterprise-guidance](../includes/interoperability-goals-enterprise-guidance.md)] + +## Enterprise guidance +Microsoft Edge is the default browser experience for Windows 10 and Windows 10 Mobile. However, if you're running web apps that rely on ActiveX controls, continue using Internet Explorer 11 for the web apps to work correctly. If you don't have IE11 installed anymore, you can download it from the Microsoft Store or the [Internet Explorer 11 download page](https://go.microsoft.com/fwlink/p/?linkid=290956). Also, if you use an earlier version of Internet Explorer, upgrade to IE11. + +Windows 7, Windows 8, and Windows 10 support IE11 so that you can continue using legacy apps even as you migrate to Windows 10 and Microsoft Edge. 
+ +If you're having trouble deciding whether Microsoft Edge is right for your organization, then take a look at the infographic about the potential impact of using Microsoft Edge in an organization. + +![Microsoft Edge infographic](images/microsoft-edge-infographic-sm.png)
+[Click to enlarge](img-microsoft-edge-infographic-lg.md)
+[Click to download image](https://www.microsoft.com/download/details.aspx?id=53892) + + +|Microsoft Edge |IE11 | +|---------|---------| +|Microsoft Edge takes you beyond just browsing to actively engaging with the web through features like Web Note, Reading View, and Cortana. |IE11 offers enterprises additional security, manageability, performance, backward compatibility, and modern standards support. | + + +## Configure the Enterprise Mode Site List +[Available policy options](includes/configure-enterprise-mode-site-list-include.md) + + +## Related topics +- [Blog: How Microsoft Edge and Internet Explorer 11 on Windows 10 work better together in the Enterprise](https://go.microsoft.com/fwlink/p/?LinkID=624035) +- [Enterprise Mode for Internet Explorer 11 (IE11)](https://go.microsoft.com/fwlink/p/?linkid=618377) +- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) +- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) +- [Use the Enterprise Mode Site List Manager](https://docs.microsoft.com/en-us/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager) +- [Web Application Compatibility Lab Kit for Internet Explorer 11](https://technet.microsoft.com/browser/mt612809.aspx) +- [Download Internet Explorer 11](https://go.microsoft.com/fwlink/p/?linkid=290956) +- [Microsoft Edge - Deployment Guide for IT Pros](https://technet.microsoft.com/itpro/microsoft-edge/index) +- [Internet Explorer 11 (IE11) - Deployment Guide for IT Pros](https://go.microsoft.com/fwlink/p/?LinkId=760644) +- [Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide](https://go.microsoft.com/fwlink/p/?LinkId=760646) +- [Internet Explorer 11 - FAQ for IT Pros](https://technet.microsoft.com/itpro/internet-explorer/ie11-faq/faq-for-it-pros-ie11) 
diff --git a/browsers/edge/group-policies/index.yml b/browsers/edge/group-policies/index.yml index 8be9af2e9d..4d51332890 100644 --- a/browsers/edge/group-policies/index.yml +++ b/browsers/edge/group-policies/index.yml @@ -202,7 +202,7 @@ sections: - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/sync-browser-settings-gp - html:

Learn how to you can prevent the "browser" group from syncing and prevent users from turning on the the Sync your Settings toggle.

+ html:

Learn how to you can prevent the "browser" group from syncing and prevent users from turning on the Sync your Settings toggle.

image: @@ -228,4 +228,4 @@ sections: src: https://docs.microsoft.com/media/common/i_policy.svg - title: All group policies \ No newline at end of file + title: All group policies diff --git a/browsers/edge/group-policies/interoperability-enterprise-guidance-gp.md b/browsers/edge/group-policies/interoperability-enterprise-guidance-gp.md index 65e68d1a5e..d053b89a43 100644 --- a/browsers/edge/group-policies/interoperability-enterprise-guidance-gp.md +++ b/browsers/edge/group-policies/interoperability-enterprise-guidance-gp.md @@ -23,7 +23,7 @@ Microsoft Edge is the default browser experience for Windows 10 and Windows 10 M - ActiveX controls -- Browser Heler Objects +- Browser Helper Objects - VBScript diff --git a/browsers/edge/group-policies/start-pages-gp.md b/browsers/edge/group-policies/start-pages-gp.md index 4a048616d8..8aded2af76 100644 --- a/browsers/edge/group-policies/start-pages-gp.md +++ b/browsers/edge/group-policies/start-pages-gp.md @@ -27,7 +27,7 @@ You can find the Microsoft Edge Group Policy settings in the following location ## Configuration options -![Load URLs defined in Configure Start Pages](../images/load-urls-defined-in-configure-open-edge-with-main-sm.png) +![Load URLs defined in Configure Start pages](../images/load-urls-defined-in-configure-open-edge-with-sm.png) ## Configure Open Microsoft Edge With diff --git a/browsers/edge/images/allow-shared-books-folder.png b/browsers/edge/images/allow-shared-books-folder.png new file mode 100644 index 0000000000..84465f886e Binary files /dev/null and b/browsers/edge/images/allow-shared-books-folder.png differ diff --git a/browsers/edge/images/allow-shared-books-folder_sm.png b/browsers/edge/images/allow-shared-books-folder_sm.png index fc49829b14..0eb5feb868 100644 Binary files a/browsers/edge/images/allow-shared-books-folder_sm.png and b/browsers/edge/images/allow-shared-books-folder_sm.png differ 
diff --git a/browsers/edge/images/home-buttom-custom-url-v4-sm.png b/browsers/edge/images/home-buttom-custom-url-v4-sm.png
index 397b46c75b..dcacfdd7cf 100644
Binary files a/browsers/edge/images/home-buttom-custom-url-v4-sm.png and b/browsers/edge/images/home-buttom-custom-url-v4-sm.png differ
diff --git a/browsers/edge/images/home-buttom-custom-url-v4.png b/browsers/edge/images/home-buttom-custom-url-v4.png
index db47a93117..edc22f0ce2 100644
Binary files a/browsers/edge/images/home-buttom-custom-url-v4.png and b/browsers/edge/images/home-buttom-custom-url-v4.png differ
diff --git a/browsers/edge/images/home-button-hide-sm.png b/browsers/edge/images/home-button-hide-sm.png
deleted file mode 100644
index beab1c22ef..0000000000
Binary files a/browsers/edge/images/home-button-hide-sm.png and /dev/null differ
diff --git a/browsers/edge/images/home-button-hide-v4-sm.png b/browsers/edge/images/home-button-hide-v4-sm.png
index fe21f0523c..adf5961b64 100644
Binary files a/browsers/edge/images/home-button-hide-v4-sm.png and b/browsers/edge/images/home-button-hide-v4-sm.png differ
diff --git a/browsers/edge/images/home-button-hide-v4.png b/browsers/edge/images/home-button-hide-v4.png
deleted file mode 100644
index 761143f0c8..0000000000
Binary files a/browsers/edge/images/home-button-hide-v4.png and /dev/null differ
diff --git a/browsers/edge/images/home-button-hide.png b/browsers/edge/images/home-button-hide.png
deleted file mode 100644
index 761143f0c8..0000000000
Binary files a/browsers/edge/images/home-button-hide.png and /dev/null differ
diff --git a/browsers/edge/images/home-button-start-new-tab-page-v4-sm.png b/browsers/edge/images/home-button-start-new-tab-page-v4-sm.png
index 7b04f17b28..5f4d97445d 100644
Binary files a/browsers/edge/images/home-button-start-new-tab-page-v4-sm.png and b/browsers/edge/images/home-button-start-new-tab-page-v4-sm.png differ
diff --git a/browsers/edge/images/home-button-start-new-tab-page-v4.png b/browsers/edge/images/home-button-start-new-tab-page-v4.png
deleted file mode 100644
index 599ebeb8df..0000000000
Binary files a/browsers/edge/images/home-button-start-new-tab-page-v4.png and /dev/null differ
diff --git a/browsers/edge/images/icon-thin-line-computer.png b/browsers/edge/images/icon-thin-line-computer.png
index e941caf0c1..d7fc810e2f 100644
Binary files a/browsers/edge/images/icon-thin-line-computer.png and b/browsers/edge/images/icon-thin-line-computer.png differ
diff --git a/browsers/edge/images/kiosk-mode-types.png b/browsers/edge/images/kiosk-mode-types.png
deleted file mode 100644
index 1ae43b31ac..0000000000
Binary files a/browsers/edge/images/kiosk-mode-types.png and /dev/null differ
diff --git a/browsers/edge/images/load-any-start-page-let-users-make-changes.png b/browsers/edge/images/load-any-start-page-let-users-make-changes.png
deleted file mode 100644
index fd4caf021e..0000000000
Binary files a/browsers/edge/images/load-any-start-page-let-users-make-changes.png and /dev/null differ
diff --git a/browsers/edge/images/load-blank-page-not-new-tab-page-sm.png b/browsers/edge/images/load-blank-page-not-new-tab-page-sm.png
index bddfed4cf8..5cd776f936 100644
Binary files a/browsers/edge/images/load-blank-page-not-new-tab-page-sm.png and b/browsers/edge/images/load-blank-page-not-new-tab-page-sm.png differ
diff --git a/browsers/edge/images/load-default-new-tab-page-sm.png b/browsers/edge/images/load-default-new-tab-page-sm.png
index 66a5cc830f..3fd9b6b714 100644
Binary files a/browsers/edge/images/load-default-new-tab-page-sm.png and b/browsers/edge/images/load-default-new-tab-page-sm.png differ
diff --git a/browsers/edge/images/load-urls-defined-in-configure-open-edge-with-main-sm.png b/browsers/edge/images/load-urls-defined-in-configure-open-edge-with-main-sm.png
deleted file mode 100644
index eb3987003d..0000000000
Binary files a/browsers/edge/images/load-urls-defined-in-configure-open-edge-with-main-sm.png and /dev/null differ
diff --git a/browsers/edge/images/load-urls-defined-in-configure-open-edge-with-main.png b/browsers/edge/images/load-urls-defined-in-configure-open-edge-with-main.png
deleted file mode 100644
index bf4dc617aa..0000000000
Binary files a/browsers/edge/images/load-urls-defined-in-configure-open-edge-with-main.png and /dev/null differ
diff --git a/browsers/edge/images/load-urls-defined-in-configure-open-edge-with-sm.png b/browsers/edge/images/load-urls-defined-in-configure-open-edge-with-sm.png
index eacac1b216..f82383cb1d 100644
Binary files a/browsers/edge/images/load-urls-defined-in-configure-open-edge-with-sm.png and b/browsers/edge/images/load-urls-defined-in-configure-open-edge-with-sm.png differ
diff --git a/browsers/edge/images/load-urls-defined-in-configure-open-edge-with.png b/browsers/edge/images/load-urls-defined-in-configure-open-edge-with.png
deleted file mode 100644
index eacac1b216..0000000000
Binary files a/browsers/edge/images/load-urls-defined-in-configure-open-edge-with.png and /dev/null differ
diff --git a/browsers/edge/images/microsoft-edge-kiosk-mode.png b/browsers/edge/images/microsoft-edge-kiosk-mode.png
index ea96e6f845..c012affb90 100644
Binary files a/browsers/edge/images/microsoft-edge-kiosk-mode.png and b/browsers/edge/images/microsoft-edge-kiosk-mode.png differ
diff --git a/browsers/edge/images/prelaunch-edge-and-preload-tabs-sm.png b/browsers/edge/images/prelaunch-edge-and-preload-tabs-sm.png
index 823309be3e..2e0c2caaa5 100644
Binary files a/browsers/edge/images/prelaunch-edge-and-preload-tabs-sm.png and b/browsers/edge/images/prelaunch-edge-and-preload-tabs-sm.png differ
diff --git a/browsers/edge/images/prelaunch-edge-and-preload-tabs.png b/browsers/edge/images/prelaunch-edge-and-preload-tabs.png
deleted file mode 100644
index a287ebb8fd..0000000000
Binary files a/browsers/edge/images/prelaunch-edge-and-preload-tabs.png and /dev/null differ
diff --git a/browsers/edge/images/prelaunch-edge-only-sm.png b/browsers/edge/images/prelaunch-edge-only-sm.png
index 365bddf96a..e5ae065226 100644
Binary files a/browsers/edge/images/prelaunch-edge-only-sm.png and b/browsers/edge/images/prelaunch-edge-only-sm.png differ
diff --git a/browsers/edge/images/prelaunch-edge-only.png b/browsers/edge/images/prelaunch-edge-only.png
deleted file mode 100644
index 975a745f3f..0000000000
Binary files a/browsers/edge/images/prelaunch-edge-only.png and /dev/null differ
diff --git a/browsers/edge/images/preload-tabs-only-sm.png b/browsers/edge/images/preload-tabs-only-sm.png
index 32089d3fce..1ea5a5af23 100644
Binary files a/browsers/edge/images/preload-tabs-only-sm.png and b/browsers/edge/images/preload-tabs-only-sm.png differ
diff --git a/browsers/edge/images/preload-tabs-only.png b/browsers/edge/images/preload-tabs-only.png
deleted file mode 100644
index 01181d6b82..0000000000
Binary files a/browsers/edge/images/preload-tabs-only.png and /dev/null differ
diff --git a/browsers/edge/images/prevent-syncing-browser-settings-sm.png b/browsers/edge/images/prevent-syncing-browser-settings-sm.png
index 7bcdfcdc8c..fb88466201 100644
Binary files a/browsers/edge/images/prevent-syncing-browser-settings-sm.png and b/browsers/edge/images/prevent-syncing-browser-settings-sm.png differ
diff --git a/browsers/edge/images/prevent-syncing-browser-settings.png b/browsers/edge/images/prevent-syncing-browser-settings.png
deleted file mode 100644
index 6f98dc6c22..0000000000
Binary files a/browsers/edge/images/prevent-syncing-browser-settings.png and /dev/null differ
diff --git a/browsers/edge/images/set-default-search-engine-v4-sm.png b/browsers/edge/images/set-default-search-engine-v4-sm.png
index 44a5ae094a..cf43642b65 100644
Binary files a/browsers/edge/images/set-default-search-engine-v4-sm.png and b/browsers/edge/images/set-default-search-engine-v4-sm.png differ
diff --git a/browsers/edge/images/set-default-search-engine-v4.png b/browsers/edge/images/set-default-search-engine-v4.png
deleted file mode 100644
index 59528a3282..0000000000
Binary files a/browsers/edge/images/set-default-search-engine-v4.png and /dev/null differ
diff --git a/browsers/edge/images/sync-browser-settings-automatically-sm.png b/browsers/edge/images/sync-browser-settings-automatically-sm.png
index 25b68500d5..ff9695d64c 100644
Binary files a/browsers/edge/images/sync-browser-settings-automatically-sm.png and b/browsers/edge/images/sync-browser-settings-automatically-sm.png differ
diff --git a/browsers/edge/images/sync-browser-settings-automatically.png b/browsers/edge/images/sync-browser-settings-automatically.png
deleted file mode 100644
index 3f81196ebc..0000000000
Binary files a/browsers/edge/images/sync-browser-settings-automatically.png and /dev/null differ
diff --git a/browsers/edge/images/use-enterprise-mode-with-microsoft-edge-sm.png b/browsers/edge/images/use-enterprise-mode-with-microsoft-edge-sm.png
index 99c2e9bf12..bc64f2dade 100644
Binary files a/browsers/edge/images/use-enterprise-mode-with-microsoft-edge-sm.png and b/browsers/edge/images/use-enterprise-mode-with-microsoft-edge-sm.png differ
diff --git a/browsers/edge/images/use-enterprise-mode-with-microsoft-edge.png b/browsers/edge/images/use-enterprise-mode-with-microsoft-edge.png
deleted file mode 100644
index 8a9b11ff19..0000000000
Binary files a/browsers/edge/images/use-enterprise-mode-with-microsoft-edge.png and /dev/null differ
diff --git a/browsers/edge/images/users-choose-new-tab-page-sm.png b/browsers/edge/images/users-choose-new-tab-page-sm.png index 9373069370..21e7c7ea7f 100644 Binary files a/browsers/edge/images/users-choose-new-tab-page-sm.png and b/browsers/edge/images/users-choose-new-tab-page-sm.png differ diff --git a/browsers/edge/img-microsoft-edge-infographic-lg.md b/browsers/edge/img-microsoft-edge-infographic-lg.md index cb3a42f1b9..e9d8b67cc2 100644 --- a/browsers/edge/img-microsoft-edge-infographic-lg.md +++ b/browsers/edge/img-microsoft-edge-infographic-lg.md @@ -2,8 +2,6 @@ description: A full-sized view of the Microsoft Edge infographic. title: Full-sized view of the Microsoft Edge infographic ms.date: 11/10/2016 -ms.author: pashort -author: shortpatti --- Return to: [Browser: Microsoft Edge and Internet Explorer 11](enterprise-guidance-using-microsoft-edge-and-ie11.md)
diff --git a/browsers/edge/includes/configure-edge-kiosk-reset-idle-timeout-include.md b/browsers/edge/includes/configure-edge-kiosk-reset-idle-timeout-include.md index e628013a54..3b773befed 100644 --- a/browsers/edge/includes/configure-edge-kiosk-reset-idle-timeout-include.md +++ b/browsers/edge/includes/configure-edge-kiosk-reset-idle-timeout-include.md @@ -49,6 +49,6 @@ You must set the Configure kiosk mode policy to enabled (1 - InPrivate public br ### Related topics -[Deploy Microsoft Edge kiosk mode](../microsoft-edge-kiosk-mode-deploy.md): Microsoft Edge kiosk mode works with assigned access to allow IT administrators, to create a tailored browsing experience designed for kiosk devices. In this deployment guidance, you learn about the different Microsoft Edge kiosk mode types to help you determine what configuration is best suited for your kiosk device. You also learn about the other group policies to help you enhance the how to setup your Microsoft Edge kiosk mode experience. +[Deploy Microsoft Edge kiosk mode](../microsoft-edge-kiosk-mode-deploy.md): Microsoft Edge kiosk mode works with assigned access to allow IT administrators, to create a tailored browsing experience designed for kiosk devices. In this deployment guidance, you learn about the different Microsoft Edge kiosk mode types to help you determine what configuration is best suited for your kiosk device. You also learn about the other group policies to help you enhance the how to set up your Microsoft Edge kiosk mode experience.
\ No newline at end of file diff --git a/browsers/edge/includes/configure-enterprise-mode-site-list-include.md b/browsers/edge/includes/configure-enterprise-mode-site-list-include.md index 10b23c7c4b..7075fc1fd6 100644 --- a/browsers/edge/includes/configure-enterprise-mode-site-list-include.md +++ b/browsers/edge/includes/configure-enterprise-mode-site-list-include.md @@ -12,7 +12,7 @@ |Group Policy |MDM |Registry |Description | |---|:---:|:---:|---| |Disabled or not configured
**(default)** |0 |0 |Turned off. Microsoft Edge does not check the Enterprise Mode Site List, and in this case, users might experience problems while using legacy apps. | -|Enabled |1 |1 |Turned on. Microsoft Edge checks the Enterprise Mode Site List if configured. If an XML file exists in the cache container, IE11 waits 65 seconds and then checks the local cache for a new version from the server. If the server has a different version, Microsoft Edge uses the server file and stores it in the cache container. If you already use a site list, Enterprise Mode continues to work during the 65 second, but uses the existing file. To add the location to your site list, enter it in the **{URI}** box.

For details on how to configure the Enterprise Mode Site List, see [Interoperability and enterprise guidance](../group-policies/interoperability-enterprise-guidance-gp.md). | +|Enabled |1 |1 |Turned on. Microsoft Edge checks the Enterprise Mode Site List if configured. If an XML file exists in the cache container, IE11 waits 65 seconds and then checks the local cache for a new version from the server. If the server has a different version, Microsoft Edge uses the server file and stores it in the cache container. If you already use a site list, Enterprise Mode continues to work during the 65 seconds, but uses the existing file. To add the location to your site list, enter it in the **{URI}** box.

For details on how to configure the Enterprise Mode Site List, see [Interoperability and enterprise guidance](../group-policies/interoperability-enterprise-guidance-gp.md). | --- ### ADMX info and settings 
@@ -42,15 +42,15 @@ ### Related topics -- [Use Enterprise Mode to improve compatibility](https://docs.microsoft.com/en-us/microsoft-edge/deploy/emie-to-improve-compatibility). If you have specific web sites and apps that you know have compatibility problems with Microsoft Edge, you can use the Enterprise Mode site list so that the web sites will automatically open using Internet Explorer 11. Additionally, if you know that your intranet sites aren't going to work properly with Microsoft Edge, you can set all intranet sites to automatically open using IE11. Using Enterprise Mode means that you can continue to use Microsoft Edge as your default browser, while also ensuring that your apps continue working on IE11. +- [Use Enterprise Mode to improve compatibility](https://docs.microsoft.com/en-us/microsoft-edge/deploy/emie-to-improve-compatibility). If you have specific websites and apps that you know have compatibility problems with Microsoft Edge, you can use the Enterprise Mode site list so that the websites automatically open using Internet Explorer 11. Additionally, if you know that your intranet sites aren't going to work correctly with Microsoft Edge, you can set all intranet sites to open using IE11 automatically. Using Enterprise Mode means that you can continue to use Microsoft Edge as your default browser, while also ensuring that your apps continue working on IE11. - [Use the Enterprise Mode Site List Manager](https://docs.microsoft.com/en-us/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager). You can use IE11 and the Enterprise Mode Site List Manager to add individual website domains and domain paths and to specify whether the site renders using Enterprise Mode or the default mode. - [Enterprise Mode for Internet Explorer 11](https://docs.microsoft.com/en-us/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie11). Learn how to set up and use Enterprise Mode and the Enterprise Mode Site List Manager in your company. 
-- [Enterprise Mode and the Enterprise Mode Site List](https://docs.microsoft.com/en-us/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode). Internet Explorer and Microsoft Edge can work together to support your legacy web apps, while still defaulting to the higher bar for security and modern experiences enabled by Microsoft Edge. Working with multiple browsers can be difficult, particularly if you have a substantial number of internal sites. To help manage this dual-browser experience, we are introducing a new web tool specifically targeted towards larger organizations: the [Enterprise Mode Site List Portal](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal). +- [Enterprise Mode and the Enterprise Mode Site List](https://docs.microsoft.com/en-us/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode). Internet Explorer and Microsoft Edge can work together to support your legacy web apps, while still defaulting to the higher bar for security and modern experiences enabled by Microsoft Edge. Working with multiple browsers can be difficult, particularly if you have a substantial number of internal sites. To help manage this dual-browser experience, we are introducing a new web tool targeted explicitly towards larger organizations: the [Enterprise Mode Site List Portal](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal). -- [Enterprise Mode and the Enterprise Mode Site List XML file](https://docs.microsoft.com/en-us/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode#enterprise-mode-and-the-enterprise-mode-site-list-xml-file). The Enterprise Mode Site List is an XML document that specifies a list of sites, their compat mode, and their intended browser. Using Enterprise Mode Site List Manager (schema v.2), you can automatically start a webpage using a specific browser. In the case of IE11, the webpage can also be launched in a specific compat mode, so it always renders correctly. 
Your users can easily view this site list by typing about:compat in either Microsoft Edge or IE11. +- [Enterprise Mode and the Enterprise Mode Site List XML file](https://docs.microsoft.com/en-us/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode#enterprise-mode-and-the-enterprise-mode-site-list-xml-file). The Enterprise Mode Site List is an XML document that specifies a list of sites, their compat mode, and their intended browser. When you use the Enterprise Mode Site List Manager schema v.2, you can automatically start a webpage using a specific browser. In the case of IE11, the webpage can also launch in a specific compat mode, so it always renders correctly. Your users can quickly view this site list by typing about:compat in either Microsoft Edge or IE11. diff --git a/browsers/edge/includes/configure-microsoft-edge-kiosk-mode-include.md b/browsers/edge/includes/configure-microsoft-edge-kiosk-mode-include.md index 6c5f7a83e8..95b6dd63de 100644 --- a/browsers/edge/includes/configure-microsoft-edge-kiosk-mode-include.md +++ b/browsers/edge/includes/configure-microsoft-edge-kiosk-mode-include.md 
@@ -49,6 +49,6 @@ For this policy to work, you must configure Microsoft Edge in assigned access; o ### Related topics -[Deploy Microsoft Edge kiosk mode](../microsoft-edge-kiosk-mode-deploy.md): Microsoft Edge kiosk mode works with assigned access to allow IT administrators, to create a tailored browsing experience designed for kiosk devices. In this deployment guidance, you learn about the different Microsoft Edge kiosk mode types to help you determine what configuration is best suited for your kiosk device. You also learn about the other group policies to help you enhance the how to setup your Microsoft Edge kiosk mode experience. +[Deploy Microsoft Edge kiosk mode](../microsoft-edge-kiosk-mode-deploy.md): Microsoft Edge kiosk mode works with assigned access to allow IT administrators, to create a tailored browsing experience designed for kiosk devices. In this deployment guidance, you learn about the different Microsoft Edge kiosk mode types to help you determine what configuration is best suited for your kiosk device. You also learn about the other group policies to help you enhance the how to set up your Microsoft Edge kiosk mode experience.


\ No newline at end of file diff --git a/browsers/edge/includes/do-not-sync-include.md b/browsers/edge/includes/do-not-sync-include.md index e572ce631a..d75d411cd8 100644 --- a/browsers/edge/includes/do-not-sync-include.md +++ b/browsers/edge/includes/do-not-sync-include.md @@ -39,7 +39,7 @@ ms:topic: include - **Value type:** REG_DWORD ### Related topics -[About sync setting on Microsoft Edge on Windows 10 devices](https://windows.microsoft.com/windows-10/about-sync-settings-on-windows-10-devices): Learn about what settings are sync'ed. +[About sync setting on Microsoft Edge on Windows 10 devices](https://windows.microsoft.com/windows-10/about-sync-settings-on-windows-10-devices): Learn about what settings are synced.
\ No newline at end of file
diff --git a/browsers/edge/includes/prevent-turning-off-required-extensions-include.md b/browsers/edge/includes/prevent-turning-off-required-extensions-include.md
index 12aad63505..15cfcc3cf0 100644
--- a/browsers/edge/includes/prevent-turning-off-required-extensions-include.md
+++ b/browsers/edge/includes/prevent-turning-off-required-extensions-include.md
@@ -49,8 +49,8 @@ ms:topic: include - [Find a package family name (PFN) for per-app VPN](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/find-a-pfn-for-per-app-vpn): There are two ways to find a PFN so that you can configure a per-app VPN. - [How to manage apps you purchased from the Microsoft Store for Business with Microsoft Intune](https://docs.microsoft.com/en-us/intune/windows-store-for-business): The Microsoft Store for Business gives you a place to find and purchase apps for your organization, individually, or in volume. By connecting the store to Microsoft Intune, you can manage volume-purchased apps from the Azure portal. -- [How to assign apps to groups with Microsoft Intune](https://docs.microsoft.com/en-us/intune/apps-deploy): Apps can be assigned to devices whether or not they are managed by Intune. +- [How to assign apps to groups with Microsoft Intune](https://docs.microsoft.com/en-us/intune/apps-deploy): Apps can be assigned to devices whether or not Intune manages them. - [Manage apps from the Microsoft Store for Business with System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business): Configuration Manager supports managing Microsoft Store for Business apps on both Windows 10 devices with the Configuration Manager client, and also Windows 10 devices enrolled with Microsoft Intune. -- [How to add Windows line-of-business (LOB) apps to Microsoft Intune](https://docs.microsoft.com/en-us/intune/lob-apps-windows): A line-of-business (LOB) app is one that you add from an app installation file. These types of apps are typically written in-house. +- [How to add Windows line-of-business (LOB) apps to Microsoft Intune](https://docs.microsoft.com/en-us/intune/lob-apps-windows): A line-of-business (LOB) app is one that you add from an app installation file. Typically, these types of apps are written in-house.
\ No newline at end of file diff --git a/browsers/edge/includes/provision-favorites-include.md b/browsers/edge/includes/provision-favorites-include.md index cc5617a248..9c2f2e9fb7 100644 --- a/browsers/edge/includes/provision-favorites-include.md +++ b/browsers/edge/includes/provision-favorites-include.md @@ -21,7 +21,7 @@ ms:topic: include |Group Policy |Description |Most restricted | |---|---|:---:| |Disabled or not configured
**(default)** |Users can customize the favorites list, such as adding folders, or adding and removing favorites. | | -|Enabled |Define a default list of favorites in Microsoft Edge. In this case, the Save a Favorite, Import settings, and context menu options (such as Create a new folder) are turned off.

To define a default list of favorites, do the following:

  1. In the upper-right corner of Microsoft Edge, click the ellipses (**...**) and select **Settings**.
  2. Click **Import from another browser**, click **Export to file**, and save the file.
  3. In the **Options** section of the Group Policy Editor, provide the location that points the file with the list of favorites to provision. Specify the URL as:
|![Most restricted value](../images/check-gn.png) | +|Enabled |Define a default list of favorites in Microsoft Edge. In this case, the Save a Favorite, Import settings, and context menu options (such as Create a new folder) are turned off.

To define a default list of favorites, do the following:

  1. In the upper-right corner of Microsoft Edge, click the ellipses (**...**) and select **Settings**.
  2. Click **Import from another browser**, click **Export to file** and save the file.
  3. In the **Options** section of the Group Policy Editor, provide the location that points the file with the list of favorites to provision. Specify the URL as:
|![Most restricted value](../images/check-gn.png) | --- ### ADMX info and settings diff --git a/browsers/edge/includes/send-all-intranet-sites-ie-include.md b/browsers/edge/includes/send-all-intranet-sites-ie-include.md index fa61ceaac2..d523059275 100644 --- a/browsers/edge/includes/send-all-intranet-sites-ie-include.md +++ b/browsers/edge/includes/send-all-intranet-sites-ie-include.md @@ -21,7 +21,7 @@ ms:topic: include |Group Policy |MDM |Registry |Description |Most restricted | |---|:---:|:---:|---|:---:| |Disabled or not configured
**(default)** |0 |0 |All sites, including intranet sites, open in Microsoft Edge automatically. |![Most restricted value](../images/check-gn.png) | -|Enabled |1 |1 |Only intranet sites open in Internet Explorer 11 automatically.

Enabling this policy automatically opens all intranet sites in IE11, even if the users have Microsoft Edge as their default browser.

  1. In Group Policy Editor, navigate to:

    **Computer Configuration\\Administrative Templates\\Windows Components\\File Explorer\\Set a default associations configuration file**

  2. Click **Enable** and then refresh the policy to view the affected sites in Microsoft Edge.

    A message opens stating that the page needs to open in IE. At the same time, the page opens in IE11 automatically; in a new frame if it is not yet running, or in a new tab.

| | +|Enabled |1 |1 |Only intranet sites open in Internet Explorer 11 automatically.

Enabling this policy opens all intranet sites in IE11 automatically, even if the users have Microsoft Edge as their default browser.

  1. In Group Policy Editor, navigate to:

    **Computer Configuration\\Administrative Templates\\Windows Components\\File Explorer\\Set a default associations configuration file**

  2. Click **Enable** and then refresh the policy to view the affected sites in Microsoft Edge.

    A message opens stating that the page needs to open in IE. At the same time, the page opens in IE11 automatically; in a new frame if it is not yet running, or in a new tab.

| | --- @@ -50,7 +50,7 @@ ms:topic: include ### Related topics -- [Blog: How Microsoft Edge and Internet Explorer 11 on Windows 10 work better together in the Enterprise](https://go.microsoft.com/fwlink/p/?LinkID=624035). Many customers depend on legacy features only available in older versions of Internet Explorer and are familiar with our Enterprise Mode tools for IE11. The Enterprise Mode has been extended to support to Microsoft Edge by opening any site specified on the Enterprise Mode Site List in IE11. IT Pros can use their existing IE11 Enterprise Mode Site List or they can create a new one specifically for Microsoft Edge. By keeping Microsoft Edge as the default browser in Windows 10 and only opening legacy line of business sites in IE11 when necessary, you can help keep newer development projects on track, using the latest web standards on Microsoft Edge. +- [Blog: How Microsoft Edge and Internet Explorer 11 on Windows 10 work better together in the Enterprise](https://go.microsoft.com/fwlink/p/?LinkID=624035). Many customers depend on legacy features only available in older versions of Internet Explorer and are familiar with our Enterprise Mode tools for IE11. The Enterprise Mode has been extended to support to Microsoft Edge by opening any site specified on the Enterprise Mode Site List in IE11. IT Pros can use their existing IE11 Enterprise Mode Site List, or they can create a new one specifically for Microsoft Edge. By keeping Microsoft Edge as the default browser in Windows 10 and only opening legacy line of business sites in IE11 when necessary, you can help keep newer development projects on track, using the latest web standards on Microsoft Edge. - [Enterprise Mode for Internet Explorer 11 (IE11)](https://go.microsoft.com/fwlink/p/?linkid=618377). Learn how to set up and use Enterprise Mode and the Enterprise Mode Site List Manager in your company. 
diff --git a/browsers/edge/includes/set-default-search-engine-include.md b/browsers/edge/includes/set-default-search-engine-include.md index 68c6521ad8..004e98b45c 100644 --- a/browsers/edge/includes/set-default-search-engine-include.md +++ b/browsers/edge/includes/set-default-search-engine-include.md @@ -18,7 +18,7 @@ ms:topic: include |---|:---:|:---:|---|:---:| |Not configured
**(default)** |Blank |Blank |Use the search engine specified in App settings. If you don't configure this policy and disable the [Allow search engine customization](../group-policies/search-engine-customization-gp.md#allow-search-engine-customization) policy, users cannot make changes. | | |Disabled |0 |0 |Remove or don't use the policy-set search engine and use the search engine for the market, letting users make changes. | | -|Enabled |1 |1 |Use the policy-set search engine specified in the OpenSearch XML file, preventing users from making changes.

Specify a link to the OpenSearch XML file that contains, at a minimum, the short name and the URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](https://docs.microsoft.com/en-us/microsoft-edge/dev-guide/browser/search-provider-discovery). Use this format to specify the link you want to add.

If you want users to use the default Microsoft Edge settings for each market set the string to **EDGEDEFAULT**.

If you would like users to use Microsoft Bing as the default search engine set the string to **EDGEBING**. |![Most restricted value](../images/check-gn.png) | +|Enabled |1 |1 |Use the policy-set search engine specified in the OpenSearch XML file, preventing users from making changes.

Specify a link to the OpenSearch XML file that contains, at a minimum, the short name and the URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](https://docs.microsoft.com/en-us/microsoft-edge/dev-guide/browser/search-provider-discovery). Use this format to specify the link you want to add.

If you want your users to use the default Microsoft Edge settings for each market, then set the string to **EDGEDEFAULT**.

If you would like your users to use Microsoft Bing as the default search engine, then set the string to **EDGEBING**. |![Most restricted value](../images/check-gn.png) | --- @@ -52,6 +52,6 @@ ms:topic: include - [!INCLUDE [microsoft-browser-extension-policy-shortdesc](../shortdesc/microsoft-browser-extension-policy-shortdesc.md)] -- [Search provider discovery](https://docs.microsoft.com/en-us/microsoft-edge/dev-guide/browser/search-provider-discovery): Rich search integration is built into the Microsoft Edge address bar, including search suggestions, results from the web, your browsing history, and favorites. +- [Search provider discovery](https://docs.microsoft.com/en-us/microsoft-edge/dev-guide/browser/search-provider-discovery): The Microsoft Edge address bar uses rich search integration, including search suggestions, results from the web, your browsing history, and favorites.


\ No newline at end of file diff --git a/browsers/edge/microsoft-edge-faq.md b/browsers/edge/microsoft-edge-faq.md index d5a7390752..47bbca9473 100644 --- a/browsers/edge/microsoft-edge-faq.md +++ b/browsers/edge/microsoft-edge-faq.md @@ -7,13 +7,19 @@ ms.prod: edge ms.mktglfcycl: general ms.sitesec: library ms.localizationpriority: medium -ms.date: 10/02/2018 +ms.date: 10/23/2018 --- # Frequently Asked Questions (FAQs) for IT Pros >Applies to: Microsoft Edge on Windows 10 and Windows 10 Mobile +**Q: Why is the Sync settings option under Settings \> Accounts \> Sync your settings permanently disabled? + +**A:** In the Windows 10 Anniversary Update, domain-joined users who connected their Microsoft Account (MSA) could roam settings and data between Windows devices. A group policy to prevent users from connecting their MSAs exists, but this setting also prevents users from easily accessing their personal Microsoft services. Enterprises can still enable Enterprise State Roaming with Azure Active Directory. + +>In a nutshell, any fresh install of Windows 10 Creators Update or higher does not support funtionality if it's under an Active Directory, but works for Azure Active Directory. + **Q: What is the size of the local storage for Microsoft Edge overall and per domain?** **A:** The limits are 5MB per subdomain, 10MB per domain, and 50MB total. diff --git a/browsers/edge/microsoft-edge-kiosk-mode-deploy.md b/browsers/edge/microsoft-edge-kiosk-mode-deploy.md index 428657dfea..f626465766 100644 --- a/browsers/edge/microsoft-edge-kiosk-mode-deploy.md +++ b/browsers/edge/microsoft-edge-kiosk-mode-deploy.md 
@@ -7,205 +7,162 @@ ms.prod: edge ms.sitesec: library title: Deploy Microsoft Edge kiosk mode ms.localizationpriority: medium -ms.date: 10/02/2018 +ms.date: 10/15/2018 --- # Deploy Microsoft Edge kiosk mode >Applies to: Microsoft Edge on Windows 10, version 1809 -In the Windows 10 October 2018 Update, we added the capability to use Microsoft Edge as a kiosk (referred to as Microsoft Edge kiosk mode). We added and updated Microsoft Edge group policies to enhance the kiosk experience depending on the Microsoft Edge kiosk mode type you configure. +In the Windows 10 October 2018 Update, we added Microsoft Edge kiosk mode which works with assigned access, locking down a Windows 10 device to only run a single application or multiple applications. It also prevents access to the file system and running executables or other apps from Microsoft Edge. Assigned access lets IT administrators create a tailored browsing experience designed for kiosk devices. Learn more about [assigned access](https://docs.microsoft.com/en-us/windows-hardware/customize/enterprise/assigned-access). -Microsoft Edge kiosk mode works with assigned access, which lets IT administrators create a tailored browsing experience designed for kiosk devices. Assigned access prevents users from accessing the file system and running other apps from Microsoft Edge, such as the address bar or downloads. For example, you can configure Microsoft Edge to load only a single URL in full-screen mode when you configure digital/interactive signage on a single-app kiosk device. +Microsoft Edge kiosk mode supports four configurations types. For example, you can configure Microsoft Edge to load only a single URL in full-screen mode when you configure digital/interactive signage on a single-app kiosk device. -In addition to digital/interactive signage, you can configure Microsoft Edge for public browsing either on a single and multi-app kiosk device. 
Public browsing runs a multi-tab version of InPrivate browsing mode with limited functionality to run in full-screen mode or normal browsing of Microsoft Edge. +In addition to digital/interactive signage, you can configure Microsoft Edge kiosk mode for public browsing either on a single or multi-app kiosk device. The public browsing kiosk types run Microsoft Edge InPrivate mode to protect user data with a browsing experience designed for public kiosks. For example, the Microsoft Edge Settings are disabled, favorites, extensions, and books are unavailable to prevent users from customizing Microsoft Edge. -Both digital/interactive signage and public browsing help protect the user’s data by running Microsoft Edge with InPrivate browsing. In single-app public browsing, there is both an ‘End Session’ button that users click to end the browsing session or that resets the session after a specified time of user inactivity. The idle timer is set to 5 minutes by default, but you can choose a value of your own. - -In this topic, you learn about the different Microsoft Edge kiosk mode types to help you determine what configuration is best suited for your kiosk device. You also learn how to set up your Microsoft Edge kiosk mode experience. Learn more about [Configuring kiosk and shared devices running Windows desktop editions](https://docs.microsoft.com/en-us/windows/configuration/kiosk-shared-pc). +In single-app public browsing, there is an “End session” button and reset after an idle timeout option. Both restart Microsoft Edge and clear the user’s session. The reset after the idle timer is set to 5 minutes by default, but you can choose a value of your own. +In this topic, you learn about the different Microsoft Edge kiosk mode types to help you determine what configuration is best suited for your kiosk device. You also learn how to set up your Microsoft Edge kiosk mode experience. 
Learn more about [Configuring kiosk and shared devices running Windows desktop editions](https://docs.microsoft.com/en-us/windows/configuration/kiosk-shared-pc). ## Microsoft Edge kiosk types -Depending on how Microsoft Edge is set up in assigned access, Microsoft Edge kiosk mode supports four types, single-app or multi-app kiosk mode with both supporting public browsing. Learn more about [assigned access](https://docs.microsoft.com/en-us/windows-hardware/customize/enterprise/assigned-access). -### Single-app kiosk +Microsoft Edge kiosk mode supports four configuration types that depending on how Microsoft Edge is set up with assigned access. Two for single-app kiosk devices (Digital/Interactive signage and Public browsing) and two for multi-app kiosk devices (Public browsing and Normal mode). -When you set up Microsoft Edge kiosk mode in single-app assigned access, Microsoft Edge runs InPrivate either in full-screen or a limited multi-tab version for public browsing. For more details about setting up a single-app kiosk, see [Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education](https://docs.microsoft.com/en-us/windows/configuration/setup-kiosk-digital-signage). +### Single app -The single-app Microsoft Edge kiosk mode types include: +When you set up Microsoft Edge kiosk mode in single-app assigned access, Microsoft Edge runs InPrivate either in full-screen or a multi-tab version designed for public browsing. For more details about setting up a single-app kiosk, see [Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education](https://docs.microsoft.com/en-us/windows/configuration/setup-kiosk-digital-signage). -1. **Digital / Interactive signage** devices display a specific site in full-screen mode that runs InPrivate browsing mode. +The single-app Microsoft Edge kiosk mode types are: - - **Digital signage** does not require user interaction and best used for a rotating advertisement or menu. +1. 
**Digital / Interactive signage** devices display a specific site in full-screen mode that runs InPrivate browsing mode. - - **Interactive signage**, on the other hand, requires user interaction within the page but doesn’t allow for any other uses, such as browsing the internet. Use interactive signage for things like a building business directory or restaurant order/pay station. + - **Digital signage** does not require user interaction and best used for a rotating advertisement or menu. -2. **Public browsing** devices are publicly accessible and run a limited multi-tab version of InPrivate browsing in Microsoft Edge, which is the only app available on the device. Users can’t minimize, close, or open new Microsoft Edge windows or customize Microsoft Edge.

The single-app public browsing mode is the only kiosk mode that has an ‘End Session’ button that users click to end the browsing session and an idle timer that resets the session after a specified time of user inactivity. Use the “Configure kiosk reset after idle timeout” policy to set the idle timer, which is set to 5 minutes by default, but you can provide a value of your own.

A public library or hotel concierge desk are two examples of public browsing that restricts access to only Microsoft Edge. + - **Interactive signage**, on the other hand, requires user interaction within the page but doesn’t allow for any other uses, such as browsing the internet. Use interactive signage for things like a building business directory or restaurant order/pay station. + +2. **Public browsing** runs Microsoft Edge InPrivate mode to protect user data with a browsing experience designed for publicly accessible kiosk devices. For example, the Microsoft Edge Settings are disabled, favorites, extensions, and books are unavailable to prevent users from customizing Microsoft Edge. Users can’t minimize, close or open a new Microsoft Window. Microsoft Edge is the only app users can use on the device.

The single-app public browsing mode is the only kiosk mode that has an ‘End session’ button that users click to end the browsing session and an idle timer that resets the session after a specified time of user inactivity. Both restart Microsoft Edge and clear the user’s session, including any downloads.

A public library or hotel concierge desk are two examples of public browsing that restricts access to only Microsoft Edge. ![Public browsing Microsoft Edge kiosk mode on a single-app kiosk device](images/surface_hub_single-app_browse_kiosk_inframe.png) -### Multi-app kiosk -When you set up Microsoft Edge kiosk mode in multi-app assigned access, Microsoft Edge runs a limited multi-tab version of InPrivate or a normal browsing version. For more details about running a multi-app kiosk, or fixed-purpose device, see [Create a Windows 10 kiosk that runs multiple apps](https://docs.microsoft.com/en-us/windows/configuration/lock-down-windows-10-to-specific-apps). Here you learn how to create kiosks that run more than one app and the benefits of a multi-app kiosk, or fixed-purpose device. +### Multi-app + +Microsoft Edge two kiosk mode in multi-app assigned access runs InPrivate mode and a regular browsing version. For more details about running a multi-app kiosk, or fixed-purpose device, see [Create a Windows 10 kiosk that runs multiple apps](https://docs.microsoft.com/en-us/windows/configuration/lock-down-windows-10-to-specific-apps). + +Here you learn how to create kiosks that run more than one app and the benefits of a multi-app kiosk, or fixed-purpose device. The multi-app Microsoft Edge kiosk mode types include: -3. **Public browsing** devices are publicly accessible and supports browsing the internet. Public browsing runs a multi-tab version of InPrivate browsing mode with limited functionality that runs in full-screen mode.

In this configuration, Microsoft Edge can interact with other applications. For example, if Internet Explorer 11 is set up in multi-app assigned access, you can enable Enterprise Mode to automatically switch users to Internet Explorer 11 for sites that need backward compatibility support.

A public library or hotel concierge desk are two examples of public browsing that provides access to Microsoft Edge and other apps. +3. **Public browsing**, which is similar to the single-app version, runs Microsoft Edge InPrivate mode to protect user data with a browsing experience designed for publicly accessible kiosk devices running more than one application.

Users can open and close Microsoft Edge and launch other apps if allowed by assigned access. Instead of an “End session” button to clear their browsing session, the user closes Microsoft Edge normally.

In this configuration, Microsoft Edge can interact with other applications. For example, if Internet Explorer 11 is set up in multi-app assigned access, you can enable Enterprise Mode to automatically switch users to Internet Explorer 11 for sites that need backward compatibility support.

A public library or hotel concierge desk are two examples of public browsing that provides access to Microsoft Edge and other apps. ![Public browsing Microsoft Edge kiosk mode on a multi-app kiosk device](images/surface_hub_multi-app_kiosk_inframe.png) -4. **Normal mode** devices run a full-featured version of Microsoft Edge (referred to as normal browsing).

Some features may not work depending on what other apps you have configured in assigned access. For example, if Internet Explorer 11 is set up in assigned access, you can enable Enterprise Mode to automatically switch users to Internet Explorer 11 for sites that need backward compatibility support. +4. **Normal mode** provides all the Microsoft Edge browsing features and preserves the user data and state between sessions.

Some features may not work depending on what other apps you have configured in assigned access. For example, installing extensions or books from the Microsoft store are not allowed if the store is not available. If Internet Explorer 11 is set up in assigned access, you can enable Enterprise Mode to automatically switch users to Internet Explorer 11 for sites that need backward compatibility support. ![Normal Microsoft Edge kiosk mode on a multi-app kiosk device](images/surface_hub_multi-app_normal_kiosk_inframe.png) ## Let’s get started! -Before you can configure Microsoft Edge kiosk mode, you must set up Microsoft Edge in assigned access. With assigned access, you restrict a local standard user account so that it only has access to one Windows app, such as Microsoft Edge in kiosk mode. You can set up Microsoft Edge kiosk mode in assigned access using: -- **Windows Settings.** Best for physically setting up a couple of devices as kiosks. You can configure Microsoft Edge in single-app (full-screen or public browsing as the kiosk type) and define a single URL for the Home button, Start page, and New Tab page. You can also set the reset after an idle timeout. +Before you can configure Microsoft Edge kiosk mode, you must set up Microsoft Edge in assigned access. With assigned access, you restrict a local standard user account so that it only has access to one or more Windows app, such as Microsoft Edge in kiosk mode. You can set up Microsoft Edge kiosk mode in assigned access using: -- **Microsoft Intune or other MDM service.** Best for setting up multiple devices as a kiosk. With this method, you configure Microsoft Edge in assigned access and configure how Microsoft Edge behaves when it’s running in kiosk mode with assigned access. +- **Windows Settings.** Use to set up a couple of single-app kiosk devices. 
If you hit the Windows key and type “kiosk” you can set up Microsoft Edge kiosk mode for a single-app (Digital / Interactive signage or Public browsing) experience and define a single URL for the Home button, Start page, and New Tab page. You can also set the reset after an idle timeout. + + >[!IMPORTANT] + >Do not use the Windows 10 Settings to configure multi-app kiosks. + +- **Microsoft Intune or other MDM service.** Use to set up several single-app and multi-app kiosk devices. Microsoft Intune and other MDM service providers offer more options for customizing the Microsoft Edge kiosk mode experience by using the [supported or available] Microsoft Edge policies. For a list of supported policies see [Supported policies for kiosk mode](#supported-policies-for-kiosk-mode). >[!NOTE] >For other MDM service, check with your provider for instructions. -- **Windows PowerShell.** Best for setting up multiple devices as a kiosk. With this method, you can set up single-app or multi-app assigned access using a PowerShell script. For details, see For details, see [Set up a kiosk or digital sign using Windows PowerShell](https://docs.microsoft.com/en-us/windows/configuration/setup-kiosk-digital-signage#set-up-a-kiosk-or-digital-sign-using-windows-powershell).  -- **Windows Configuration Designer.** Best for setting up multiple kiosk devices. Download and install both the latest version of the [Windows Assessment and Deployment Kit (ADK)](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) and [Windows Configuration Manager](https://docs.microsoft.com/en-us/windows/configuration/provisioning-packages/provisioning-install-icd#install-windows-configuration-designer-1). ### Prerequisites -- Microsoft Edge on Windows 10, version 1809 (Professional, Enterprise, and Education). +- Microsoft Edge on Windows 10, version 1809 (Professional, Enterprise, and Education). 
-- Configuration and deployment service, such as Windows PowerShell, Microsoft Intune or other MDM service, or Windows Configuration Designer. With these methods, you must have the AppUserModelID (AUMID) to set up Microsoft Edge: - - Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge +- Configuration and deployment service, such as Microsoft Intune or other MDM service. With these methods, you must have the AppUserModelID (AUMID) to set up Microsoft Edge:

Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge -### Use Windows Settings +### Use Windows Settings Windows Settings is the simplest and easiest way to set up one or a couple of devices because you perform these steps physically on each device. This method is ideal for small businesses. -When you set up a single-app kiosk device using Windows Settings, you must first set up assigned access before configuring the device. With assigned access, you restrict a local standard user account so that it only has access to one Windows app, such as Microsoft Edge, in kiosk mode. +When you set up a single-app kiosk device using Windows Settings, you must first set up assigned access before configuring the device. With assigned access, you restrict a local standard user account so that it only has access to one Windows app, such as Microsoft Edge in kiosk mode. -1. In the search field of Windows Settings, type **kiosk** and then select **Set up a kiosk (assigned access)**. +1. In the search field of Windows Settings, type **kiosk** and then select **Set up a kiosk (assigned access)**. -2. On the **Set up a kiosk** page, click **Get started**. +2. On the **Set up a kiosk** page, click **Get started**. -3. Type a name to create a new account or you can choose an existing account and click **Next**. +3. Type a name to create a new account, or you can choose an existing account and click **Next**. -4. On the **Choose a kiosk app** page, select **Microsoft Edge** and then click **Next**. +4. On the **Choose a kiosk app** page, select **Microsoft Edge** and then click **Next**. -5. Select how Microsoft Edge displays when running in kiosk mode: +5. Select how Microsoft Edge displays when running in kiosk mode: - - **As a digital sign or interactive display**, the default URL shows in full screen, without browser controls. + - **As a digital sign or interactive display**, the default URL shows in full screen, without browser controls. 
- - **As a public browser**, the default URL shows in a browser view with limited browser controls. + - **As a public browser**, the default URL shows in a browser view with + limited browser controls. -6. Select **Next**. +6. Select **Next**. -7. Type the URL to load when the kiosk launches. +7. Type the URL to load when the kiosk launches. - >[!NOTE] - >The URL sets the Home button, Start page, and New Tab page. + >[!NOTE] + >The URL sets the Home button, Start page, and New Tab page. -8. Accept the default value of **5 minutes** for the idle time or provide your own value. +8. Accept the default value of **5 minutes** for the idle time or provide a value of your own. - >[!TIP] - >Microsoft Edge kiosk mode has a built-in timer to help keep data safe in public browsing sessions. When the idle time (no user activity) meets the time limit, a confirmation message prompts the user to continue. If the user does not **Continue**, Microsoft Edge resets to the default URL. + >[!TIP] + >Microsoft Edge kiosk mode has a built-in timer to help keep data safe in public browsing sessions. When the idle time (no user activity) meets the time limit, a confirmation message prompts the user to continue. If the user does not **Continue**, Microsoft Edge resets to the default URL. -9. Click **Next**. +9. Click **Next**. 10. Close the **Settings** window to save and apply your choices. -11. Now that you have configured assigned access, selected how Microsoft Edge displays the kiosk, and set the idle timer, you can configure the group policies for Microsoft Edge kiosk mode. +11. Once you've configured the policies, restart the kiosk device and sign in with the local kiosk account to validate the configuration. 
- >>You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: - >> - >>      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** - - - **[Configure kiosk mode](#configure-kiosk-mode)**: Configure the display mode for Microsoft Edge as a kiosk app. You can control whether Microsoft Edge runs InPrivate full screen, InPrivate multi-tab with limited functionality, or normal Microsoft Edge. For this policy to work, you must configure assigned access; otherwise, Microsoft Edge ignores the settings in this policy. - - - **[Configure kiosk reset after idle timeout](#configure-kiosk-reset-idle-timeout)**: Change the time, in minutes, from the last user activity before Microsoft Edge kiosk mode resets to the default kiosk configuration. For this policy to work, you must enable the Configure kiosk mode policy (InPrivate public browsing) and configure Microsoft Edge as a single-app in assigned access; otherwise, Microsoft Edge ignores this setting. - - - **[Additional policies for kiosk mode](#additional-policies-for-kiosk-mode)**: We have other new and existing policies that work with Microsoft Edge kiosk mode, such as Allow cookies, Allow printing, Configure Home button, and Configure telemetry for Microsoft 365 analytics. At this time, only a few features work in all kiosk types, for example, Unlock Home button works only in normal browsing. - -12. Once you've configured the group policies, restart the kiosk device and sign in with the local kiosk account to validate the configuration. - -**_Congratulations!_** You’ve just finished setting up Microsoft Edge in assigned access, a kiosk or digital sign, and configured the group policies for Microsoft Edge kiosk mode. +**_Congratulations!_** You’ve just finished setting up Microsoft Edge in assigned access, a kiosk or digital sign, and configured Microsoft Edge kiosk mode. 
**_Next steps._** |If you want to... |Then... | |---|---| |Use your new kiosk |Sign into the device with the kiosk account that you selected to run Microsoft Edge kiosk mode. | -|Make changes to your kiosk such as change the display option or the URL that loads |

  1. In Windows Settings, type **kiosk** in the search field and select **Set up a kiosk (assigned access)**.
  2. On the **Set up a kiosk** page, make your changes to **Choose a kiosk mode** and **Set up Microsoft Edge**.
| +|Make changes to your kiosks such as change the display option or the URL that loads |
  1. In Windows Settings, type **kiosk** in the search field and select **Set up a kiosk (assigned access)**.
  2. On the **Set up a kiosk** page, make your changes to **Choose a kiosk mode** and **Set up Microsoft Edge**.
| --- ### Use Microsoft Intune or other MDM service -With this method, you can use Microsoft Intune or other MDM services to configure Microsoft Edge kiosk mode in assigned access and how it behaves on a kiosk device. +With this method, you can use Microsoft Intune or other MDM services to configure Microsoft Edge kiosk mode in assigned access and how it behaves on a kiosk device. >[!IMPORTANT] ->If you are using a local account as a kiosk account in Intune or a provisioning package, make sure to sign into this account and then sign out before configuring the assigned access single-app kiosk. +>If you are using a local account as a kiosk account in Microsoft Intune or a provisioning package, make sure to sign into this account and then sign out before configuring the assigned access single-app kiosk. -1. In Microsoft Intune or other MDM service, configure [AssignedAccess](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp) to prevent users from accessing the file system, running executables, or other apps. +1. In Microsoft Intune or other MDM service, configure [AssignedAccess](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp) to prevent users from accessing the file system, running executables, or other apps. -2. Configure the following MDM settings to control a web browser app on the kiosk device and then restart the device. +2. Configure the following MDM settings to setup Microsoft Edge kiosk mode on the kiosk device and then restart the device. - | | | - |---|---| - | **[ConfigureKioskMode](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configurekioskmode)**

![](images/icon-thin-line-computer.png) | Configure the display mode for Microsoft Edge as a kiosk app.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskMode

**Data type:** Integer

**Allowed values:**

| - | **[ConfigureKioskResetAfterIdleTimeout](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configurekioskresetafteridletimeout)**

![](images/icon-thin-line-computer.png) | Change the time in minutes from the last user activity before Microsoft Edge kiosk mode resets to the default kiosk configuration.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskResetAfterIdleTimeout

**Data type:** Integer

**Allowed values:**

| - | **[HomePages](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-homepages)**

![](images/icon-thin-line-computer.png) | Set one or more start pages, URLs, to load when Microsoft Edge launches.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/HomePages

**Data type:** String

**Allowed values:**

Enter one or more URLs, for example,
   \\ | - | **[ConfigureHomeButton](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configurehomebutton)**

![](images/icon-thin-line-computer.png) | Configure how the Home Button behaves.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureHomeButton

**Data type:** Integer

**Allowed values:**

| - | **[SetHomeButtonURL](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-sethomebuttonurl)**

![](images/icon-thin-line-computer.png) | If you set ConfigureHomeButton to 2, configure the home button URL.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetHomeButtonURL

**Data type:** String

**Allowed values:** Enter a URL, for example, https://www.bing.com | - | **[SetNewTabPageURL](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-setnewtabpageurl)**

![](images/icon-thin-line-computer.png) | Set a custom URL for the New Tab page.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetNewTabPageURL

**Data type:** String

**Allowed values:** Enter a URL, for example, https://www.msn.com | + | | | + |---|---| + | **[ConfigureKioskMode](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configurekioskmode)**

![](images/icon-thin-line-computer.png) | Configure the display mode for Microsoft Edge as a kiosk app.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskMode

**Data type:** Integer

**Allowed values:**

| + | **[ConfigureKioskResetAfterIdleTimeout](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configurekioskresetafteridletimeout)**

![](images/icon-thin-line-computer.png) | Change the time in minutes from the last user activity before Microsoft Edge kiosk mode resets to the default kiosk configuration.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskResetAfterIdleTimeout

**Data type:** Integer

**Allowed values:**

| + | **[HomePages](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-homepages)**

![](images/icon-thin-line-computer.png) | Set one or more start pages, URLs, to load when Microsoft Edge launches.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/HomePages

**Data type:** String

**Allowed values:**

Enter one or more URLs, for example,
   \\ | + | **[ConfigureHomeButton](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configurehomebutton)**

![](images/icon-thin-line-computer.png) | Configure how the Home Button behaves.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureHomeButton

**Data type:** Integer

**Allowed values:**

| + | **[SetHomeButtonURL](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-sethomebuttonurl)**

![](images/icon-thin-line-computer.png) | If you set ConfigureHomeButton to 2, configure the home button URL.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetHomeButtonURL

**Data type:** String

**Allowed values:** Enter a URL, for example, https://www.bing.com | + | **[SetNewTabPageURL](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-setnewtabpageurl)**

![](images/icon-thin-line-computer.png) | Set a custom URL for the New Tab page.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetNewTabPageURL

**Data type:** String

**Allowed values:** Enter a URL, for example, https://www.msn.com | --- -
+ **_Congratulations!_** You’ve just finished setting up a kiosk or digital signage and configuring group policies for Microsoft Edge kiosk mode using Microsoft Intune or other MDM service. **_Next steps._** Use your new kiosk. Sign in to the device using the user account that you selected to run the kiosk app. -### Use a provisioning package - -With this method, you can use a provisioning package to configure Microsoft Edge kiosk mode in assigned access. After you set up the provisioning package for configuring Microsoft Edge in assigned access, you configure how Microsoft Edge behaves on a kiosk device. - ->[!IMPORTANT] ->If you are using a local account as a kiosk account in Intune or a provisioning package, make sure to sign into this account and then sign out before configuring the assigned access single-app kiosk. - -1. Open Windows Configuration Designer and select **Provision Kiosk devices**. - -2. Name your project, and click **Next**. - -3. [Set up a kiosk](https://docs.microsoft.com/en-us/windows/configuration/kiosk-single-app#set-up-a-kiosk-using-the-kiosk-wizard-in-windows-configuration-designer). - -4. Switch to the advanced editor and navigate to **Runtime settings \> Policies \> Browser** and set the following policies: - - | | | - |---|---| - | **[ConfigureKioskMode](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configurekioskmode)**

![](images/icon-thin-line-computer.png) | Configure the display mode for Microsoft Edge as a kiosk app.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskMode

**Data type:** Integer

**Allowed values:**

| - | **[ConfigureKioskResetAfterIdleTimeout](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configurekioskresetafteridletimeout)**

![](images/icon-thin-line-computer.png) | Change the time in minutes from the last user activity before Microsoft Edge kiosk mode resets to the default kiosk configuration.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskResetAfterIdleTimeout

**Data type:** Integer

**Allowed values:**

| - | **[HomePages](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-homepages)**

![](images/icon-thin-line-computer.png) | Set one or more start pages, URLs, to load when Microsoft Edge launches.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/HomePages

**Data type:** String

**Allowed values:**

Enter one or more URLs, for example,
   \\ | - | **[ConfigureHomeButton](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configurehomebutton)**

![](images/icon-thin-line-computer.png) | Configure how the Home Button behaves.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureHomeButton

**Data type:** Integer

**Allowed values:**

| - | **[SetHomeButtonURL](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-sethomebuttonurl)**

![](images/icon-thin-line-computer.png) | If you set ConfigureHomeButton to 2, configure the home button URL.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetHomeButtonURL

**Data type:** String

**Allowed values:** Enter a URL, for example, https://www.bing.com | - | **[SetNewTabPageURL](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-setnewtabpageurl)**

![](images/icon-thin-line-computer.png) | Set a custom URL for the New Tab page.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetNewTabPageURL

**Data type:** String

**Allowed values:** Enter a URL, for example, https://www.msn.com | - --- - -5. After you’ve configured the Microsoft Edge kiosk mode policies, including any of the related policies, it’s time to [build the package](https://docs.microsoft.com/en-us/windows/configuration/provisioning-packages/provisioning-create-package#build-package). - -6. Click **Finish**.

The wizard closes and takes you back to the Customizations page. - -7. [Apply the provisioning package](https://docs.microsoft.com/en-us/windows/configuration/provisioning-packages/provisioning-apply-package) to the device, which you can do during the first-run experience (out-of-box experience or OOBE) and after (runtime). - -**_Congratulations!_** You’ve finished creating your provisioning package for Microsoft Edge kiosk mode. - -**_Next steps._** Use your new kiosk. Sign in to the device using the user account that you selected to run the kiosk app. - --- +## Microsoft Edge kiosk mode policies -## Relevant policies -We added and updated Microsoft Edge group policies to enhance the kiosk experience depending on the Microsoft Edge kiosk mode type you configure. +We added new Microsoft Edge policies to configure the kiosk mode type as well as the idle timer. For these policies to work correctly, you must set up Microsoft Edge in assigned access. ### Configure kiosk mode [!INCLUDE [configure-microsoft-edge-kiosk-mode-include](includes/configure-microsoft-edge-kiosk-mode-include.md)] @@ -213,75 +170,75 @@ We added and updated Microsoft Edge group policies to enhance the kiosk experien ### Configure kiosk reset idle timeout [!INCLUDE [configure-edge-kiosk-reset-idle-timeout-include](includes/configure-edge-kiosk-reset-idle-timeout-include.md)] -### Additional policies for kiosk mode +## Supported policies for kiosk mode Use any of the Microsoft Edge policies listed below to enhance the kiosk experience depending on the Microsoft Edge kiosk mode type you configure. To learn more about these policies, see [Policy CSP - Browser](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser). | **MDM Setting** | **Digital /
Interactive signage** | **Public browsing
single-app** | **Public browsing
multi-app** | **Normal
mode** | |------------------|:---------:|:---------:|:---------:|:---------:| -| [AllowAddressBarDropdown](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowaddressbardropdown) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | -| [AllowAutofill](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowautofill) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | -| [AllowBrowser](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowbrowser) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | -| [AllowConfigurationUpdateForBooksLibrary](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowconfigurationupdateforbookslibrary) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | -| [AllowCookies](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowcookies) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [AllowDeveloperTools](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowdevelopertools) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | -| [AllowDoNotTrack](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowdonottrack) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | 
![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [AllowExtensions](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowextensions) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | -| [AllowFlash](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowflash) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [AllowFlashClickToRun](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowflashclicktorun) | ![Supported](images/148767.png)2 | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [AllowFullscreen](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowfullscreenmode)\* | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [AllowInPrivate](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowinprivate) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | -| [AllowMicrosoftCompatibilityList](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowmicrosoftcompatibilitylist) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png)1 | ![Supported](images/148767.png) | -| [AllowPasswordManager](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowpasswordmanager) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | 
![Supported](images/148767.png) | -| [AllowPopups](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowpopups) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [AllowPrelaunch](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowprelaunch)\* | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | -| [AllowPrinting](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowprinting)\* | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [AllowSavingHistory](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowsavinghistory)\* | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | -| [AllowSearchEngineCustomization](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowsearchenginecustomization) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | -| [AllowSearchSuggestionsinAddressBar](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowsearchenginecustomization) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [AllowSideloadingExtensions](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowsideloadingofextensions)\* | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not 
supported](images/148766.png) | ![Supported](images/148767.png) | -| [AllowSmartScreen](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowsmartscreen) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [AllowSyncMySettings](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-allowsyncmysettings) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | -| [AllowTabPreloading](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowtabpreloading)\* | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | -| [AllowWebContentOnNewTabPage](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowwebcontentonnewtabpage)\* | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | -| [AlwaysEnabledBooksLibrary](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-alwaysenablebookslibrary) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | -| [ClearBrowsingDataOnExit](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-clearbrowsingdataonexit) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | -| [ConfigureAdditionalSearchEngines](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configureadditionalsearchengines) | ![Not 
supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [ConfigureFavoritesBar](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configurefavoritesbar)\* | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [ConfigureHomeButton](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configurehomebutton)\* | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -|  [ConfigureKioskMode](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configurekioskmode)\* | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -|  [ConfigureKioskResetAfterIdleTimeout](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configurekioskresetafteridletimeout)\* | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | -| [ConfigureOpenEdgeWith](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configureopenmicrosoftedgewith)\* | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [ConfigureTelemetryForMicrosoft365Analytics](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configuretelemetryformicrosoft365analytics)\* | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| 
[DisableLockdownOfStartPages](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-disablelockdownofstartpages) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [AllowAddressBarDropdown](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowaddressbardropdown) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [AllowAutofill](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowautofill) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [AllowBrowser](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowbrowser) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | +| [AllowConfigurationUpdateForBooksLibrary](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowconfigurationupdateforbookslibrary) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [AllowCookies](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowcookies) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [AllowDeveloperTools](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowdevelopertools) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | 
![Supported](images/148767.png) | +| [AllowDoNotTrack](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowdonottrack) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [AllowExtensions](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowextensions) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [AllowFlash](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowflash) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [AllowFlashClickToRun](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowflashclicktorun) | ![Supported](images/148767.png)2 | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [AllowFullscreen](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowfullscreenmode)\* | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [AllowInPrivate](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowinprivate) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [AllowMicrosoftCompatibilityList](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowmicrosoftcompatibilitylist) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png)1 | ![Supported](images/148767.png) | +| 
[AllowPasswordManager](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowpasswordmanager) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [AllowPopups](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowpopups) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [AllowPrelaunch](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowprelaunch)\* | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [AllowPrinting](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowprinting)\* | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [AllowSavingHistory](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowsavinghistory)\* | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [AllowSearchEngineCustomization](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowsearchenginecustomization) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [AllowSearchSuggestionsinAddressBar](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowsearchenginecustomization) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| 
[AllowSideloadingExtensions](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowsideloadingofextensions)\* | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [AllowSmartScreen](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowsmartscreen) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [AllowSyncMySettings](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-allowsyncmysettings) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [AllowTabPreloading](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowtabpreloading)\* | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [AllowWebContentOnNewTabPage](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowwebcontentonnewtabpage)\* | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [AlwaysEnabledBooksLibrary](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-alwaysenablebookslibrary) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [ClearBrowsingDataOnExit](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-clearbrowsingdataonexit) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not 
supported](images/148766.png) | ![Supported](images/148767.png) | +| [ConfigureAdditionalSearchEngines](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configureadditionalsearchengines) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [ConfigureFavoritesBar](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configurefavoritesbar)\* | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [ConfigureHomeButton](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configurehomebutton)\* | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +|  [ConfigureKioskMode](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configurekioskmode)\* | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +|  [ConfigureKioskResetAfterIdleTimeout](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configurekioskresetafteridletimeout)\* | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | +| [ConfigureOpenEdgeWith](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configureopenmicrosoftedgewith)\* | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [ConfigureTelemetryForMicrosoft365Analytics](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configuretelemetryformicrosoft365analytics)\* 
| ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [DisableLockdownOfStartPages](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-disablelockdownofstartpages) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | | [Experience/DoNotSyncBrowserSettings](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-donotsyncbrowsersetting)\* and [Experience/PreventTurningOffRequiredExtensions](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventturningoffrequiredextensions)\* | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | -| [EnableExtendedBooksTelemetry](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-enableextendedbookstelemetry) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | -| [EnterpriseModeSiteList](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-enterprisemodesitelist) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png)1 | ![Supported](images/148767.png) | -| [FirstRunURL](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-firstrunurl) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | -| [HomePages](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-homepages) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | 
![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [LockdownFavorites](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-lockdownfavorites) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [PreventAccessToAboutFlagsInMicrosoftEdge](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventaccesstoaboutflagsinmicrosoftedge) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [PreventCertErrorOverrides](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventcerterroroverrides)\* | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [PreventFirstRunPage](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventfirstrunpage) | ![Supported](images/148767.png) | ![Supported](images/148767.png)| ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [PreventLiveTileDataCollection](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventlivetiledatacollection) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | -| [PreventSmartScreenPromptOverride](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventsmartscreenpromptoverride) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| 
[PreventSmartScreenPromptOverrideForFiles](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventsmartscreenpromptoverrideforfiles) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [PreventTurningOffRequiredExtensions](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventturningoffrequiredextensions)\* | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [PreventUsingLocalHostIPAddressForWebRTC](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventusinglocalhostipaddressforwebrtc) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [ProvisionFavorites](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-provisionfavorites) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [SendIntranetTraffictoInternetExplorer](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-sendintranettraffictointernetexplorer) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png)1 | ![Supported](images/148767.png) | -| [SetDefaultSearchEngine](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-setdefaultsearchengine) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [SetHomeButtonURL](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-sethomebuttonurl)\* | ![Not supported](images/148766.png) | 
![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [SetNewTabPageURL](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-setnewtabpageurl)\* | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [ShowMessageWhenOpeningInteretExplorerSites](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-showmessagewhenopeningsitesininternetexplorer) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png)1 | ![Supported](images/148767.png) | -| [SyncFavoritesBetweenIEAndMicrosoftEdge](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-syncfavoritesbetweenieandmicrosoftedge) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png)1 | ![Supported](images/148767.png) | -| [UnlockHomeButton](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-unlockhomebutton)\* | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | -| [UseSharedFolderForBooks](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-usesharedfolderforbooks) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [EnableExtendedBooksTelemetry](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-enableextendedbookstelemetry) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| 
[EnterpriseModeSiteList](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-enterprisemodesitelist) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png)1 | ![Supported](images/148767.png) | +| [FirstRunURL](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-firstrunurl) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | +| [HomePages](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-homepages) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [LockdownFavorites](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-lockdownfavorites) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [PreventAccessToAboutFlagsInMicrosoftEdge](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventaccesstoaboutflagsinmicrosoftedge) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [PreventCertErrorOverrides](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventcerterroroverrides)\* | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [PreventFirstRunPage](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventfirstrunpage) | ![Supported](images/148767.png) | ![Supported](images/148767.png)| ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| 
[PreventLiveTileDataCollection](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventlivetiledatacollection) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [PreventSmartScreenPromptOverride](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventsmartscreenpromptoverride) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [PreventSmartScreenPromptOverrideForFiles](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventsmartscreenpromptoverrideforfiles) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [PreventTurningOffRequiredExtensions](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventturningoffrequiredextensions)\* | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [PreventUsingLocalHostIPAddressForWebRTC](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventusinglocalhostipaddressforwebrtc) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [ProvisionFavorites](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-provisionfavorites) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [SendIntranetTraffictoInternetExplorer](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-sendintranettraffictointernetexplorer) | ![Not 
supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png)1 | ![Supported](images/148767.png) | +| [SetDefaultSearchEngine](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-setdefaultsearchengine) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [SetHomeButtonURL](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-sethomebuttonurl)\* | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [SetNewTabPageURL](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-setnewtabpageurl)\* | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [ShowMessageWhenOpeningInteretExplorerSites](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-showmessagewhenopeningsitesininternetexplorer) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png)1 | ![Supported](images/148767.png) | +| [SyncFavoritesBetweenIEAndMicrosoftEdge](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-syncfavoritesbetweenieandmicrosoftedge) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png)1 | ![Supported](images/148767.png) | +| [UnlockHomeButton](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-unlockhomebutton)\* | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| 
[UseSharedFolderForBooks](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-usesharedfolderforbooks) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | --- *\* New policy as of Windows 10, version 1809.*

*1) For multi-app assigned access, you must configure Internet Explorer 11.*
-*2) For digital/interactive signage to enable Flash, set [AllowFlashClickToRun].(https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowflashclicktorun) to 0.* +*2) For digital/interactive signage to enable Flash, set [AllowFlashClickToRun](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowflashclicktorun) to 0.* **Legend:**

       ![Not supported](images/148766.png) = Not applicable or not supported
@@ -307,7 +264,6 @@ Use any of the Microsoft Edge policies listed below to enhance the kiosk experie - **[AssignedAccess configuration service provider (CSP)](https://docs.microsoft.com/en-us/windows/client-management/mdm/assignedaccess-csp):** The AssignedAccess configuration service provider (CSP) sets the device to run in kiosk mode. Once the CSP has executed, then the next user login associated with the kiosk mode puts the device into the kiosk mode running the application specified in the CSP configuration. -- **[Create a provisioning page for Windows 10](https://docs.microsoft.com/en-us/windows/configuration/provisioning-packages/provisioning-create-package):** Learn to use Windows Configuration Designer (WCD) to create a provisioning package (.ppkg) for configuring devices running Windows 10. The WCD wizard options provide a simple interface to configure desktop, mobile, and kiosk device settings. --- @@ -322,19 +278,20 @@ To provide feedback on Microsoft Edge kiosk mode in Feedback Hub, select **Micro ## Feature comparison of kiosk mode and kiosk browser app In the following table, we show you the features available in both Microsoft Edge kiosk mode and Kiosk Browser app available in Microsoft Store. Both kiosk mode and kiosk browser app work in assigned access. -| **Feature** | **Microsoft Edge kiosk mode** | **Kiosk Browser** | +| **Feature** | **Microsoft Edge kiosk mode** | **Microsoft Kiosk browser app** | |---------------|:----------------:|:---------------:| | Print support | ![Supported](images/148767.png) | ![Not supported](images/148766.png) | -| Multi-tab support | ![Supported](images/148767.png) | ![Not supported](images/148766.png) | -| Allow URL support | ![Supported](images/148767.png)

*\*For Microsoft Edge kiosk mode use* [Windows Defender Firewall](#_*Windows_Defender_Firewall)*. Microsoft kiosk browser has custom policy support.* | ![Supported](images/148767.png) | -| Block URL support | ![Supported](images/148767.png)

*\*For Microsoft Edge kiosk mode use* [Windows Defender Firewall](#_*Windows_Defender_Firewall)*. Microsoft kiosk browser has custom policy support.* | ![Supported](images/148767.png) | -| Configure Home Button | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| Set Start page(s) URL | ![Supported](images/148767.png) | ![Supported](images/148767.png)

*Same as Home button URL* | -| Set New Tab page URL | ![Supported](images/148767.png) | ![Not supported](images/148766.png) | -| Favorites management | ![Supported](images/148767.png) | ![Not supported](images/148766.png) | -| End session button | ![Supported](images/148767.png) | ![Supported](images/148767.png)

*In Intune, must create custom URI to enable. Dedicated UI configuration targeted for 1808.* | +| Multi-tab support | ![Supported](images/148767.png) | ![Not supported](images/148766.png) | +| Allow/Block URL support | ![Supported](images/148767.png)

*\*For Microsoft Edge kiosk mode use* [Windows Defender Firewall](#_*Windows_Defender_Firewall)*. Microsoft kiosk browser has custom policy support.* | ![Supported](images/148767.png) | +| Configure Home Button | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| Set Start page(s) URL | ![Supported](images/148767.png) | ![Supported](images/148767.png)

*Same as Home button URL* | +| Set New Tab page URL | ![Supported](images/148767.png) | ![Not supported](images/148766.png) | +| Favorites management | ![Supported](images/148767.png) | ![Not supported](images/148766.png) | +| End session button | ![Supported](images/148767.png) | ![Supported](images/148767.png)

*In Microsoft Intune, you must create a custom URI to enable. Dedicated UI configuration targeted for 1808.* | | Reset on inactivity | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| Internet Explorer integration (Enterprise Mode site list) | ![Supported](images/148767.png)

*Multi-app mode only* | ![Not supported](images/148766.png) | +| Internet Explorer integration (Enterprise Mode site list) | ![Supported](images/148767.png)

*Multi-app mode only* | ![Not supported](images/148766.png) | +| Available in Microsoft Store | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +|SKU availability | Windows 10 October 2018 Update
Professional, Enterprise, and Education | Windows 10 April 2018 Update
Professional, Enterprise, and Education | --- **\*Windows Defender Firewall**

diff --git a/browsers/edge/shortdesc/microsoft-browser-extension-policy-shortdesc.md b/browsers/edge/shortdesc/microsoft-browser-extension-policy-shortdesc.md
index 0de9b830c6..06a3905c63 100644
--- a/browsers/edge/shortdesc/microsoft-browser-extension-policy-shortdesc.md
+++ b/browsers/edge/shortdesc/microsoft-browser-extension-policy-shortdesc.md
@@ -7,4 +7,4 @@ ms:topic: include
 ---
 
 [Microsoft browser extension policy](https://docs.microsoft.com/en-us/legal/windows/agreements/microsoft-browser-extension-policy):
-This document describes the supported mechanisms for extending or modifying the behavior or user experience of Microsoft Edge and Internet Explorer, or the content displayed by these browsers. Any technique not explicitly listed in this document is considered **unsupported**.
\ No newline at end of file
+This document describes the supported mechanisms for extending or modifying the behavior or user experience of Microsoft Edge and Internet Explorer or the content displayed by these browsers. Any technique not explicitly listed in this document is considered **unsupported**.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/shortdesc-test.md b/browsers/edge/shortdesc/shortdesc-test.md
deleted file mode 100644
index c1d657d88b..0000000000
--- a/browsers/edge/shortdesc/shortdesc-test.md
+++ /dev/null
@@ -1,9 +0,0 @@
----
-author: shortpatti
-ms.author: pashort
-ms.date: 10/02/2018
-ms.prod: edge
-ms:topic: include
----
-
-UI settings for the home button are disabled preventing your users from making changes
\ No newline at end of file
diff --git a/browsers/edge/troubleshooting-microsoft-edge.md b/browsers/edge/troubleshooting-microsoft-edge.md
new file mode 100644
index 0000000000..5b3af2b0e3
--- /dev/null
+++ b/browsers/edge/troubleshooting-microsoft-edge.md
@@ -0,0 +1,20 @@
+---
+title: Troubleshoot Microsoft Edge
+description:
+ms.assetid:
+author: shortpatti
+ms.author: pashort
+ms.prod: edge
+ms.sitesec: library
+title: Deploy Microsoft Edge kiosk mode
+ms.localizationpriority: medium
+ms.date: 10/15/2018
+---
+
+# Troubleshoot Microsoft Edge
+
+
+## Microsoft Edge and IPv6
+We are aware that this is a known issue with Microsoft Edge and all UWP-based apps, such as Store, Mail, Feedback Hub, and so on. It only happens if you have disabled IPv6 (not recommended), so a temporary workaround is to enable IPv6.
+
+## Microsoft Edge hijacks .PDF and .HTM files
diff --git a/browsers/edge/use-powershell-to-manage-group-policy.md b/browsers/edge/use-powershell-to-manage-group-policy.md
deleted file mode 100644
index 5747091d66..0000000000
--- a/browsers/edge/use-powershell-to-manage-group-policy.md
+++ /dev/null
@@ -1,26 +0,0 @@
----
-title: Use Windows PowerShell to manage group policy
-description:
-ms.prod: edge
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype:
-ms.localizationpriority: medium
-ms.date: 10/02/2018
-ms.author: pashort
-author: shortpatti
----
-
-# Use Windows PowerShell to manage group policy
-
-Windows PowerShell supports group policy automation of the same tasks you perform in Group Policy Management Console (GPMC) for domain-based group policy objects (GPOs):
-
-- Maintain GPOs (GPO creation, removal, backup, and import)
-- Associate GPOs with Active Directory service containers (group policy link creation, update, and removal)
-- Set permissions on GPOs
-- Modify inheritance flags on Active Directory organization units (OUs) and domains
-- Configure registry-based policy settings and group policy preferences registry settings (update, retrieval, and removal)
-- Create starter GPOs
-
-
-
diff --git a/browsers/includes/interoperability-goals-enterprise-guidance.md b/browsers/includes/interoperability-goals-enterprise-guidance.md
index f980f943ee..a18552366f 100644
--- a/browsers/includes/interoperability-goals-enterprise-guidance.md
+++ b/browsers/includes/interoperability-goals-enterprise-guidance.md
@@ -1,7 +1,7 @@
 ---
 author: shortpatti
 ms.author: pashort
-ms.date: 10/02/2018
+ms.date: 10/15/2018
 ms.prod: edge
 ms:topic: include
 ---
@@ -18,19 +18,20 @@ You must continue using IE11 if web apps use any of the following: * <meta> tags -* Enterprise mode or compatibility view to address compatibility issues +* Enterprise mode or compatibility view to addressing compatibility issues -* legacy document modes [what is this?] +* legacy document modes -If you have uninstalled IE11, you can download it from the Microsoft Store or from the [Internet Explorer 11 download page](https://go.microsoft.com/fwlink/p/?linkid=290956). Alternatively, you can use Enterprise Mode with Microsoft Edge to transition only the sites that need these technologies to load in IE11. +If you have uninstalled IE11, you can download it from the Microsoft Store or the [Internet Explorer 11 download page](https://go.microsoft.com/fwlink/p/?linkid=290956). Alternatively, you can use Enterprise Mode with Microsoft Edge to transition only the sites that need these technologies to load in IE11. >[!TIP] ->If you want to use Group Policy to set Internet Explorer as your default browser, you can find the info here, [Set the default browser using Group Policy]( https://go.microsoft.com/fwlink/p/?LinkId=620714). +>If you want to use Group Policy to set Internet Explorer as your default browser, you can find the info here, [Set the default browser using Group Policy](https://go.microsoft.com/fwlink/p/?LinkId=620714). |Technology |Why it existed |Why we don't need it anymore | |---------|---------|---------| |ActiveX |ActiveX is a binary extension model introduced in 1996 which allowed developers to embed native Windows technologies (COM/OLE) in web pages. These controls can be downloaded and installed from a site and were subsequently loaded in-process and rendered in Internet Explorer. | | |Browser Helper Objects (BHO) |BHOs are a binary extension model introduced in 1997 which enabled developers to write COM objects that were loaded in-process with the browser and could perform actions on available windows and modules. 
A common use was to build toolbars that installed into Internet Explorer. | | -|Document modes | Starting with IE8, Internet Explorer introduced a new “document mode” with every release. These document modes could be requested via the x-ua-compatible header to put the browser into a mode which emulates legacy versions. |Similar to other modern browsers, Microsoft Edge will have a single “living” document mode. In order to minimize the compatibility burden, features will be tested behind switches in about:flags until they are stable and ready to be turned on by default. | +|Document modes | Starting with IE8, Internet Explorer introduced a new “document mode” with every release. These document modes could be requested via the x-ua-compatible header to put the browser into a mode which emulates legacy versions. |Similar to other modern browsers, Microsoft Edge has a single “living” document mode. To minimize the compatibility burden, we test features behind switches in about:flags until stable and ready to be turned on by default. | +--- diff --git a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md index 154ad6670a..a503628344 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md +++ b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md @@ -159,7 +159,7 @@ This table includes the attributes used by the Enterprise Mode schema. <exclude> -Specifies the domain or path that is excluded from getting the behavior applied. This attribute is supported on the <domain> and <path> elements. +Specifies the domain or path excluded from applying the behavior and is supported on the <domain> and <path> elements.

Example

 <emie>
@@ -167,7 +167,7 @@ This table includes the attributes used by the Enterprise Mode schema.
     <path exclude="true">/products</path>
   </domain>
 </emie>

-Where http://fabrikam.com doesn't use IE8 Enterprise Mode, but http://fabrikam.com/products does. +Where http://fabrikam.com uses IE8 Enterprise Mode, but http://fabrikam.com/products does not. Internet Explorer 11 and Microsoft Edge @@ -230,4 +230,4 @@ If you want to target specific sites in your organization. |You can specify subdomains in the domain tag. |<docMode>
<domain docMode="5">contoso.com</domain>
<domain docMode="9">info.contoso.com</domain>
<docMode>
|

| |You can specify exact URLs by listing the full path. |<emie>
<domain exclude="false">bing.com</domain>
<domain exclude="false" forceCompatView="true">contoso.com</domain>
<emie>
|| |You can nest paths underneath domains. |<emie>
<domain exclude="true">contoso.com
<path exclude="false">/about</path>
<path exclude="true">
/about/business</path>
</domain>
</emie>
| | -|You can’t add a path underneath a path. The file will still be parsed, but the sub-path will be ignored. |<emie>
<domain exclude="true">contoso.com
<path>/about
<path exclude="true">/business</path>
</path>
</domain>
</emie>
| | \ No newline at end of file +|You can’t add a path underneath a path. The file will still be parsed, but the sub-path will be ignored. |<emie>
<domain exclude="true">contoso.com
<path>/about
<path exclude="true">/business</path>
</path>
</domain>
</emie>
| | diff --git a/browsers/internet-explorer/ie11-ieak/ieak-information-and-downloads.md b/browsers/internet-explorer/ie11-ieak/ieak-information-and-downloads.md index e6c5587108..0e0ea99ea5 100644 --- a/browsers/internet-explorer/ie11-ieak/ieak-information-and-downloads.md +++ b/browsers/internet-explorer/ie11-ieak/ieak-information-and-downloads.md @@ -2,10 +2,10 @@ ms.localizationpriority: medium ms.mktglfcycl: support ms.pagetype: security -description: The Internet Explorer Administration Kit (IEAK) simplifies the creation, deployment, and management of customized Internet Explorer packages. You can use the IEAK to configure the out-of-box Internet Explorer experience or to manage user settings after Internet Explorer deployment. +description: The Internet Explorer Administration Kit (IEAK) simplifies the creation, deployment, and management of customized Internet Explorer packages. Use the IEAK to configure the out-of-box Internet Explorer experience or to manage user settings after Internet Explorer deployment. author: shortpatti ms.author: pashort -ms.manager: elizapo +ms.manager: dougkim ms.prod: ie11 ms.assetid: title: Internet Explorer Administration Kit (IEAK) information and downloads @@ -15,8 +15,11 @@ ms.date: 05/10/2018 # Internet Explorer Administration Kit (IEAK) information and downloads +>Applies to: Windows 10 + The Internet Explorer Administration Kit (IEAK) simplifies the creation, deployment, and management of customized Internet Explorer packages. You can use the IEAK to configure the out-of-box Internet Explorer experience or to manage user settings after Internet Explorer deployment. To find more information on the IEAK, see [What IEAK can do for you](what-ieak-can-do-for-you.md). + ## Internet Explorer Administration Kit 11 (IEAK 11) [IEAK 11 documentation](index.md) 
diff --git a/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md b/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md
index 3370e6cf35..dafb293f9e 100644
--- a/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md
@@ -1,20 +1,19 @@ --- ms.localizationpriority: medium ms.mktglfcycl: plan -description: Learn about which version of the IEAK 11 you should run, based on your license agreement. +description: Learn about the version of the IEAK 11 you should run, based on your license agreement. author: pashort ms.author: shortpatti -ms.manager: elizapo ms.prod: ie11, ieak11 ms.assetid: 69d25451-08af-4db0-9daa-44ab272acc15 title: Determine the licensing version and features to use in IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros) ms.sitesec: library -ms.date: 05/02/2018 +ms.date: 10/23/2018 --- # Determine the licensing version and features to use in IEAK 11 -In addition to the Software License Terms for the Internet Explorer Administration Kit 11 (IEAK 11) (IEAK 11, the "software"), these Guidelines further define how you may and may not use the software to create versions of Internet Explorer 11 with optional customizations (the "customized browser") for internal use and distribution in accordance with the IEAK 11 Software License Terms. IEAK 11 is for testing purposes only and is not intended to be used in a production environment. +In addition to the Software License Terms for the Internet Explorer Administration Kit 11 (IEAK 11, referred to as the "software"), these Guidelines further define how you may and may not use the software to create versions of Internet Explorer 11 with optional customizations (referred to as the "customized browser") for internal use and distribution in accordance with the IEAK 11 Software License Terms. IEAK 11 is for testing purposes only and is not intended to be used in a production environment. During installation, you must pick a version of IEAK 11, either **External** or **Internal**, based on your license agreement. Your version selection decides the options you can chose, the steps you follow to deploy your Internet Explorer 11 package, and how you manage the browser after deployment. 
@@ -26,34 +25,35 @@ During installation, you must pick a version of IEAK 11, either **External** or ## Available features by version -|Internal |External | -|------------------------------------------|------------------------------------------| -|Welcome screen |Welcome screen | -|File locations |File locations | -|Platform selection |Platform selection | -|Language selection |Language selection | -|Package type selection |Package type selection | -|Feature selection |Feature selection | -|Automatic Version Synchronization (AVS) |Automatic Version Synchronization (AVS) | -|Custom components |Custom components | -|Internal install |Not available | -|User experience |Not available | -|Browser user interface |Browser user interface | -|Search providers |Search providers | -|Important URLs – Home page and support |Important URLs – Home page and support | -|Accelerators |Accelerators | -|Favorites, Favorites bar, and feeds |Favorites, Favorites bar, and feeds | -|Browsing options |Not available | -|First Run wizard and Welcome page options |First Run wizard and Welcome page options | -|Connection manager |Connection manager | -|Connection settings |Connection settings | -|Automatic configuration |Not available | -|Proxy settings |Proxy settings | -|Security and privacy settings |Not available | -|Add a root certificate |Not available | -|Programs |Programs | -|Additional settings |Not available | -|Wizard complete |Wizard complete | +| Feature | Internal | External | +| ---------------------------------------- | :---------------------------------------------: | :----------------------------------------------: | +|Welcome screen | ![Available](https://docs.microsoft.com/en-us/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/en-us/microsoft-edge/deploy/images/148767.png) | +|File locations | ![Available](https://docs.microsoft.com/en-us/microsoft-edge/deploy/images/148767.png) | 
![Available](https://docs.microsoft.com/en-us/microsoft-edge/deploy/images/148767.png) | +|Platform selection | ![Available](https://docs.microsoft.com/en-us/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/en-us/microsoft-edge/deploy/images/148767.png) | +|Language selection | ![Available](https://docs.microsoft.com/en-us/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/en-us/microsoft-edge/deploy/images/148767.png) | +|Package type selection | ![Available](https://docs.microsoft.com/en-us/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/en-us/microsoft-edge/deploy/images/148767.png) | +|Feature selection | ![Available](https://docs.microsoft.com/en-us/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/en-us/microsoft-edge/deploy/images/148767.png) | +|Automatic Version Synchronization (AVS) | ![Available](https://docs.microsoft.com/en-us/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/en-us/microsoft-edge/deploy/images/148767.png) | +|Custom components | ![Available](https://docs.microsoft.com/en-us/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/en-us/microsoft-edge/deploy/images/148767.png) | +|Internal install | ![Available](https://docs.microsoft.com/en-us/microsoft-edge/deploy/images/148767.png) | ![Not available](https://docs.microsoft.com/en-us/microsoft-edge/deploy/images/148766.png) | +|User experience | ![Available](https://docs.microsoft.com/en-us/microsoft-edge/deploy/images/148767.png) | ![Not available](https://docs.microsoft.com/en-us/microsoft-edge/deploy/images/148766.png) | +|Browser user interface | ![Available](https://docs.microsoft.com/en-us/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/en-us/microsoft-edge/deploy/images/148767.png) | +|Search providers | 
![Available](https://docs.microsoft.com/en-us/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/en-us/microsoft-edge/deploy/images/148767.png) | +|Important URLs – Home page and support | ![Available](https://docs.microsoft.com/en-us/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/en-us/microsoft-edge/deploy/images/148767.png) | +|Accelerators | ![Available](https://docs.microsoft.com/en-us/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/en-us/microsoft-edge/deploy/images/148767.png) | +|Favorites, Favorites bar, and feeds | ![Available](https://docs.microsoft.com/en-us/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/en-us/microsoft-edge/deploy/images/148767.png) | +|Browsing options | ![Available](https://docs.microsoft.com/en-us/microsoft-edge/deploy/images/148767.png) | ![Not available](https://docs.microsoft.com/en-us/microsoft-edge/deploy/images/148766.png) | +|First Run wizard and Welcome page options | ![Available](https://docs.microsoft.com/en-us/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/en-us/microsoft-edge/deploy/images/148767.png) | +|Connection manager | ![Available](https://docs.microsoft.com/en-us/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/en-us/microsoft-edge/deploy/images/148767.png) | +|Connection settings | ![Available](https://docs.microsoft.com/en-us/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/en-us/microsoft-edge/deploy/images/148767.png) | +|Automatic configuration | ![Available](https://docs.microsoft.com/en-us/microsoft-edge/deploy/images/148767.png) | ![Not available](https://docs.microsoft.com/en-us/microsoft-edge/deploy/images/148766.png) | +|Proxy settings | ![Available](https://docs.microsoft.com/en-us/microsoft-edge/deploy/images/148767.png) | 
![Available](https://docs.microsoft.com/en-us/microsoft-edge/deploy/images/148767.png) | +|Security and privacy settings | ![Available](https://docs.microsoft.com/en-us/microsoft-edge/deploy/images/148767.png) | ![Not available](https://docs.microsoft.com/en-us/microsoft-edge/deploy/images/148766.png) | +|Add a root certificate | ![Available](https://docs.microsoft.com/en-us/microsoft-edge/deploy/images/148767.png) | ![Not available](https://docs.microsoft.com/en-us/microsoft-edge/deploy/images/148766.png) | +|Programs | ![Available](https://docs.microsoft.com/en-us/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/en-us/microsoft-edge/deploy/images/148767.png) | +|Additional settings | ![Available](https://docs.microsoft.com/en-us/microsoft-edge/deploy/images/148767.png) | ![Not available](https://docs.microsoft.com/en-us/microsoft-edge/deploy/images/148766.png) | +|Wizard complete | ![Available](https://docs.microsoft.com/en-us/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/en-us/microsoft-edge/deploy/images/148767.png) | +--- ## Customization guidelines @@ -68,7 +68,7 @@ Two installation modes are available to you, depending on how you are planning t The table below identifies which customizations you may or may not perform based on the mode you selected. | **Feature Name** | **External Distribution** | **Internal Distribution** | -|---------------------------------|----------------------|-------------------| +|---------------------------------|:--------------------:|:-------------------:| | **Custom Components** | Yes | Yes | | **Title Bar** | Yes | Yes | | **Favorites** | One folder, containing any number of links. | Any number of folders/links. | 
@@ -99,4 +99,4 @@ Two installation modes are available to you, depending on how you are planning t You shall use commercially reasonable efforts to maintain the quality of (i) any non-Microsoft software distributed with Internet Explorer 11, and (ii) any media used for distribution (for example, optical media, flash drives), at a level that meets or exceeds the highest industry standards. If you distribute add-ons with Internet Explorer 11, those add-ons must comply with the [Microsoft browser extension policy](https://docs.microsoft.com/en-us/legal/windows/agreements/microsoft-browser-extension-policy). - **Internal Distribution - corporate intranet** - The software is solely for use by your employees within your company's organization and affiliated companies through your corporate intranet. Neither you nor any of your employees may permit redistribution of the software to or for use by third parties other than for third parties such as consultants, contractors, and temporary staff accessing your corporate intranet. \ No newline at end of file + The software is solely for use by your employees within your company's organization and affiliated companies through your corporate intranet. Neither you nor any of your employees may permit redistribution of the software to or for use by third parties other than for third parties such as consultants, contractors, and temporary staff accessing your corporate intranet. diff --git a/devices/hololens/TOC.md b/devices/hololens/TOC.md index e1fa685f30..bec5bec56b 100644 --- a/devices/hololens/TOC.md +++ b/devices/hololens/TOC.md 
@@ -10,8 +10,5 @@ ## [Share HoloLens with multiple people](hololens-multiple-users.md) ## [Configure HoloLens using a provisioning package](hololens-provisioning.md) ## [Install apps on HoloLens](hololens-install-apps.md) -## [Preview new mixed reality apps for HoloLens](hololens-public-preview-apps.md) -### [Microsoft Remote Assist app](hololens-microsoft-remote-assist-app.md) -### [Microsoft Layout app](hololens-microsoft-layout-app.md) ## [Enable Bitlocker device encryption for HoloLens](hololens-encryption.md) ## [Change history for Microsoft HoloLens documentation](change-history-hololens.md) \ No newline at end of file diff --git a/devices/hololens/change-history-hololens.md b/devices/hololens/change-history-hololens.md index f7cd722421..0b9f30c11d 100644 --- a/devices/hololens/change-history-hololens.md +++ b/devices/hololens/change-history-hololens.md @@ -9,14 +9,21 @@ author: jdeckerms ms.author: jdecker ms.topic: article ms.localizationpriority: medium -ms.date: 07/27/2018 +ms.date: 10/23/2018 --- # Change history for Microsoft HoloLens documentation This topic lists new and updated topics in the [Microsoft HoloLens documentation](index.md). +## October 2018 +New or changed topic | Description +--- | --- +[Preview new mixed reality apps for HoloLens](hololens-public-preview-apps.md) | Removed, and redirected to [Mixed reality apps](https://docs.microsoft.com/dynamics365/#pivot=mixed-reality-apps) +[Microsoft Remote Assist app](hololens-microsoft-remote-assist-app.md) | Removed, and redirected to [Overview of Dynamics 365 Remote Assist](https://docs.microsoft.com/dynamics365/mixed-reality/remote-assist/) +[Microsoft Dynamics 365 Layout app](hololens-microsoft-dynamics-365-layout-app.md) | Removed, and redirected to [Overview of Dynamics 365 Layout](https://docs.microsoft.com/dynamics365/mixed-reality/layout/) +[Insider preview for Microsoft HoloLens](hololens-insider.md) | Added instructions for opting out of Insider builds. ## July 2018 
diff --git a/devices/hololens/hololens-insider.md b/devices/hololens/hololens-insider.md index 05e12d5cce..3b41c79294 100644 --- a/devices/hololens/hololens-insider.md +++ b/devices/hololens/hololens-insider.md @@ -7,15 +7,15 @@ author: jdeckerms ms.author: jdecker ms.topic: article ms.localizationpriority: medium -ms.date: 07/27/2018 +ms.date: 10/23/2018 --- # Insider preview for Microsoft HoloLens Welcome to the latest Insider Preview builds for HoloLens! It’s simple to get started and provide valuable feedback for our next major operating system update for HoloLens. ->Latest insider version: 10.0.17720.1000 + ## How do I install the Insider builds? 
@@ -25,9 +25,21 @@ Then, select **Active development of Windows**, choose whether you’d like to r Select **Confirm -> Restart Now** to finish up. After your device has rebooted, go to **Settings -> Update & Security -> Check for updates** to get the latest build. +## How do I stop receiving Insider builds? + +If you no longer want to receive Insider builds of Windows Holographic, you can opt out when your HoloLens is running a production build, or you can [recover your device](https://docs.microsoft.com/windows/mixed-reality/reset-or-recover-your-hololens#perform-a-full-device-recovery) using the Windows Device Recovery Tool to recover your device to a non-Insider version of Windows Holographic. + +To verify that your HoloLens is running a production build: +- Go to **Settings > System > About**, and find the build number. +- If the build number is 10.0.17763.1, your HoloLens is running a production build. [See the list of production build numbers.](https://www.microsoft.com/itpro/windows-10/release-information) + +To opt out of Insider builds: +- On a HoloLens running a production build, go to **Settings > Update & Security > Windows Insider Program**, and select **Stop Insider builds**. +- Follow the instructions to opt out your device. + ## New features for HoloLens -The latest Insider Preview (RS5) has arrived for all HoloLens customers! This latest flight is packed with improvements that have been introduced since the [last major release of HoloLens software in May 2018](https://docs.microsoft.com/windows/mixed-reality/release-notes). +The latest Insider Preview (RS5) has arrived for all HoloLens customers! This latest flight is packed with improvements that have been introduced since the [last major release of HoloLens software in May 2018](https://docs.microsoft.com/windows/mixed-reality/release-notes-october-2018). ### For everyone 
@@ -82,14 +94,16 @@ In order to switch to the Chinese or Japanese version of HoloLens, you’ll need 6. The tool will automatically detect your HoloLens. Select the Microsoft HoloLens tile. 7. On the next screen, select **Manual package selection** and choose the installation file contained in the folder you unzipped in step 4. (Look for a file with the extension “.ffu”.) 8. Select **Install software** and follow the instructions to finish installing. -9. Once the build is installed, HoloLens setup will start automatically. Put on the device and follow the setup directions. +9. Once the build is installed, HoloLens setup will start automatically. Put on the device and follow the setup directions. +10. After you complete setup, go to **Settings -> Update & Security -> Windows Insider Program** and select **Get started**. Link the account you used to register as a Windows Insider. Then, select **Active development of Windows**, choose whether you’d like to receive **Fast** or **Slow** builds, and review the program terms. Select **Confirm -> Restart Now** to finish up. After your device has rebooted, go to **Settings -> Update & Security -> Check for updates** to get the latest build. -When you’re done with setup, go to **Settings -> Update & Security -> Windows Insider Program** and check that you’re configured to receive the latest preview builds. The Chinese/Japanese version of HoloLens will be kept up-to-date with the latest preview builds via the Windows Insider Program the same way the English version is. + + ## Note for language support - You can’t change the system language between English, Japanese, and Chinese using the Settings app. Flashing a new build is the only supported way to change the device system language. -- While you can enter Simplified Chinese / Japanese text using the on-screen Pinyin keyboard, typing in Simplified Chinese / Japanese using a Bluetooth hardware keyboard is not supported at this time. 
However, on Chinese/Japanese HoloLens, you can continue to use a BT keyboard to type in English (the ~ key on a hardware keyboard toggles the keyboard to type in English). +- While you can enter Simplified Chinese / Japanese text using the on-screen Pinyin keyboard, typing in Simplified Chinese / Japanese using a Bluetooth hardware keyboard is not supported at this time. However, on Chinese/Japanese HoloLens, you can continue to use a BT keyboard to type in English (the Shift key on a hardware keyboard toggles the keyboard to type in English). ## Note for developers diff --git a/devices/hololens/hololens-install-apps.md b/devices/hololens/hololens-install-apps.md index 3de34452cf..05d7673aa2 100644 --- a/devices/hololens/hololens-install-apps.md +++ b/devices/hololens/hololens-install-apps.md @@ -8,7 +8,7 @@ author: jdeckerms ms.author: jdecker ms.topic: article ms.localizationpriority: medium -ms.date: 12/20/2017 +ms.date: 10/23/2018 --- # Install apps on HoloLens @@ -83,7 +83,7 @@ Using Intune, you can also [monitor your app deployment](https://docs.microsoft. ![App Manager](images/apps.png) -5. In **Install app**, select an **app package** from a folder on your computer or network. If the app package requires additional software, click **Add dependency**. +5. In **Install app**, select an **app package** from a folder on your computer or network. If the app package requires additional software, such as dependency frameworks, select **I want to specify framework packages**. 6. In **Deploy**, click **Go** to deploy the app package and added dependencies to the connected HoloLens. diff --git a/devices/hololens/hololens-kiosk.md b/devices/hololens/hololens-kiosk.md index 9b54f8a335..8f05c5e15c 100644 --- a/devices/hololens/hololens-kiosk.md +++ b/devices/hololens/hololens-kiosk.md @@ -7,7 +7,7 @@ author: jdeckerms ms.author: jdecker ms.topic: article ms.localizationpriority: medium -ms.date: 05/22/2018 +ms.date: 08/14/2018 --- # Set up HoloLens in kiosk mode 
diff --git a/devices/hololens/hololens-microsoft-layout-app.md b/devices/hololens/hololens-microsoft-layout-app.md
deleted file mode 100644
index 4f5540e858..0000000000
--- a/devices/hololens/hololens-microsoft-layout-app.md
+++ /dev/null
@@ -1,73 +0,0 @@ ---- -title: Microsoft Layout -description: How to get and deploy the Microsoft Layout app throughout your organization -ms.prod: hololens -ms.sitesec: library -author: alhopper-msft -ms.author: alhopper -ms.topic: article -ms.localizationpriority: medium -ms.date: 05/21/2018 ---- -# Microsoft Layout - -Bring designs from concept to completion with confidence and speed. Import 3D models to easily create room layouts in real-world scale. Experience designs as high-quality holograms in physical space or virtual reality and edit with stakeholders in real time. With Microsoft Layout, see ideas in context, saving valuable time and money. - -## Device options and technical requirements - -Below are the device options, and technical requirements, to use and deploy Microsoft Layout throughout your organization. - -### Device options - -Microsoft Layout works with a HoloLens, or with a Windows Mixed Reality headset with motion controllers. - -#### HoloLens requirements - -| OS requirements | Details | -|:----------------------------------|:-----------------------------------------------------------| -| Build 10.0.17134.77 or above | See [Update HoloLens](https://support.microsoft.com/help/12643/hololens-update-hololens) for instructions on upgrading to this build. | - -#### Windows Mixed Reality headset requirements - -| Requirements | Details | -|:----------------------------------------------|:-----------------------------------------------------------| -| Windows 10 PC with build 16299.0 or higher | The Windows 10 PC hardware must be able to support the headset. See [Windows Mixed Reality PC hardware guidelines](https://support.microsoft.com/en-us/help/4039260/windows-10-mixed-reality-pc-hardware-guidelines) for specific hardware requirements. We recommend following the **Windows Mixed Reality Ultra** hardware guidelines. | -| Motion controllers | Motion controllers are hardware accessories that allow users to take action in mixed reality. 
See [Motion controllers](https://docs.microsoft.com/en-us/windows/mixed-reality/motion-controllers) to learn more. | - -### Technical requirements - -Have the following technical requirements in place to start using Microsoft Layout. - -| Requirement | Details | Learn more | -|:----------------------------------|:------------------|:------------------| -| Azure Active Directory (Azure AD) | Required for app distribution through the [Microsoft Store for Business](https://docs.microsoft.com/en-us/microsoft-store/sign-up-microsoft-store-for-business). If you choose not to distribute the app through the Microsoft Store for Business, users can also install Layout on a HoloLens or PC from the [Microsoft Store](https://www.microsoft.com/en-us/store/apps). | [Get started with Azure AD](https://docs.microsoft.com/en-us/azure/active-directory/get-started-azure-ad) | -| Network connectivity | Internet access is required to download the app, and utilize all of its features. There are no bandwidth requirements. | | -| Apps for sharing | Video calling or screen sharing requires a separate app, such as Microsoft Remote Assist on HoloLens, or Skype or Skype for Business on Windows Mixed Reality headsets.

A Windows 10 PC that meets the Windows Mixed Reality Ultra specifications is also required for video calling or screen sharing when using Layout with a Windows Mixed Reality headset. | [Remote Assist](hololens-microsoft-remote-assist-app.md)

[Windows Mixed Reality PC hardware guidelines](https://support.microsoft.com/en-us/help/4039260/windows-10-mixed-reality-pc-hardware-guidelines) | -| Import Tool for Microsoft Layout | The Import Tool for Microsoft Layout is a companion app for Layout that makes model optimization and management easy. The Import Tool runs on Windows 10 PCs, and is required to transfer existing 3D models from your PC to Microsoft Layout, so they can be viewed and edited from the HoloLens or mixed reality headset. The Import Tool is also required to transfer Visio space dimensions to the HoloLens or Windows Mixed Reality headset. | [Import Tool for Microsoft Layout](#get-and-deploy-the-import-tool-for-microsoft-layout) | - -## Get and deploy Microsoft Layout - -Microsoft Layout is available from the Microsoft Store for Business for free for a limited time: - -1. Go to the [Microsoft Layout](https://businessstore.microsoft.com/en-us/store/details/app/9NSJN53K3GFJ) app in the Microsoft Store for Business. -1. Click **Get the app**. Microsoft Layout is added to the **Products and Services** tab for your private store. -1. Users can open the **Products and Services** tab to install the app to their device, or you can deploy the app throughout your organization using MDM. See [Install apps on HoloLens](hololens-install-apps.md) for further instructions on deploying apps. - -For a limited time, users can also [Get Microsoft Layout from the Microsoft Store](https://www.microsoft.com/store/productId/9NSJN53K3GFJ) for free. - -### Get and deploy the Import Tool for Microsoft Layout - -The **Import Tool for Microsoft Layout** is a companion app for Layout that makes model optimization and management easy. The Import Tool runs on Windows 10 PCs, and is required to transfer existing 3D models from your PC to Microsoft Layout, for viewing and editing on Microsoft HoloLens or a Windows Mixed Reality headset. 
- -The companion app is available in both the Microsoft Store for Business, and the Microsoft Store, for free for a limited time: - -* [Get the Microsoft Layout Import Tool](https://businessstore.microsoft.com/en-us/store/details/app/9N88Q3RXPLP0) from the Microsoft Store for Business. See [Distribute apps to your employees from Microsoft Store for Business](https://docs.microsoft.com/en-us/microsoft-store/distribute-apps-to-your-employees-microsoft-store-for-business) for instructions on using the Microsoft Store for Business, and/or MDM, to deploy Windows 10 apps throughout your organization. -* Alternately, have your users [Get the Microsoft Layout Import Tool](https://www.microsoft.com/store/productId/9N88Q3RXPLP0) from the Microsoft Store to install the app on their Windows 10 PC. - -## Use Microsoft Layout - -For guidance on using the features of the Microsoft Layout app, please see [Set up and use Microsoft Layout](https://support.microsoft.com/help/4294437). - -## Questions and support - -You can ask questions and engage with our team in the [Mixed Reality Tech Community](https://techcommunity.microsoft.com/t5/Mixed-Reality/ct-p/MixedReality). \ No newline at end of file diff --git a/devices/hololens/hololens-microsoft-remote-assist-app.md b/devices/hololens/hololens-microsoft-remote-assist-app.md deleted file mode 100644 index 221c650ada..0000000000 --- a/devices/hololens/hololens-microsoft-remote-assist-app.md +++ /dev/null 
@@ -1,64 +0,0 @@ ---- -title: Microsoft Remote Assist -description: How to get and deploy the Microsoft Remote Assist app throughout your organization -ms.prod: hololens -ms.sitesec: library -author: alhopper-msft -ms.author: alhopper -ms.topic: article -ms.localizationpriority: medium -ms.date: 05/22/2018 ---- -# Microsoft Remote Assist - -Collaborate remotely with heads-up, hands-free video calling, image sharing, and mixed reality annotations. Firstline workers can share what they see with any expert on Microsoft Teams, while staying hands on to solve problems and complete tasks together, faster. Backed by enterprise-level security, Microsoft Remote Assist enables communication with peace of mind. - -## Technical requirements - -Below are the technical requirements to deploy and use Microsoft Remote Assist throughout your organization. - -### Device requirements - -| Device | OS requirements | Details | -|:---------------------------|:----------------------------------|:-----------------------------------------------------------| -| HoloLens | Build 10.0.14393.0 or above | See [Manage updates to HoloLens](https://docs.microsoft.com/en-us/HoloLens/hololens-updates) for instructions on using Windows Update for Business, MDM, and Windows Server Update Service (WSUS) to deploy updates to HoloLens. | -| Windows 10 PC (optional) | Any Windows 10 build | A Windows 10 PC can collaborate with the HoloLens using Microsoft Teams. | - -> [!Note] -> HoloLens build 10.0.14393.0 is the minimum that supports Remote Assist. We recommend updating the HoloLens to newer versions when they are available. - -### Licensing & product requirements - -| Product required | Details | Learn more | -|:----------------------------------|:------------------|:------------------| -| Azure Active Directory (Azure AD) | Required to log users into the Remote Assist app through Microsoft Teams. 
Also required for app distribution through the [Microsoft Store for Business](https://docs.microsoft.com/en-us/microsoft-store/sign-up-microsoft-store-for-business). If you choose not to distribute the app through the Microsoft Store for Business, users can alternately install Remote Assist on a HoloLens or PC from the [Microsoft Store](https://www.microsoft.com/en-us/store/apps). | [Get started with Azure AD](https://docs.microsoft.com/en-us/azure/active-directory/get-started-azure-ad) | -| Microsoft Teams | Microsoft Teams facilitates communication in Remote Assist. Microsoft Teams must be installed on any device that will make calls to the HoloLens. | [Overview of Microsoft Teams](https://docs.microsoft.com/en-us/MicrosoftTeams/teams-overview) | -| Microsoft Office 365 | Because Microsoft Teams is part of Office 365, each user who will make calls from their PC/phone to the HoloLens will need an Office 365 license. | [Office 365 licensing for Microsoft Teams](https://docs.microsoft.com/en-us/MicrosoftTeams/office-365-licensing) | - -### Network requirements - -1.5 MB/s is the recommended bandwidth for optimal performance of Microsoft Remote Assist. Though audio/video calls may be possible in environments with reduced bandwidth, you may experience HoloLens feature degradation, limiting the user experience. To test your company’s network bandwidth, follow these steps: - - 1. Have a Teams user video call another Teams user. - 2. Add another separate video call between a 3rd and 4th user, and another for a 5th and 6th user. - 3. Continue adding video callers to stress test your network bandwidth until confident that multiple users can successfully connect on video calls at the same time. - -See [Preparing your organization's network for Microsoft Teams](https://docs.microsoft.com/en-us/MicrosoftTeams/prepare-network) to learn more. 
- -## Get and deploy Microsoft Remote Assist - -Microsoft Remote Assist is available from the Microsoft Store for Business for free for a limited time: - -1. Go to the [Microsoft Remote Assist](https://businessstore.microsoft.com/en-us/store/details/app/9PPJSDMD680S) app in the Microsoft Store for Business. -1. Click **Get the app**. Microsoft Remote Assist is added to the **Products and Services** tab for your private store. -1. Users can open the **Products and Services** tab to install the app to their device, or you can deploy the app throughout your organization using MDM. See [Install apps on HoloLens](hololens-install-apps.md) for further instructions on deploying apps. - -For a limited time, users can also [Get Microsoft Remote Assist from the Microsoft Store](https://www.microsoft.com/store/productId/9PPJSDMD680S) for free. - -## Use Microsoft Remote Assist - -For guidance on using the features of the Microsoft Remote Assist app, please see [Set up and use Microsoft Remote Assist](https://support.microsoft.com/en-us/help/4294812). - -## Questions and support - -You can ask questions and engage with our team in the [Mixed Reality Tech Community](https://techcommunity.microsoft.com/t5/Mixed-Reality/ct-p/MixedReality). diff --git a/devices/hololens/hololens-public-preview-apps.md b/devices/hololens/hololens-public-preview-apps.md deleted file mode 100644 index e3a966f008..0000000000 --- a/devices/hololens/hololens-public-preview-apps.md +++ /dev/null 
@@ -1,31 +0,0 @@ ---- -title: Preview new mixed reality apps for HoloLens -description: Here's how to download and distribute new mixed reality apps for HoloLens, free for a limited time during public preview -ms.prod: hololens -ms.sitesec: library -author: alhopper -ms.author: alhopper -ms.topic: article -ms.localizationpriority: medium -ms.date: 05/21/2018 ---- -# Preview new mixed reality apps for HoloLens - -Microsoft has just announced two new mixed reality apps coming to HoloLens: Microsoft Remote Assist and Microsoft Layout. - -The gap between the real and digital world limits our ability to take advantage of new technologies and transform how we work, learn, create, communicate, and live. **Mixed reality is here to close that gap**. - -Mixed reality has the potential to help customers and businesses across the globe do things that until now, have never been possible. Mixed reality helps businesses and employees complete crucial tasks faster, safer, more efficiently, and create new ways to connect to customers and partners. - -Ready to get started? Check out the links below to learn more about how you can download and deploy Microsoft's new commercial-focused mixed reality apps. - -## In this section - -| Topic | Description | -| --- | --- | -| [Microsoft Remote Assist](hololens-microsoft-remote-assist-app.md) | Microsoft Remote Assist enables collaboration in mixed reality to solve problems faster. Firstline workers can collaborate remotely with heads-up, hands-free video calling, image sharing, and mixed reality annotations. They can share what they see with an expert on Microsoft Teams, while staying hands-on to solve problems and complete tasks together, faster. | -| [Microsoft Layout](hololens-microsoft-layout-app.md ) | Bring designs from concept to completion with confidence and speed using Microsoft Layout. Import 3D models to easily create room layouts in real-world scale. 
Experience designs as high-quality holograms in physical or virtual space and edit in real time. With Microsoft Layout, you can see ideas in context, saving valuable time and money. | - -## Questions and support - -You can ask questions and engage with our team in the [Mixed Reality Tech Community](https://techcommunity.microsoft.com/t5/Mixed-Reality/ct-p/MixedReality). \ No newline at end of file diff --git a/devices/hololens/index.md b/devices/hololens/index.md index 786b38a1e3..2f5741df7e 100644 --- a/devices/hololens/index.md +++ b/devices/hololens/index.md @@ -32,7 +32,6 @@ ms.date: 07/27/2018 [Share HoloLens with multiple people](hololens-multiple-users.md) | Multiple users can shared a HoloLens device by using their Azure Active Directory accounts. | | [Configure HoloLens using a provisioning package](hololens-provisioning.md) | Provisioning packages make it easy for IT administrators to configure HoloLens devices without imaging | | [Install apps on HoloLens](hololens-install-apps.md) | Use Microsoft Store for Business, mobile device management (MDM), or the Windows Device Portal to install apps on HoloLens | -| [Preview new mixed reality apps for HoloLens](hololens-public-preview-apps.md) | Download and deploy new mixed reality apps for HoloLens, free for a limited time during public preview | | [Enable Bitlocker device encryption for HoloLens](hololens-encryption.md) | Learn how to use Bitlocker device encryption to protect files and information stored on the HoloLens | | [Change history for Microsoft HoloLens documentation](change-history-hololens.md) | See new and updated topics in the HoloLens documentation library. | diff --git a/devices/surface-hub/install-apps-on-surface-hub.md b/devices/surface-hub/install-apps-on-surface-hub.md index ffa77e640e..d043b182c5 100644 --- a/devices/surface-hub/install-apps-on-surface-hub.md +++ b/devices/surface-hub/install-apps-on-surface-hub.md 
@@ -8,7 +8,7 @@ ms.sitesec: library
 author: jdeckerms
 ms.author: jdecker
 ms.topic: article
-ms.date: 10/20/2017
+ms.date: 10/23/2018
 ms.localizationpriority: medium
 ---
 
@@ -19,7 +19,9 @@ You can install additional apps on your Surface Hub to fit your team or organiza A few things to know about apps on Surface Hub: - Surface Hub only runs [Universal Windows Platform (UWP) apps](https://msdn.microsoft.com/windows/uwp/get-started/whats-a-uwp). Apps created using the [Desktop App Converter](https://docs.microsoft.com/windows/uwp/porting/desktop-to-uwp-run-desktop-app-converter) will not run on Surface Hub. See a [list of apps that work with Surface Hub](https://support.microsoft.com/help/4040382/surface-Apps-that-work-with-Microsoft-Surface-Hub). - Apps must be targeted for the [Universal device family](https://msdn.microsoft.com/library/windows/apps/dn894631) or Windows Team device family. -- By default, apps must be Store-signed to be installed. During testing and development, you can also choose to run developer-signed UWP apps by placing the device in developer mode.- When submitting an app to the Microsoft Store, developers need to set Device family availability and Organizational licensing options to make sure an app will be available to run on Surface Hub. +- Surface Hub only supports [offline-licensed apps](https://docs.microsoft.com/microsoft-store/distribute-offline-apps) from Microsoft Store for Business. +- By default, apps must be Store-signed to be installed. During testing and development, you can also choose to run developer-signed UWP apps by placing the device in developer mode. +- When submitting an app to the Microsoft Store, developers need to set Device family availability and Organizational licensing options to make sure an app will be available to run on Surface Hub. - You need admin credentials to install apps on your Surface Hub. Since the device is designed to be used in communal spaces like meeting rooms, people can't access the Microsoft Store to download and install apps. 
diff --git a/devices/surface-hub/surface-hub-start-menu.md b/devices/surface-hub/surface-hub-start-menu.md index 5e6469aab1..06e75a666a 100644 --- a/devices/surface-hub/surface-hub-start-menu.md +++ b/devices/surface-hub/surface-hub-start-menu.md @@ -145,7 +145,7 @@ This example shows a link to a website and a link to a .pdf file. TileID="2678823080" DisplayName="Bing" Arguments="https://www.bing.com/" - Square150x150LogoUri="ms-appdata:///local/PinnedTiles/2678823080/lowres.png" + Square150x150LogoUri="ms-appx:///" Wide310x150LogoUri="ms-appx:///" ShowNameOnSquare150x150Logo="true" ShowNameOnWide310x150Logo="false" @@ -164,7 +164,10 @@ This example shows a link to a website and a link to a .pdf file. TileID="6153963000" DisplayName="cstrtqbiology.pdf" Arguments="-contentTile -formatVersion 0x00000003 -pinnedTimeLow 0x45b7376e -pinnedTimeHigh 0x01d2356c -securityFlags 0x00000000 -tileType 0x00000000 -url 0x0000003a https://www.ada.gov/regs2010/2010ADAStandards/Guidance_2010ADAStandards.pdf" - Square150x150LogoUri="ms-appdata:///local/PinnedTiles/2678823080/lowres.png" Wide310x150LogoUri="ms-appx:///" ShowNameOnSquare150x150Logo="true" ShowNameOnWide310x150Logo="true" + Square150x150LogoUri="ms-appx:///" + Wide310x150LogoUri="ms-appx:///" + ShowNameOnSquare150x150Logo="true" + ShowNameOnWide310x150Logo="true" BackgroundColor="#ff4e4248" Size="4x2" Row="4" @@ -177,6 +180,11 @@ This example shows a link to a website and a link to a .pdf file. ``` +>[!NOTE] +>Microsoft Edge tile logos won't appear on secondary tiles because they aren't stored in Surface Hub. +> +>The default value for `ForegroundText` is light; you don't need to include `ForegroundText` in your XML unless you're changing the value to dark. + ## More information - [Blog post: Changing Surface Hub’s Start Menu](https://blogs.technet.microsoft.com/y0av/2018/02/13/47/) diff --git a/devices/surface/battery-limit.md b/devices/surface/battery-limit.md index 2406c075e7..58d620b6a8 100644 
--- a/devices/surface/battery-limit.md +++ b/devices/surface/battery-limit.md @@ -19,7 +19,7 @@ Battery Limit option is a UEFI setting that changes how the Surface device batte Setting the device on Battery Limit changes the protocol for charging the device battery. When Battery Limit is enabled, the battery charge will be limited to 50% of its maximum capacity. The charge level reported in Windows will reflect this limit. Therefore, it will show that the battery is charged up to 50% and will not charge beyond this limit. If you enable Battery Limit while the device is above 50% charge, the Battery icon will show that the device is plugged in but discharging until the device reaches 50% of its maximum charge capacity. -Adding the Battery Limit option to Surface UEFI will require a [Surface UEFI firmware update](update.md), which will be made available through Windows Update or via the MSI driver and firmware packages on the Microsoft Download Center. Check [support article](https://support.microsoft.com/help/4464941) for the specific Surface UEFI version required for each device and supported devices. Currently, Battery Limit is only supported on Surface Pro 4 and Surface Pro 3. However, the setting will be available in the future on other Surface device models. +Adding the Battery Limit option to Surface UEFI will require a [Surface UEFI firmware update](update.md), which will be made available through Windows Update or via the MSI driver and firmware packages on the Microsoft Download Center. Check [Enable "Battery Limit" for Surface devices that have to be plugged in for extended periods of time](https://support.microsoft.com/help/4464941) for the specific Surface UEFI version required for each device and supported devices. Currently, Battery Limit is only supported on Surface Pro 4 and Surface Pro 3. However, the setting will be available in the future on other Surface device models. ## Enabling Battery Limit in Surface UEFI (Surface Pro 4 and later) 
diff --git a/devices/surface/change-history-for-surface.md b/devices/surface/change-history-for-surface.md index 86bde3c803..0e0ff5dcc7 100644 --- a/devices/surface/change-history-for-surface.md +++ b/devices/surface/change-history-for-surface.md @@ -7,7 +7,7 @@ ms.sitesec: library author: jdeckerms ms.author: jdecker ms.topic: article -ms.date: 10/02/2018 +ms.date: 10/15/2018 --- # Change history for Surface documentation @@ -19,6 +19,7 @@ This topic lists new and updated topics in the Surface documentation library. New or changed topic | Description --- | --- [Battery Limit setting](battery-limit.md) | New +|[Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md) | Added Surface GO | ## May 2018 diff --git a/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md b/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md index a023fdb141..116df9446d 100644 --- a/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md +++ b/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md @@ -9,7 +9,7 @@ ms.mktglfcycl: deploy ms.pagetype: surface, devices ms.sitesec: library author: brecords -ms.date: 09/13/2018 +ms.date: 10/15/2018 ms.author: jdecker ms.topic: article --- @@ -39,6 +39,11 @@ Recent additions to the downloads for Surface devices provide you with options t >A battery charge of 40% or greater is required before you install firmware to a Surface device. See [Microsoft Support article KB2909710](https://go.microsoft.com/fwlink/p/?LinkId=618106) for more information. +## Surface GO + +Download the following updates for [Surface GO from the Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=57439). +* SurfaceGO_Win10_17134_1802010_6.msi - Cumulative firmware and driver update package for Windows 10 + ## Surface Book 2 
diff --git a/devices/surface/microsoft-surface-data-eraser.md b/devices/surface/microsoft-surface-data-eraser.md index 3ba289e3e6..fece916499 100644 --- a/devices/surface/microsoft-surface-data-eraser.md +++ b/devices/surface/microsoft-surface-data-eraser.md @@ -26,6 +26,8 @@ Find out how the Microsoft Surface Data Eraser tool can help you securely wipe d Compatible Surface devices include: +* Surface Pro 6 +* Surface Laptop 2 * Surface Go * Surface Book 2 * Surface Pro with LTE Advanced (Model 1807) @@ -148,6 +150,14 @@ After you create a Microsoft Surface Data Eraser USB stick, you can boot a suppo Microsoft Surface Data Eraser is periodically updated by Microsoft. For information about the changes provided in each new version, see the following: +### Version 3.2.69.0 +*Release Date: 12 October 2018* + +This version of Surface Data Eraser adds support for the following: + +- Surface Pro 6 +- Surface Laptop 2 + ### Version 3.2.68.0 This version of Microsoft Surface Data Eraser adds support for the following: diff --git a/devices/surface/surface-dock-updater.md b/devices/surface/surface-dock-updater.md index 445be071c9..b8ee7359dc 100644 --- a/devices/surface/surface-dock-updater.md +++ b/devices/surface/surface-dock-updater.md @@ -117,6 +117,15 @@ Microsoft periodically updates Surface Dock Updater. To learn more about the app >[!Note] >Each update to Surface Dock firmware is included in a new version of Surface Dock Updater. To update a Surface Dock to the latest firmware, you must use the latest version of Surface Dock Updater. +### Version 2.23.139.0 +*Release Date: 10 October 2018* + +This version of Surface Dock Updater adds support for the following: + +- Add support for Surface Pro 6 +- Add support for Surface Laptop 2 + + ### Version 2.22.139.0 *Release Date: 26 July 2018* diff --git a/devices/surface/surface-enterprise-management-mode.md b/devices/surface/surface-enterprise-management-mode.md index 2932bee71c..f102c5147a 100644 
--- a/devices/surface/surface-enterprise-management-mode.md +++ b/devices/surface/surface-enterprise-management-mode.md @@ -191,6 +191,11 @@ For use with SEMM and Microsoft Surface UEFI Configurator, the certificate must ## Version History + +### Version 2.21.136.9 +* Add support to Surface Pro 6 +* Add support to Surface Laptop 2 + ### Version 2.14.136.0 * Add support to Surface Go diff --git a/education/index.md b/education/index.md index 20840df5df..1dc168eb0f 100644 --- a/education/index.md +++ b/education/index.md @@ -25,7 +25,7 @@ ms.date: 10/30/2017
  • - +
    diff --git a/education/windows/TOC.md b/education/windows/TOC.md index 533981750f..1729553e5c 100644 --- a/education/windows/TOC.md +++ b/education/windows/TOC.md @@ -3,6 +3,7 @@ ## [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md) ## [Deployment recommendations for school IT administrators](edu-deployment-recommendations.md) ## [Set up Windows devices for education](set-up-windows-10.md) +### [What's new in Set up School PCs](set-up-school-pcs-whats-new.md) ### [Technical reference for the Set up School PCs app](set-up-school-pcs-technical.md) #### [Azure AD Join for school PCs](set-up-school-pcs-azure-ad-join.md) #### [Shared PC mode for school devices](set-up-school-pcs-shared-pc-mode.md) diff --git a/education/windows/images/1810_Name_Your_Package_SUSPC.png b/education/windows/images/1810_Name_Your_Package_SUSPC.png new file mode 100644 index 0000000000..69b81c91e4 Binary files /dev/null and b/education/windows/images/1810_Name_Your_Package_SUSPC.png differ diff --git a/education/windows/images/1810_SUSPC_Insert_USB.png b/education/windows/images/1810_SUSPC_Insert_USB.png new file mode 100644 index 0000000000..c3fdd47011 Binary files /dev/null and b/education/windows/images/1810_SUSPC_Insert_USB.png differ diff --git a/education/windows/images/1810_SUSPC_Package_ready.png b/education/windows/images/1810_SUSPC_Package_ready.png new file mode 100644 index 0000000000..b296fb3f84 Binary files /dev/null and b/education/windows/images/1810_SUSPC_Package_ready.png differ diff --git a/education/windows/images/1810_SUSPC_Product_key.png b/education/windows/images/1810_SUSPC_Product_key.png new file mode 100644 index 0000000000..3619edb5bf Binary files /dev/null and b/education/windows/images/1810_SUSPC_Product_key.png differ 
diff --git a/education/windows/images/1810_SUSPC_Take_Test.png b/education/windows/images/1810_SUSPC_Take_Test.png
new file mode 100644
index 0000000000..d7920a492f
Binary files /dev/null and b/education/windows/images/1810_SUSPC_Take_Test.png differ
diff --git a/education/windows/images/1810_SUSPC_USB.png b/education/windows/images/1810_SUSPC_USB.png
new file mode 100644
index 0000000000..9e6be13a46
Binary files /dev/null and b/education/windows/images/1810_SUSPC_USB.png differ
diff --git a/education/windows/images/1810_SUSPC_add_apps.png b/education/windows/images/1810_SUSPC_add_apps.png
new file mode 100644
index 0000000000..d7a296722f
Binary files /dev/null and b/education/windows/images/1810_SUSPC_add_apps.png differ
diff --git a/education/windows/images/1810_SUSPC_app_error.png b/education/windows/images/1810_SUSPC_app_error.png
new file mode 100644
index 0000000000..a2d3a35e34
Binary files /dev/null and b/education/windows/images/1810_SUSPC_app_error.png differ
diff --git a/education/windows/images/1810_SUSPC_available_settings.png b/education/windows/images/1810_SUSPC_available_settings.png
new file mode 100644
index 0000000000..a208aa1fa8
Binary files /dev/null and b/education/windows/images/1810_SUSPC_available_settings.png differ
diff --git a/education/windows/images/1810_SUSPC_personalization.png b/education/windows/images/1810_SUSPC_personalization.png
new file mode 100644
index 0000000000..bbcbf878f0
Binary files /dev/null and b/education/windows/images/1810_SUSPC_personalization.png differ
diff --git a/education/windows/images/1810_SUSPC_select_Wifi.png b/education/windows/images/1810_SUSPC_select_Wifi.png
new file mode 100644
index 0000000000..f0f54c55c9
Binary files /dev/null and b/education/windows/images/1810_SUSPC_select_Wifi.png differ
diff --git a/education/windows/images/1810_SUSPC_summary.png b/education/windows/images/1810_SUSPC_summary.png
new file mode 100644
index 0000000000..de83332463
Binary files /dev/null and b/education/windows/images/1810_SUSPC_summary.png differ
diff --git a/education/windows/images/1810_Sign_In_SUSPC.png b/education/windows/images/1810_Sign_In_SUSPC.png
new file mode 100644
index 0000000000..b4ac241f72
Binary files /dev/null and b/education/windows/images/1810_Sign_In_SUSPC.png differ
diff --git a/education/windows/images/1810_choose_account_SUSPC.png b/education/windows/images/1810_choose_account_SUSPC.png
new file mode 100644
index 0000000000..c702fc87ea
Binary files /dev/null and b/education/windows/images/1810_choose_account_SUSPC.png differ
diff --git a/education/windows/images/1810_name-devices_SUSPC.png b/education/windows/images/1810_name-devices_SUSPC.png
new file mode 100644
index 0000000000..6cfe014572
Binary files /dev/null and b/education/windows/images/1810_name-devices_SUSPC.png differ
diff --git a/education/windows/images/1810_suspc_settings.png b/education/windows/images/1810_suspc_settings.png
new file mode 100644
index 0000000000..c42bf2337e
Binary files /dev/null and b/education/windows/images/1810_suspc_settings.png differ
diff --git a/education/windows/images/1810_suspc_timezone.png b/education/windows/images/1810_suspc_timezone.png
new file mode 100644
index 0000000000..1a4dfb7aa1
Binary files /dev/null and b/education/windows/images/1810_suspc_timezone.png differ
diff --git a/education/windows/set-up-school-pcs-provisioning-package.md b/education/windows/set-up-school-pcs-provisioning-package.md
index 16b671865d..a995eb5f41 100644
--- a/education/windows/set-up-school-pcs-provisioning-package.md
+++ b/education/windows/set-up-school-pcs-provisioning-package.md
@@ -10,7 +10,7 @@ ms.pagetype: edu ms.localizationpriority: medium author: lenewsad ms.author: lanewsad -ms.date: 07/13/2018 +ms.date: 10/17/2018 --- # What's in my provisioning package? @@ -107,6 +107,22 @@ Set up School PCs uses the Universal app install policy to install school-releva * OneNote * Sway +## Provisioning time estimates +The time it takes to install a package on a device depends on the: + +* Strength of network connection +* Number of policies and apps within the package +* Additional configurations made to the device + +Review the table below to estimate your expected provisioning time. A package that only applies Set Up School PC's default configurations will provision the fastest. A package that removes pre-installed apps, through CleanPC, will take much longer to provision. + +|Configurations |Connection type |Estimated provisioning time | +|---------|---------|---------| +|Default settings only | Wi-Fi | 3 to 5 minutes | +|Default settings + apps | Wi-Fi | 10 to 15 minutes | +|Default settings + remove pre-installed apps (CleanPC) | Wi-Fi | 60 minutes | +|Default settings + other settings (Not CleanPC) | Wi-Fi | 5 minutes | + ## Next steps Learn more about setting up devices with the Set up School PCs app. * [Azure AD Join with Set up School PCs](set-up-school-pcs-azure-ad-join.md) diff --git a/education/windows/set-up-school-pcs-whats-new.md b/education/windows/set-up-school-pcs-whats-new.md new file mode 100644 index 0000000000..e942cf9a0a --- /dev/null +++ b/education/windows/set-up-school-pcs-whats-new.md 
@@ -0,0 +1,57 @@ +--- +title: What's new in the Windows Set up School PCs app +description: Find out about app updates and new features in Set up School PCs. +keywords: shared cart, shared PC, school, set up school pcs +ms.prod: w10 +ms.technology: Windows +ms.mktglfcycl: plan +ms.sitesec: library +ms.pagetype: edu +ms.localizationpriority: medium +author: lenewsad +ms.author: lanewsad +ms.date: 10/23/2018 +--- + +# What's new in Set up School PCs +Learn what’s new with the Set up School PCs app each week. Find out about new app features and functionality, and see updated screenshots. You'll also find information about past releases. + +## Week of October 15, 2018 + +The Set up School PCs app was updated with the following changes: + +### Three new setup screens added to the app +The following screens and functionality were added to the setup workflow. Select any screenname to view the relevant steps and screenshots in the Set Up School PCs docs. + +* [**Package name**](use-set-up-school-pcs-app.md#package-name): Customize a package name to make it easy to recognize it from your school's other packages. The name is generated by Azure Active Directory and appears as the filename and as the token name in Azure AD in the Azure portal. + +* [**Product key**](use-set-up-school-pcs-app.md#product-key): Enter a product key to upgrade your current edition of Windows 10, or change the existing product key. + +* [**Personalization**](use-set-up-school-pcs-app.md#personalization): Upload images from your computer to customize how the lock screen and background appears on student devices. + +### Azure AD token expiration extended to 180 days +Packages now expire 180 days from the date you create them. + +### Updated apps with more helpful, descriptive text +We've updated the app's **Skip** buttons to clarify the intent of each action. You'll also see an **Exit** button on the last page of the app. 
+ +### Option to keep existing device names +The [**Name these devices** screen](use-set-up-school-pcs-app.md#device-names) now gives you the option to keep the orginal or existing names of your student devices. + +### Skype and Messaging apps to be removed from student PCs by default +We've added the Skype and Messaging app to a selection of apps that are, by default, removed from student devices. + + +## Next steps +Learn more about setting up devices with the Set up School PCs app. +* [What's in my provisioning package?](set-up-school-pcs-provisioning-package.md) +* [Shared PC mode for schools](set-up-school-pcs-shared-pc-mode.md) +* [Set up School PCs technical reference](set-up-school-pcs-technical.md) +* [Set up Windows 10 devices for education](set-up-windows-10.md) + +When you're ready to create and apply your provisioning package, see [Use Set up School PCs app](use-set-up-school-pcs-app.md). + + + + + diff --git a/education/windows/take-a-test-multiple-pcs.md b/education/windows/take-a-test-multiple-pcs.md index b71c991d7c..90429edde2 100644 --- a/education/windows/take-a-test-multiple-pcs.md +++ b/education/windows/take-a-test-multiple-pcs.md 
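Review bot: The new "Azure AD token expiration extended to 180 days" section states the longer lifetime but gives no handling guidance for the saved package. The "Package name" bullet says the name appears as the token name in Azure AD, so a USB drive holding the package presumably stays usable for joining devices until the expiration date; that is inferred from this page rather than shown in it. I would add a sentence such as `Store the USB drive securely and remove packages you no longer need, because a package can be used until it expires.` Separately, "orginal" and "screenname" in the added lines are typos for "original" and "screen name".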
@@ -154,23 +154,26 @@ To set up a test account through Windows Configuration Designer, follow these st 4. Follow the steps in [Apply a provisioning package](https://technet.microsoft.com/en-us/itpro/windows/configure/provisioning-apply-package) to apply the package that you created. -### Set up a test account in Group Policy -To set up a test account using Group Policy, first create a Powershell script that configures the test account and assessment URL, and then create a scheduled task to run the script. +### Set up a tester account in Group Policy +To set up a tester account using Group Policy, first create a Powershell script that configures the tester account and assessment URL, and then create a scheduled task to run the script. #### Create a PowerShell script -This sample PowerShell script configures the test account and the assessment URL. Edit the sample to: +This sample PowerShell script configures the tester account and the assessment URL. Edit the sample to: - Use your assessment URL for **$obj.LaunchURI** -- Use your test account for **$obj.TesterAccount** -- Use your test account for **-UserName** +- Use your tester account for **$obj.TesterAccount** +- Use your tester account for **-UserName** - ``` - $obj = get-wmiobject -namespace root/cimv2/mdm/dmmap -class MDM_SecureAssessment -filter "InstanceID='SecureAssessment' AND ParentID='./Vendor/MSFT'"; - $obj.LaunchURI='http://www.foo.com'; - $obj.TesterAccount='TestAccount'; - $obj.put() - Set-AssignedAccess -AppUserModelId Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App -UserName TestAccount - ``` +>[!NOTE] +>The account that you specify for the tester account must already exist on the device. 
+ +``` +$obj = get-wmiobject -namespace root/cimv2/mdm/dmmap -class MDM_SecureAssessment -filter "InstanceID='SecureAssessment' AND ParentID='./Vendor/MSFT'"; +$obj.LaunchURI='http://www.foo.com'; +$obj.TesterAccount='TestAccount'; +$obj.put() +Set-AssignedAccess -AppUserModelId Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App -UserName TestAccount +``` #### Create a scheduled task in Group Policy 1. Open the Group Policy Management Console. diff --git a/education/windows/use-set-up-school-pcs-app.md b/education/windows/use-set-up-school-pcs-app.md index c4b90aee80..d9a63ba9d3 100644 --- a/education/windows/use-set-up-school-pcs-app.md +++ b/education/windows/use-set-up-school-pcs-app.md 
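Review bot: The re-indented sample still sets `$obj.LaunchURI='http://www.foo.com';`, which points a locked-down assessment at a cleartext HTTP URL on a domain that is not reserved for documentation, and admins are told to run this script from a scheduled task. I would switch it to an HTTPS placeholder on a reserved name, for example `$obj.LaunchURI='https://www.example.com/assessment';` (constructed value). The fence also opens without a language tag; adding `powershell` after the opening backticks would make the sample render as code in that language. The added note that the tester account must already exist is useful and could also say that `TestAccount` in the sample is a placeholder to replace.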
@@ -10,20 +10,20 @@ ms.pagetype: edu ms.localizationpriority: medium author: lenewsad ms.author: lanewsad -ms.date: 08/03/2018 +ms.date: 10/23/2018 --- # Use the Set up School PCs app -IT administrators and technical teachers can use the **Set up School PCs** app to quickly set up Windows 10 PCs for students. The app configures PCs with the apps and features students need, and it removes the ones they don't need. During setup, if licensed in your tenant, the app enrolls each student PC into a mobile device management (MDM) provider, such as Intune for Education. You can then manage all the settings Set up School PCs configures through the MDM. +IT administrators and technical teachers can use the **Set up School PCs** app to quickly set up Windows 10 PCs for students. The app configures PCs with the apps and features students need, and it removes the ones they don't need. During setup, if licensed in your tenant, the app enrolls each student PC into a mobile device management (MDM) provider, such as Intune for Education. You can then manage all the settings the app configures through the MDM. Set up School PCs also: * Joins each student PC to your organization's Office 365 and Azure Active Directory tenant. * Enables the optional Autopilot Reset feature, to return devices to a fully configured or known IT-approved state. -* Keeps student PCs up-to-date without interfering with class time using Windows Update and maintenance hours. +* Utilizes Windows Update and maintenance hours to keeps student PCs up-to-date, without interfering with class time. * Locks down the student PC to prevent activity that isn't beneficial to their education. -This article describes how to get started and provide information about your school in the Set up School PCs app. To learn more about the app's functionality, start with the [Technical reference for the Set up School PCs app](set-up-school-pcs-technical.md). 
+This article describes how to fill out your school's information in the the Set up School PCs app. To learn more about the app's functionality, start with the [Technical reference for the Set up School PCs app](set-up-school-pcs-technical.md). ## Requirements Before you begin, make sure that you, your computer, and your school's network are configured with the following requirements. 
@@ -100,72 +100,90 @@ We strongly recommend that you avoid changing preset policies. Changes can slow ## Create the provisioning package -The **Set up School PCs** app guides you through the configuration choices for the student PCs. +The **Set up School PCs** app guides you through the configuration choices for the student PCs. To begin, open the app on your PC and click **Get started**. + + ![Launch the Set up School PCs app](images/suspc_getstarted_050817.png) + +### Package name +Type a unique name to help distinguish your school's provisioning packages. The name appears: + +* On the local package folder +* In your tenant's Azure AD account in the Azure portal + +A package expiration date is also attached to the end of each package. For example, *Set_Up_School_PCs (Expires 4-16-2019)*. The expiration date is 180 days after you create your package. + + ![Example screenshot of the Set up School PCs app, Name your package screen.](images/1810_Name_Your_Package_SUSPC.png) + +After you click **Next**, you can no longer change the name in the app. To create a package with a different name, reopen the Set up School PCs app. + +To change an existing package's name, right-click the package folder on your device and select **Rename**. This action does not change the name in Azure AD. If you have Global Admin permissions, you can go to Azure AD in the Azure portal, and rename the package there. + ### Sign in -1. Open the Set up School PCs app on your PC and click **Get started**. - - ![Launch the Set up School PCs app](images/suspc_getstarted_050817.png) -2. Select how you want to sign in. - a. (Recommended) To enable student PCs to automatically be connect to Office 365, Azure AD, and management services like Intune for Education, click **Sign-in**. Then go to step 3. - b. To complete setup without signing in, click **Skip**. Student PCs won't be connected to your school's cloud services and managing them will be more difficult later. 
Continue to [Wireless network](use-set-up-school-pcs-app.md#Wireless-network). -3. In the new window, select the account you want to use throughout setup. - ![Sign-in screen showing the option to "Use this account" or use a different "Work or school account."](images/suspc-sign-in-select-1807.png) +1. Select how you want to sign in. + a. (Recommended) To enable student PCs to automatically be connect to Office 365, Azure AD, and management services like Intune for Education, click **Sign-in**. Then go to step 3. + b. To complete setup without signing in, click **Continue without account**. Student PCs won't be connected to your school's cloud services and managing them will be more difficult later. Continue to [Wireless network](use-set-up-school-pcs-app.md#Wireless-network). +2. In the new window, select the account you want to use throughout setup. + + ![Sign-in screen showing the option to "Use this account" or use a different "Work or school account."](images/1810_choose_account_suspc.png) To add an account not listed: -a. Click **Work or school account** > **Continue**. - b. Type in the account username and click **Next**. - c. You may be asked to verify the user account and password. + a. Click **Work or school account** > **Continue**. + b. Type in the account username and click **Next**. + c. Verify the user account and password, if prompted. -1. Click **Accept** to allow Set up School PCs to access your account throughout setup. + +3. Click **Accept** to allow Set up School PCs to access your account throughout setup. 2. 
When your account name appears on the page, as shown in the image below, click **Next.** - ![Verify that the account you selected shows up](images/suspc-createpackage-signin-1807.png) + ![Example screenshot of the Set up School PC app, Sign in screen, showing that the user's account name appears at the bottom of the page.](images/1810_Sign_In_SUSPC.png) ### Wireless network Add and save the wireless network profile that you want student PCs to connect to. Only skip Wi-Fi setup if you have an Ethernet connection. -Select your school's Wi-Fi network from the list of available wireless networks, or click **Add a wireless network** to manually configure it. Then click **Next.** +Select your school's Wi-Fi network from the list of available wireless networks, or click **Add a wireless network** to manually configure it. Then click **Next.** - ![Wireless network page with two Wi-Fi networks listed and one selected.](images/suspc-select-wifi-network-1807.png) + ![Example screenshot of the Set up School PC app, Wireless network page with two Wi-Fi networks listed, one of which is selected.](images/1810_SUSPC_select_Wifi.png) ### Device names -Create a short name to add as a prefix to each of the PCs you set up. The name will help you recognize and manage this group of devices in your mobile device manager. The name must be five (5) characters or less. +Create a short name to add as a prefix to each PC. This name will help you recognize and manage this specific group of devices in your mobile device manager. The name must be five (5) characters or less. -To make sure all device names are unique, Set up School PCs automatically appends `_%SERIAL%` to the name. For example, if you add *Math4* as the prefix, the device names will appear as *Math4* followed by a random string of letters and numbers. +To make sure all device names are unique, Set up School PCs automatically appends `_%SERIAL%` to the name. 
For example, if you add *Math4* as the prefix, the device names will appear as *Math4* followed by a random string of letters and numbers. - !["Name these devices" screen with the device field filled in with example device name, "Grd8."](images/suspc-device-names-1807.png) +To keep the default name for your devices, click **Continue with existing names**. + + !["Name these devices" screen with the device field filled in with example device name, "Grd8."](images/1810_name-devices_SUSPC.png) ### Settings -Select additional settings to include in the provisioning package. To begin, select the operating system on your student PCs. +Select additional settings to include in the provisioning package. To begin, select the operating system on your student PCs. -![Screenshot of the Current OS version page with the Select OS version menu selected, showing 6 Windows 10 options. All other settings on page are unavailable to select.](images/suspc-current-os-version-1807.png) +![Screenshot of the Current OS version page with the Select OS version menu selected, showing 7 Windows 10 options. All other settings on page are unavailable to select.](images/1810_suspc_settings.png) Setting selections vary based on the OS version you select. The example screenshot below shows the settings that become available when you select **Windows 10 version 1703**. The option to **Enable Autopilot Reset** is not available for this version of Windows 10. -![Example screenshot of the Current OS version page, with Windows 10 version 1803 selected. 4 available settings and 1 unavailable setting are shown, and none are selected.](images/suspc-available-student-settings-1807.png) + +![Example screenshot of the Current OS version page, with Windows 10 version 1803 selected. 
4 available settings and 1 unavailable setting are shown, and none are selected.](images/1810_SUSPC_available_settings.png) + > [!NOTE] -> The [**Time zone** setting](use-set-up-school-pcs-app.md#time-zone), shown in the sidebar of the screenshot below, is not made available to versions of Windows 10 in S mode. If you select a version in S mode, you will not be asked to configure the time zone. +> The [**Time zone** setting](use-set-up-school-pcs-app.md#time-zone), shown in the sidebar of the screenshot above, is not made available to versions of Windows 10 in S mode. If you select a version in S mode, **Time zone** will become disabled. The following table describes each setting and lists the applicable Windows 10 versions. To find out if a setting is available in your version of Windows 10, look for an *X* in the setting row and in the version column. -|Setting |1703|1709|1803|What happens if I select it? |Note| -|---------|---------|---------|---------|---------|---------| -|Remove apps pre-installed by the device manufacturer |X|X|X| Uninstalls apps that came loaded on the computer by the device's manufacturer. |Adds about 30 minutes to the provisioning process.| -|Allow local storage (not recommended for shared devices) |X|X|X| Lets students save files to the Desktop and Documents folder on the Student PC. |Not recommended if the device will be part of a shared cart or lab.| -|Optimize device for a single student, instead of a shared cart or lab |X|X|X|Optimizes the device for use by a single student, rather than many students. |Recommended option only if the device is not shared with other students in the school. Single-optimized accounts are set to expire, and require a signin, 180 days after setup. This setting increases the maximum PC storage to 100% of the available disk space. In this case, student accounts aren't deleted unless the account has been inactive for 180 days. 
| -|Let guests sign in to these PCs |X|X|X|Allows guests to use student PCs without a school account. |Common to use within a public, shared space, such as a library. Also used when a student loses their password. Adds a **Guest** account to the PC sign-in screen that anyone can sign in to.| -|Enable Autopilot Reset |Not available|X|X| Lets you remotely reset a student’s PC from the lock screen, apply the device’s original settings, and enroll it in device management (Azure AD and MDM). |Requires Windows 10, version 1709 and WinRE must be enabled on the PC. Setup will fail if both requirements aren't met.| -|Lock screen background|X|X|X|Change the default screen lock background to a custom image.|Click **Browse** to search for an image file on your computer. Accepted image formats are jpg, jpeg, and png.| +|Setting |1703|1709|1803|1809|What happens if I select it? |Note| +|---------|---------|---------|---------|---------|---------|---------| +|Remove apps pre-installed by the device manufacturer |X|X|X|X| Uninstalls apps that came loaded on the computer by the device's manufacturer. |Adds about 30 minutes to the provisioning process.| +|Allow local storage (not recommended for shared devices) |X|X|X|X| Lets students save files to the Desktop and Documents folder on the Student PC. |Not recommended if the device will be part of a shared cart or lab.| +|Optimize device for a single student, instead of a shared cart or lab |X|X|X|X|Optimizes the device for use by a single student, rather than many students. |Recommended option only if the device is not shared with other students in the school. Single-optimized accounts are set to expire, and require a signin, 180 days after setup. This setting increases the maximum PC storage to 100% of the available disk space. In this case, student accounts aren't deleted unless the account has been inactive for 180 days. | +|Let guests sign in to these PCs |X|X|X|X|Allows guests to use student PCs without a school account. 
|Common to use within a public, shared space, such as a library. Also used when a student loses their password. Adds a **Guest** account to the PC sign-in screen that anyone can sign in to.| +|Enable Autopilot Reset |Not available|X|X|X|Lets you remotely reset a student’s PC from the lock screen, apply the device’s original settings, and enroll it in device management (Azure AD and MDM). |Requires Windows 10, version 1709 and WinRE must be enabled on the PC. Setup will fail if both requirements aren't met.| +|Lock screen background|X|X|X|X|Change the default screen lock background to a custom image.|Click **Browse** to search for an image file on your computer. Accepted image formats are jpg, jpeg, and png.| After you've made your selections, click **Next**. -![Configure student PC settings page showing 5 settings, with two settings selected. Lock screen background image is the default image. Cursor is hovering over the blue Next button.](images/suspc-current-os-version-next-1807.png) - ### Time zone > [!WARNING] 
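Review bot: Two image links in the new text do not match the case of the files this commit adds, so they will break on a case-sensitive host: this hunk references `images/1810_choose_account_suspc.png` while the added file is `1810_choose_account_SUSPC.png`, and the later "Product key" hunk references `images/1810_suspc_product_key.png` while the added file is `1810_SUSPC_Product_key.png`. Both links should use the exact file names from the commit. In the renumbered "Sign in" list, step 1a still says `Then go to step 3`, but selecting the account is now step 2, so it should read `Then go to step 2`. The list also continues with "3." followed by "2.", which renders correctly only if the publishing system renumbers ordered lists.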
@@ -173,13 +191,21 @@ After you've made your selections, click **Next**. Choose the time zone where your school's PCs are used. This setting ensures that all PCs are provisioned in the same time zone. When you're done, click **Next**. -![Choose PC time zone page with the time zone menu expanded to show all time zone selections.](images/suspc-time-zone-1807.png) +![Choose PC time zone page with the time zone menu expanded to show all time zone selections.](images/1810_suspc_timezone.png) + +### Product key +Optionally, type in a 25-digit product key to: +* Upgrade your current edition of Windows. For example, if you want to upgrade from Windows 10 Education to Windows 10 Education Pro, enter the product key for the Pro edition. +* Change the product key. If you want to associate student devices with a new or different Windows 10 product key, enter it now. + +![Example screenshot of the Set up School PC app, Product key screen, showing a value field, Next button, and Continue without change option.](images/1810_suspc_product_key.png) ### Take a Test Set up the Take a Test app to give online quizzes and high-stakes assessments. During assessments, Windows locks down the student PC so that students can't access anything else on the device. + 1. Select **Yes** to create a Take a Test button on the sign-in screens of your students' PCs. - ![Set up Take a Test app page with "Yes" selected to create an app button. Page also has two checkboxes for additional settings and one text field for the assessment URL.](images/suspc-take-a-test-1807.png) + ![Set up Take a Test app page with "Yes" selected to create an app button. Page also has two checkboxes for additional settings and one text field for the assessment URL.](images/1810_SUSPC_Take_Test.png) 2. Select from the advanced settings. Available settings inclue: * Allow keyboard auto-suggestions: Allows app to suggest words as the student types on the PC's keyboard. 
@@ -190,7 +216,7 @@ Set up the Take a Test app to give online quizzes and high-stakes assessments. D ### Recommended apps Choose from a list of recommended Microsoft Store apps to install on student PCs. Then click **Next**. After they're assigned, apps are pinned to the student's Start menu. - ![Add recommended apps screen with 7 icons of recommended apps and selection boxes. Skip button is enabled and Next button is disabled. ](images/suspc-add-recommended-apps-1807.png) + ![Example screenshots of the Add recommended apps screen with recommended app icons and selection boxes. Some apps selected for example purposes.](images/1810_SUSPC_add_apps.png) The following table lists the recommended apps you'll see. 
@@ -200,25 +226,34 @@ The following table lists the recommended apps you'll see. |Minecraft: Education Edition | Free trial| |Other apps fit for the classroom |Select from WeDo 2.0 LEGO®, Arduino IDE, Ohbot, Sesavis Visual, and EV3 Programming| -If you receive an error and are unable to add the selected apps, click **Skip**. Contact your IT admin to get these apps later. +If you receive an error and are unable to add the selected apps, click **Continue without apps**. Contact your IT admin to get these apps later. + + ![Example screenshots of the Add recommended apps screen with message that selected apps could not be added. Red rectangles highlight the message and Continue without apps button.](images/1810_SUSPC_app_error.png) + +### Personalization +Upload custom images to replace the student devices' default desktop and lock screen backgrounds. Click **Browse** to search for an image file on your computer. Accepted image formats are jpg, jpeg, and png. + +If you don't want to upload custom images or use the images that appear in the app, click **Continue without personalization**. This option does not apply any customizations, and instead uses the devices' default or preset images. + + ![Example image of the Set up School PCs app, Personalization screen, showing the default desktop and lock screen background photos, a Browse button under each photo, a blue Next button, and a Continue without personalization button.](images/1810_SUSPC_personalization.png) -### Summary -1. Review all of the settings for accuracy and completeness. Check carefully. To make changes to a saved package, you have to start over. -2. To make changes now, click any page along the left side of the window. -3. When finished, click **Accept**. +### Summary +Review all of the settings for accuracy and completeness. Check carefully. To make changes to a saved package, you have to start over. +1. To make changes now, click any page along the left side of the window. +2. 
When finished, click **Accept**. - ![Example image of the Summary screen, showing the user's configurations for Sign-in, Wireless network, Device names, Settings, Time zone, Take a Test. Accept button is available and the page contains three links on the right-hand side to help and support.](images/suspc-createpackage-summary-1807.png) + ![Example image of the Summary screen, showing the user's configurations for Sign-in, Wireless network, Device names, Settings, Time zone, Take a Test. Accept button is available and the page contains three links on the right-hand side to help and support.](images/1810_SUSPC_summary.png) ### Insert USB 1. Insert a USB drive. The **Save** button will light up when your computer detects the USB. 2. Choose your USB drive from the list and click **Save**. - ![Insert a USB drive now screen with USB drive selection highlighted. Save button is blue and active.](images/suspc-savepackage-insertusb-1807.png) + ![Insert a USB drive now screen with USB drive selection highlighted. Save button is blue and active.](images/1810_SUSPC_USB.png) 3. When the package is ready, you'll see the filename and package expiration date. You can also click **Add a USB** to save the same provisioning package to another USB drive. When you're done, remove the USB drive and click **Next**. - ![Your provisioning package is ready screen with package filename and expiration date. Shows an active blue, Next button, and a gray Add a USB button.](images/suspc-savepackage-ppkgisready-1807.png) + ![Your provisioning package is ready screen with package filename and expiration date. Shows an active blue, Next button, and a gray Add a USB button.](images/1810_SUSPC_Package_ready.png) ## Run package - Get PCs ready Complete each step on the **Get PCs ready** page to prepare student PCs for set-up. Then click **Next**. 
diff --git a/mdop/appv-v5/how-to-create-and-use-a-project-template.md b/mdop/appv-v5/how-to-create-and-use-a-project-template.md index 32a7d63c07..89e44e559b 100644 --- a/mdop/appv-v5/how-to-create-and-use-a-project-template.md +++ b/mdop/appv-v5/how-to-create-and-use-a-project-template.md @@ -19,8 +19,6 @@ You can use an App-V 5.0 project template to save commonly applied settings asso **Note**   You can, and often should apply an App-V 5.0 project template during a package upgrade. For example, if you sequenced an application with a custom exclusion list, it is recommended that an associated template is created and saved for later use while upgrading the sequenced application. -  - App-V 5.0 project templates differ from App-V 5.0 Application Accelerators because App-V 5.0 Application Accelerators are application-specific, and App-V 5.0 project templates can be applied to multiple applications. Use the following procedures to create and apply a new template. 
@@ -29,25 +27,20 @@ Use the following procedures to create and apply a new template. 1. To start the App-V 5.0 sequencer, on the computer that is running the sequencer, click **Start** / **All Programs** / **Microsoft Application Virtualization** / **Microsoft Application Virtualization Sequencer**. -2. **Note**   +**Note**   If the virtual application package is currently open in the App-V 5.0 Sequencer console, skip to step 3 of this procedure. -   - - To open the existing virtual application package that contains the settings you want to save with the App-V 5.0 project template, click **File** / **Open**, and then click **Edit Package**. On the **Select Package** page, click **Browse** and locate the virtual application package that you want to open. Click **Edit**. +2. To open the existing virtual application package that contains the settings you want to save with the App-V 5.0 project template, click **File** / **Open**, and then click **Edit Package**. On the **Select Package** page, click **Browse** and locate the virtual application package that you want to open. Click **Edit**. 3. In the App-V 5.0 Sequencer console, to save the template file, click **File** / **Save As Template**. After you have reviewed the settings that will be saved with the new template, click **OK**. Specify a name that will be associated with the new App-V 5.0 project template. Click Save. - - The new App-V 5.0 project template is saved in the directory specified in step 3 of this procedure. +The new App-V 5.0 project template is saved in the directory specified in step 3 of this procedure. **To apply a project template** -1. **Important**   +**Important**   Creating a virtual application package using a project template in conjunction with a Package Accelerator is not supported. 
-   - - To start the App-V 5.0 sequencer, on the computer that is running the sequencer, click **Start** / **All Programs** / **Microsoft Application Virtualization** / **Microsoft Application Virtualization Sequencer**. +1. To start the App-V 5.0 sequencer, on the computer that is running the sequencer, click **Start** / **All Programs** / **Microsoft Application Virtualization** / **Microsoft Application Virtualization Sequencer**. 2. To create or upgrade a new virtual application package by using an App-V 5.0 project template, click **File** / **New From Template**. @@ -62,9 +55,9 @@ Use the following procedures to create and apply a new template. [Operations for App-V 5.0](operations-for-app-v-50.md) -  - -  + + + diff --git a/mdop/appv-v5/how-to-modify-client-configuration-by-using-powershell.md b/mdop/appv-v5/how-to-modify-client-configuration-by-using-powershell.md index c6f0c89d68..ded98a3926 100644 --- a/mdop/appv-v5/how-to-modify-client-configuration-by-using-powershell.md +++ b/mdop/appv-v5/how-to-modify-client-configuration-by-using-powershell.md @@ -24,9 +24,9 @@ Use the following procedure to configure the App-V 5.0 client configuration. `$config = Get-AppvClientConfiguration` - `Set-AppcClientConfiguration $config` + `Set-AppvClientConfiguration $config` - `Set-AppcClientConfiguration –Name1 MyConfig –Name2 “xyz”` + `Set-AppvClientConfiguration –AutoLoad 2` **Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issu**e? Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). diff --git a/mdop/appv-v5/how-to-modify-client-configuration-by-using-powershell51.md b/mdop/appv-v5/how-to-modify-client-configuration-by-using-powershell51.md index 4bf8017105..af53d695b0 100644 --- a/mdop/appv-v5/how-to-modify-client-configuration-by-using-powershell51.md 
+++ b/mdop/appv-v5/how-to-modify-client-configuration-by-using-powershell51.md @@ -24,9 +24,9 @@ Use the following procedure to configure the App-V 5.1 client configuration. `$config = Get-AppvClientConfiguration` - `Set-AppcClientConfiguration $config` + `Set-AppvClientConfiguration $config` - `Set-AppcClientConfiguration –Name1 MyConfig –Name2 “xyz”` + `Set-AppvClientConfiguration –AutoLoad 2` **Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). diff --git a/mdop/mbam-v2/how-to-validate-the-mbam-installation-with-configuration-manager.md b/mdop/mbam-v2/how-to-validate-the-mbam-installation-with-configuration-manager.md index 349e62903b..78e6044a28 100644 --- a/mdop/mbam-v2/how-to-validate-the-mbam-installation-with-configuration-manager.md +++ b/mdop/mbam-v2/how-to-validate-the-mbam-installation-with-configuration-manager.md @@ -51,7 +51,7 @@ After installing Microsoft BitLocker Administration and Monitoring (MBAM) with C To view the configuration baselines with System Center 2012 Configuration Manager: Click the **Assets and Compliance** workspace, **Compliance Settings**, **Configuration Baselines**. -5. Use the Configuration Manager console to confirm that that the following new configuration items are displayed: +5. Use the Configuration Manager console to confirm that the following new configuration items are displayed: - BitLocker Fixed Data Drives Protection diff --git a/mdop/mbam-v25/evaluating-mbam-25-in-a-test-environment.md b/mdop/mbam-v25/evaluating-mbam-25-in-a-test-environment.md index b44f1f559e..875d8cccb0 100644 --- a/mdop/mbam-v25/evaluating-mbam-25-in-a-test-environment.md +++ b/mdop/mbam-v25/evaluating-mbam-25-in-a-test-environment.md 
@@ -232,10 +232,12 @@ To evaluate MBAM by using the Configuration Manager Integration topology, use th 4. Restart the **BitLocker Management Client Service**. 5. In Control Panel, open **Configuration Manager**, and then click the **Actions** tab. + + 6. Select **Hardware Inventory Cycle**, and then click **Run Now**. This step runs the hardware inventory by using the new classes that you imported to your .mof files, and then sends the data to the Configuration Manager server. + + 7. Select **Machine Policy Retrieval & Evaluation Cycle**, and then click **Run Now** to apply the Group Policy Objects that are relevant to that client computer. - 6. Select **Machine Policy Retrieval & Evaluation Cycle**, and then click **Run Now** to apply the Group Policy Objects that are relevant to that client computer. - 7. Select **Hardware Inventory Cycle**, and then click **Run Now**. This step runs the hardware inventory by using the new classes that you imported to your .mof files, and then sends the data to the Configuration Manager server. 4. In the Configuration Manager console, do the following: diff --git a/mdop/mbam-v25/mbam-25-supported-configurations.md b/mdop/mbam-v25/mbam-25-supported-configurations.md index db4b4232a6..3ce208407b 100644 --- a/mdop/mbam-v25/mbam-25-supported-configurations.md +++ b/mdop/mbam-v25/mbam-25-supported-configurations.md @@ -1,13 +1,13 @@ --- title: MBAM 2.5 Supported Configurations description: MBAM 2.5 Supported Configurations -author: jamiejdt +author: shortpatti ms.assetid: ce689aff-9a55-4ae7-a968-23c7bda9b4d6 ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library ms.prod: w10 -ms.date: 03/30/2017 +ms.date: 10/24/2018 --- 
@@ -581,6 +581,16 @@ The MBAM server can be deployed in Azure Infrastructure as a Service (IaaS) on a The MBAM client is not supported on virtual machines and is also not supported on Azure IaaS. +## Service releases + +- [April 2016 hotfix](https://support.microsoft.com/en-us/help/3144445/april-2016-hotfix-rollup-for-microsoft-desktop-optimization-pack) +- [September 2016](https://support.microsoft.com/ms-my/help/3168628/september-2016-servicing-release-for-microsoft-desktop-optimization-pa) +- [December 2016](https://support.microsoft.com/en-us/help/3198158/december-2016-servicing-release-for-microsoft-desktop-optimization-pac) +- [March 2017](https://support.microsoft.com/en-ie/help/4014009/march-2017-servicing-release-for-microsoft-desktop-optimization-pack) +- [June 2017](https://support.microsoft.com/af-za/help/4018510/june-2017-servicing-release-for-microsoft-desktop-optimization-pack) +- [September 2017](https://support.microsoft.com/en-ie/help/4041137/september-2017-servicing-release-for-microsoft-desktop-optimization) +- [March 2018](https://support.microsoft.com/en-us/help/4074878/march-2018-servicing-release-for-microsoft-desktop-optimization-pack) +- [July 2018](https://support.microsoft.com/en-us/help/4340040/july-2018-servicing-release-for-microsoft-desktop-optimization-pack) ## Related topics diff --git a/mdop/mbam-v25/planning-for-mbam-25-groups-and-accounts.md b/mdop/mbam-v25/planning-for-mbam-25-groups-and-accounts.md index 541ece0a38..e03e834e82 100644 --- a/mdop/mbam-v25/planning-for-mbam-25-groups-and-accounts.md +++ b/mdop/mbam-v25/planning-for-mbam-25-groups-and-accounts.md @@ -88,7 +88,7 @@ Create the following accounts for the Reports feature.

    Reports read-only domain access group

    Group

    Reporting role domain group

    -

    Name of the domain group whose members have read-only access to the reports in the Administration and Monitoring Website.

    +

    Specifies the domain user group that has read-only access to the reports in the Administration and Monitoring Website. The group you specify must be the same group you specified for the Reports Read Only Access Group parameter when the web apps are enabled.

    Compliance and Audit Database domain user account

    diff --git a/store-for-business/TOC.md b/store-for-business/TOC.md index 9709bdc21e..d383fa3117 100644 --- a/store-for-business/TOC.md +++ b/store-for-business/TOC.md @@ -24,6 +24,7 @@ ### [Manage Windows device deployment with Windows Autopilot Deployment](add-profile-to-devices.md) ### [Microsoft Store for Business and Education PowerShell module - preview](microsoft-store-for-business-education-powershell-module.md) ### [Manage software purchased with Microsoft Products and Services agreement in Microsoft Store for Business](manage-mpsa-software-microsoft-store-for-business.md) +### [Working with solution providers in Microsoft Store for Business](work-with-partner-microsoft-store-business.md) ## [Device Guard signing portal](device-guard-signing-portal.md) ### [Add unsigned app to code integrity policy](add-unsigned-app-to-code-integrity-policy.md) ### [Sign code integrity policy with Device Guard signing](sign-code-integrity-policy-with-device-guard-signing.md) diff --git a/store-for-business/acquire-apps-microsoft-store-for-business.md b/store-for-business/acquire-apps-microsoft-store-for-business.md index 0aa8fe3acc..cf51aab7e8 100644 --- a/store-for-business/acquire-apps-microsoft-store-for-business.md +++ b/store-for-business/acquire-apps-microsoft-store-for-business.md @@ -7,7 +7,7 @@ ms.sitesec: library ms.pagetype: store author: TrudyHa ms.author: TrudyHa -ms.date: 08/01/2017 +ms.date: 10/23/2018 ms.topic: conceptual ms.localizationpriority: medium --- 
@@ -50,9 +50,9 @@ There are a couple of things we need to know when you pay for apps. You can add ## Allow app requests -People in your org can request license for apps that they need, or that others need. When **All app requests** is turned on, app requests are sent to org admins. Admins for your tenant will receive an email with the request, and can decide about making the purchase. +People in your org can request license for apps that they need, or that others need. When **Allow app requests** is turned on, app requests are sent to org admins. Admins for your tenant will receive an email with the request, and can decide about making the purchase. -**To manage All app requests** +**To manage Allow app requests** 1. Sign in to [Microsoft Store for Business](https://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com) 2. Select **Manage**, and then select **Settings**. 3. On **Shop**, under **Shopping behavior** turn on or turn off **Allow app requests**. diff --git a/store-for-business/images/msfb-find-partner.png b/store-for-business/images/msfb-find-partner.png new file mode 100644 index 0000000000..23759cfb5f Binary files /dev/null and b/store-for-business/images/msfb-find-partner.png differ diff --git a/store-for-business/images/msfb-provider-list.png b/store-for-business/images/msfb-provider-list.png new file mode 100644 index 0000000000..2fbafca80f Binary files /dev/null and b/store-for-business/images/msfb-provider-list.png differ diff --git a/store-for-business/prerequisites-microsoft-store-for-business.md b/store-for-business/prerequisites-microsoft-store-for-business.md index 890829a7d5..d0c8a17014 100644 --- a/store-for-business/prerequisites-microsoft-store-for-business.md +++ b/store-for-business/prerequisites-microsoft-store-for-business.md 
@@ -47,7 +47,7 @@ While not required, you can use a management tool to distribute and manage apps. ## Proxy configuration -If your organization restricts computers on your network from connecting to the Internet, there is a set of URLs that need to be available for devices to use Microsoft Store. Some of the Microsoft Store features use Store services. Devices using Microsoft Store – either to acquire, install, or update apps – will need access to these URLs. If you use a proxy sever to block traffic, your configuration needs to allow these URLs: +If your organization restricts computers on your network from connecting to the Internet, there is a set of URLs that need to be available for devices to use Microsoft Store. Some of the Microsoft Store features use Store services. Devices using Microsoft Store – either to acquire, install, or update apps – will need access to these URLs. If you use a proxy server to block traffic, your configuration needs to allow these URLs: - login.live.com - login.windows.net diff --git a/store-for-business/release-history-microsoft-store-business-education.md b/store-for-business/release-history-microsoft-store-business-education.md index 67c65aeebb..43b5a93ec5 100644 --- a/store-for-business/release-history-microsoft-store-business-education.md +++ b/store-for-business/release-history-microsoft-store-business-education.md @@ -8,7 +8,7 @@ ms.pagetype: store author: TrudyHa ms.author: TrudyHa ms.topic: conceptual -ms.date: 08/29/2018 +ms.date: 09/27/2018 --- # Microsoft Store for Business and Education release history 
@@ -17,6 +17,9 @@ Microsoft Store for Business and Education regularly releases new and improved f Looking for info on the latest release? Check out [What's new in Microsoft Store for Business and Education](whats-new-microsoft-store-business-education.md) +## August 2018 +- **App requests** - People in your organization can make requests for apps that they need. hey can also request them on behalf of other people. Admins review requests and can decide on purchases. [Get more info](https://docs.microsoft.com/microsoft-store/acquire-apps-microsoft-store-for-business#allow-app-requests) + ## July 2018 - Bug fixes and permformance improvements. diff --git a/store-for-business/whats-new-microsoft-store-business-education.md b/store-for-business/whats-new-microsoft-store-business-education.md index efce0d7fd7..f75698bd74 100644 --- a/store-for-business/whats-new-microsoft-store-business-education.md +++ b/store-for-business/whats-new-microsoft-store-business-education.md @@ -8,7 +8,7 @@ ms.pagetype: store author: TrudyHa ms.author: TrudyHa ms.topic: conceptual -ms.date: 08/29/2018 +ms.date: 09/27/2018 --- # What's new in Microsoft Store for Business and Education @@ -17,10 +17,10 @@ Microsoft Store for Business and Education regularly releases new and improved f ## Latest updates for Store for Business and Education -**August 2018** +**September 2018** | | | |-----------------------|---------------------------------| -| ![Private store performance icon](images/perf-improvement-icon.png) |**App requests**

    People in your organization can make requests for apps that they need. They can also request them on behalf of other people. Admins review requests and can decide on purchases.

    [Get more info](https://docs.microsoft.com/microsoft-store/acquire-apps-microsoft-store-for-business#allow-app-requests)

    **Applies to**:
    Microsoft Store for Business
    Microsoft Store for Education | +| ![Private store performance icon](images/perf-improvement-icon.png) |**Performance improvements**

    With updates and improvements in the private store, most changes, like adding an app, will take fifteen minutes or less. If you make multiple changes at once, they may show at different times within the fifteen minutes. On rare occasions, private store changes might take up to an hour.

    [Get more info](https://https://docs.microsoft.com/microsoft-store/manage-private-store-settings#private-store-performance)

    **Applies to**:
    Microsoft Store for Business
    Microsoft Store for Education | + ##
    Policies that can be set using Exchange Active Sync (EAS) diff --git a/windows/client-management/mdm/policy-ddf-file.md b/windows/client-management/mdm/policy-ddf-file.md index 1c14be4723..b20f24a567 100644 --- a/windows/client-management/mdm/policy-ddf-file.md +++ b/windows/client-management/mdm/policy-ddf-file.md @@ -1420,12 +1420,12 @@ Related policy: If enabled, you must include URLs to the pages, separating multiple pages using angle brackets in the following format: - <support.contoso.com><support.microsoft.com> + If disabled or not configured, the webpages specified in App settings loads as the default Start pages. Version 1703 or later: -If you do not want to send traffic to Microsoft, enable this policy and use the <about:blank> value, which honors domain- and non-domain-joined devices, when it is the only configured URL. +If you do not want to send traffic to Microsoft, enable this policy and use the value, which honors domain- and non-domain-joined devices, when it is the only configured URL. Version 1809: If enabled, and you select either Start page, New Tab page, or previous page in the Configure Open Microsoft Edge With policy, Microsoft Edge ignores the Configure Start Pages policy. If not configured or you set the Configure Open Microsoft Edge With policy to a specific page or pages, Microsoft Edge uses the Configure Start Pages policy. 
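Review bot: The added description lines in this hunk have lost their angle-bracket tokens: the example after "in the following format:" is now blank, and the sentence reads "use the value, which honors…" where the removed line named `<about:blank>`. It looks as if the entity-escaped text was decoded to literal tags, which the DDF's XML and the rendered page would treat as markup rather than display; this is inferred from the page as shown, so confirm against the raw file. Keep the escaped form, e.g. `use the &lt;about:blank&gt; value`, so an administrator following the "do not want to send traffic to Microsoft" guidance can still see which value to set. The same loss appears in the three later hunks of this file and in the `Data` payloads of understanding-admx-backed-policies.md, including the BitLocker and device-installation examples. It also appears in the ProfileXML and CustomConfiguration examples of vpnv2-csp.md and in the "must match" sentence of wifi-csp.md.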
@@ -10603,12 +10603,12 @@ Related policy: If enabled, you must include URLs to the pages, separating multiple pages using angle brackets in the following format: - <support.contoso.com><support.microsoft.com> + If disabled or not configured, the webpages specified in App settings loads as the default Start pages. Version 1703 or later: -If you do not want to send traffic to Microsoft, enable this policy and use the <about:blank> value, which honors domain- and non-domain-joined devices, when it is the only configured URL. +If you do not want to send traffic to Microsoft, enable this policy and use the value, which honors domain- and non-domain-joined devices, when it is the only configured URL. Version 1809: If enabled, and you select either Start page, New Tab page, or previous page in the Configure Open Microsoft Edge With policy, Microsoft Edge ignores the Configure Start Pages policy. If not configured or you set the Configure Open Microsoft Edge With policy to a specific page or pages, Microsoft Edge uses the Configure Start Pages policy. 
@@ -22414,12 +22414,12 @@ Related policy: If enabled, you must include URLs to the pages, separating multiple pages using angle brackets in the following format: - <support.contoso.com><support.microsoft.com> + If disabled or not configured, the webpages specified in App settings loads as the default Start pages. Version 1703 or later: -If you do not want to send traffic to Microsoft, enable this policy and use the <about:blank> value, which honors domain- and non-domain-joined devices, when it is the only configured URL. +If you do not want to send traffic to Microsoft, enable this policy and use the value, which honors domain- and non-domain-joined devices, when it is the only configured URL. Version 1809: If enabled, and you select either Start page, New Tab page, or previous page in the Configure Open Microsoft Edge With policy, Microsoft Edge ignores the Configure Start Pages policy. If not configured or you set the Configure Open Microsoft Edge With policy to a specific page or pages, Microsoft Edge uses the Configure Start Pages policy. 
@@ -49724,12 +49724,12 @@ Related policy: If enabled, you must include URLs to the pages, separating multiple pages using angle brackets in the following format: - <support.contoso.com><support.microsoft.com> + If disabled or not configured, the webpages specified in App settings loads as the default Start pages. Version 1703 or later: -If you do not want to send traffic to Microsoft, enable this policy and use the <about:blank> value, which honors domain- and non-domain-joined devices, when it is the only configured URL. +If you do not want to send traffic to Microsoft, enable this policy and use the value, which honors domain- and non-domain-joined devices, when it is the only configured URL. Version 1809: If enabled, and you select either Start page, New Tab page, or previous page in the Configure Open Microsoft Edge With policy, Microsoft Edge ignores the Configure Start Pages policy. If not configured or you set the Configure Open Microsoft Edge With policy to a specific page or pages, Microsoft Edge uses the Configure Start Pages policy. diff --git a/windows/client-management/mdm/reboot-csp.md b/windows/client-management/mdm/reboot-csp.md index bfb5dfd307..77dea602cf 100644 --- a/windows/client-management/mdm/reboot-csp.md +++ b/windows/client-management/mdm/reboot-csp.md @@ -36,12 +36,14 @@ The following diagram shows the Reboot configuration service provider management

    The supported operation is Get.

    **Schedule/Single** -

    This node will execute a reboot at a scheduled date and time. Setting a null (empty) date will delete the existing schedule. The date and time value is ISO8601, and both the date and time are required. For example: 2015-12-15T07:36:25Z

    +

    This node will execute a reboot at a scheduled date and time. Setting a null (empty) date will delete the existing schedule. The date and time value is ISO8601, and both the date and time are required.
    +Example to configure: 2018-10-25T18:00:00

    The supported operations are Get, Add, Replace, and Delete.

    **Schedule/DailyRecurrent** -

    This node will execute a reboot each day at a scheduled time starting at the configured starting time and date. Setting a null (empty) date will delete the existing schedule. The date and time value is ISO8601, and both the date and time are required. The CSP will return the date time in the following format: 2018-06-29T10:00:00+01:00.

    +

    This node will execute a reboot each day at a scheduled time starting at the configured starting time and date. Setting a null (empty) date will delete the existing schedule. The date and time value is ISO8601, and both the date and time are required. The CSP will return the date time in the following format: 2018-06-29T10:00:00+01:00.
    +Example to configure: 2018-10-25T18:00:00

    The supported operations are Get, Add, Replace, and Delete.
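Review bot: The new `Example to configure: 2018-10-25T18:00:00`, added under both Schedule/Single and Schedule/DailyRecurrent, carries no UTC designator or offset. The example it replaces ended in `Z`, and the DailyRecurrent text says the CSP returns `2018-06-29T10:00:00+01:00`. A reader cannot tell whether the configured value is taken as device-local time or UTC, and a forced reboot that fires at the wrong hour is an availability problem on managed devices. I would add one sentence after each example, for instance `A value without a time-zone designator is interpreted as <local time or UTC, to be confirmed by the CSP owner>.`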

    diff --git a/windows/client-management/mdm/understanding-admx-backed-policies.md b/windows/client-management/mdm/understanding-admx-backed-policies.md index 03b111b649..16e8a58c36 100644 --- a/windows/client-management/mdm/understanding-admx-backed-policies.md +++ b/windows/client-management/mdm/understanding-admx-backed-policies.md @@ -176,7 +176,7 @@ The following SyncML examples describe how to set a MDM policy that is defined b ./Device/Vendor/MSFT/Policy/Config/AppVirtualization/PublishingAllowServer2 - <disabled/> + @@ -340,7 +340,7 @@ The `multiText` element simply corresponds to a REG_MULTISZ registry string and ./Device/Vendor/MSFT/Policy/Config/AppVirtualization/VirtualComponentsAllowList - <enabled/><data id="Virtualization_JITVAllowList_Prompt" value="C:\QuickPatch\TEST\snot.exeC:\QuickPatch\TEST\foo.exeC:\QuickPatch\TEST\bar.exe"/> + @@ -384,7 +384,7 @@ Variations of the `list` element are dictated by attributes. These attributes ar ./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableSecondaryHomePageChange - <Enabled/><Data id="SecondaryHomePagesList" value="http://name1http://name1http://name2http://name2"/> + @@ -416,7 +416,7 @@ Variations of the `list` element are dictated by attributes. These attributes ar ./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DisableUpdateCheck - <Enabled/> + @@ -470,8 +470,8 @@ Variations of the `list` element are dictated by attributes. These attributes ar ./Device/Vendor/MSFT/Policy/Config/BitLocker/EncryptionMethodByDriveType - <enabled/> - <data id="EncryptionMethodWithXtsOsDropDown_Name" value="4"/> + + @@ -507,8 +507,8 @@ Variations of the `list` element are dictated by attributes. These attributes ar ./Device/Vendor/MSFT/Policy/Config/AppVirtualization/StreamingAllowReestablishmentInterval - <enabled/> - <data id="Streaming_Reestablishment_Interval_Prompt" value="4"/> + + 
@@ -560,8 +560,8 @@ Variations of the `list` element are dictated by attributes. These attributes ar ./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses - <enabled/><data id="DeviceInstall_Classes_Deny_Retroactive" value="true"/> - <Data id="DeviceInstall_Classes_Deny_List" value="1deviceId12deviceId2"/> + + diff --git a/windows/client-management/mdm/vpn-ddf-file.md b/windows/client-management/mdm/vpn-ddf-file.md index 51a11541d3..79be87ff7f 100644 --- a/windows/client-management/mdm/vpn-ddf-file.md +++ b/windows/client-management/mdm/vpn-ddf-file.md @@ -1384,7 +1384,7 @@ This topic shows the OMA DM device description framework (DDF) for the **VPN** c ## Related topics -[VPN configurtion service provider](vpn-csp.md) +[VPN configuration service provider](vpn-csp.md)   diff --git a/windows/client-management/mdm/vpnv2-csp.md b/windows/client-management/mdm/vpnv2-csp.md index e7dc68df1b..4bef8b6e80 100644 --- a/windows/client-management/mdm/vpnv2-csp.md +++ b/windows/client-management/mdm/vpnv2-csp.md 
@@ -603,41 +603,41 @@ Profile example ./Vendor/MSFT/VPNv2/VPN_Demo/ProfileXML - <VPNProfile> - <ProfileName>VPN_Demo</ProfileName> - <NativeProfile> - <Servers>VPNServer.contoso.com</Servers> - <NativeProtocolType>Automatic</NativeProtocolType> - <Authentication> - <UserMethod>Eap</UserMethod> - <Eap> - <Configuration> -<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig"> <EapMethod> <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type> <VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId> <VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType> <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId> </EapMethod> <Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig"> <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"> <Type>25</Type> <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1"> <ServerValidation> <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation> <ServerNames></ServerNames> </ServerValidation> <FastReconnect>true</FastReconnect> <InnerEapOptional>false</InnerEapOptional> <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"> <Type>13</Type> <EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1"> <CredentialsSource> <CertificateStore> <SimpleCertSelection>false</SimpleCertSelection> </CertificateStore> </CredentialsSource> <ServerValidation> <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation> <ServerNames></ServerNames> </ServerValidation> <DifferentUsername>false</DifferentUsername> <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">false</PerformServerValidation> <AcceptServerName xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">false</AcceptServerName> <TLSExtensions 
xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2"> <FilteringInfo xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV3"> <EKUMapping> <EKUMap> <EKUName>Unknown Key Usage</EKUName> <EKUOID>1.3.6.1.4.1.311.87</EKUOID> </EKUMap> </EKUMapping> <ClientAuthEKUList Enabled="true"> <EKUMapInList> <EKUName>Unknown Key Usage</EKUName> </EKUMapInList> </ClientAuthEKUList> </FilteringInfo> </TLSExtensions> </EapType> </Eap> <EnableQuarantineChecks>false</EnableQuarantineChecks> <RequireCryptoBinding>false</RequireCryptoBinding> <PeapExtensions> <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">false</PerformServerValidation> <AcceptServerName xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">false</AcceptServerName> </PeapExtensions> </EapType> </Eap> </Config> </EapHostConfig> - </Configuration> - </Eap> - </Authentication> - <RoutingPolicyType>SplitTunnel</RoutingPolicyType> - </NativeProfile> - <DomainNameInformation> - <DomainName>.contoso.com</DomainName> - <DNSServers>10.5.5.5</DNSServers> - </DomainNameInformation> - <TrafficFilter> - <App>%ProgramFiles%\Internet Explorer\iexplore.exe</App> - </TrafficFilter> - <TrafficFilter> - <App>Microsoft.MicrosoftEdge_8wekyb3d8bbwe</App> - </TrafficFilter> - <Route> - <Address>10.0.0.0</Address> - <PrefixSize>8</PrefixSize> - </Route> - <Route> - <Address>25.0.0.0</Address> - <PrefixSize>8</PrefixSize> - </Route> - <RememberCredentials>true</RememberCredentials> - </VPNProfile> + + VPN_Demo + + VPNServer.contoso.com + Automatic + + Eap + + + 25 0 0 0 25 false true false 13 false false false false false Unknown Key Usage 1.3.6.1.4.1.311.87 Unknown Key Usage false false false false + + + + SplitTunnel + + + .contoso.com + 10.5.5.5 + + + %ProgramFiles%\Internet Explorer\iexplore.exe + + + Microsoft.MicrosoftEdge_8wekyb3d8bbwe + + +
    10.0.0.0
    + 8 +
    + +
    25.0.0.0
    + 8 +
    + true +
    @@ -1166,7 +1166,7 @@ PluginPackageFamilyName ./Vendor/MSFT/VPNv2/VPNProfileName/PluginProfile/CustomConfiguration - <pluginschema><ipAddress>auto</ipAddress><port>443</port><networksettings><routes><includev4><route><address>172.10.10.0</address><prefix>24</prefix></route></includev4></routes><namespaces><namespace><space>.vpnbackend.com</space><dnsservers><server>172.10.10.11</server></dnsservers></namespace></namespaces></networksettings></pluginschema> + auto443
    172.10.10.0
    24
    .vpnbackend.com172.10.10.11
    ``` diff --git a/windows/client-management/mdm/vpnv2-profile-xsd.md b/windows/client-management/mdm/vpnv2-profile-xsd.md index 6c582f4933..87b64762f7 100644 --- a/windows/client-management/mdm/vpnv2-profile-xsd.md +++ b/windows/client-management/mdm/vpnv2-profile-xsd.md @@ -347,7 +347,7 @@ Here's the XSD for the ProfileXML node in VPNv2 CSP for Windows 10 and some pro testserver1.contoso.com;testserver2.contoso..com JuniperNetworks.JunosPulseVpn_cw5n1h2txyewy - <pulse-schema><isSingleSignOnCredential>true</isSingleSignOnCredential></pulse-schema> + true
    192.168.0.0
    diff --git a/windows/client-management/mdm/wifi-csp.md b/windows/client-management/mdm/wifi-csp.md index cce5885ca9..d19d79eaec 100644 --- a/windows/client-management/mdm/wifi-csp.md +++ b/windows/client-management/mdm/wifi-csp.md @@ -7,13 +7,13 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 06/28/2018 +ms.date: 10/24/2018 --- # WiFi CSP > [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. +> Some information relates to pre-released products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. The WiFi configuration service provider provides the functionality to add or delete Wi-Fi networks on a Windows device. The configuration service provider accepts SyncML input and converts it to a network profile that is installed on the device. This profile enables the device to connect to the Wi-Fi network when it is in range. 
@@ -23,7 +23,7 @@ Programming considerations: - Because the Windows 10 Mobile emulator does not support Wi-Fi, you cannot test the Wi-Fi configuration with an emulator. You can still provision a Wi-Fi network using the WiFi CSP, then check it in the Wi-Fi settings page, but you cannot test the network connectivity in the emulator. - For WEP, WPA, and WPA2-based networks, include the passkey in the network configuration in plaintext. The passkey is encrypted automatically when it is stored on the device. - The SSID of the Wi-Fi network part of the LocURI node must be a valid URI based on RFC 2396. This requires that all non-ASCII characters must be escaped using a %-character. Unicode characters without the necessary escaping are not supported. -- The <name>*name\_goes\_here*</name><SSIDConfig> must match <SSID><name> *name\_goes\_here*</name></SSID>. +- The *name\_goes\_here* must match *name\_goes\_here*. - For the WiFi CSP, you cannot use the Replace command unless the node already exists. - Using Proxyis only supported in Windows 10 Mobile. Using this configuration in Windows 10 for desktop editions (Home, Pro, Enterprise, and Education) will result in failure. 
@@ -41,10 +41,10 @@ Identifies the Wi-Fi network configuration. Each Wi-Fi network configuration is Supported operation is Get. -***<SSID>*** +****** Specifies the name of the Wi-Fi network (32 bytes maximum) to create, configure, query, or delete. The name is case sensitive and can be represented in ASCII. The SSID is added when the WlanXML node is added. When the SSID node is deleted, then all the subnodes are also deleted. -SSID is the name of network you are connecting to, while Profile name is the name of the Profile which contains the WiFi settings information. If the Profile name is not set right in the MDM SyncML, as per the information in the WiFi settings XML, it could lead to some unexpected errors. For example, <LocURI>./Vendor/MSFT/WiFi/Profile/<*MUST BE NAME OF PROFILE AS PER WIFI XML*>/WlanXml</LocURI>. +SSID is the name of network you are connecting to, while Profile name is the name of the Profile which contains the WiFi settings information. If the Profile name is not set right in the MDM SyncML, as per the information in the WiFi settings XML, it could lead to some unexpected errors. For example, ./Vendor/MSFT/WiFi/Profile/<*MUST BE NAME OF PROFILE AS PER WIFI XML*>/WlanXml. The supported operations are Add, Get, Delete, and Replace. 
@@ -130,7 +130,7 @@ The following example shows how to add PEAP-MSCHAPv2 network with SSID 'MyNetwor chr - <?xml version="1.0"?><WLANProfile xmlns="http://contoso.com/networking/WLAN/profile/v1"><name>MyNetwork</name><SSIDConfig><SSID><hex>412D4D534654574C414E</hex><name>MyNetwork</name></SSID><nonBroadcast>false</nonBroadcast></SSIDConfig><connectionType>ESS</connectionType><connectionMode>manual</connectionMode><MSM><security><authEncryption><authentication>WPA2</authentication><encryption>AES</encryption><useOneX>true</useOneX></authEncryption><OneX xmlns="http://contoso.com/networking/OneX/v1"><authMode>user</authMode><EAPConfig><EapHostConfig xmlns="http://contoso.com/provisioning/EapHostConfig"><EapMethod><Type xmlns="http://contoso.com/provisioning/EapCommon">25</Type><VendorId xmlns="http://contoso.com/provisioning/EapCommon">0</VendorId><VendorType xmlns="http://contoso.com/provisioning/EapCommon">0</VendorType><AuthorId xmlns="http://contoso.com/provisioning/EapCommon">0</AuthorId></EapMethod><Config xmlns="http://contoso.com/provisioning/EapHostConfig"><Eap xmlns="http://contoso.com/provisioning/BaseEapConnectionPropertiesV1"><Type>25</Type><EapType xmlns="http://contoso.com/provisioning/MsPeapConnectionPropertiesV1"><ServerValidation><DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation><ServerNames></ServerNames></ServerValidation><FastReconnect>true</FastReconnect><InnerEapOptional>false</InnerEapOptional><Eap xmlns="http://contoso.com/provisioning/BaseEapConnectionPropertiesV1"><Type>26</Type><EapType xmlns="http://contoso.com/provisioning/MsChapV2ConnectionPropertiesV1"><UseWinLogonCredentials>false</UseWinLogonCredentials></EapType></Eap><EnableQuarantineChecks>false</EnableQuarantineChecks><RequireCryptoBinding>false</RequireCryptoBinding><PeapExtensions><PerformServerValidation xmlns="http://contoso.com/provisioning/MsPeapConnectionPropertiesV2">false</PerformServerValidation><AcceptServerName 
xmlns="http://contoso.com/provisioning/MsPeapConnectionPropertiesV2">false</AcceptServerName></PeapExtensions></EapType></Eap></Config></EapHostConfig></EAPConfig></OneX></security></MSM></WLANProfile> + MyNetwork412D4D534654574C414EMyNetworkfalseESSmanualWPA2AEStrueuser2500025truetruefalse26falsefalsefalsefalsefalse 
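Review bot: The WLAN profile in this example turns server validation off (`PerformServerValidation` is `false`, `DisableUserPromptForServerValidation` is `true`, `ServerNames` is empty and there is no `TrustedRootCA`) and nothing around it says so; the flattened new line appears to keep the same values as the removed one. A device provisioned from a copy of this sample would complete PEAP-MSCHAPv2 without checking the server's certificate, so the sample should carry a caveat such as `> [!NOTE] This profile does not validate the server certificate. Use it for testing only; for production, use the root CA validation example below.` The example also declares `http://contoso.com/networking/WLAN/profile/v1` and sibling `contoso.com` namespaces where the later example in this file uses `http://www.microsoft.com/...`, which looks like an unintended search-and-replace and is worth confirming. The rest of the SyncML example lies outside the hunk.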
@@ -215,7 +215,7 @@ The following example shows how to add PEAP-MSCHAPv2 network with SSID ‘MyNetw chr - <?xml version="1.0"?><WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1"><name>MyNetwork</name><SSIDConfig><SSID><name>MyNetwork</name></SSID><nonBroadcast>false</nonBroadcast></SSIDConfig><connectionType>ESS</connectionType><connectionMode>manual</connectionMode><MSM><security><authEncryption><authentication>WPA2</authentication><encryption>AES</encryption><useOneX>true</useOneX></authEncryption><OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><authMode>user</authMode><EAPConfig><EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type><VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId><VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType><AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId></EapMethod><Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>25</Type><EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1"><ServerValidation><DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation><ServerNames></ServerNames><TrustedRootCA> InsertCertThumbPrintHere </TrustedRootCA></ServerValidation><FastReconnect>true</FastReconnect><InnerEapOptional>false</InnerEapOptional><Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>26</Type><EapType xmlns="http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1"><UseWinLogonCredentials>false</UseWinLogonCredentials></EapType></Eap><EnableQuarantineChecks>false</EnableQuarantineChecks><RequireCryptoBinding>false</RequireCryptoBinding><PeapExtensions><PerformServerValidation 
xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">true</PerformServerValidation><AcceptServerName xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">false</AcceptServerName></PeapExtensions></EapType></Eap></Config></EapHostConfig></EAPConfig></OneX></security></MSM></WLANProfile> + MyNetworkMyNetworkfalseESSmanualWPA2AEStrueuser2500025true InsertCertThumbPrintHere truefalse26falsefalsefalsetruefalse diff --git a/windows/client-management/mdm/win32-and-centennial-app-policy-configuration.md b/windows/client-management/mdm/win32-and-centennial-app-policy-configuration.md index 8c6f58a89e..eb942f3643 100644 --- a/windows/client-management/mdm/win32-and-centennial-app-policy-configuration.md +++ b/windows/client-management/mdm/win32-and-centennial-app-policy-configuration.md 
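Review bot: This profile validates the server certificate against `TrustedRootCA` but leaves `<ServerNames>` empty and sets `DisableUserPromptForServerValidation` to `true`, so the sample as written would accept any server certificate that chains to that root. Where the root is a widely used CA, that is weaker than the "root CA validation" wording suggests. The text introducing the example should tell readers to fill in the expected server name(s), for instance `<ServerNames>radius.contoso.com</ServerNames>` (a constructed value). The rest of the SyncML example lies outside the hunk.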
@@ -205,136 +205,136 @@ The following example shows an ADMX file in SyncML format: ./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/ContosoCompanyApp/Policy/AppAdmxFile01 - <policyDefinitions revision="1.0" schemaVersion="1.0"> - <categories> - <category name="ParentCategoryArea"/> - <category name="Category1"> - <parentCategory ref="ParentCategoryArea" /> - </category> - <category name="Category2"> - <parentCategory ref="ParentCategoryArea" /> - </category> - <category name="Category3"> - <parentCategory ref="Category2" /> - </category> - </categories> - <policies> - <policy name="L_PolicyConfigurationMode" class="Machine" displayName="$(string.L_PolicyConfigurationMode)" explainText="$(string.L_ExplainText_ConfigurationMode)" presentation="$(presentation.L_PolicyConfigurationMode)" key="software\policies\contoso\companyApp" valueName="configurationmode"> - <parentCategory ref="Category1" /> - <supportedOn ref="windows:SUPPORTED_Windows7" /> - <enabledValue> - <decimal value="1" /> - </enabledValue> - <disabledValue> - <decimal value="0" /> - </disabledValue> - <elements> - <text id="L_ServerAddressInternal_VALUE" key="software\policies\contoso\companyApp" valueName="serveraddressinternal" required="true" /> - <text id="L_ServerAddressExternal_VALUE" key="software\policies\contoso\companyApp" valueName="serveraddressexternal" required="true" /> - </elements> - </policy> - <policy name="L_PolicyEnableSIPHighSecurityMode" class="Machine" displayName="$(string.L_PolicyEnableSIPHighSecurityMode)" explainText="$(string.L_ExplainText_EnableSIPHighSecurityMode)" presentation="$(presentation.L_PolicyEnableSIPHighSecurityMode)" key="software\policies\contoso\companyApp" valueName="enablesiphighsecuritymode"> - <parentCategory ref="Category1" /> - <supportedOn ref="windows:SUPPORTED_Windows7" /> - <enabledValue> - <decimal value="1" /> - </enabledValue> - <disabledValue> - <decimal value="0" /> - </disabledValue> - </policy> - <policy name="L_PolicySipCompression" 
class="Machine" displayName="$(string.L_PolicySipCompression)" explainText="$(string.L_ExplainText_SipCompression)" presentation="$(presentation.L_PolicySipCompression)" key="software\policies\contoso\companyApp"> - <parentCategory ref="Category1" /> - <supportedOn ref="windows:SUPPORTED_Windows7" /> - <elements> - <enum id="L_PolicySipCompression" valueName="sipcompression"> - <item displayName="$(string.L_SipCompressionVal0)"> - <value> - <decimal value="0" /> - </value> - </item> - <item displayName="$(string.L_SipCompressionVal1)"> - <value> - <decimal value="1" /> - </value> - </item> - <item displayName="$(string.L_SipCompressionVal2)"> - <value> - <decimal value="2" /> - </value> - </item> - <item displayName="$(string.L_SipCompressionVal3)"> - <value> - <decimal value="3" /> - </value> - </item> - </enum> - </elements> - </policy> - <policy name="L_PolicyPreventRun" class="Machine" displayName="$(string.L_PolicyPreventRun)" explainText="$(string.L_ExplainText_PreventRun)" presentation="$(presentation.L_PolicyPreventRun)" key="software\policies\contoso\companyApp" valueName="preventrun"> - <parentCategory ref="Category1" /> - <supportedOn ref="windows:SUPPORTED_Windows7" /> - <enabledValue> - <decimal value="1" /> - </enabledValue> - <disabledValue> - <decimal value="0" /> - </disabledValue> - </policy> - <policy name="L_PolicyConfiguredServerCheckValues" class="Machine" displayName="$(string.L_PolicyConfiguredServerCheckValues)" explainText="$(string.L_ExplainText_ConfiguredServerCheckValues)" presentation="$(presentation.L_PolicyConfiguredServerCheckValues)" key="software\policies\contoso\companyApp"> - <parentCategory ref="Category2" /> - <supportedOn ref="windows:SUPPORTED_Windows7" /> - <elements> - <text id="L_ConfiguredServerCheckValues_VALUE" valueName="configuredservercheckvalues" required="true" /> - </elements> - </policy> - <policy name="L_PolicySipCompression_1" class="User" displayName="$(string.L_PolicySipCompression)" 
explainText="$(string.L_ExplainText_SipCompression)" presentation="$(presentation.L_PolicySipCompression_1)" key="software\policies\contoso\companyApp"> - <parentCategory ref="Category2" /> - <supportedOn ref="windows:SUPPORTED_Windows7" /> - <elements> - <enum id="L_PolicySipCompression" valueName="sipcompression"> - <item displayName="$(string.L_SipCompressionVal0)"> - <value> - <decimal value="0" /> - </value> - </item> - <item displayName="$(string.L_SipCompressionVal1)"> - <value> - <decimal value="1" /> - </value> - </item> - <item displayName="$(string.L_SipCompressionVal2)"> - <value> - <decimal value="2" /> - </value> - </item> - <item displayName="$(string.L_SipCompressionVal3)"> - <value> - <decimal value="3" /> - </value> - </item> - </enum> - </elements> - </policy> - <policy name="L_PolicyPreventRun_1" class="User" displayName="$(string.L_PolicyPreventRun)" explainText="$(string.L_ExplainText_PreventRun)" presentation="$(presentation.L_PolicyPreventRun_1)" key="software\policies\contoso\companyApp" valueName="preventrun"> - <parentCategory ref="Category3" /> - <supportedOn ref="windows:SUPPORTED_Windows7" /> - <enabledValue> - <decimal value="1" /> - </enabledValue> - <disabledValue> - <decimal value="0" /> - </disabledValue> - </policy> - <policy name="L_PolicyGalDownloadInitialDelay_1" class="User" displayName="$(string.L_PolicyGalDownloadInitialDelay)" explainText="$(string.L_ExplainText_GalDownloadInitialDelay)" presentation="$(presentation.L_PolicyGalDownloadInitialDelay_1)" key="software\policies\contoso\companyApp"> - <parentCategory ref="Category3" /> - <supportedOn ref="windows:SUPPORTED_Windows7" /> - <elements> - <decimal id="L_GalDownloadInitialDelay_VALUE" valueName="galdownloadinitialdelay" minValue="0" required="true" /> - </elements> - </policy> - </policies> - </policyDefinitions> + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -423,7 +423,7 @@ The following examples describe how to set an ADMX-ingested app policy. ./Device/Vendor/MSFT/Policy/Config/ContosoCompanyApp~ Policy~ParentCategoryArea~Category1/L_PolicyConfigurationMode - <enabled/><data id="L_ServerAddressInternal_VALUE" value="TextValue1"/><data id="L_ServerAddressExternal_VALUE" value="TextValue2"/> + @@ -457,7 +457,7 @@ The following examples describe how to set an ADMX-ingested app policy. ./Device/Vendor/MSFT/Policy/Config/ContosoCompanyApp~ Policy~ParentCategoryArea~Category1/L_PolicyConfigurationMode - <disabled/> + diff --git a/windows/client-management/reset-a-windows-10-mobile-device.md b/windows/client-management/reset-a-windows-10-mobile-device.md index 92ca81cf5c..0fd57c2d06 100644 --- a/windows/client-management/reset-a-windows-10-mobile-device.md +++ b/windows/client-management/reset-a-windows-10-mobile-device.md @@ -65,7 +65,7 @@ To perform a "wipe and persist" reset, preserving the provisioning applied to th ## Reset using the UI -1. On your mobile device, go to **Settings** > **System** > **About** > **Reset your Phone** +1. On your mobile device, go to **Settings** > **System** > **About** > **Reset your Phone** 2. When you tap **Reset your phone**, the dialog box will present an option to **Also remove provisioned content** if: diff --git a/windows/client-management/windows-10-mobile-and-mdm.md b/windows/client-management/windows-10-mobile-and-mdm.md index 4349340530..480f8257ed 100644 --- a/windows/client-management/windows-10-mobile-and-mdm.md +++ b/windows/client-management/windows-10-mobile-and-mdm.md 
@@ -1055,7 +1055,7 @@ If you choose to completely wipe a device when lost or when an employee leaves t A better option than wiping the entire device is to use Windows Information Protection to clean corporate-only data from a personal device. As explained in the Apps chapter, all corporate data will be tagged and when the device is unenrolled from your MDM system of your choice, all enterprise encrypted data, apps, settings and profiles will immediately be removed from the device without affecting the employee’s existing personal data. A user can initiate unenrollment via the settings screen or unenrollment action can be taken by IT from within the MDM management console. Unenrollment is a management event and will be reported to the MDM system. -**Corporate device:** You can certainly remotely expire the user’s encryption key in case of device theft, but please remember that that will also make the encrypted data on other Windows devices unreadable for the user. A better approach for retiring a discarded or lost device is to execute a full device wipe. The help desk or device users can initiate a full device wipe. When the wipe is complete, Windows 10 Mobile returns the device to a clean state and restarts the OOBE process. +**Corporate device:** You can certainly remotely expire the user’s encryption key in case of device theft, but please remember that will also make the encrypted data on other Windows devices unreadable for the user. A better approach for retiring a discarded or lost device is to execute a full device wipe. The help desk or device users can initiate a full device wipe. When the wipe is complete, Windows 10 Mobile returns the device to a clean state and restarts the OOBE process. **Settings for personal or corporate device retirement** - **Allow manual MDM unenrollment** Whether users are allowed to delete the workplace account (i.e., unenroll the device from the MDM system) 
diff --git a/windows/configuration/change-history-for-configure-windows-10.md b/windows/configuration/change-history-for-configure-windows-10.md index 3483fedd7a..f14d66e522 100644 --- a/windows/configuration/change-history-for-configure-windows-10.md +++ b/windows/configuration/change-history-for-configure-windows-10.md @@ -17,6 +17,12 @@ ms.date: 10/02/2018 This topic lists new and updated topics in the [Configure Windows 10](index.md) documentation for Windows 10 and Windows 10 Mobile. +## October 2018 + +New or changed topic | Description +--- | --- +[Troubleshoot multi-app kiosk](multi-app-kiosk-troubleshoot.md) and [Set up a single-app kiosk](kiosk-single-app.md) | Added event log path for auto-logon issues. + ## RELEASE: Windows 10, version 1809 The topics in this library have been updated for Windows 10, version 1809. The following new topic has been added: diff --git a/windows/configuration/changes-to-start-policies-in-windows-10.md b/windows/configuration/changes-to-start-policies-in-windows-10.md index 2317f9ef8e..603ee4e60e 100644 --- a/windows/configuration/changes-to-start-policies-in-windows-10.md +++ b/windows/configuration/changes-to-start-policies-in-windows-10.md @@ -6,7 +6,7 @@ keywords: ["group policy", "start menu", "start screen"] ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -author: coreyp +author: coreyp-at-msft ms.author: coreyp ms.topic: article ms.localizationpriority: medium diff --git a/windows/configuration/images/enable-assigned-access-log.png b/windows/configuration/images/enable-assigned-access-log.png new file mode 100644 index 0000000000..d16f04c43a Binary files /dev/null and b/windows/configuration/images/enable-assigned-access-log.png differ diff --git a/windows/configuration/kiosk-mdm-bridge.md b/windows/configuration/kiosk-mdm-bridge.md index d2c46dcb4c..9738a64aae 100644 --- a/windows/configuration/kiosk-mdm-bridge.md +++ b/windows/configuration/kiosk-mdm-bridge.md 
@@ -32,54 +32,54 @@ $nameSpaceName="root\cimv2\mdm\dmmap" $className="MDM_AssignedAccess" $obj = Get-CimInstance -Namespace $namespaceName -ClassName $className $obj.Configuration = @" -<?xml version="1.0" encoding="utf-8" ?> -<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"> - <Profiles> - <Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"> - <AllAppsList> - <AllowedApps> - <App AppUserModelId="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" /> - <App AppUserModelId="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" /> - <App AppUserModelId="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" /> - <App AppUserModelId="Microsoft.BingWeather_8wekyb3d8bbwe!App" /> - <App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" /> - <App DesktopAppPath="%windir%\system32\mspaint.exe" /> - <App DesktopAppPath="C:\Windows\System32\notepad.exe" /> - </AllowedApps> - </AllAppsList> - <StartLayout> - <![CDATA[<LayoutModificationTemplate xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"> - <LayoutOptions StartTileGroupCellWidth="6" /> - <DefaultLayoutOverride> - <StartLayoutCollection> - <defaultlayout:StartLayout GroupCellWidth="6"> - <start:Group Name="Group1"> - <start:Tile Size="4x4" Column="0" Row="0" AppUserModelID="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" /> - <start:Tile Size="2x2" Column="4" Row="2" AppUserModelID="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" /> - <start:Tile Size="2x2" Column="4" Row="0" AppUserModelID="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" /> - <start:Tile Size="2x2" Column="4" Row="4" AppUserModelID="Microsoft.BingWeather_8wekyb3d8bbwe!App" /> - <start:Tile Size="4x2" Column="0" Row="4" AppUserModelID="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" /> - </start:Group> - <start:Group 
Name="Group2"> - <start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk" /> - <start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\Accessories\Notepad.lnk" /> - </start:Group> - </defaultlayout:StartLayout> - </StartLayoutCollection> - </DefaultLayoutOverride> - </LayoutModificationTemplate> - ]]> - </StartLayout> - <Taskbar ShowTaskbar="true"/> - </Profile> - </Profiles> - <Configs> - <Config> - <Account>MultiAppKioskUser</Account> - <DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/> - </Config> - </Configs> -</AssignedAccessConfiguration> + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ]]> + + + + + + + MultiAppKioskUser + + + + "@ Set-CimInstance -CimInstance $obj diff --git a/windows/configuration/kiosk-prepare.md b/windows/configuration/kiosk-prepare.md index 346ce64c96..7932dafc17 100644 --- a/windows/configuration/kiosk-prepare.md +++ b/windows/configuration/kiosk-prepare.md @@ -38,6 +38,12 @@ Disable the camera. | Go to **Settings** > **Privacy** > **Camera**, a Turn off app notifications on the lock screen. | Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\System\\Logon\\Turn off app notifications on the lock screen**. Disable removable media. | Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\System\\Device Installation\\Device Installation Restrictions**. Review the policy settings available in **Device Installation Restrictions** for the settings applicable to your situation.

    **NOTE**: To prevent this policy from affecting a member of the Administrators group, in **Device Installation Restrictions**, enable **Allow administrators to override Device Installation Restriction policies**. +## Enable logging + +Logs can help you [troubleshoot issues](multi-app-kiosk-troubleshoot.md) kiosk issues. Logs about configuration and runtime issues can be obtained by enabling the **Applications and Services Logs\Microsoft\Windows\AssignedAccess\Operational** channel, which is disabled by default. + +![Event Viewer, right-click Operational, select enable log](images/enable-assigned-access-log.png) + ## Automatic logon In addition to the settings in the table, you may want to set up **automatic logon** for your kiosk device. When your kiosk device restarts, whether from an update or power outage, you can sign in the assigned access account manually or you can configure the device to sign in to the assigned access account automatically. Make sure that Group Policy settings applied to the device do not prevent automatic sign in. diff --git a/windows/configuration/kiosk-single-app.md b/windows/configuration/kiosk-single-app.md index 9f16d7bc3b..4af964b132 100644 --- a/windows/configuration/kiosk-single-app.md +++ b/windows/configuration/kiosk-single-app.md @@ -8,7 +8,7 @@ ms.mktglfcycl: manage ms.sitesec: library author: jdeckerms ms.localizationpriority: medium -ms.date: 10/02/2018 +ms.date: 10/09/2018 --- # Set up a single-app kiosk 
@@ -185,7 +185,7 @@ Clear-AssignedAccess >[!IMPORTANT] ->When Exchange Active Sync (EAS) password restrictions are active on the device, the autologon feature does not work. This behavior is by design. For more informations, see [How to turn on automatic logon in Windows}(https://support.microsoft.com/help/324737/how-to-turn-on-automatic-logon-in-windows). +>When Exchange Active Sync (EAS) password restrictions are active on the device, the autologon feature does not work. This behavior is by design. For more informations, see [How to turn on automatic logon in Windows](https://support.microsoft.com/help/324737/how-to-turn-on-automatic-logon-in-windows). When you use the **Provision kiosk devices** wizard in Windows Configuration Designer, you can configure the kiosk to run either a Universal Windows app or a Windows desktop application. @@ -200,7 +200,7 @@ When you use the **Provision kiosk devices** wizard in Windows Configuration Des ![step three](images/three.png) ![account management](images/account-management.png)

    Enable account management if you want to configure settings on this page.

    **If enabled:**

    You can enroll the device in Active Directory, enroll in Azure Active Directory, or create a local administrator account on the device

    To enroll the device in Active Directory, enter the credentials for a least-privileged user account to join the device to the domain.

    Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup). The **maximum number of devices per user** setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. To enroll the device in Azure AD, select that option and enter a friendly name for the bulk token you will get using the wizard. Set an expiration date for the token (maximum is 30 days from the date you get the token). Click **Get bulk token**. In the **Let's get you signed in** window, enter an account that has permissions to join a device to Azure AD, and then the password. Click **Accept** to give Windows Configuration Designer the necessary permissions.

    **Warning:** You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using any of the wizards.

    To create a local administrator account, select that option and enter a user name and password.

    **Important:** If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in. ![join Active Directory, Azure AD, or create a local admin account](images/account-management-details.png) ![step four](images/four.png) ![add applications](images/add-applications.png)

    You can provision the kiosk app in the **Add applications** step. You can install multiple applications, both Windows desktop applications (Win32) and Universal Windows Platform (UWP) apps, in a provisioning package. The settings in this step vary according to the application that you select. For help with the settings, see [Provision PCs with apps](provisioning-packages/provision-pcs-with-apps.md)

    **Warning:** If you click the plus button to add an application, you must specify an application for the provisioning package to validate. If you click the plus button in error, select any executable file in **Installer Path**, and then a **Cancel** button becomes available, allowing you to complete the provisioning package without an application. ![add an application](images/add-applications-details.png) ![step five](images/five.png) ![add certificates](images/add-certificates.png)

    To provision the device with a certificate for the kiosk app, click **Add a certificate**. Enter a name for the certificate, and then browse to and select the certificate to be used.![add a certificate](images/add-certificates-details.png) -![step six](images/six.png) ![Configure kiosk account and app](images/kiosk-account.png)

    You can create a local standard user account that will be used to run the kiosk app. If you toggle **No**, make sure that you have an existing user account to run the kiosk app.

    If you want to create an account, enter the user name and password, and then toggle **Yes** or **No** to automatically sign in the account when the device starts.

    In **Configure the kiosk mode app**, enter the name of the user account that will run the kiosk mode app. Select the type of app to run in kiosk mode, and then enter the path or filename (for a Windows desktop application) or the AUMID (for a Universal Windows app). For a Windows desktop application, you can use the filename if the path to the file is in the PATH environment variable, otherwise the full path is required.![Configure kiosk account and app](images/kiosk-account-details.png) +![step six](images/six.png) ![Configure kiosk account and app](images/kiosk-account.png)

    You can create a local standard user account that will be used to run the kiosk app. If you toggle **No**, make sure that you have an existing user account to run the kiosk app.

    If you want to create an account, enter the user name and password, and then toggle **Yes** or **No** to automatically sign in the account when the device starts. (If you encounter issues with auto sign-in after you apply the provisioning package, check the Event Viewer logs for auto logon issues under **Applications and Services Logs\Microsoft\Windows\Authentication User Interface\Operational**.)

    In **Configure the kiosk mode app**, enter the name of the user account that will run the kiosk mode app. Select the type of app to run in kiosk mode, and then enter the path or filename (for a Windows desktop application) or the AUMID (for a Universal Windows app). For a Windows desktop application, you can use the filename if the path to the file is in the PATH environment variable, otherwise the full path is required.![Configure kiosk account and app](images/kiosk-account-details.png) ![step seven](images/seven.png) ![configure kiosk common settings](images/kiosk-common.png)

    On this step, select your options for tablet mode, the user experience on the Welcome and shutdown screens, and the timeout settings.![set tablet mode and configure welcome and shutdown and turn off timeout settings](images/kiosk-common-details.png) ![finish](images/finish.png)

    You can set a password to protect your provisioning package. You must enter this password when you apply the provisioning package to a device.![Protect your package](images/finish-details.png) diff --git a/windows/configuration/manage-tips-and-suggestions.md b/windows/configuration/manage-tips-and-suggestions.md index 0c704c06f5..8e3923fef7 100644 --- a/windows/configuration/manage-tips-and-suggestions.md +++ b/windows/configuration/manage-tips-and-suggestions.md @@ -36,7 +36,7 @@ Since its inception, Windows 10 has included a number of user experience feature >[!TIP] > On all Windows desktop editions, users can directly enable and disable Windows 10 tips, "fun facts", and suggestions and Microsoft Store suggestions. For example, users are able to select personal photos for the lock screen as opposed to the images provided by Microsoft, or turn off tips, "fun facts", or suggestions as they use Windows. -Windows 10, version 1607 (also known as the Anniversary Update), provides organizations the ability to centrally manage the type of content provided by these features through Group Policy or mobile device management (MDM). The following table describes how administrators can manage suggestions and tips in Windows 10 commercial and education editions. +Windows 10 provides organizations the ability to centrally manage the type of content provided by these features through Group Policy or mobile device management (MDM). The following table describes how administrators can manage suggestions and tips in Windows 10 commercial and education editions. ## Options available to manage Windows 10 tips and "fun facts" and Microsoft Store suggestions diff --git a/windows/configuration/multi-app-kiosk-troubleshoot.md b/windows/configuration/multi-app-kiosk-troubleshoot.md index 6857cf8aac..d724cae559 100644 --- a/windows/configuration/multi-app-kiosk-troubleshoot.md +++ b/windows/configuration/multi-app-kiosk-troubleshoot.md 
@@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: edu, security author: jdeckerms ms.localizationpriority: medium -ms.date: 07/30/2018 +ms.date: 10/09/2018 ms.author: jdecker ms.topic: article --- @@ -34,7 +34,14 @@ For example: 1. [Verify that the provisioning package is applied successfully](kiosk-validate.md). 2. Verify that the account (config) is mapped to a profile in the configuration XML file. 3. Verify that the configuration XML file is authored and formatted correctly. Correct any configuration errors, then create and apply a new provisioning package. Sign out and sign in again to check the new configuration. +4. Additional logs about configuration and runtime issues can be obtained by enabling the **Applications and Services Logs\Microsoft\Windows\AssignedAccess\Operational** channel, which is disabled by default. +![Event Viewer, right-click Operational, select enable log](images/enable-assigned-access-log.png) + + +## Automatic logon issues + +Check the Event Viewer logs for auto logon issues under **Applications and Services Logs\Microsoft\Windows\Authentication User Interface\Operational**. ## Apps configured in AllowedList are blocked diff --git a/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md b/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md index cb66bfc3e5..b70f4fd66c 100644 --- a/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md +++ b/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md 
@@ -27,7 +27,7 @@ The CSPs are documented on the [Hardware Dev Center](https://go.microsoft.com/fw >[!NOTE]   >The explanation of CSPs and CSP documentation also apply to Windows Mobile 5, Windows Mobile 6, Windows Phone 7, and Windows Phone 8, but links to current CSPs are for Windows 10 and Windows 10 Mobile. - [See what's new for CSPs in Windows 10, version 1607.](https://msdn.microsoft.com/library/windows/hardware/mt299056.aspx#whatsnew_1607) + [See what's new for CSPs in Windows 10, version 1809.](https://docs.microsoft.com/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew1809) ## What is a CSP? diff --git a/windows/configuration/stop-employees-from-using-microsoft-store.md b/windows/configuration/stop-employees-from-using-microsoft-store.md index 27bc5fc49f..eb3d236c32 100644 --- a/windows/configuration/stop-employees-from-using-microsoft-store.md +++ b/windows/configuration/stop-employees-from-using-microsoft-store.md @@ -25,6 +25,9 @@ ms.date: 4/16/2018 IT pros can configure access to Microsoft Store for client computers in their organization. For some organizations, business policies require blocking access to Microsoft Store. +> [!Important] +> All executable code including Microsoft Store applications should have an update and maintenance plan. Organizations that use Microsoft Store applications should ensure that the applications can be updated through the Microsoft Store over the internet, through the [Private Store](/microsoft-store/distribute-apps-from-your-private-store), or [distributed offline](/microsoft-store/distribute-offline-apps) to keep the applications up to date. + ## Options to configure access to Microsoft Store 
@@ -80,8 +83,7 @@ You can also use Group Policy to manage access to Microsoft Store. 4. On the **Turn off Store application** setting page, click **Enabled**, and then click **OK**. > [!Important] -> Enabling **Turn off Store application** policy turns off app updates from Microsoft Store. - +> Enabling **Turn off Store application** policy turns off app updates from Microsoft Store. ## Block Microsoft Store using management tool diff --git a/windows/configuration/ue-v/uev-for-windows.md b/windows/configuration/ue-v/uev-for-windows.md index 7ac31a3a1f..d6ca23c105 100644 --- a/windows/configuration/ue-v/uev-for-windows.md +++ b/windows/configuration/ue-v/uev-for-windows.md @@ -96,4 +96,4 @@ You can also [customize UE-V to synchronize settings](uev-deploy-uev-for-custom- ## Have a suggestion for UE-V? -Add or vote on suggestions on the [User Experience Virtualization feedback site](http://uev.uservoice.com/forums/280428-microsoft-user-experience-virtualization).
    For UE-V issues, use the [UE-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-us/home?forum=mdopuev&filter=alltypes&sort=lastpostdesc). +For UE-V issues, use the [UE-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-us/home?forum=mdopuev&filter=alltypes&sort=lastpostdesc). diff --git a/windows/configuration/wcd/wcd-assignedaccess.md b/windows/configuration/wcd/wcd-assignedaccess.md index ae8d42c8ee..ff12b64898 100644 --- a/windows/configuration/wcd/wcd-assignedaccess.md +++ b/windows/configuration/wcd/wcd-assignedaccess.md @@ -30,7 +30,7 @@ Enter the account and the application you want to use for Assigned access, using **Example**: ``` -"Account":"domain\user", "AUMID":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" +{"Account":"domain\user", "AUMID":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"} ``` ## MultiAppAssignedAccessSettings diff --git a/windows/configuration/windows-10-start-layout-options-and-policies.md b/windows/configuration/windows-10-start-layout-options-and-policies.md index 00f8037780..b22277a8f5 100644 --- a/windows/configuration/windows-10-start-layout-options-and-policies.md +++ b/windows/configuration/windows-10-start-layout-options-and-policies.md @@ -20,7 +20,7 @@ ms.date: 06/19/2018 - Windows 10 -> **Looking for consumer information?** See [Customize the Start menu](https://windows.microsoft.com/windows-10/getstarted-see-whats-on-the-menu) +> **Looking for consumer information?** [See what's on the Start menu](https://support.microsoft.com/help/17195/windows-10-see-whats-on-the-menu) Organizations might want to deploy a customized Start and taskbar configuration to devices running Windows 10 Pro, Enterprise, or Education. A standard, customized Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes. Configuring the taskbar allows the organization to pin useful apps for their employees and to remove apps that are pinned by default. 
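Review bot: The rewritten **Example** in wcd-assignedaccess.md now reads as a JSON object, but `"domain\user"` still has a single backslash, and in strict JSON `\u` opens a four-hex-digit Unicode escape, so `\user` does not parse. If the setting value reaches a JSON parser unchanged, the example should read `{"Account":"domain\\user", "AUMID":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"}`. Otherwise the page should say that the tool escapes the backslash for the user. A value that fails to parse could leave the assigned-access (kiosk) restriction unapplied on the device, so this is worth confirming against the tool before publishing.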
diff --git a/windows/configuration/windows-spotlight.md b/windows/configuration/windows-spotlight.md index aaf7da1a9a..b4166fbbf4 100644 --- a/windows/configuration/windows-spotlight.md +++ b/windows/configuration/windows-spotlight.md @@ -73,7 +73,7 @@ Windows Spotlight is enabled by default. Windows 10 provides Group Policy and mo - In addition to the specific policy settings for Windows Spotlight, administrators can replace Windows Spotlight with a selected image using the Group Policy setting **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Force a specific default lock screen image**. + In addition to the specific policy settings for Windows Spotlight, administrators can replace Windows Spotlight with a selected image using the Group Policy setting **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Force a specific default lock screen image** (Windows 10 Enterprise and Education). >[!TIP] >If you want to use a custom lock screen image that contains text, see [Resolution for custom lock screen image](#resolution-for-custom-lock-screen-image). diff --git a/windows/deployment/TOC.md b/windows/deployment/TOC.md index 6577188cbc..1e21d2a88c 100644 --- a/windows/deployment/TOC.md +++ b/windows/deployment/TOC.md 
@@ -218,9 +218,17 @@ ### [Prepare servicing strategy for Windows 10 updates](update/waas-servicing-strategy-windows-10-updates.md) ### [Build deployment rings for Windows 10 updates](update/waas-deployment-rings-windows-10-updates.md) ### [Assign devices to servicing channels for Windows 10 updates](update/waas-servicing-channels-windows-10-updates.md) +### [Get started with Windows Update](update/windows-update-overview.md) +#### [How Windows Update works](update/how-windows-update-works.md) +#### [Windows Update log files](update/windows-update-logs.md) +#### [How to troubleshoot Windows Update](update/windows-update-troubleshooting.md) +#### [Common Windows Update errors](update/windows-update-errors.md) +#### [Windows Update error code reference](update/windows-update-error-reference.md) +#### [Other Windows Update resources](update/windows-update-resources.md) ### [Optimize Windows 10 update delivery](update/waas-optimize-windows-10-updates.md) #### [Configure Delivery Optimization for Windows 10 updates](update/waas-delivery-optimization.md) #### [Configure BranchCache for Windows 10 updates](update/waas-branchcache.md) +#### [Whitepaper: Windows Updates using forward and reverse differentials](update/PSFxWhitepaper.md) ### [Best practices for feature updates on mission-critical devices](update/feature-update-mission-critical.md) #### [Deploy feature updates during maintenance windows](update/feature-update-maintenance-window.md) #### [Deploy feature updates for user-initiated installations](update/feature-update-user-install.md) 
@@ -232,6 +240,7 @@ #### [Walkthrough: use Group Policy to configure Windows Update for Business](update/waas-wufb-group-policy.md) #### [Walkthrough: use Intune to configure Windows Update for Business](https://docs.microsoft.com/intune/windows-update-for-business-configure) ### [Deploy Windows 10 updates using Windows Server Update Services](update/waas-manage-updates-wsus.md) +#### [Enable FoD and language pack updates in Windows Update](update/fod-and-lang-packs.md) ### [Deploy Windows 10 updates using System Center Configuration Manager](update/waas-manage-updates-configuration-manager.md) ### [Manage device restarts after updates](update/waas-restart.md) ### [Manage additional Windows Update settings](update/waas-wu-settings.md) diff --git a/windows/deployment/deploy-m365.md b/windows/deployment/deploy-m365.md index ded250b312..6ea42e8bc1 100644 --- a/windows/deployment/deploy-m365.md +++ b/windows/deployment/deploy-m365.md @@ -21,7 +21,7 @@ This topic provides a brief overview of Microsoft 365 and describes how to use a [Microsoft 365](https://www.microsoft.com/microsoft-365) is a new offering from Microsoft that combines [Windows 10](https://www.microsoft.com/windows/features) with [Office 365](https://products.office.com/business/explore-office-365-for-business), and [Enterprise Mobility and Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) (EMS). -For Windows 10 deployment, Microsoft 365 includes a fantasic deployment advisor that can walk you through the entire process of deploying Windows 10. The wizard supports multiple Windows 10 deployment methods, including: +For Windows 10 deployment, Microsoft 365 includes a fantastic deployment advisor that can walk you through the entire process of deploying Windows 10. The wizard supports multiple Windows 10 deployment methods, including: - Windows Autopilot - In-place upgrade 
diff --git a/windows/deployment/images/UC_00_marketplace_search - Copy.PNG b/windows/deployment/images/UC_00_marketplace_search - Copy.PNG new file mode 100644 index 0000000000..dcdf25d38a Binary files /dev/null and b/windows/deployment/images/UC_00_marketplace_search - Copy.PNG differ diff --git a/windows/deployment/images/UC_00_marketplace_search.PNG b/windows/deployment/images/UC_00_marketplace_search.PNG new file mode 100644 index 0000000000..dcdf25d38a Binary files /dev/null and b/windows/deployment/images/UC_00_marketplace_search.PNG differ diff --git a/windows/deployment/images/UC_01_marketplace_create - Copy.PNG b/windows/deployment/images/UC_01_marketplace_create - Copy.PNG new file mode 100644 index 0000000000..4b34311112 Binary files /dev/null and b/windows/deployment/images/UC_01_marketplace_create - Copy.PNG differ diff --git a/windows/deployment/images/UC_01_marketplace_create.PNG b/windows/deployment/images/UC_01_marketplace_create.PNG new file mode 100644 index 0000000000..4b34311112 Binary files /dev/null and b/windows/deployment/images/UC_01_marketplace_create.PNG differ diff --git a/windows/deployment/images/UC_02_workspace_create - Copy.PNG b/windows/deployment/images/UC_02_workspace_create - Copy.PNG new file mode 100644 index 0000000000..ed3eeeebbb Binary files /dev/null and b/windows/deployment/images/UC_02_workspace_create - Copy.PNG differ diff --git a/windows/deployment/images/UC_02_workspace_create.PNG b/windows/deployment/images/UC_02_workspace_create.PNG new file mode 100644 index 0000000000..ed3eeeebbb Binary files /dev/null and b/windows/deployment/images/UC_02_workspace_create.PNG differ diff --git a/windows/deployment/images/UC_03_workspace_select - Copy.PNG b/windows/deployment/images/UC_03_workspace_select - Copy.PNG new file mode 100644 index 0000000000..d00864b861 Binary files /dev/null and b/windows/deployment/images/UC_03_workspace_select - Copy.PNG differ 
diff --git a/windows/deployment/images/UC_03_workspace_select.PNG b/windows/deployment/images/UC_03_workspace_select.PNG new file mode 100644 index 0000000000..d00864b861 Binary files /dev/null and b/windows/deployment/images/UC_03_workspace_select.PNG differ diff --git a/windows/deployment/images/UC_04_resourcegrp_deployment_successful - Copy.PNG b/windows/deployment/images/UC_04_resourcegrp_deployment_successful - Copy.PNG new file mode 100644 index 0000000000..3ea9f57531 Binary files /dev/null and b/windows/deployment/images/UC_04_resourcegrp_deployment_successful - Copy.PNG differ diff --git a/windows/deployment/images/UC_04_resourcegrp_deployment_successful .PNG b/windows/deployment/images/UC_04_resourcegrp_deployment_successful .PNG new file mode 100644 index 0000000000..3ea9f57531 Binary files /dev/null and b/windows/deployment/images/UC_04_resourcegrp_deployment_successful .PNG differ diff --git a/windows/deployment/images/UC_tile_assessing - Copy.PNG b/windows/deployment/images/UC_tile_assessing - Copy.PNG new file mode 100644 index 0000000000..2709763570 Binary files /dev/null and b/windows/deployment/images/UC_tile_assessing - Copy.PNG differ diff --git a/windows/deployment/images/UC_tile_assessing.PNG b/windows/deployment/images/UC_tile_assessing.PNG new file mode 100644 index 0000000000..2709763570 Binary files /dev/null and b/windows/deployment/images/UC_tile_assessing.PNG differ diff --git a/windows/deployment/images/UC_tile_filled - Copy.PNG b/windows/deployment/images/UC_tile_filled - Copy.PNG new file mode 100644 index 0000000000..f7e1bab284 Binary files /dev/null and b/windows/deployment/images/UC_tile_filled - Copy.PNG differ diff --git a/windows/deployment/images/UC_tile_filled.PNG b/windows/deployment/images/UC_tile_filled.PNG new file mode 100644 index 0000000000..f7e1bab284 Binary files /dev/null and b/windows/deployment/images/UC_tile_filled.PNG differ 
diff --git a/windows/deployment/images/UC_workspace_DO_status - Copy.PNG b/windows/deployment/images/UC_workspace_DO_status - Copy.PNG new file mode 100644 index 0000000000..fa7550f0f5 Binary files /dev/null and b/windows/deployment/images/UC_workspace_DO_status - Copy.PNG differ diff --git a/windows/deployment/images/UC_workspace_DO_status.PNG b/windows/deployment/images/UC_workspace_DO_status.PNG new file mode 100644 index 0000000000..fa7550f0f5 Binary files /dev/null and b/windows/deployment/images/UC_workspace_DO_status.PNG differ diff --git a/windows/deployment/images/UC_workspace_FU_status - Copy.PNG b/windows/deployment/images/UC_workspace_FU_status - Copy.PNG new file mode 100644 index 0000000000..14966b1d8a Binary files /dev/null and b/windows/deployment/images/UC_workspace_FU_status - Copy.PNG differ diff --git a/windows/deployment/images/UC_workspace_FU_status.PNG b/windows/deployment/images/UC_workspace_FU_status.PNG new file mode 100644 index 0000000000..14966b1d8a Binary files /dev/null and b/windows/deployment/images/UC_workspace_FU_status.PNG differ diff --git a/windows/deployment/images/UC_workspace_SU_status - Copy.PNG b/windows/deployment/images/UC_workspace_SU_status - Copy.PNG new file mode 100644 index 0000000000..3564c9b6e5 Binary files /dev/null and b/windows/deployment/images/UC_workspace_SU_status - Copy.PNG differ diff --git a/windows/deployment/images/UC_workspace_SU_status.PNG b/windows/deployment/images/UC_workspace_SU_status.PNG new file mode 100644 index 0000000000..3564c9b6e5 Binary files /dev/null and b/windows/deployment/images/UC_workspace_SU_status.PNG differ diff --git a/windows/deployment/images/UC_workspace_WDAV_status - Copy.PNG b/windows/deployment/images/UC_workspace_WDAV_status - Copy.PNG new file mode 100644 index 0000000000..40dcaef949 Binary files /dev/null and b/windows/deployment/images/UC_workspace_WDAV_status - Copy.PNG differ 
diff --git a/windows/deployment/images/UC_workspace_WDAV_status.PNG b/windows/deployment/images/UC_workspace_WDAV_status.PNG new file mode 100644 index 0000000000..40dcaef949 Binary files /dev/null and b/windows/deployment/images/UC_workspace_WDAV_status.PNG differ diff --git a/windows/deployment/images/UC_workspace_home.PNG b/windows/deployment/images/UC_workspace_home.PNG new file mode 100644 index 0000000000..4269eb8c4d Binary files /dev/null and b/windows/deployment/images/UC_workspace_home.PNG differ diff --git a/windows/deployment/images/UC_workspace_needs_attention - Copy.png b/windows/deployment/images/UC_workspace_needs_attention - Copy.png new file mode 100644 index 0000000000..be8033a9d6 Binary files /dev/null and b/windows/deployment/images/UC_workspace_needs_attention - Copy.png differ diff --git a/windows/deployment/images/UC_workspace_needs_attention.png b/windows/deployment/images/UC_workspace_needs_attention.png new file mode 100644 index 0000000000..be8033a9d6 Binary files /dev/null and b/windows/deployment/images/UC_workspace_needs_attention.png differ diff --git a/windows/deployment/images/UC_workspace_overview_blade - Copy.PNG b/windows/deployment/images/UC_workspace_overview_blade - Copy.PNG new file mode 100644 index 0000000000..beb04cdc18 Binary files /dev/null and b/windows/deployment/images/UC_workspace_overview_blade - Copy.PNG differ diff --git a/windows/deployment/images/UC_workspace_overview_blade.PNG b/windows/deployment/images/UC_workspace_overview_blade.PNG new file mode 100644 index 0000000000..beb04cdc18 Binary files /dev/null and b/windows/deployment/images/UC_workspace_overview_blade.PNG differ diff --git a/windows/deployment/planning/windows-10-1809-removed-features.md b/windows/deployment/planning/windows-10-1809-removed-features.md index 6d5df32e07..68efc2b293 100644 --- a/windows/deployment/planning/windows-10-1809-removed-features.md +++ b/windows/deployment/planning/windows-10-1809-removed-features.md 
@@ -32,7 +32,6 @@ We're removing the following features and functionalities from the installed pro |Hologram app|We've replaced the Hologram app with the [Mixed Reality Viewer](https://support.microsoft.com/help/4041156/windows-10-mixed-reality-help). If you would like to create 3D word art, you can still do that in Paint 3D and view your art in VR or Hololens with the Mixed Reality Viewer.| |limpet.exe|We're releasing the limpet.exe tool, used to access TPM for Azure connectivity, as open source.| |Phone Companion|When you update to Windows 10, version 1809, the Phone Companion app will be removed from your PC. Use the **Phone** page in the Settings app to sync your mobile phone with your PC. It includes all the Phone Companion features.| -|Trusted Platform Module (TPM) management console|The information previously available in the TPM management console is now available on the [**Device security**](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security) page in the [Windows Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center).| |Future updates through [Windows Embedded Developer Update](https://docs.microsoft.com/previous-versions/windows/embedded/ff770079\(v=winembedded.60\)) for Windows Embedded Standard 8 and Windows Embedded 8 Standard|We’re no longer publishing new updates to the WEDU server. Instead, you may secure any new updates from the [Microsoft Update Catalog](http://www.catalog.update.microsoft.com/Home.aspx).| ## Features we’re no longer developing diff --git a/windows/deployment/s-mode.md b/windows/deployment/s-mode.md index de261b876c..9e83c68e65 100644 --- a/windows/deployment/s-mode.md +++ b/windows/deployment/s-mode.md 
@@ -27,7 +27,7 @@ Start-ups are quick, and S mode is built to keep them that way. With Microsoft E **Choice and flexibility** -Save your files to your favorite cloud, like OneDrive or Dropbox, and access them from any device you choose. Browse the Microsoft Store for thousands of apps, and if you don’t find exactly what you want, you can easily [switch out of S mode](https://docs.microsoft.com/en-us/windows/deployment/windows-10-pro-in-s-mode) at any time and search the web for more choices. +Save your files to your favorite cloud, like OneDrive or Dropbox, and access them from any device you choose. Browse the Microsoft Store for thousands of apps, and if you don’t find exactly what you want, you can easily [switch out of S mode](https://docs.microsoft.com/en-us/windows/deployment/windows-10-pro-in-s-mode) to Home, Pro, or Enterprise at any time and search the web for more choices, as shown below. ![Switching out of S mode flow chart](images/s-mode-flow-chart.png) diff --git a/windows/deployment/update/PSFxWhitepaper.md b/windows/deployment/update/PSFxWhitepaper.md new file mode 100644 index 0000000000..4126e2c7cf --- /dev/null +++ b/windows/deployment/update/PSFxWhitepaper.md 
@@ -0,0 +1,203 @@ +--- +title: Windows Updates using forward and reverse differentials +description: A technique to produce compact software updates optimized for any origin and destination revision pair +keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +author: Jaimeo +ms.localizationpriority: medium +ms.author: jaimeo +ms.date: 10/18/2018 +--- + +# Windows Updates using forward and reverse differentials + + +Windows 10 monthly quality updates are cumulative, containing all previously +released fixes to ensure consistency and simplicity. For an operating system +platform like Windows 10, which stays in support for multiple years, the size of +monthly quality updates can quickly grow large, thus directly impacting network +bandwidth consumption. + +Today, this problem is addressed by using express downloads, where differential +downloads for every changed file in the update are generated based on selected +historical revisions plus the base version. In this paper, we introduce a new +technique to build compact software update packages that are applicable to any +revision of the base version, and then describe how Windows 10 quality updates +uses this technique. + +## General Terms + +The following general terms apply throughout this document: + +- *Base version*: A major software release with significant changes, such as + Windows 10, version 1809 (Windows 10 Build 17763.1) + +- *Revision*: Minor releases in between the major version releases, such as + KB4464330 (Windows 10 Build 17763.55) + +- *Baseless Patch Storage Files (Baseless PSF)*: Patch storage files that + contain full binaries or files + +## Introduction + +In this paper, we introduce a new technique that can produce compact software +updates optimized for any origin/destination revision pair. 
It does this by +calculating forward the differential of a changed file from the base version and +its reverse differential back to the base version. Both forward and reverse +differentials are then packaged as an update and distributed to the endpoints +running the software to be updated. The update package contents can be symbolized as follows: + +![Symbolic representation of update package contents. a box containing two expressions: delta sub zero transform to sub N, followed delta sub N transform to sub zero](images/PSF1.png) + +The endpoints that have the base version of the file (V0) hydrate the target +revision (VN) by applying a simple transformation: + +![Equation: V sub zero + delta sub zero transform to sub N = V sub n](images/PSF2.png) + +The endpoints that have revision N of the file (VN), hydrate the target revision +(VR) by applying the following set of transformations: + +![Equation 1: V sub n + delta sub n transform to 0 = V sun 0; Equation 2: V sub zero + delta sub 0 transform to R = V sub R](images/PSF3.png) + +The endpoints retain the reverse differentials for the software revision they +are on, so that it can be used for hydrating and applying next revision update. + +By using a common baseline, this technique produces a single update package with +numerous advantages: + +- Compact in size + +- Applicable to all baselines + +- Simple to build + +- Efficient to install + +- Redistributable + +Historically, download sizes of Windows 10 quality updates (Windows 10, version +1803 and older supported versions of Windows 10) are optimized by using express +download. Express download is optimized such that updating Windows 10 systems +will download the minimum number of bytes. This is achieved by generating +differentials for every updated file based on selected historical base revisions +of the same file + its base or RTM version. 
+ +For example, if the October monthly quality update has updated Notepad.exe, +differentials for Notepad.exe file changes from September to October, August to +October, July to October, June to October, and from the original feature release +to October are generated. All these differentials are stored in a Patch Storage +File (PSF, also referred to as “express download files”) and hosted or cached on +Windows Update or other update management or distribution servers (for example, +Windows Server Update Services (WSUS), System Center Configuration Manager, or a +non-Microsoft update management or distribution server that supports express +updates). A device leveraging express updates uses network protocol to determine +optimal differentials, then downloads only what is needed from the update +distribution endpoints. + +The flipside of express download is that the size of PSF files can be very large +depending on the number of historical baselines against which differentials were +calculated. Downloading and caching large PSF files to on-premises or remote +update distribution servers is problematic for most organizations, hence they +are unable to leverage express updates to keep their fleet of devices running +Windows 10 up to date. Secondly, due to the complexity of generating +differentials and size of the express files that need to be cached on update +distribution servers, it is only feasible to generate express download files for +the most common baselines, thus express updates are only applicable to selected +baselines. Finally, calculation of optimal differentials is expensive in terms +of system memory utilization, especially for low-cost systems, impacting their +ability to download and apply an update seamlessly. 
+ +In the following sections, we describe how Windows 10 quality updates will +leverage this technique based on forward and reverse differentials for newer +releases of Windows 10 and Windows Server to overcome the challenges with +express downloads. + +## High-level Design + +### Update packaging + +Windows 10 quality update packages will contain forward differentials from +quality update RTM baselines (∆RTM→N) and reverse differentials back to RTM +(∆N→RTM) for each file that has changed since RTM. By using the RTM version as +the baseline, we ensure that all devices will have an identical payload. Update +package metadata, content manifests, and forward and reverse differentials will +be packaged into a cabinet file (.cab). This .cab file, and the applicability +logic, will also be wrapped in Microsoft Standalone Update (.msu) format. + +There can be cases where new files are added to the system during servicing. +These files will not have RTM baselines, thus forward and reverse differentials +cannot be used. In these scenarios, null differentials will be used to handle +servicing. Null differentials are the slightly compressed and optimized version +of the full binaries. Update packages can have either +forward or reverse differentials, or null differential of any given binary in +them. The following image symbolizes the content of a Windows 10 quality update installer: + +![Outer box labeled .msu containing two sub-boxes: 1) Applicability Logic, 2) box labeled .cab containg four sub-boxes: 1) update metadata, 2) content manifests, 3) delta sub RTM transform to sub N (file 1, file2, etc.), and 4) delta sub N transform to RTM (file 1, file 2, etc.)](images/PSF4.png) + +### Hydration and installation + +Once the usual applicability checks are performed on the update package and are +determined to be applicable, the Windows component servicing infrastructure will +hydrate the full files during pre-installation and then proceed with the usual +installation process. 
+ +Below is a high-level sequence of activities that the component servicing +infrastructure will run in a transaction to complete installation of the update: + +- Identify all files that are required to install the update. + +- Hydrate each of necessary files using current version (VN) of the file, + reverse differential (VN--->RTM) of the file back to quality update RTM/base + version and forward differential (VRTM--->R) from feature update RTM/base + version to the target version. Also, use null differential hydration to + hydrate null compressed files. + +- Stage the hydrated files (full file), forward differentials (under ‘f’ + folder) and reverse differentials (under ‘r’ folder) or null compressed + files (under ‘n’ folder) in the component store (%windir%\\WinSxS folder). + +- Resolve any dependencies and install components. + +- Clean up older state (VN-1); the previous state VN is retained for + uninstallation and restoration or repair. + +### **Resilient Hydration** + +To ensure resiliency against component store corruption or missing files that +could occur due to susceptibility of certain types of hardware to file system +corruption, a corruption repair service has been traditionally used to recover +the component store automatically (“automatic corruption repair”) or on demand +(“manual corruption repair”) using an online or local repair source. This +service will continue to offer the ability to repair and recover content for +hydration and successfully install an update, if needed. + +When corruption is detected during update operations, automatic corruption +repair will start as usual and use the Baseless Patch Storage File published to +Windows Update for each update to fix corrupted manifests, binary differentials, +or hydrated or full files. Baseless patch storage files will contain reverse and +forward differentials and full files for each updated component. Integrity of +the repair files will be hash verified. 
+ +Corruption repair will use the component manifest to detect missing files and +get hashes for corruption detection. During update installation, new registry +flags for each differential staged on the machine will be set. When automatic +corruption repair runs, it will scan hydrated files using the manifest and +differential files using the flags. If the differential cannot be found or +verified, it will be added to the list of corruptions to repair. + +### Lazy automatic corruption repair + +“Lazy automatic corruption repair” runs during update operations to detect +corrupted binaries and differentials. While applying an update, if hydration of +any file fails, "lazy" automatic corruption repair automatically starts, +identifies the corrupted binary or differential file, and then adds it to the +corruption list. Later, the update operation continues as far as it can go, so +that "lazy" automatic corruption repair can collect as many corrupted files to fix +as possible. At the end of the hydration section, the update fails, and +automatic corruption repair starts. Automatic corruption repair runs as usual +and at the end of its operation, adds the corruption list generated by "lazy" +automatic corruption repair on top of the new list to repair. Automatic +corruption repair then repairs the files on the corruption list and installation +of the update will succeed on the next attempt. diff --git a/windows/deployment/update/device-health-using.md b/windows/deployment/update/device-health-using.md index 3e28db2683..890e0c33bb 100644 --- a/windows/deployment/update/device-health-using.md +++ b/windows/deployment/update/device-health-using.md 
@@ -57,7 +57,7 @@ Clicking the header of the Frequently Crashing Devices blade opens a reliability Notice the filters in the left pane; they allow you to filter the crash rate shown to a particular operating system version, device model, or other parameter. >[!NOTE] ->Use caution when interpreting results filtered by model or operating system version. This is very useful for troubleshooting, but might not be accurate for *comparisons* because the crashes displayed could be of different types. The overall goal for working with crash data is to ensure that most devices have the same driver versions and that that version has a low crash rate. +>Use caution when interpreting results filtered by model or operating system version. This is very useful for troubleshooting, but might not be accurate for *comparisons* because the crashes displayed could be of different types. The overall goal for working with crash data is to ensure that most devices have the same driver versions and that the version has a low crash rate. >[!TIP] >Once you've applied a filter (for example setting OSVERSION=1607) you will see the query in the text box change to append the filter (for example, with “(OSVERSION=1607)”). To undo the filter, remove that part of the query in the text box and click the search button to the right of the text box to run the adjusted query.” diff --git a/windows/deployment/update/fod-and-lang-packs.md b/windows/deployment/update/fod-and-lang-packs.md new file mode 100644 index 0000000000..e360ba20b9 --- /dev/null +++ b/windows/deployment/update/fod-and-lang-packs.md 
@@ -0,0 +1,23 @@
+---
+title: Windows 10 - How to make FoDs and language packs available when you're using WSUS/SCCM
+description: Learn how to make FoDs and language packs available for updates when you're using WSUS/SCCM.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: article
+ms.author: elizapo
+author: lizap
+ms.localizationpriority: medium
+ms.date: 10/18/2018
+---
+# How to make Features on Demand and language packs available when you're using WSUS/SCCM
+
+> Applies to: Windows 10
+
+As of Windows 10, version 1709, you can't use Windows Server Update Services (WSUS) to host [Features on Demand](https://docs.microsoft.com/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities) and language packs for Windows 10 clients. Instead, you can pull them directly from Windows Update - you just need to change a Group Policy setting that lets clients download these directly from Windows Update. You can also host Features on Demand and language packs on a network share, but starting with Windows 10, version 1809, language packs can only be installed from Windows Update.
+
+For Active Directory and Group Policy environments running in a WSUS\SCCM environment change the **Specify settings for optional component installation and component repair** policy to enable downloading Features on Demand directly from Windows Update or a local share. This setting is located in Computer Configuration\Administrative Templates\System in the Group Policy Editor.
+
+Changing this policy only enables Features on Demand and language pack downloads from Windows Update - it doesn't affect how clients get feature and quality updates. Feature and quality updates will continue to come directly from WSUS\SCCM. It also doesn't affect the schedule for your clients to receive updates.
+
+Learn about other client management options, including using Group Policy and ADMX, in [Manage clients in Windows 10](https://docs.microsoft.com/windows/client-management/).
diff --git a/windows/deployment/update/images/PSF1.png b/windows/deployment/update/images/PSF1.png
new file mode 100644
index 0000000000..3476cf6c11
Binary files /dev/null and b/windows/deployment/update/images/PSF1.png differ
diff --git a/windows/deployment/update/images/PSF2.png b/windows/deployment/update/images/PSF2.png
new file mode 100644
index 0000000000..1da8698dff
Binary files /dev/null and b/windows/deployment/update/images/PSF2.png differ
diff --git a/windows/deployment/update/images/PSF3.png b/windows/deployment/update/images/PSF3.png
new file mode 100644
index 0000000000..79be89cea3
Binary files /dev/null and b/windows/deployment/update/images/PSF3.png differ
diff --git a/windows/deployment/update/images/PSF4.png b/windows/deployment/update/images/PSF4.png
new file mode 100644
index 0000000000..20f9a1a887
Binary files /dev/null and b/windows/deployment/update/images/PSF4.png differ
diff --git a/windows/deployment/update/images/UC_00_marketplace_search.PNG b/windows/deployment/update/images/UC_00_marketplace_search.PNG
new file mode 100644
index 0000000000..dcdf25d38a
Binary files /dev/null and b/windows/deployment/update/images/UC_00_marketplace_search.PNG differ
diff --git a/windows/deployment/update/images/UC_01_marketplace_create.PNG b/windows/deployment/update/images/UC_01_marketplace_create.PNG
new file mode 100644
index 0000000000..4b34311112
Binary files /dev/null and b/windows/deployment/update/images/UC_01_marketplace_create.PNG differ
diff --git a/windows/deployment/update/images/UC_02_workspace_create.PNG b/windows/deployment/update/images/UC_02_workspace_create.PNG
new file mode 100644
index 0000000000..ed3eeeebbb
Binary files /dev/null and b/windows/deployment/update/images/UC_02_workspace_create.PNG differ
diff --git a/windows/deployment/update/images/UC_03_workspace_select.PNG b/windows/deployment/update/images/UC_03_workspace_select.PNG
new file mode 100644
index 0000000000..d00864b861
Binary files /dev/null and b/windows/deployment/update/images/UC_03_workspace_select.PNG differ
diff --git a/windows/deployment/update/images/UC_04_resourcegrp_deployment_successful.PNG b/windows/deployment/update/images/UC_04_resourcegrp_deployment_successful.PNG
new file mode 100644
index 0000000000..3ea9f57531
Binary files /dev/null and b/windows/deployment/update/images/UC_04_resourcegrp_deployment_successful.PNG differ
diff --git a/windows/deployment/update/images/UC_tile_assessing.PNG b/windows/deployment/update/images/UC_tile_assessing.PNG
new file mode 100644
index 0000000000..2709763570
Binary files /dev/null and b/windows/deployment/update/images/UC_tile_assessing.PNG differ
diff --git a/windows/deployment/update/images/UC_tile_filled.PNG b/windows/deployment/update/images/UC_tile_filled.PNG
new file mode 100644
index 0000000000..f7e1bab284
Binary files /dev/null and b/windows/deployment/update/images/UC_tile_filled.PNG differ
diff --git a/windows/deployment/update/images/UC_workspace_DO_status.PNG b/windows/deployment/update/images/UC_workspace_DO_status.PNG
new file mode 100644
index 0000000000..fa7550f0f5
Binary files /dev/null and b/windows/deployment/update/images/UC_workspace_DO_status.PNG differ
diff --git a/windows/deployment/update/images/UC_workspace_FU_status.PNG b/windows/deployment/update/images/UC_workspace_FU_status.PNG
new file mode 100644
index 0000000000..14966b1d8a
Binary files /dev/null and b/windows/deployment/update/images/UC_workspace_FU_status.PNG differ
diff --git a/windows/deployment/update/images/UC_workspace_SU_status.PNG b/windows/deployment/update/images/UC_workspace_SU_status.PNG
new file mode 100644
index 0000000000..3564c9b6e5
Binary files /dev/null and b/windows/deployment/update/images/UC_workspace_SU_status.PNG differ
diff --git a/windows/deployment/update/images/UC_workspace_WDAV_status.PNG b/windows/deployment/update/images/UC_workspace_WDAV_status.PNG new file mode 100644 index 0000000000..40dcaef949 Binary files /dev/null and b/windows/deployment/update/images/UC_workspace_WDAV_status.PNG differ diff --git a/windows/deployment/update/images/UC_workspace_needs_attention.png b/windows/deployment/update/images/UC_workspace_needs_attention.png new file mode 100644 index 0000000000..be8033a9d6 Binary files /dev/null and b/windows/deployment/update/images/UC_workspace_needs_attention.png differ diff --git a/windows/deployment/update/images/UC_workspace_overview_blade.PNG b/windows/deployment/update/images/UC_workspace_overview_blade.PNG new file mode 100644 index 0000000000..beb04cdc18 Binary files /dev/null and b/windows/deployment/update/images/UC_workspace_overview_blade.PNG differ diff --git a/windows/deployment/update/servicing-stack-updates.md b/windows/deployment/update/servicing-stack-updates.md index ae2fc715ad..595bed72af 100644 --- a/windows/deployment/update/servicing-stack-updates.md +++ b/windows/deployment/update/servicing-stack-updates.md @@ -45,3 +45,5 @@ Typically, the improvements are reliability, security, and performance improveme * Servicing stack updates contain the full servicing stack; as a result, typically administrators only need to install the latest servicing stack update for the operating system. * Installing servicing stack update does not require restarting the device, so installation should not be disruptive. * Servicing stack update releases are specific to the operating system version (build number), much like quality updates. +* Search to install latest available [Servicing stack update for Windows 10](https://support.microsoft.com/en-us/search?query=servicing%20stack%20update%20Windows%2010). + 
diff --git a/windows/deployment/update/update-compliance-delivery-optimization.md b/windows/deployment/update/update-compliance-delivery-optimization.md index 9c77b0f094..c29062acb5 100644 --- a/windows/deployment/update/update-compliance-delivery-optimization.md +++ b/windows/deployment/update/update-compliance-delivery-optimization.md @@ -7,7 +7,7 @@ ms.sitesec: library ms.pagetype: deploy author: jaimeo ms.author: jaimeo -ms.date: 03/27/2018 +ms.date: 10/04/2018 keywords: oms, operations management suite, optimization, downloads, updates, log analytics ms.localizationpriority: medium --- @@ -15,9 +15,7 @@ ms.localizationpriority: medium # Delivery Optimization in Update Compliance The Update Compliance solution of Windows Analytics provides you with information about your Delivery Optimization configuration, including the observed bandwidth savings across all devices that used peer-to-peer distribution over the past 28 days. ->[!Note] ->Delivery Optimization Status is currently in development. See the [Known Issues](#known-issues) section for issues we are aware of and potential workarounds. - +![DO status](images/UC_workspace_DO_status.png) ## Delivery Optimization Status @@ -27,7 +25,7 @@ The Delivery Optimization Status section includes three blades: - The **Content Distribution (%)** blade shows the percentage of bandwidth savings for each category - The **Content Distribution (GB)** blade shows the total amount of data seen from each content type broken down by the download source (peers vs non-peers). -![DO status](images/uc-DO-status.png) + ## Device Configuration blade 
@@ -46,8 +44,3 @@ The download sources that could be included are: - Group Bytes: Bytes downloaded from Group Peers which are other devices that belong to the same Group (available when the “Group” download mode is used) - HTTP Bytes: Non-peer bytes. The HTTP download source can be Microsoft Servers, Windows Update Servers, a WSUS server or an SCCM Distribution Point for Express Updates. -## Known Issues -Delivery Optimization is currently in development. The following issues are known: - -- DO Download Mode is not accurately portrayed in the Device Configuration blade. There is no workaround at this time. - diff --git a/windows/deployment/update/update-compliance-feature-update-status.md b/windows/deployment/update/update-compliance-feature-update-status.md index 0235ac8cea..1bc0919648 100644 --- a/windows/deployment/update/update-compliance-feature-update-status.md +++ b/windows/deployment/update/update-compliance-feature-update-status.md 
@@ -5,20 +5,20 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: deploy -author: DaniHalfin -ms.author: daniha -ms.date: 10/18/2017 +author: Jaimeo +ms.author: jaimeo +ms.date: 10/04/2018 --- # Feature Update Status -![The Feature Update Status report](images/uc-featureupdatestatus.png) +![The Feature Update Status report](images/UC_workspace_FU_status.png) -The Feature Update Status section provides information about the status of [feature updates](waas-quick-start.md#definitions) across all devices. This section tile in the [Overview Blade](update-compliance-using.md#overview-blade) gives a percentage of devices that are on the latest applicable feature update; [Servicing Channel](waas-overview.md#servicing-channels) is considered in determining applicability. Within this section are two blades; one providing a holistic view of feature updates, the other containing three **Deployment Status** tiles, each charged with tracking the deployment for a different [Servicing Channel](https://docs.microsoft.com/en-us/windows/deployment/update/waas-overview#servicing-channels). +The Feature Update Status section provides information about the status of [feature updates](waas-quick-start.md#definitions) across all devices. This section tile in the [Overview Blade](update-compliance-using.md#overview-blade) gives a percentage of devices that are on the latest applicable feature update; [Servicing Channel](waas-overview.md#servicing-channels) is considered in determining applicability. Within this section are two blades; one providing a holistic view of feature updates, the other containing three **Deployment Status** tiles, each charged with tracking the deployment for a different [Servicing Channel](waas-overview.md#servicing-channels). 
## Overall Feature Update Status -The Overall Feature Update Status blade breaks down how many devices are up-to-date or not, with a special callout for how many devices are running a build that is not supported (for a full list of feature updates, check out the [Windows 10 Release Information](https://technet.microsoft.com/en-us/windows/release-info.aspx) page). The table beneath the visualization breaks devices down by Servicing Channel and OS Version, then defining whether this combination is *up-to-date*, *not up-to-date* or *out of support*. Finally, the table provides a count of devices that fall into this category. +The Overall Feature Update Status blade breaks down how many devices are up-to-date or not, with a special callout for how many devices are running a build that is not supported (for a full list of feature updates, check out the [Windows 10 Release Information](https://technet.microsoft.com/en-us/windows/release-info.aspx) page). The table beneath the visualization breaks devices down by Servicing Channel and operating system version, then defining whether this combination is *up-to-date*, *not up-to-date* or *out of support*. Finally, the table provides a count of devices that fall into this category. ## Deployment Status by Servicing Channel @@ -31,4 +31,3 @@ Refer to the following list for what each state means: * Devices that have failed the given feature update installation are counted as **Update failed**. * If a device should be, in some way, progressing toward this security update, but its status cannot be inferred, it will count as **Status Unknown**. Devices not using Windows Update are the most likely devices to fall into this category. -Clicking on any row will navigate to the query relevant to that feature update. These queries are attached to [Perspectives](update-compliance-perspectives.md) that contain detailed deployment data for that update. 
diff --git a/windows/deployment/update/update-compliance-get-started.md b/windows/deployment/update/update-compliance-get-started.md index 89e5ebf0c7..37d565f4d1 100644 --- a/windows/deployment/update/update-compliance-get-started.md +++ b/windows/deployment/update/update-compliance-get-started.md 
@@ -8,76 +8,65 @@ ms.sitesec: library ms.pagetype: deploy author: Jaimeo ms.author: jaimeo -ms.date: 08/21/2018 +ms.date: 10/04/2018 ms.localizationpriority: medium --- # Get started with Update Compliance - ->[!IMPORTANT] ->**The OMS portal has been deprecated; you should start using the [Azure portal](https://portal.azure.com) instead as soon as possible.** Many experiences are the same in the two portals, but there are some key differences. See [Windows Analytics in the Azure Portal](windows-analytics-azure-portal.md) for steps to use Windows Analytics in the Azure portal. For much more information about the transition from OMS to Azure, see [OMS portal moving to Azure](https://docs.microsoft.com/azure/log-analytics/log-analytics-oms-portal-transition). - -This topic explains the steps necessary to configure your environment for Windows Analytics: Update Compliance. +This topic explains the steps necessary to configure your environment for Windows Analytics: Update Compliance. Steps are provided in sections that follow the recommended setup process: -1. [Add Update Compliance](#add-update-compliance-to-microsoft-operations-management-suite) to Microsoft Operations Management Suite. -2. [Enroll devices in Windows Analytics](#enroll-devices-in-windows-analytics) to your organization’s devices. -3. [Use Update Compliance to monitor Windows Updates](#use-update-compliance-to-monitor-windows-updates) once your devices are enrolled. +1. Ensure you meet the [Update Compliance prerequisites](#update-compliance-prerequisites). +2. [Add Update Compliance to your Azure subscription](#add-update-compliance-to-your-azure-subscription). +3. [Enroll devices in Windows Analytics](#enroll-devices-in-windows-analytics). +4. [Use Update Compliance](update-compliance-using.md) to monitor Windows Updates, Windows Defender Antivirus status, and Delivery Optimization. 
+## Update Compliance prerequisites +Before you begin the process to add Update Compliance to your Azure subscription, first ensure you can meet the prerequisites: +1. Update Compliance works only with Windows 10 Professional, Education, and Enterprise editions. Update Compliance only provides data for the standard Desktop Windows 10 version and is not currently compatible with Windows Server, Surface Hub, IoT, etc. +2. Update Compliance provides detailed deployment data for devices on the Semi-Annual Channel and the Long-term Servicing Channel. Update Compliance will show Windows Insider Preview devices, but currently will not provide detailed deployment information for them. +3. Update Compliance requires at least the Basic level of diagnostic data and a Commercial ID to be enabled on the device. +4. To show device names for versions of Windows 10 starting with 1803 in Windows Analytics you must opt in. For details about this, see the "AllowDeviceNameinTelemetry (in Windows 10)" entry in the table in the [Distributing policies at scale](windows-analytics-get-started.md#deploying-windows-analytics-at-scale) section of [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). +5. To use the Windows Defender Status, devices must be E3-licensed and have Cloud Protection enabled. E5-licensed devices will not appear here. For E5 devices, you should use [Windows Defender ATP](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/windows-defender-advanced-threat-protection) instead. For more information on Windows 10 Enterprise licensing, see [Windows 10 Enterprise: FAQ for IT Professionals](https://docs.microsoft.com/en-us/windows/deployment/planning/windows-10-enterprise-faq-itpro). 
-## Add Update Compliance to Microsoft Operations Management Suite or Azure Log Analytics +## Add Update Compliance to your Azure subscription +Update Compliance is offered as a solution which is linked to a new or existing [Azure Log Analytics](https://docs.microsoft.com/en-us/azure/log-analytics/query-language/get-started-analytics-portal) workspace within your Azure subscription. To configure this, follow these steps: -Update Compliance is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud-based servicing for monitoring and automating your on-premises and cloud environments. For more information about OMS, see [Operations Management Suite overview](https://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/) or the Azure [Log Analytics overview](https://azure.microsoft.com/services/log-analytics/). +1. Sign in to the [Azure Portal](https://portal.azure.com) with your work or school account or a Microsoft account. If you don't already have an Azure subscription you can create one (including free trial options) through the portal. ->[!IMPORTANT] ->Update Compliance is a free solution for Azure subscribers. +> [!NOTE] +> Update Compliance is included at no additional cost with Windows 10 Professional, Education, and Enterprise editions. An Azure subscription is required for managing and using Update Compliance, but no Azure charges are expected to accrue to the subscription as a result of using Update Compliance. -If you are already using OMS, skip to step **6** to add Update Compliance to your workspace. +2. In the Azure portal select **+ Create a resource**, and search for “Update Compliance". You should see it in the results below. ->[!NOTE] ->If you are already using OMS, you can also follow [this link](https://portal.mms.microsoft.com/#Workspace/ipgallery/details/details/index?IPId=WaaSUpdateInsights) to go directly to the Update Compliance solution and add it to your workspace. 
+![Update Compliance marketplace search results](images/UC_00_marketplace_search.png) +3. Select **Update Compliance** and a blade will appear summarizing the solution’s offerings. At the bottom, select **Create** to begin adding the solution to Azure. -If you are not yet using OMS, use the following steps to subscribe to OMS Update Compliance: +![Update Compliance solution creation](images/UC_01_marketplace_create.png) -1. Go to [Operations Management Suite](https://www.microsoft.com/en-us/cloud-platform/operations-management-suite) on Microsoft.com and click **Sign in**. - ![Operations Management Suite bar with sign-in button](images/uc-02a.png) - -2. Sign in to Operations Management Suite (OMS). You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory (Azure AD), use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS. - ![OMS Sign-in dialog box for account name and password](images/uc-03a.png) - -3. Create a new OMS workspace. - ![OMS dialog with buttons to create a new OMS workspace or cancel](images/uc-04a.png) - -4. Enter a name for the workspace, select the workspace region, and provide the email address that you want associated with this workspace. Click **Create**. - ![OMS Create New Workspace dialog](images/uc-05a.png)](images/uc-05.png) - -5. If your organization already has an Azure subscription, you can link it to your workspace. Note that you may need to request access from your organization’s Azure administrator. If your organization does not have an Azure subscription, create a new one or select the default OMS Azure subscription from the list. 
If you do not yet have an Azure subscription, follow [this guide](https://blogs.technet.microsoft.com/upgradeanalytics/2016/11/08/linking-operations-management-suite-workspaces-to-microsoft-azure/) to create and link an Azure subscription to an OMS workspace. - ![OMS dialog to link existing Azure subscription or create a new one](images/uc-06a.png) - -6. To add the Update Compliance solution to your workspace, go to the Solutions Gallery. While you have this dialog open, you should also consider adding the [Upgrade Readiness](../upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md) and [Device Health](device-health-monitor.md) solutions as well, if you haven't already. To do so, just select the check boxes for those solutions. - ![OMS workspace with Solutions Gallery tile highlighted](images/uc-07a.png) - -7. Select the **Update Compliance** tile in the gallery and then select **Add** on the solution’s details page. You might need to scroll to find **Update Compliance**. The solution is now visible in your workspace. - ![Workspace showing Solutions Gallery](images/uc-08a.png) - -8. Click the **Update Compliance** tile to configure the solution. The **Settings Dashboard** opens. - ![OMS workspace with new Update Compliance tile on the right side highlighted](images/uc-09a.png) - -9. Click **Subscribe** to subscribe to OMS Update Compliance. You will then need to distribute your Commercial ID across all your organization’s devices. More information on the Commercial ID is provided below. - ![Series of blades showing Connected Sources, Windows Diagnostic Data, and Upgrade Analytics solution with Subscribe button](images/uc-10a.png) - -After you are subscribed to OMS Update Compliance and your devices have a Commercial ID, you will begin receiving data. It will typically take 24 hours for the first data to begin appearing. The following section explains how to deploy your Commercial ID to your Windows 10 devices. +4. 
Choose an existing workspace or create a new workspace that will be assigned to the Update Compliance solution. + - If you already have another Windows Analytics solution, you should use the same workspace. + - If you are creating a new workspace, and your organization does not have policies governing naming conventions and structure, consider the following workspace settings to get started: + - Choose a workspace name which reflects the scope of planned usage in your organization, for example *PC-Analytics*. + - For the resource group setting select **Create new** and use the same name you chose for your new workspace. + - For the location setting, choose the Azure region where you would prefer the data to be stored. + - For the pricing tier select **Free**. ->[!NOTE] ->You can unsubscribe from the Update Compliance solution if you no longer want to monitor your organization’s devices. User device data will continue to be shared with Microsoft while the opt-in keys are set on user devices and the proxy allows traffic. +![Update Compliance workspace creation](images/UC_02_workspace_create.png) + +5. The resource group and workspace creation process could take a few minutes. After this, you are able to use that workspace for Update Compliance. Select **Create**. + +![Update Compliance workspace selection](images/UC_03_workspace_select.png) + +6. Watch for a notification in the Azure portal that your deployment has been successful. This might take a few minutes. Then, select **Go to resource**. + +![Update Compliance deployment successful](images/UC_04_resourcegrp_deployment_successful.png) ## Enroll devices in Windows Analytics +Once you've added Update Compliance to a workspace in your Azure subscription, you can start enrolling the devices in your organization. For Update Compliance there are two key steps for enrollment: +1. 
Deploy your Commercial ID (from the Update Compliance Settings page) to your Windows 10 devices (typically by using Group Policy, [Mobile Device Management](https://docs.microsoft.com/en-us/windows/client-management/windows-10-mobile-and-mdm), [System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/core/understand/introduction) or similar). +2. Ensure the Windows Diagnostic Data setting on devices is set to at least Basic (typically using Group Policy or similar). For full enrollment instructions and troubleshooting, see [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). -Once you've added Update Compliance to Microsoft Operations Management Suite, you can now start enrolling the devices in your organization. For full instructions, see [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). - - -## Use Update Compliance to monitor Windows Updates - -Once your devices are enrolled, you can start to [Use Update Compliance to monitor Windows Updates](update-compliance-using.md). +After enrolling your devices (by deploying your CommercialID and Windows Diagnostic Data settings), it might take 48-72 hours for the first data to appear in the solution. Until then, Update Compliance will indicate it is still assessing devices. diff --git a/windows/deployment/update/update-compliance-monitor.md b/windows/deployment/update/update-compliance-monitor.md index 2719e89d62..218a8cf0e9 100644 --- a/windows/deployment/update/update-compliance-monitor.md +++ b/windows/deployment/update/update-compliance-monitor.md 
@@ -8,51 +8,39 @@ ms.sitesec: library ms.pagetype: deploy author: Jaimeo ms.author: jaimeo -ms.date: 02/09/2018 +ms.date: 10/04/2018 ms.localizationpriority: medium --- -# Monitor Windows Updates and Windows Defender Antivirus with Update Compliance +# Monitor Windows Updates with Update Compliance ## Introduction -With Windows 10, organizations need to change the way they approach monitoring and deploying updates. Update Compliance is a powerful set of tools that enable organizations to monitor and track all important aspects of the new servicing strategy from Microsoft: [Windows as a Service](waas-overview.md). +Update Compliance is a [Windows Analytics solution](windows-analytics-overview.md) that enables organizations to: -Update Compliance is a solution built within Operations Management Suite (OMS), a cloud-based monitoring and automation service which has a flexible servicing subscription based off data usage/retention. For more information about OMS, see [Operations Management Suite overview](https://azure.microsoft.com/documentation/articles/operations-management-suite-overview/). +* Monitor Windows 10 Professional, Education, and Enterprise security, quality, and feature updates. +* View a report of device and update issues related to compliance that need attention. +* See the status of Windows Defender Antivirus signatures and threats. +* Check bandwidth savings incurred across multiple content types by using [Delivery Optimization](waas-delivery-optimization.md). -Update Compliance uses the Windows diagnostic data that is part of all Windows 10 devices. It collects system data including update installation progress, Windows Update for Business (WUfB) configuration data, Windows Defender Antivirus data, and other update-specific information, and then sends this data privately to a secure cloud to be stored for analysis and usage within the solution. 
+Update Compliance is offered through the Azure portal, and is available free for devices that meet the [prerequisites](update-compliance-get-started.md#update-compliance-prerequisites). -Update Compliance provides the following: - -- Dedicated drill-downs for devices that might need attention -- An inventory of devices, including the version of Windows they are running and their update status -- The ability to track protection and threat status for Windows Defender Antivirus-enabled devices -- An overview of WUfB deferral configurations (Windows 10 Anniversary Update [1607] and later) -- Powerful built-in [log analytics](https://www.microsoft.com/en-us/cloud-platform/insight-and-analytics?WT.srch=1&WT.mc_id=AID529558_SEM_%5B_uniqid%5D&utm_source=Bing&utm_medium=CPC&utm_term=log%20analytics&utm_campaign=Hybrid_Cloud_Management) to create useful custom queries -- Cloud-connected access utilizing Windows 10 diagnostic data means no need for new complex, customized infrastructure +Update Compliance uses Windows 10 and Windows Defender Antivirus diagnostic data for all of its reporting. It collects system data including update deployment progress, [Windows Update for Business](waas-manage-updates-wufb.md) configuration data, Windows Defender Antivirus data, and Delivery Optimization usage data, and then sends this data to a secure cloud to be stored for analysis and usage in [Azure Log Analytics](https://docs.microsoft.com/en-us/azure/log-analytics/query-language/get-started-analytics-portal). See the following topics in this guide for detailed information about configuring and using the Update Compliance solution: - [Get started with Update Compliance](update-compliance-get-started.md): How to add Update Compliance to your environment. - [Using Update Compliance](update-compliance-using.md): How to begin using Update Compliance. -Click the following link to see a video demonstrating Update Compliance features. 
- -[![YouTube video demonstrating Update Compliance](images/UC-vid-crop.jpg)](https://www.youtube-nocookie.com/embed/1cmF5c_R8I4) - ## Update Compliance architecture The Update Compliance architecture and data flow is summarized by the following five-step process: **(1)** User computers send diagnostic data to a secure Microsoft data center using the Microsoft Data Management Service.
    **(2)** Diagnostic data is analyzed by the Update Compliance Data Service.
    -**(3)** Diagnostic data is pushed from the Update Compliance Data Service to your OMS workspace.
    +**(3)** Diagnostic data is pushed from the Update Compliance Data Service to your Azure Log Analytics workspace.
    **(4)** Diagnostic data is available in the Update Compliance solution.
    -**(5)** You are able to monitor and troubleshoot Windows updates and Windows Defender AV in your environment.
    -These steps are illustrated in following diagram: - -![Update Compliance architecture](images/uc-01-wdav.png) >[!NOTE] >This process assumes that Windows diagnostic data is enabled and data sharing is enabled as described in [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). diff --git a/windows/deployment/update/update-compliance-need-attention.md b/windows/deployment/update/update-compliance-need-attention.md index c22ccf1812..33ca94987b 100644 --- a/windows/deployment/update/update-compliance-need-attention.md +++ b/windows/deployment/update/update-compliance-need-attention.md 
@@ -5,34 +5,39 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: deploy -author: DaniHalfin -ms.author: daniha -ms.date: 10/13/2017 +author: Jaimeo +ms.author: jaimeo +ms.date: 10/04/2018 --- -# Need Attention! +# Needs attention! +![Needs attention section](images/UC_workspace_needs_attention.png) -![Need Attention! report](images/uc-needattentionoverview.png) - -The “Need Attention!” section provides a breakdown of all device issues detected by Update Compliance. The summary tile for this section counts the number of devices that have issues, while the blades within break down the issues encountered. Finally, a [list of queries](#list-of-queries) blade is shown within this section that contains queries that provide values but do not fit within any other main section. +The **Needs attention!** section provides a breakdown of all Windows 10 device and update issues detected by Update Compliance. The summary tile for this section counts the number of devices that have issues, while the blades within break down the issues encountered. Finally, a [list of queries](#list-of-queries) blade in this section contains queries that provide values but do not fit within any other main section. >[!NOTE] ->The summary tile counts the number of devices that have issues, while the blades within the section break down the issues encountered. A single device can have more than one issue, so these numbers may not add up. +>The summary tile counts the number of devices that have issues, while the blades within the section break down the issues encountered. A single device can have more than one issue, so these numbers might not add up. -The different issues are broken down by Device Issues and Update Issues, which are iterated below: +The different issues are broken down by Device Issues and Update Issues: ## Device Issues -* **Missing multiple security updates:** This issue occurs when a device is behind by two or more security updates. 
These devices may be more vulnerable and should be investigated and updated. -* **Out of support OS Version:** This issue occurs when a device has fallen out of support due to the version of Windows 10 it is running. When a device has fallen out of support, it will no longer be serviced, and may be vulnerable. These devices should be updated to a supported version of Windows 10. +* **Missing multiple security updates:** This issue occurs when a device is behind by two or more security updates. These devices might be more vulnerable and should be investigated and updated. +* **Out of support OS Version:** This issue occurs when a device has fallen out of support due to the version of Windows 10 it is running. When a device has fallen out of support, it will no longer receive important security updates, and might be vulnerable. These devices should be updated to a supported version of Windows 10. ## Update Issues -* **Failed:** This issue occurs when an error halts the process of downloading and applying an update on a device. Some of these errors may be transient, but should be investigated further to be sure. +* **Failed:** This issue occurs when an error halts the process of downloading and applying an update on a device. Some of these errors might be transient, but should be investigated further to be sure. +* **Cancelled**: This issue occurs when a user cancels the update process. +* **Rollback**: This issue occurs when a fatal error occurs during a feature update, and the device is rolled back to the previous version. +* **Uninstalled**: This issue occurs when a feature update is uninstalled from a device by a user or an administrator. Note that this might not be a problem if the uninstallation was intentional, but is highlighted as it might need attention. * **Progress stalled:** This issue occurs when an update is in progress, but has not completed over a period of 10 days. 
-Clicking on any of the issues will navigate you to the Log Search view with all devices that have the given issue. +Selecting any of the issues will take you to a [Log Analytics](https://docs.microsoft.com/en-us/azure/log-analytics/query-language/get-started-analytics-portal) view with all devices that have the given issue. + +>[!NOTE] +>This blade also has a link to the [Setup Diagnostic Tool](https://docs.microsoft.com/en-us/windows/deployment/upgrade/setupdiag), a standalone tool you can use to obtain details about why a Windows 10 feature update was unsuccessful. ## List of Queries -The List of Queries blade resides within the “Need Attention!” section of Update Compliance. This blade contains a list of queries with a description and a link to the query. These queries contain important meta-information that did not fit within any specific section or were listed to serve as a good starting point for modification into custom queries. \ No newline at end of file +The **List of Queries** blade is in the **Needs Attention** section of Update Compliance. This blade contains a list of queries with a description and a link to the query. These queries contain important meta-information that did not fit within any specific section or were listed to serve as a good starting point for modification into custom queries. diff --git a/windows/deployment/update/update-compliance-security-update-status.md b/windows/deployment/update/update-compliance-security-update-status.md index 969c2e6d55..bf7d1d6795 100644 --- a/windows/deployment/update/update-compliance-security-update-status.md +++ b/windows/deployment/update/update-compliance-security-update-status.md 
@@ -5,28 +5,25 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: deploy -author: DaniHalfin -ms.author: daniha -ms.date: 10/13/2017 +author: Jaimeo +ms.author: jaimeo +ms.date: 10/04/2018 --- # Security Update Status -![The Security Update Status report](images/uc-securityupdatestatus.png) +![The Security Update Status report](images/UC_workspace_SU_status.png) -The Security Update Status section provides information about [quality updates](waas-quick-start.md#definitions) across all devices. The section tile within the O[verview Blade](update-compliance-using.md#overview-blade) lists the percentage of devices on the latest security update to provide the most essential data without needing to navigate into the section. However, within the section the Overall Quality Update Status blade also considers whether devices are up-to-date on non-security updates. +The Security Update Status section provides information about [security updates](waas-quick-start.md#definitions) across all devices. The section tile within the [Overview Blade](update-compliance-using.md#overview-blade) lists the percentage of devices on the latest security update available. Meanwhile, the blades within show the percentage of devices on the latest security update for each Windows 10 version and the deployment progress toward the latest two security updates. ->[!NOTE] ->It is possible for the percentage of devices on the latest security update to differ from devices that are up-to-date on all quality updates. This is because some devices may have non-security updates that are applicable to them. - -The **Overall Quality Update Status** blade provides a visualization of devices that are and are not up-to-date on the latest quality updates (not just security updates). Below the visualization are all devices further broken down by OS Version and a count of how many are up-to-date and not up-to-date. Within the “Not up-to-date” column, the count of update failures is also given. 
+The **Overall Security Update Status** blade provides a visualization of devices that are and do not have the latest security updates. Below the visualization are all devices further broken down by operating system version and a count of devices that are up to date and not up to date. The **Not up to date** column also provides a count of update failures. The **Latest Security Update Status** and **Previous Security Update Status** tiles are stacked to form one blade. The **Latest Security Update Status** provides a visualization of the different deployment states devices are in regarding the latest update for each build (or version) of Windows 10, along with the revision of that update. The **Previous Security Update Status** blade provides the same information without the accompanying visualization. -What follows is a breakdown of the different deployment states reported by devices: +The various deployment states reported by devices are as follows: * **Installed** devices are devices that have completed installation for the given update. -* When a device is counted as **In Progress or Deferred**, it has either begun the installation process for the given update or has been intentionally deferred or paused using WU for Business Settings. -* Devices that have **Update Failed**, failed updating at some point during the installation process of the given security update. -* If a device should be, in some way, progressing toward this security update, but its status cannot be inferred, it will count as **Status Unknown**. Devices not using Windows Update are the most likely devices to fall into this category. +* When a device is counted as **In Progress or Deferred**, it has either begun the installation process for the given update or has been intentionally deferred or paused using Windows Update for Business Settings. 
+* Devices that have **Update Issues** have failed to update at some point during the installation process of the given security update or have not seen progress for a period of seven days. +* If a device should be, in some way, progressing toward this security update, but its status cannot be inferred, it will count as **Status Unknown**. This is most often devices that have not scanned for an update in some time, or devices not being managed through Windows Update. -The rows of each tile in this section are interactive; clicking on them will navigate you to the query that is representative of that row and section. These queries are also attached to [Perspectives](update-compliance-perspectives.md) with detailed deployment data for that update. \ No newline at end of file +The rows of each tile in this section are interactive; selecting them will navigate you to the query that is representative of that row and section. diff --git a/windows/deployment/update/update-compliance-using.md b/windows/deployment/update/update-compliance-using.md index 2bcc3b064e..d9b61d93cf 100644 --- a/windows/deployment/update/update-compliance-using.md +++ b/windows/deployment/update/update-compliance-using.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: deploy author: jaimeo ms.author: jaimeo -ms.date: 10/13/2017 +ms.date: 10/04/2018 ms.localizationpriority: medium --- 
@@ -18,64 +18,72 @@ In this section you'll learn how to use Update Compliance to monitor your device Update Compliance: -- Uses diagnostic data gathered from user devices to form an all-up view of Windows 10 devices in your organization. -- Enables you to maintain a high-level perspective on the progress and status of updates across all devices. -- Provides a workflow that can be used to quickly identify which devices require attention. -- Enables you to track deployment compliance targets for updates. -- Summarizes Windows Defender Antivirus status for devices that use it. +- Provides detailed deployment data for Windows 10 security, quality, and feature updates. +- Reports when devices have issues related to updates that need attention. +- Shows Windows Defender AV status information for devices that use it and meet the [prerequisites](update-compliance-get-started.md#update-compliance-prerequisites). +- Shows bandwidth usage and savings for devices that are configured to use [Delivery Optimization](waas-delivery-optimization.md). +- Provides all of the above data in [Log Analytics](#using-log-analytics), which affords additional querying and export capabilities. ->[!NOTE] ->Information is refreshed daily so that update progress can be monitored. Changes will be displayed about 24 hours after their occurrence, so you always have a recent snapshot of your devices. +## The Update Compliance tile +After Update Compliance has successfully been [added to your Azure subscription](update-compliance-get-started.md#add-update-compliance-to-your-azure-subscription), you’ll see this tile: -In Update Compliance, data is separated into vertically-sliced sections. Each section is referred to as a blade. Within a blade, there may or may not be multiple tiles, which serve to represent the data in different ways. Blades are summarized by their title in the upper-left corner above it. Every number displayed in OMS is the direct result of one or more queries. 
Clicking on data in blades will often navigate you to the query view, with the query used to produce that data. Some of these queries have perspectives attached to them; when a perspective is present, an additional tab will load in the query view. These additional tabs provide blades containing more information relevant to the results of the query. +![Update Compliance tile no data](images/UC_tile_assessing.png) -## The Update Compliance Tile +When the solution is added, data is not immediately available. Data will begin to be collected after data is sent up that belongs to the Commercial ID associated with the device. This process assumes that Windows diagnostic data is enabled and data sharing is enabled as described in [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). After Microsoft has collected and processed any device data associated with your Commercial ID, the tile will be replaced with the following summary: -After Update Compliance has successfully been added from the solution gallery, you’ll see this tile: -![Empty Update Compliance Tile](images/uc-emptyworkspacetile.png) +![Update Compliance tile with data](images/UC_tile_filled.png) -When the solution is added, data is not immediately available. Data will begin to be collected after data is sent up that is associated with the Commercial ID associated with the device. This process assumes that Windows diagnostic data is enabled and data sharing is enabled as described in [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). After Microsoft has collected and processed any device data associated with your Commercial ID, the tile will be replaced with the following summary: +The summary details the total number of devices that Microsoft has received data from with your Commercial ID. It also provides the number of devices that need attention if any. Finally, it details the last point at which your Update Compliance workspace was refreshed. 
-![Filled Update Compliance Tile](images/uc-filledworkspacetile.png) +## The Update Compliance workspace -The summary details the total number of devices that Microsoft has received data from with your Commercial ID. It also provides the number of devices that need attention if any. Finally, it details the last point at which your Update Compliance workspace was updated. +![Update Compliance workspace view](images/UC_workspace_needs_attention.png) -## The Update Compliance Workspace +When you select this tile, you will be redirected to the Update Compliance workspace. The workspace is organized with the Overview blade providing a hub from which to navigate to different reports of your devices' data. -![Update Compliance workspace view](images/uc-filledworkspaceview.png) +### Overview blade -Upon clicking the tile, you will be redirected to the Update Compliance workspace. The workspace is organized with the Overview Blade providing a hub from which to navigate to different reports of your device’s data. +![The Overview blade](images/UC_workspace_overview_blade.png) -### Overview Blade - -![The Overview Blade](images/uc-overviewblade.png) - -Update Compliance’s overview blade provides a summarization of all the data Update Compliance focuses on. It functions as a hub from which different sections can be navigated to. The total number of devices detected by Update Compliance are counted within the title of this blade. What follows is a distribution for all devices as to whether they are up to date on: -* Quality updates: A device is up to date on quality updates whenever it has the latest applicable quality update installed. Quality updates are monthly cumulative updates that are specific to a version of Windows 10. +Update Compliance’s overview blade summarizes all the data Update Compliance provides. It functions as a hub from which you can navigate to different sections. 
The total number of devices detected by Update Compliance is reported in the title of this blade. What follows is a distribution for all devices as to whether they are up to date on the following items: +* Security updates: A device is up to date on quality updates whenever it has the latest applicable quality update installed. Quality updates are monthly cumulative updates that are specific to a version of Windows 10. * Feature updates: A device is up to date on feature updates whenever it has the latest applicable feature update installed. Update Compliance considers [Servicing Channel](waas-overview.md#servicing-channels) when determining update applicability. * AV Signature: A device is up to date on Antivirus Signature when the latest Windows Defender Signatures have been downloaded. This distribution only considers devices that are running Windows Defender Antivirus. -The blade also provides the time at which your Update Compliance workspace was refreshed. +The blade also provides the time at which your Update Compliance workspace was [refreshed](#data-latency). -Below the “Last Updated” time, a list of the different sections follows that can be clicked on to view more information, they are: -* [Need Attention!](update-compliance-need-attention.md) - This section is the default section when arriving to your Update Compliance workspace. It counts the number of devices encountering issues and need attention; clicking into this provides blades that summarize the different issues that devices are encountering, and provides a List of Queries that Microsoft finds useful. -* [Security Update Status](update-compliance-security-update-status.md) - This section lists the percentage of devices that are on the latest security update released for the version of Windows 10 it is running. Clicking into this section provides blades that summarize the overall status of Quality updates across all devices; including deployment. 
-* [Feature Update Status](update-compliance-feature-update-status.md) - This section lists the percentage of devices that are on the latest feature update that is applicable to a given device. Clicking into this section provides blades that summarize the overall feature update status across all devices, with an emphasis on deployment progress. -* [Windows Defender AV Status](update-compliance-wd-av-status.md) - This section lists the percentage of devices running Windows Defender Antivirus that are not sufficiently protected. Clicking into this section provides a summary of signature and threat status across all devices that are running Windows Defender Antivirus. This section is not applicable to devices not running Windows Defender Antivirus. +The following is a breakdown of the different sections available in Update Compliance: +* [Need Attention!](update-compliance-need-attention.md) - This section is the default section when arriving to your Update Compliance workspace. It provides a summary of the different issues devices are facing relative to Windows 10 updates. +* [Security Update Status](update-compliance-security-update-status.md) - This section lists the percentage of devices that are on the latest security update released for the version of Windows 10 it is running. Selecting this section provides blades that summarize the overall status of security updates across all devices and a summary of their deployment progress towards the latest two security updates. +* [Feature Update Status](update-compliance-feature-update-status.md) - This section lists the percentage of devices that are on the latest feature update that is applicable to a given device. Selecting this section provides blades that summarize the overall feature update status across all devices and a summary of deployment status for different versions of Windows 10 in your environment. 
+* [Windows Defender AV Status](update-compliance-wd-av-status.md) - This section lists the percentage of devices running Windows Defender Antivirus that are not sufficiently protected. Selecting this section provides a summary of signature and threat status across all devices that are running Windows Defender Antivirus. This section is not applicable to devices not running Windows Defender Antivirus or devices that do not meet the [prerequisites](update-compliance-get-started.md#update-compliance-prerequisites) to be assessed. +* [Delivery Optimization Status](update-compliance-delivery-optimization.md) - This section summarizes bandwidth savings incurred by utilizing Delivery Optimization in your environment. It provides a breakdown of Delivery Optimization configuration across devices, and summarizes bandwidth savings and utilization across multiple content types. -Use [Perspectives](update-compliance-perspectives.md) for data views that provide deeper insight into your data. -## Utilizing Log Analytics +## Update Compliance data latency +Update Compliance uses Windows 10 diagnostic data as its data source. After you add Update Compliance and appropriately configure your devices, it could take 48-72 hours before they first appear. The process that follows is as follows: -Update Compliance is built upon the Log Analytics platform that is integrated into Operations Management Suite. All data within the workspace is the direct result of a query. Understanding the tools and features at your disposal, all integrated within OMS, can deeply enhance your experience and complement Update Compliance. +Update Compliance is refreshed every 12 hours. This means that every 12 hours all data that has been gathered over the last 12-hour interval is pushed to Log Analytics. However, the rate that each data type is sent and how long it takes to be ready for Update Compliance varies, roughly outlined below. 
+| Data Type | Refresh Rate | Data Latency | +|--|--|--| +|WaaSUpdateStatus | Once per day |4 hours | +|WaaSInsiderStatus| Once per day |4 hours | +|WaaSDeploymentStatus|Every update event (Download, install, etc.)|24-36 hours | +|WDAVStatus|On signature update|24 hours | +|WDAVThreat|On threat detection|24 hours | +|WUDOAggregatedStatus|On update event, aggregated over time|24-36 hours | +|WUDOStatus|Once per day|12 hours | + +This means you should generally expect to see new data every 24-36 hours, except for WaaSDeploymentStatus and WUDOAggregatedStatus, which may take 36-48 hours (if it misses the 36th hour refresh, it would be in the 48th, so the data will be present in the 48th hour refresh). + +## Using Log Analytics + +Update Compliance is built on the Log Analytics platform that is integrated into Operations Management Suite. All data in the workspace is the direct result of a query. Understanding the tools and features at your disposal, all integrated within OMS, can deeply enhance your experience and complement Update Compliance. See below for a few topics related to Log Analytics: * Learn how to effectively execute custom Log Searches by referring to Microsoft Azure’s excellent documentation on [querying data in Log Analytics](https://docs.microsoft.com/azure/log-analytics/log-analytics-log-searches). * To develop your own custom data views in Operations Management Suite or [Power BI](https://powerbi.microsoft.com/); check out documentation on [analyzing data for use in Log Analytics](https://docs.microsoft.com/azure/log-analytics/log-analytics-dashboards). -* [Gain an overview of Log Analytics’ alerts](https://docs.microsoft.com/azure/log-analytics/log-analytics-alerts) and learn how to utilize it to always stay informed about the most critical issues you care about. 
- ->[!NOTE] ->You can use the Feedback Hub App on Windows 10 devices to [provide feedback about Update Compliance](feedback-hub://?referrer=itProDocs&tabid=2&contextid=797) and other Windows Analytics solutions. +* [Gain an overview of Log Analytics’ alerts](https://docs.microsoft.com/azure/log-analytics/log-analytics-alerts) and learn how to use it to always stay informed about the most critical issues you care about. ## Related topics diff --git a/windows/deployment/update/update-compliance-wd-av-status.md b/windows/deployment/update/update-compliance-wd-av-status.md index c0f974d0c0..aaf6b63c0c 100644 --- a/windows/deployment/update/update-compliance-wd-av-status.md +++ b/windows/deployment/update/update-compliance-wd-av-status.md 
@@ -7,25 +7,29 @@ ms.sitesec: library ms.pagetype: deploy author: jaimeo ms.author: jaimeo -ms.date: 05/17/2018 +ms.date: 10/04/2018 --- # Windows Defender AV Status -![The Windows Defender AV Status report](images/uc-windowsdefenderavstatus.png) +![The Windows Defender AV Status report](images/UC_workspace_WDAV_status.png) The Windows Defender AV Status section deals with data concerning signature and threat status for devices that use Windows Defender Antivirus. The section tile in the [Overview Blade](update-compliance-using.md#overview-blade) provides the percentage of devices with insufficient protection – this percentage only considers devices using Windows Defender Antivirus. >[!NOTE] ->Customers with E5 licenses can monitor the Windows Defender AV status by using the Windows Defender ATP portal. For more information about monitoring devices with this portal, see [Onboard Windows 10 machines](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection). +>Update Compliance's Windows Defender Antivirus status is compatible with E3, B, F1, VL Professional and below licenses. Devices with an E5 license are not shown here; devices with an E5 license can be monitored using the [Windows Defender ATP portal](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection). If you'd like to learn more about Windows 10 licensing, see the [Windows 10 product licensing options](https://www.microsoft.com/en-us/Licensing/product-licensing/windows10.aspx). -The **Protection Status** blade gives a count for devices that have either out-of-date signatures or real-time protection turned off. Below, it gives a more detailed breakdown of the two issues. Clicking any of these statuses will navigate you to a Log Search view containing the query. 
+# Windows Defender AV Status sections +The **Protection Status** blade gives a count for devices that have either out-of-date signatures or real-time protection turned off. Below, it gives a more detailed breakdown of the two issues. Selecting any of these statuses will navigate you to a Log Search view containing the query. -The **Threat Status** blade provides a visualization of, for devices that have encountered threats, how many were and were not remediated successfully. It also provides a detailed count. Clicking either of these will navigate to the respective query in Log Search for further investigation. +The **Threat Status** blade shows, among devices that have encountered threats, how many were and were not remediated successfully. It also provides a detailed count. Selecting either of these will take you to the respective query in Log Search for further investigation. -Here are some important terms to consider when utilizing the Windows Defender AV Status section of Update Compliance: -* **Signature out of date** devices are devices with signature older than 14 days. -* **No real-time protection** devices are devices who are using Windows Defender AV but have turned off Real-time protection. +Here are some important terms to consider when using the Windows Defender AV Status section of Update Compliance: +* **Signature out of date** devices are devices with a signature older than 14 days. +* **No real-time protection** devices are devices that are using Windows Defender AV but have turned off real-time protection. * **Recently disappeared** devices are devices that were previously seen by Windows Defender AV and are no longer seen in the past 7 days. -* **Remediation failed** devices are devices where Windows Defender AV failed to remediate the threat. This can be due to reason like disk full, network error, operation aborted, etc. Manual intervention may be needed from IT team. 
-* **Not assessed** devices are devices where either a third-party AV solution is used or it has been more than 7 days since the device recently disappeared. +* **Remediation failed** devices are devices where Windows Defender AV failed to remediate the threat. This could be due to a number of reasons, including a full disk, network error, operation aborted, etc. Manual intervention might be needed from IT team. +* **Not assessed** devices are devices where either a non-Microsoft AV solution is used or it has been more than 7 days since the device recently disappeared. + +## Windows Defender data latency +Because of the way Windows Defender is associated with the rest of Windows device data, Defender data for new devices might take much longer to appear than other data types. This process could take up to 28 days. \ No newline at end of file diff --git a/windows/deployment/update/waas-overview.md b/windows/deployment/update/waas-overview.md index 9cfb7ab6bf..3e82500cc3 100644 --- a/windows/deployment/update/waas-overview.md +++ b/windows/deployment/update/waas-overview.md 
@@ -74,7 +74,7 @@ As part of the alignment with Windows 10 and Office 365 ProPlus, we are adopting * Long-Term Servicing Channel -  The Long-Term Servicing Branch (LTSB) will be referred to as Long-Term Servicing Channel (LTSC). >[!IMPORTANT] ->With each Semi-Annual Channel release, we recommend beginning deployment right away to devices selected for early adoption (targeted validation) and ramp up to full deployment at your discretion, regardless of the "Targeted" designation. This will enable you to gain access to new features, experiences, and integrated security as soon as possible. For nmore information, see the blog post [Windows 10 and the "disappearing" SAC-T](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-and-the-disappearing-SAC-T/ba-p/199747). +>With each Semi-Annual Channel release, we recommend beginning deployment right away to devices selected for early adoption (targeted validation) and ramp up to full deployment at your discretion, regardless of the "Targeted" designation. This will enable you to gain access to new features, experiences, and integrated security as soon as possible. For more information, see the blog post [Windows 10 and the "disappearing" SAC-T](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-and-the-disappearing-SAC-T/ba-p/199747). >[!NOTE] >For additional information, see the section about [Servicing Channels](#servicing-channels). diff --git a/windows/deployment/update/waas-quick-start.md b/windows/deployment/update/waas-quick-start.md index bb2378b3a9..ed003254cc 100644 --- a/windows/deployment/update/waas-quick-start.md +++ b/windows/deployment/update/waas-quick-start.md @@ -8,7 +8,7 @@ ms.sitesec: library author: Jaimeo ms.localizationpriority: medium ms.author: jaimeo -ms.date: 05/29/2018 +ms.date: 10/17/2018 --- # Quick guide to Windows as a service 
@@ -35,6 +35,8 @@ Some new terms have been introduced as part of Windows as a service, so you shou See [Overview of Windows as a service](waas-overview.md) for more information. +For some interesting in-depth information about how cumulative updates work, see [Windows Updates using forward and reverse differentials](PSFxWhitepaper.md). + ## Key Concepts Windows 10 gains new functionality with twice-per-year feature update releases. Initially, organizations will use these feature update releases for pilot deployments to ensure compatibility with existing apps and infrastructure. After a period of time, typically about four months after the feature update release, broad deployment throughout the organization can begin. The exact timeframe is determined by feedback from customers, ISVs, OEMs, and others, with an explicit "ready for broad deployment" declaration signaling this to customers. diff --git a/windows/deployment/update/windows-analytics-azure-portal.md b/windows/deployment/update/windows-analytics-azure-portal.md index 34fd777734..2a37f7db2f 100644 --- a/windows/deployment/update/windows-analytics-azure-portal.md +++ b/windows/deployment/update/windows-analytics-azure-portal.md @@ -5,7 +5,7 @@ keywords: Device Health, oms, Azure, portal, operations management suite, add, m ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.date: 09/12/2018 +ms.date: 10/05/2018 ms.pagetype: deploy author: jaimeo ms.author: jaimeo 
@@ -26,16 +26,21 @@ Go to the [Azure portal](https://portal.azure.com), select **All services**, and ### Permissions +It's important to understand the difference between Azure Active Directory and an Azure subscription: + +**Azure Active Directory** is the directory that Azure uses. Azure Active Directory (AD) is a separate service which sits by itself and is used by all of Azure and also Office 365. + +An **Azure subscription** is a container for billing, but also acts as a security boundary. Every Azure subscription has a trust relationship with at least one Azure AD instance. This means that a subscription trusts that directory to authenticate users, services, and devices. + + >[!IMPORTANT] ->Unlike the OMS portal, the Azure portal requires access to both an Azure Log Analytics subscription and a linked Azure subscription. +>Unlike the OMS portal (which only requires permission to access the Azure Log Analytics workspace), the Azure portal also requires access to be configured to either the linked *Azure subscription* or Azure resource group. To check the Log Analytics workspaces you can access, select **Log Analytics**. You should see a grid control listing all workspaces, along with the Azure subscription each is linked to: [![Log Analytics workspace page showing accessible workspaces and linked Azure subscriptions](images/azure-portal-LAmain-wkspc-subname-sterile.png)](images/azure-portal-LAmain-wkspc-subname-sterile.png) -If you do not see your workspace in this view, you do not have access to the underlying Azure subscription. To view and assign permissions for a workspace, select its name and then, in the flyout that opens, select **Access control (IAM)**. You can view and assign permissions for a subscription similarly by selecting the subscription name and selecting **Access control (IAM)**. - -The Azure subscription requires at least "Log Analytics Reader" permission. 
Making changes (for example, to set app importance in Upgrade Readiness) requires "Log Analytics Contributor" permission. You can view your current role and make changes in other roles by using the Access control (IAM) tab in Azure. These permissions will be inherited by Azure Log Analytics. +If you do not see your workspace in this view, but you are able to access the workspace from the classic portal, that means you do not have access to the workspace's Azure subscription or resource group. To remedy this, you will need to find someone with admin rights to grant you access, which they can do by selecting the subscription name and selecting **Access control (IAM)** (alternatively they can configure your access at the resource group level). They should either grant you "Log Analytics Reader" access (for read-only access) or "Log Analytics Contributor" access (which enables making changes such as creating deployment plans and changing application readiness states). When permissions are configured, you can select the workspace and then select **Workspace summary** to see information similar to what was shown in the OMS overview page. @@ -60,4 +65,4 @@ From there, select the settings page to adjust specific settings: [![Settings page for Upgrade Readiness in Azure portsl](images/azure-portal-UR-settings.png)](images/azure-portal-UR-settings.png) >[!NOTE] ->To adjust these settings, both the subscription and workspace require "contributor" permissions. You can view your current role and make changes in other roles by using the **Access control (IAM)** tab in Azure. \ No newline at end of file +>To adjust these settings, both the subscription and workspace require "contributor" permissions. You can view your current role and make changes in other roles by using the **Access control (IAM)** tab in Azure. diff --git a/windows/deployment/update/windows-analytics-get-started.md b/windows/deployment/update/windows-analytics-get-started.md index 9539a482fc..30f586c3f1 100644 
--- a/windows/deployment/update/windows-analytics-get-started.md +++ b/windows/deployment/update/windows-analytics-get-started.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: deploy author: jaimeo ms.author: jaimeo -ms.date: 10/01/2018 +ms.date: 10/08/2018 ms.localizationpriority: medium --- @@ -41,7 +41,7 @@ Microsoft uses a unique commercial ID to map information from user computers to ## Enable data sharing -To enable data sharing, configure your proxy sever to whitelist the following endpoints. You might need to get approval from your security group to do this. +To enable data sharing, configure your proxy server to whitelist the following endpoints. You might need to get approval from your security group to do this. | **Endpoint** | **Function** | |---------------------------------------------------------|-----------| 
@@ -53,7 +53,7 @@ To enable data sharing, configure your proxy sever to whitelist the following en | `http://adl.windows.com` | Allows the compatibility update to receive the latest compatibility data from Microsoft. | | `https://watson.telemetry.microsoft.com` | Windows Error Reporting (WER); required for Device Health and Update Compliance AV reports. Not used by Upgrade Readiness. | | `https://oca.telemetry.microsoft.com` | Online Crash Analysis; required for Device Health and Update Compliance AV reports. Not used by Upgrade Readiness. | -| `https://login.live.com` | Windows Error Reporting (WER); required by Device Health. **Note:** WER does *not* use login.live.com to access Microsoft Account consumer services such as Xbox Live. WER uses an anti-spoofing API at that address to enhance the integrity of error reports. | +| `https://login.live.com` | This endpoint is required by Device Health to ensure data integrity and provides a more reliable device identity for all of the Windows Analytics solutions on Windows 10. If you want to disable end-user managed service account (MSA) access, you should apply the appropriate [policy](https://docs.microsoft.com/windows/security/identity-protection/access-control/microsoft-accounts#block-all-consumer-microsoft-account-user-authentication) instead of blocking this endpoint. | | `https://www.msftncsi.com` | Windows Error Reporting (WER); required for Device Health to check connectivity. | | `https://www.msftconnecttest.com` | Windows Error Reporting (WER); required for Device Health to check connectivity. | diff --git a/windows/deployment/upgrade/upgrade-readiness-get-started.md b/windows/deployment/upgrade/upgrade-readiness-get-started.md index e5eab8199a..35d32c83e9 100644 --- a/windows/deployment/upgrade/upgrade-readiness-get-started.md +++ b/windows/deployment/upgrade/upgrade-readiness-get-started.md 
@@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: deploy author: jaimeo ms.author: jaimeo -ms.date: 09/26/2018 +ms.date: 10/10/2018 ms.localizationpriority: medium --- @@ -45,7 +45,7 @@ Upgrade Readiness is offered as a *solution* which you link to a new or existing 1. Sign in to the [Azure Portal](https://portal.azure.com) with your work or school account or a Microsoft account. If you don't already have an Azure subscription you can create one (including free trial options) through the portal. >[!NOTE] - > Upgrade Readiness is included at no additional cost with Windows 10 [education and enterprise licensing](https://docs.microsoft.com/en-us/windows/deployment/update/device-health-monitor#device-health-licensing). An Azure subscription is required for managing and using Upgrade Readiness, but no Azure charges are expected to accrue to the subscription as a result of using Upgrade Readiness. + > Upgrade Readiness is included at no additional cost with Windows 10 Professional, Education, and Enterprise editions. An Azure subscription is required for managing and using Upgrade Readiness, but no Azure charges are expected to accrue to the subscription as a result of using Upgrade Readiness. 2. In the Azure portal select **Create a resource**, search for "Upgrade Readiness", and then select **Create** on the **Upgrade Readiness** solution. ![Azure portal page highlighting + Create a resource and with Upgrade Readiness selected](../images/UR-Azureportal1.png) diff --git a/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md b/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md index 8bc47524c0..bef52aab7a 100644 --- a/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md +++ b/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md 
@@ -22,7 +22,7 @@ The simplest path to upgrade PCs currently running Windows 7, Windows 8, or Wi ## Proof-of-concept environment -For the purposes of this topic, we will use four machines: DC01, CM01, and PC0003. DC01 is a domain controller and CM01 is a Windows Server 2012 R2 standard machine, fully patched with the latest security updates, and configured as a member server in the fictional contoso.com domain. PC0003 is a machine with Windows 7 SP1, targeted for the Windows 10 upgrade. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md). +For the purposes of this topic, we will use three machines: DC01, CM01, and PC0003. DC01 is a domain controller and CM01 is a Windows Server 2012 R2 standard machine, fully patched with the latest security updates, and configured as a member server in the fictional contoso.com domain. PC0003 is a machine with Windows 7 SP1, targeted for the Windows 10 upgrade. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md). ![figure 1](../images/upgrademdt-fig1-machines.png) diff --git a/windows/deployment/windows-10-poc-sc-config-mgr.md b/windows/deployment/windows-10-poc-sc-config-mgr.md index 2a6a86ea3d..6c0aa24941 100644 --- a/windows/deployment/windows-10-poc-sc-config-mgr.md +++ b/windows/deployment/windows-10-poc-sc-config-mgr.md 
@@ -382,7 +382,7 @@ WDSUTIL /Set-Server /AnswerClients:None In the trace tool, click **Tools** on the menu and choose **Find**. Search for "**STATMSG: ID=2301**". For example: ``` - STATMSG: ID=2301 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_DISTRIBUTION_MANAGER" SYS=SRV1.CONTOSO.COM SITE=PS1 PID=2476 TID=4636 GMTDATE=Wed Sep 14 22:11:09.363 2016 ISTR0="Configuration Manager Client Upgrade Package" ISTR1="PS100003" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=1 AID0=400 AVAL0="PS100003" SMS_DISTRIBUTION_MANAGER 9/14/2016 3:11:09 PM 4636 (0x121C) + STATMSG: ID=2301 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_DISTRIBUTION_MANAGER" SYS=SRV1.CONTOSO.COM SITE=PS1 PID=924 TID=1424 GMTDATE=Tue Oct 09 22:36:30.986 2018 ISTR0="Zero Touch WinPE x64" ISTR1="PS10000A" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=1 AID0=400 AVAL0="PS10000A" SMS_DISTRIBUTION_MANAGER 10/9/2018 3:36:30 PM 1424 (0x0590) ``` 11. You can also review status by clicking the **Zero Touch WinPE x64** image, and then clicking **Content Status** under **Related Objects** in the bottom right-hand corner of the console, or by entering **\Monitoring\Overview\Distribution Status\Content Status** on the location bar in the console. Double-click **Zero Touch WinPE x64** under **Content Status** in the console tree and verify that a status of **Successfully distributed content** is displayed on the **Success** tab. diff --git a/windows/deployment/windows-autopilot/TOC.md b/windows/deployment/windows-autopilot/TOC.md index ac183ef6d1..fb04b62d4d 100644 --- a/windows/deployment/windows-autopilot/TOC.md +++ b/windows/deployment/windows-autopilot/TOC.md 
@@ -4,6 +4,7 @@ ### [Network requirements](windows-autopilot-requirements-network.md) ### [Licensing requirements](windows-autopilot-requirements-licensing.md) ## [Scenarios and Capabilities](windows-autopilot-scenarios.md) +### [Support for existing devices](existing-devices.md) ### [User-driven mode](user-driven.md) ### [Self-deploying mode](self-deploying.md) ### [Enrollment status page](enrollment-status.md) diff --git a/windows/deployment/windows-autopilot/add-devices.md b/windows/deployment/windows-autopilot/add-devices.md index d494ef7054..46641b808c 100644 --- a/windows/deployment/windows-autopilot/add-devices.md +++ b/windows/deployment/windows-autopilot/add-devices.md @@ -7,9 +7,9 @@ ms.mktglfcycl: deploy ms.localizationpriority: medium ms.sitesec: library ms.pagetype: deploy -author: coreyp-at-msft -ms.author: coreyp -ms.date: 06/01/18 +author: greg-lindsay +ms.author: greg-lindsay +ms.date: 10/02/2018 --- # Adding devices to Windows Autopilot diff --git a/windows/deployment/windows-autopilot/configure-autopilot.md b/windows/deployment/windows-autopilot/configure-autopilot.md index 320afb60dd..7444e0b565 100644 --- a/windows/deployment/windows-autopilot/configure-autopilot.md +++ b/windows/deployment/windows-autopilot/configure-autopilot.md @@ -7,9 +7,9 @@ ms.mktglfcycl: deploy ms.localizationpriority: medium ms.sitesec: library ms.pagetype: deploy -author: coreyp-at-msft -ms.author: coreyp -ms.date: 06/01/18 +author: greg-lindsay +ms.author: greg-lindsay +ms.date: 10/02/2018 --- # Configure Autopilot deployment diff --git a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md index ca44b1c9f9..6a8c2d3e3d 100644 --- a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md +++ b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md 
@@ -7,9 +7,9 @@ ms.mktglfcycl: deploy ms.localizationpriority: medium ms.sitesec: library ms.pagetype: deploy -author: coreyp-at-msft +author: greg-lindsay ms.author: greg-lindsay -ms.date: 07/13/18 +ms.date: 10/02/2018 --- # Demonstrate Autopilot deployment on a VM diff --git a/windows/deployment/windows-autopilot/enrollment-status.md b/windows/deployment/windows-autopilot/enrollment-status.md index 2f7e82b15e..fe8a3e7d65 100644 --- a/windows/deployment/windows-autopilot/enrollment-status.md +++ b/windows/deployment/windows-autopilot/enrollment-status.md @@ -6,11 +6,11 @@ ms.prod: w10 ms.technology: Windows ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: +ms.pagetype: deploy ms.localizationpriority: medium -author: coreyp-at-msft -ms.author: coreyp -ms.date: 06/01/2018 +author: greg-lindsay +ms.author: greg-lindsay +ms.date: 10/02/2018 --- # Windows Autopilot Enrollment Status page @@ -31,7 +31,7 @@ The Windows Autopilot Enrollment Status page displaying the status of the comple - Show custom error message when an error occurs. - Allow users to collect logs about installation errors. -## Installation progresss tracked +## Installation progress tracked The Enrollment Status page tracks a subset of the available MDM CSP policies that are delivered to the device as part of the complete device configuration process. The specific types of policies that are tracked include: @@ -42,7 +42,7 @@ The Enrollment Status page tracks a subset of the available MDM CSP policies tha Presently the following types of policies are not tracked: -- Intune Management Extentions PowerShell scripts. +- Intune Management Extensions PowerShell scripts. - Office 365 ProPlus installations. - System Center Configuration Manager apps, packages, and task sequences. diff --git a/windows/deployment/windows-autopilot/existing-devices.md b/windows/deployment/windows-autopilot/existing-devices.md new file mode 100644 index 0000000000..1457f0b172 --- /dev/null 
+++ b/windows/deployment/windows-autopilot/existing-devices.md 
@@ -0,0 +1,300 @@
+---
+title: Windows Autopilot for existing devices
+description: Listing of Autopilot scenarios
+keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: low
+ms.sitesec: library
+ms.pagetype: deploy
+author: greg-lindsay
+ms.author: greg-lindsay
+ms.date: 10/22/2018
+---
+
+# Windows Autopilot for existing devices
+
+**Applies to: Windows 10**
+
+Modern desktop management with Windows Autopilot enables you to easily deploy the latest version of Windows 10 to your existing devices. The apps you need for work can be automatically installed. Your work profile is synchronized, so you can resume working right away.
+
+This topic describes how to convert Windows 7 domain-joined computers to Azure Active Directory-joined computers running Windows 10 by using Windows Autopilot.
+
+## Prerequisites
+
+- System Center Configuration Manager Current Branch (1806) OR System Center Configuration Manager Technical Preview (1808)
+- The [Windows ADK](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) 1803 or later
+ - Note: Config Mgr 1806 or later is required to [support](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10#windows-10-adk) the Windows ADK 1809.
+- Assigned Microsoft Intune Licenses
+- Azure Active Directory Premium
+- Windows 10 version 1809 or later imported into Config Mgr as an Operating System Image
+
+## Procedures
+
+### Configure the Enrollment Status Page (optional)
+
+If desired, you can set up an [enrollment status page](https://docs.microsoft.com/windows/deployment/windows-autopilot/enrollment-status) for Autopilot using Intune.
+
+To enable and configure the enrollment and status page:
+
+1. Open [Intune in the Azure portal](https://aka.ms/intuneportal).
+2. 
Access **Intune > Device enrollment > Windows enrollment** and [Set up an enrollment status page](https://docs.microsoft.com/intune/windows-enrollment-status).
+3. Access **Azure Active Directory > Mobility (MDM and MAM) > Microsoft Intune** and [Configure automatic MDM enrollment](https://docs.microsoft.com/en-us/sccm/mdm/deploy-use/enroll-hybrid-windows#enable-windows-10-automatic-enrollment) and configure the MDM user scope for some or all users.
+
+See the following examples.
+
+![enrollment status page](images/esp-config.png)

    +![mdm](images/mdm-config.png)
+
+### Create the JSON file
+
+>[!TIP]
+>To run the following commands on a computer running Windows Server 2012/2012 R2 or Windows 7/8.1, you must first download and install the [Windows Management Framework](https://www.microsoft.com/en-us/download/details.aspx?id=54616).
+
+1. On an Internet connected Windows PC or Server open an elevated Windows PowerShell command window
+2. Enter the following lines to install the necessary modules
+
+ #### Install required modules
+
+ ```
+ Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force
+ Install-Module AzureAD -Force
+ Install-Module WindowsAutopilotIntune -Force
+ ```
+
+3. Enter the following lines and provide Intune administrative credentials
+ - In the following command, replace the example user principal name for Azure authentication (admin@M365x373186.onmicrosoft.com) with your user account. Be sure that the user account you specify has sufficient administrative rights.
+
+ ```
+ Connect-AutopilotIntune -user admin@M365x373186.onmicrosoft.com
+ ```
+ The password for your account will be requested using a standard Azure AD form. Type your password and then click **Sign in**.
+
    See the following example:
+
+ ![Azure AD authentication](images/pwd.png)
+
+ If this is the first time you’ve used the Intune Graph APIs, you’ll also be prompted to enable read and write permissions for Microsoft Intune PowerShell. To enable these permissions:
+ - Select **Consent on behalf or your organization**
+ - Click **Accept**
+
+4. Next, retrieve and display all the Autopilot profiles available in the specified Intune tenant in JSON format:
+
+ #### Retrieve profiles in Autopilot for existing devices JSON format
+
+ ```
+ Get-AutopilotProfile | ConvertTo-AutopilotConfigurationJSON
+ ```
+
+ See the following sample output:
+
    +    PS C:\> Get-AutopilotProfile | ConvertTo-AutopilotConfigurationJSON
    +    {
    +        "CloudAssignedTenantId":  "1537de22-988c-4e93-b8a5-83890f34a69b",
    +        "CloudAssignedForcedEnrollment":  1,
    +        "Version":  2049,
    +        "Comment_File":  "Profile Autopilot Profile",
    +        "CloudAssignedAadServerData":  "{\"ZeroTouchConfig\":{\"CloudAssignedTenantUpn\":\"\",\"ForcedEnrollment\":1,\"CloudAssignedTenantDomain\":\"M365x373186.onmicrosoft.com\"}}",
    +        "CloudAssignedTenantDomain":  "M365x373186.onmicrosoft.com",
    +        "CloudAssignedDomainJoinMethod":  0,
    +        "CloudAssignedOobeConfig":  28,
    +        "ZtdCorrelationId":  "7F9E6025-1E13-45F3-BF82-A3E8C5B59EAC"
    +    }
    +
+ Each profile is encapsulated within braces **{ }**. In the previous example, a single profile is displayed.
+
+ See the following table for a description of properties used in the JSON file.
+
+ | Property | Description |
+ | --- | --- |
+ | Version (number, optional) | The version number that identifies the format of the JSON file. For Windows 10 1809, the version specified must be 2049. |
+ | CloudAssignedTenantId (guid, required) | The Azure Active Directory tenant ID that should be used. This is the GUID for the tenant, and can be found in properties of the tenant. The value should not include braces. |
+ | CloudAssignedTenantDomain (string, required) | The Azure Active Directory tenant name that should be used, e.g. tenant.onmicrosoft.com. |
+ | CloudAssignedOobeConfig (number, required) | This is a bitmap that shows which Autopilot settings were configured. Values include: SkipCortanaOptIn = 1, OobeUserNotLocalAdmin = 2, SkipExpressSettings = 4, SkipOemRegistration = 8, SkipEula = 16 |
+ | CloudAssignedDomainJoinMethod (number, required) | This property should be set to 0 and specifies that the device should join Azure AD. |
+ | CloudAssignedForcedEnrollment (number, required) | Specifies that the device should require AAD Join and MDM enrollment. 
    0 = not required, 1 = required. |
+ | ZtdCorrelationId (guid, required) | A unique GUID (without braces) that will be provided to Intune as part of the registration process. ZtdCorrelationId will be included in enrollment message as “OfflineAutoPilotEnrollmentCorrelator”. This attribute will be present only if the enrollment is taking place on a device registered with Zero Touch Provisioning via offline registration.|
+ | CloudAssignedAadServerData (encoded JSON string, required) | An embedded JSON string used for branding. It requires AAD corp branding enabled.
    Example value: "CloudAssignedAadServerData": "{\"ZeroTouchConfig\":{\"CloudAssignedTenantUpn\":\"\",\"CloudAssignedTenantDomain\":\"tenant.onmicrosoft.com\"}}"|
+ | CloudAssignedDeviceName (string, optional) | The name automatically assigned to the computer. This follows the naming pattern convention that can be configured in Intune as part of the Autopilot profile, or can specify an explicit name to use. |
+
+5. The Autopilot profile must be saved as a JSON file in ASCII or ANSI format. Windows PowerShell defaults to Unicode format, so if you attempt to redirect output of the commands to a file, you must also specify the file format. For example, to save the file in ASCII format using Windows PowerShell, you can create a directory (ex: c:\Autopilot) and save the profile as shown below:
+
+ ```
+ Get-AutopilotProfile | ConvertTo-AutopilotConfigurationJSON | Out-File c:\Autopilot\AutopilotConfigurationFile.json -Encoding ASCII
+ ```
+ **IMPORTANT**: The file name must be named **AutopilotConfigurationFile.json** in addition to being encoded as ASCII/ANSI.
+
+ If preferred, you can save the profile to a text file and edit in Notepad. In Notepad, when you choose **Save as** you must select Save as type: **All Files** and choose ANSI from the drop-down list next to **Encoding**. See the following example.
+
+ ![Notepad JSON](images/notepad.png)
+
+ After saving the file, move the file to a location suitable as an SCCM package source.
+
+ >[!IMPORTANT]
+ >Multiple JSON profile files can be used, but each must be named **AutopilotConfigurationFile.json** in order for OOBE to follow the Autopilot experience. The file also must be encoded as ANSI.

    **Saving the file with Unicode or UTF-8 encoding or saving it with a different file name will cause Windows 10 OOBE to not follow the Autopilot experience**.
    + + +### Create a package containing the JSON file + +1. In Configuration Manager, navigate to **\Software Library\Overview\Application Management\Packages** +2. On the ribbon, click **Create Package** +3. In the **Create Package and Program Wizard** enter the following **Package** and **Program Type** details:
    + - Name: **Autopilot for existing devices config** + - Select the **This package contains source files** checkbox + - Source folder: Click **Browse** and specify a UNC path containing the AutopilotConfigurationFile.json file. + - Click **OK** and then click **Next**. + - Program Type: **Do not create a program** +4. Click **Next** twice and then click **Close**. + +**NOTE**: If you change user-driven Autopilot profile settings in Intune at a later date, you must also update the JSON file and redistribute the associated Config Mgr package. + +### Create a target collection + +>[!NOTE] +>You can also choose to reuse an existing collection + +1. Navigate to **\Assets and Compliance\Overview\Device Collections** +2. On the ribbon, click **Create** and then click **Create Device Collection** +3. In the **Create Device Collection Wizard** enter the following **General** details: + - Name: **Autopilot for existing devices collection** + - Comment: (optional) + - Limiting collection: Click **Browse** and select **All Systems** + + >[!NOTE] + >You can optionally choose to use an alternative collection for the limiting collection. The device to be upgraded must be running the ConfigMgr agent in the collection that you select. + +4. Click **Next**, then enter the following **Membership Rules** details: + - Click **Add Rule** and specify either a direct or query based collection rule to add the target test Windows 7 devices to the new collection. + - For example, if the hostname of the computer to be wiped and reloaded is PC-01 and you wish to use Name as the attribute, click **Add Rule > Direct Rule > (wizard opens) > Next** and then enter **PC-01** next to **Value**. Click **Next** and then choose **PC-01** under **Resources**. See the following examples. + + ![Named resource1](images/pc-01a.png) + ![Named resource2](images/pc-01b.png) + +5. 
Continue creating the device collection with the default settings: + - Use incremental updates for this collection: not selected + - Schedule a full update on this collection: default + - Click **Next** twice and then click **Close** + +### Create an Autopilot for existing devices Task Sequence + +>[!TIP] +>The next procedure requires a boot image for Windows 10 1803 or later. Review your available boot images in the Configuration Manager conole under **Software Library\Overview\Operating Systems\Boot images** and verify that the **OS Version** is 10.0.17134.1 (Windows 10 version 1803) or later. + +1. In the Configuration Manager console, navigate to **\Software Library\Overview\Operating Systems\Task Sequences** +2. On the Home ribbon, click **Create Task Sequence** +3. Select **Install an existing image package** and then click **Next** +4. In the Create Task Sequence Wizard enter the following details: + - Task sequence name: **Autopilot for existing devices** + - Boot Image: Click **Browse** and select a Windows 10 boot image (1803 or later) + - Click **Next**, and then on the Install Windows page click **Browse** and select a Windows 10 **Image package** and **Image Index**, version 1803 or later. + - Select the **Partition and format the target computer before installing the operating system** checkbox. + - Select or clear **Configure task sequence for use with Bitlocker** checkbox. This is optional. + - Product Key and Server licensing mode: Optionally enter a product key and server licencing mode. + - Randomly generate the local administrator password and disable the account on all support platforms (recommended): Optional. + - Enable the account and specify the local administrator password: Optional. + - Click **Next**, and then on the Configure Network page choose **Join a workgroup** and specify a name (ex: workgroup) next to **Workgroup**. 
+ + >[!IMPORTANT] + >The Autopilot for existing devices task sequence will run the **Prepare Windows for capture** action which calls the System Preparation Tool (syeprep). This action will fail if the target machine is joined to a domain. + +5. Click **Next** and then click **Next** again to accept the default settings on the Install Configuration Manager page. +6. On the State Migration page, enter the following details: + - Clear the **Capture user settings and files** checkbox. + - Clear the **Capture network settings** checkbox. + - Clear the **Capture Microsoft Windows settings** checkbox. + - Click **Next**. + + >[!NOTE] + >The Autopilot for existing devices task sequence will result in an Azure Active Directory Domain (AAD) joined device. The User State Migration Toolkit (USMT) does not support AAD joined devices. + +7. On the Include Updates page, choose one of the three available options. This selection is optional. +8. On the Install applications page, add applications if desired. This is optional. +9. Click **Next**, confirm settings, click **Next** and then click **Close**. +10. Right click on the Autopilot for existing devices task sequence and click **Edit**. +11. In the Task Sequence Editor under the **Install Operating System** group, click the **Apply Windows Settings** action. +12. Click **Add** then click **New Group**. +13. Change the group **Name** from **New Group** to **Autopilot for existing devices config**. +14. Click **Add**, point to **General**, then click **Run Command Line**. +15. Verify that the **Run Command Line** step is nested under the **Autopilot for existing devices config** group. +16. 
Change the **Name** to **Apply Autopilot for existing devices config file** and paste the following into the **Command line** text box, and then click **Apply**: + ``` + cmd.exe /c xcopy AutopilotConfigurationFile.json %OSDTargetSystemDrive%\windows\provisioning\Autopilot\ /c + ``` + - **AutopilotConfigurationFile.json** must be the name of the JSON file present in the Autopilot for existing devices package created earlier. + +17. In the **Apply Autopilot for existing devices config file** step, select the **Package** checkbox and then click **Browse**. +18. Select the **Autopilot for existing devices config** package created earlier and click **OK**. An example is displayed at the end of this section. +19. Under the **Setup Operating System** group, click the **Setup Windows and Configuration Manager** task. +20. Click **Add** and then click **New Group**. +21. Change **Name** from **New Group** to **Prepare Device for Autopilot** +22. Verify that the **Prepare Device for Autopilot** group is the very last step in the task sequence. Use the **Move Down** button if necessary. +23. With the **Prepare device for Autopilot** group selected, click **Add**, point to **Images** and then click **Prepare ConfigMgr Client for Capture**. +24. Add a second step by clicking **Add**, pointing to **Images**, and clicking **Prepare Windows for Capture**. Use the following settings in this step: + - Automatically build mass storage driver list: **Not selected** + - Do not reset activation flag: **Not selected** + - Shutdown the computer after running this action: **Optional** + + ![Autopilot task sequence](images/ap-ts-1.png) + +25. Click **OK** to close the Task Sequence Editor. + +### Deploy Content to Distribution Points + +Next, ensure that all content required for the task sequence is deployed to distribution points. + +1. Right click on the **Autopilot for existing devices** task sequence and click **Distribute Content**. +2. 
Click **Next**, **Review the content to distribute** and then click **Next**. +3. On the Specify the content distribution page click **Add** to specify either a **Distribution Point** or **Distribution Point Group**. +4. On the a Add Distribution Points or Add Distribution Point Groups wizard specify content destinations that will allow the JSON file to be retrieved when the task sequence is run. +5. When you are finished specifying content distribution, click **Next** twice then click **Close**. + +### Deploy the OS with Autopilot Task Sequence + +1. Right click on the **Autopilot for existing devices** task sequence and then click **Deploy**. +2. In the Deploy Software Wizard enter the following **General** and **Deployment Settings** details: + - Task Sequence: **Autopilot for existing devices**. + - Collection: Click **Browse** and then select **Autopilot for existing devices collection** (or another collection you prefer). + - Click **Next** to specify **Deployment Settings**. + - Action: **Install**. + - Purpose: **Available**. You can optionally select **Required** instead of **Available**. This is not recommended during the test owing to the potential impact of inadvertent configurations. + - Make available to the following: **Only Configuration Manager Clients**. Note: Choose the option here that is relevant for the context of your test. If the target client does not have the Configuration Manager agent or Windows installed, you will need to select an option that includes PXE or Boot Media. + - Click **Next** to specify **Scheduling** details. + - Schedule when this deployment will become available: Optional + - Schedule when this deployment will expire: Optional + - Click **Next** to specify **User Experience** details. + - Show Task Sequence progress: Selected. + - Software Installation: Not selected. + - System restart (if required to complete the installation): Not selected. 
+ - Commit changed at deadline or during a maintenance windows (requires restart): Optional. + - Allow task sequence to be run for client on the Internet: Optional + - Click **Next** to specify **Alerts** details. + - Create a deployment alert when the threshold is higher than the following: Optional. + - Click **Next** to specify **Distribution Points** details. + - Deployment options: **Download content locally when needed by the running task sequence**. + - When no local distribution point is available use a remote distribution point: Optional. + - Allow clients to use distribution points from the default site boundary group: Optional. + - Click **Next**, confirm settings, click **Next**, and then click **Close**. + +### Complete the client installation process + +1. Open the Software Center on the target Windows 7 client computer. You can do this by clicking Start and then typing **software** in the search box, or by typing the following at a Windows PowerShell or command prompt: + + ``` + C:\Windows\CCM\SCClient.exe + ``` + +2. In the software library, select **Autopilot for existing devices** and click **Install**. See the following example: + + ![Named resource2](images/sc.png) + ![Named resource2](images/sc1.png) + +The Task Sequence will download content, reboot, format the drives and install Windows 10. The device will then proceed to be prepared for Autopilot. Once the task sequence has completed the device will boot into OOBE and provide an Autopilot experience. + +![refresh-1](images/up-1.png) +![refresh-2](images/up-2.png) +![refresh-3](images/up-3.png) + +### Register the device for Windows Autopilot + +Devices provisioned through Autopilot will only receive the guided OOBE Autopilot experience on first boot. There is currently no automatic registration into Windows Autopilot. Therefore, once updated to Windows 10, the device should be registered to ensure a continued Autopilot experience in the event of PC reset. 
+ +For more information, see [Adding devices to Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/add-devices). diff --git a/windows/deployment/windows-autopilot/images/ap-ts-1.png b/windows/deployment/windows-autopilot/images/ap-ts-1.png new file mode 100644 index 0000000000..5f4c33fd51 Binary files /dev/null and b/windows/deployment/windows-autopilot/images/ap-ts-1.png differ diff --git a/windows/deployment/windows-autopilot/images/ap-ts.png b/windows/deployment/windows-autopilot/images/ap-ts.png new file mode 100644 index 0000000000..7c343176d0 Binary files /dev/null and b/windows/deployment/windows-autopilot/images/ap-ts.png differ diff --git a/windows/deployment/windows-autopilot/images/esp-config.png b/windows/deployment/windows-autopilot/images/esp-config.png new file mode 100644 index 0000000000..eb9f94661f Binary files /dev/null and b/windows/deployment/windows-autopilot/images/esp-config.png differ diff --git a/windows/deployment/windows-autopilot/images/mdm-config.png b/windows/deployment/windows-autopilot/images/mdm-config.png new file mode 100644 index 0000000000..0b2dd14a53 Binary files /dev/null and b/windows/deployment/windows-autopilot/images/mdm-config.png differ diff --git a/windows/deployment/windows-autopilot/images/notepad.png b/windows/deployment/windows-autopilot/images/notepad.png new file mode 100644 index 0000000000..0f243f95d6 Binary files /dev/null and b/windows/deployment/windows-autopilot/images/notepad.png differ diff --git a/windows/deployment/windows-autopilot/images/pc-01a.png b/windows/deployment/windows-autopilot/images/pc-01a.png new file mode 100644 index 0000000000..a3d0f4cdea Binary files /dev/null and b/windows/deployment/windows-autopilot/images/pc-01a.png differ 
diff --git a/windows/deployment/windows-autopilot/images/pc-01b.png b/windows/deployment/windows-autopilot/images/pc-01b.png
new file mode 100644
index 0000000000..07eda6e4bb
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/pc-01b.png differ
diff --git a/windows/deployment/windows-autopilot/images/pwd.png b/windows/deployment/windows-autopilot/images/pwd.png
new file mode 100644
index 0000000000..c9b0e7837c
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/pwd.png differ
diff --git a/windows/deployment/windows-autopilot/images/sc.png b/windows/deployment/windows-autopilot/images/sc.png
new file mode 100644
index 0000000000..bb326e6406
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/sc.png differ
diff --git a/windows/deployment/windows-autopilot/images/sc1.png b/windows/deployment/windows-autopilot/images/sc1.png
new file mode 100644
index 0000000000..380887a45c
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/sc1.png differ
diff --git a/windows/deployment/windows-autopilot/images/up-1.PNG b/windows/deployment/windows-autopilot/images/up-1.PNG
new file mode 100644
index 0000000000..c1284c53d2
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/up-1.PNG differ
diff --git a/windows/deployment/windows-autopilot/images/up-2.PNG b/windows/deployment/windows-autopilot/images/up-2.PNG
new file mode 100644
index 0000000000..4891a3873a
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/up-2.PNG differ
diff --git a/windows/deployment/windows-autopilot/images/up-3.PNG b/windows/deployment/windows-autopilot/images/up-3.PNG
new file mode 100644
index 0000000000..8b1e356f92
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/up-3.PNG differ
diff --git a/windows/deployment/windows-autopilot/profiles.md b/windows/deployment/windows-autopilot/profiles.md
index 4868e24cd2..c733e6576d 100644
--- a/windows/deployment/windows-autopilot/profiles.md
+++ b/windows/deployment/windows-autopilot/profiles.md
@@ -7,9 +7,9 @@ ms.mktglfcycl: deploy ms.localizationpriority: medium ms.sitesec: library ms.pagetype: deploy
-author: coreyp-at-msft
-ms.author: coreyp
-ms.date: 06/01/18
+author: greg-lindsay
+ms.author: greg-lindsay
+ms.date: 10/02/2018 --- # Configure Autopilot profiles
diff --git a/windows/deployment/windows-autopilot/rip-and-replace.md b/windows/deployment/windows-autopilot/rip-and-replace.md
deleted file mode 100644
index 0f85771ec9..0000000000
--- a/windows/deployment/windows-autopilot/rip-and-replace.md
+++ /dev/null
@@ -1,19 +0,0 @@
----
-title: Rip and Replace
-description: Listing of Autopilot scenarios
-keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: low
-ms.sitesec: library
-ms.pagetype: deploy
-author: coreyp-at-msft
-ms.author: coreyp
-ms.date: 06/01/2018
----
-
-# Rip and replace
-
-**Applies to: Windows 10**
-
-DO NOT PUBLISH. Just a placeholder for now, coming with 1809.
\ No newline at end of file
diff --git a/windows/deployment/windows-autopilot/self-deploying.md b/windows/deployment/windows-autopilot/self-deploying.md
index deba1e8e5e..59087c0cd6 100644
--- a/windows/deployment/windows-autopilot/self-deploying.md
+++ b/windows/deployment/windows-autopilot/self-deploying.md
@@ -8,9 +8,9 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: ms.localizationpriority: medium
-author: coreyp-at-msft
-ms.author: coreyp
-ms.date: 06/01/2018
+author: greg-lindsay
+ms.author: greg-lindsay
+ms.date: 10/02/2018 --- # Windows Autopilot Self-Deploying mode (Preview)
diff --git a/windows/deployment/windows-autopilot/troubleshooting.md b/windows/deployment/windows-autopilot/troubleshooting.md
index 2ea0af92da..2e98298d23 100644
--- a/windows/deployment/windows-autopilot/troubleshooting.md
+++ b/windows/deployment/windows-autopilot/troubleshooting.md
@@ -7,9 +7,9 @@ ms.mktglfcycl: deploy ms.localizationpriority: medium ms.sitesec: library ms.pagetype: deploy
-author: coreyp-at-msft
-ms.author: coreyp
-ms.date: 06/01/2018
+author: greg-lindsay
+ms.author: greg-lindsay
+ms.date: 10/02/2018 --- # Troubleshooting Windows Autopilot
diff --git a/windows/deployment/windows-autopilot/user-driven-aad.md b/windows/deployment/windows-autopilot/user-driven-aad.md
index 91d9bbf472..6da9e99b33 100644
--- a/windows/deployment/windows-autopilot/user-driven-aad.md
+++ b/windows/deployment/windows-autopilot/user-driven-aad.md
@@ -7,13 +7,13 @@ ms.mktglfcycl: deploy ms.localizationpriority: low ms.sitesec: library ms.pagetype: deploy
-author: coreyp-at-msft
-ms.author: coreyp
-ms.date: 06/01/2018
+author: greg-lindsay
+ms.author: greg-lindsay
+ms.date: 10/02/2018 --- # Windows Autopilot user-driven mode for Azure Active Directory **Applies to: Windows 10**
-DO NOT PUBLISH. This eventually will contain the AAD-specific instuctions currently in user-driven.md.
+PLACEHOLDER. This topic is a placeholder for the AAD-specific instuctions currently in user-driven.md.
diff --git a/windows/deployment/windows-autopilot/user-driven-hybrid.md b/windows/deployment/windows-autopilot/user-driven-hybrid.md
index 091783afa4..90ed790b77 100644
--- a/windows/deployment/windows-autopilot/user-driven-hybrid.md
+++ b/windows/deployment/windows-autopilot/user-driven-hybrid.md
@@ -7,9 +7,9 @@ ms.mktglfcycl: deploy ms.localizationpriority: low ms.sitesec: library ms.pagetype: deploy
-author: coreyp-at-msft
-ms.author: coreyp
-ms.date: 06/01/2018
+author: greg-lindsay
+ms.author: greg-lindsay
+ms.date: 10/02/2018 ---
@@ -17,4 +17,8 @@ ms.date: 06/01/2018 **Applies to: Windows 10**
-DO NOT PUBLISH. This eventually will contain the AD-specific (hybrid) instuctions. This will be in preview at a later point in time.
+<<<<<<< HEAD
+PLACEHOLDER. This topic is a placeholder for the AD-specific (hybrid) instuctions.
+=======
+Placeholder. Content coming.
+>>>>>>> 01422d156afc7ab2286b8769aee1c4c39351a5f6
diff --git a/windows/deployment/windows-autopilot/user-driven.md b/windows/deployment/windows-autopilot/user-driven.md
index bb9b722bb6..d12042b321 100644
--- a/windows/deployment/windows-autopilot/user-driven.md
+++ b/windows/deployment/windows-autopilot/user-driven.md
@@ -7,15 +7,12 @@ ms.mktglfcycl: deploy ms.localizationpriority: medium ms.sitesec: library ms.pagetype: deploy
-author: coreyp-at-msft
-ms.author: coreyp
-ms.date: 06/01/2018
+author: greg-lindsay
+ms.date: 10/02/2018
+ms.author: greg-lindsay
+ms.date: 10/02/2018 ---
-# Windows Autopilot User-Driven Mode
-
-**Applies to: Windows 10 version 1703 and above**
-
Windows Autopilot user-driven mode is designed to enable new Windows 10 devices to be transformed from their initial state, directly from the factory, into a ready-to-use state without requiring that IT personnel ever touch the device. The process is designed to be simple so that anyone can complete it, enabling devices to be shipped or distributed to the end user directly with simple instructions: - Unbox the device, plug it in, and turn it on.
diff --git a/windows/deployment/windows-autopilot/windows-10-autopilot.md b/windows/deployment/windows-autopilot/windows-10-autopilot.md
index 810bdf70be..9ad26de9d0 100644
--- a/windows/deployment/windows-autopilot/windows-10-autopilot.md
+++ b/windows/deployment/windows-autopilot/windows-10-autopilot.md
@@ -7,9 +7,9 @@ ms.mktglfcycl: deploy ms.localizationpriority: medium ms.sitesec: library ms.pagetype: deploy
-author: coreyp-at-msft
-ms.author: coreyp
-ms.date: 08/22/2018
+author: greg-lindsay
+ms.author: greg-lindsay
+ms.date: 10/02/2018 --- # Overview of Windows Autopilot
diff --git a/windows/deployment/windows-autopilot/windows-autopilot-requirements-configuration.md b/windows/deployment/windows-autopilot/windows-autopilot-requirements-configuration.md
index 919b0f5efa..a3c71ae225 100644
--- a/windows/deployment/windows-autopilot/windows-autopilot-requirements-configuration.md
+++ b/windows/deployment/windows-autopilot/windows-autopilot-requirements-configuration.md
@@ -7,9 +7,9 @@ ms.mktglfcycl: deploy ms.localizationpriority: medium ms.sitesec: library ms.pagetype: deploy
-author: coreyp-at-msft
-ms.author: coreyp
-ms.date: 06/01/2018
+author: greg-lindsay
+ms.author: greg-lindsay
+ms.date: 10/02/2018 --- # Windows Autopilot configuration requirements
diff --git a/windows/deployment/windows-autopilot/windows-autopilot-requirements-licensing.md b/windows/deployment/windows-autopilot/windows-autopilot-requirements-licensing.md
index 8cd71d80c3..a9eb506a51 100644
--- a/windows/deployment/windows-autopilot/windows-autopilot-requirements-licensing.md
+++ b/windows/deployment/windows-autopilot/windows-autopilot-requirements-licensing.md
@@ -7,10 +7,11 @@ ms.mktglfcycl: deploy ms.localizationpriority: high ms.sitesec: library ms.pagetype: deploy
-author: coreyp-at-msft
-ms.author: coreyp
-ms.date: 06/01/2018
----
+author: greg-lindsay
+ms.author: greg-lindsay
+ms.date: 10/02/2018
+ms.author: greg-lindsay
+ms.date: 10/02/2018 # Windows Autopilot licensing requirements
diff --git a/windows/deployment/windows-autopilot/windows-autopilot-requirements-network.md b/windows/deployment/windows-autopilot/windows-autopilot-requirements-network.md
index 6ed585912e..2344d56268 100644
--- a/windows/deployment/windows-autopilot/windows-autopilot-requirements-network.md
+++ b/windows/deployment/windows-autopilot/windows-autopilot-requirements-network.md
@@ -7,9 +7,9 @@ ms.mktglfcycl: deploy ms.localizationpriority: high ms.sitesec: library ms.pagetype: deploy
-author: coreyp-at-msft
-ms.author: coreyp
-ms.date: 06/01/2018
+author: greg-lindsay
+ms.author: greg-lindsay
+ms.date: 10/02/2018 --- # Windows Autopilot networking requirements
diff --git a/windows/deployment/windows-autopilot/windows-autopilot-requirements.md b/windows/deployment/windows-autopilot/windows-autopilot-requirements.md
index 1ffd9e4582..3b1ede0e05 100644
--- a/windows/deployment/windows-autopilot/windows-autopilot-requirements.md
+++ b/windows/deployment/windows-autopilot/windows-autopilot-requirements.md
@@ -7,9 +7,9 @@ ms.mktglfcycl: deploy ms.localizationpriority: high ms.sitesec: library ms.pagetype: deploy
-author: coreyp-at-msft
-ms.author: coreyp
-ms.date: 06/01/2018
+author: greg-lindsay
+ms.author: greg-lindsay
+ms.date: 10/02/2018 --- # Windows Autopilot requirements
diff --git a/windows/deployment/windows-autopilot/windows-autopilot-reset-local.md b/windows/deployment/windows-autopilot/windows-autopilot-reset-local.md
index b8259e9016..c97d79add8 100644
--- a/windows/deployment/windows-autopilot/windows-autopilot-reset-local.md
+++ b/windows/deployment/windows-autopilot/windows-autopilot-reset-local.md
@@ -8,9 +8,9 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: ms.localizationpriority: medium
-author: coreyp-at-msft
-ms.author: coreyp
-ms.date: 06/01/2018
+author: greg-lindsay
+ms.author: greg-lindsay
+ms.date: 10/02/2018 --- # Reset devices with local Windows Autopilot Reset
diff --git a/windows/deployment/windows-autopilot/windows-autopilot-reset-remote.md b/windows/deployment/windows-autopilot/windows-autopilot-reset-remote.md
index 7efd53c9f0..1f7cca216f 100644
--- a/windows/deployment/windows-autopilot/windows-autopilot-reset-remote.md
+++ b/windows/deployment/windows-autopilot/windows-autopilot-reset-remote.md
@@ -8,9 +8,9 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: ms.localizationpriority: medium
-author: coreyp-at-msft
-ms.author: coreyp
-ms.date: 06/01/2018
+author: greg-lindsay
+ms.author: greg-lindsay
+ms.date: 10/02/2018 --- # Reset devices with remote Windows Autopilot Reset (Preview)
diff --git a/windows/deployment/windows-autopilot/windows-autopilot-reset.md b/windows/deployment/windows-autopilot/windows-autopilot-reset.md
index 4417198067..9e83d32bbb 100644
--- a/windows/deployment/windows-autopilot/windows-autopilot-reset.md
+++ b/windows/deployment/windows-autopilot/windows-autopilot-reset.md
@@ -8,9 +8,9 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: ms.localizationpriority: medium
-author: coreyp-at-msft
-ms.author: coreyp
-ms.date: 06/01/2018
+author: greg-lindsay
+ms.author: greg-lindsay
+ms.date: 10/02/2018 --- # Windows Autopilot Reset
diff --git a/windows/deployment/windows-autopilot/windows-autopilot-scenarios.md b/windows/deployment/windows-autopilot/windows-autopilot-scenarios.md
index b832512df1..2b0a3d2ac3 100644
--- a/windows/deployment/windows-autopilot/windows-autopilot-scenarios.md
+++ b/windows/deployment/windows-autopilot/windows-autopilot-scenarios.md
@@ -7,9 +7,9 @@ ms.mktglfcycl: deploy ms.localizationpriority: medium ms.sitesec: library ms.pagetype: deploy
-author: coreyp-at-msft
-ms.author: coreyp
-ms.date: 06/01/2018
+author: greg-lindsay
+ms.author: greg-lindsay
+ms.date: 10/02/2018 --- # Windows Autopilot scenarios
diff --git a/windows/deployment/windows-autopilot/windows-autopilot.md b/windows/deployment/windows-autopilot/windows-autopilot.md
index 39eb571f2a..37f8070dad 100644
--- a/windows/deployment/windows-autopilot/windows-autopilot.md
+++ b/windows/deployment/windows-autopilot/windows-autopilot.md
@@ -7,9 +7,9 @@ ms.mktglfcycl: deploy ms.localizationpriority: high ms.sitesec: library ms.pagetype: deploy
-author: coreyp-at-msft
-ms.author: coreyp
-ms.date: 06/01/2018
+author: greg-lindsay
+ms.author: greg-lindsay
+ms.date: 10/02/2018 --- # Overview of Windows Autopilot
diff --git a/windows/eulas/TOC.yml b/windows/eulas/TOC.yml
new file mode 100644
index 0000000000..b5ef71ac32
--- /dev/null
+++ b/windows/eulas/TOC.yml
@@ -0,0 +1,2 @@
+- name: Index
+ href: index.md
\ No newline at end of file
diff --git a/windows/eulas/breadcrumb/toc.yml b/windows/eulas/breadcrumb/toc.yml
new file mode 100644
index 0000000000..61d8fca61e
--- /dev/null
+++ b/windows/eulas/breadcrumb/toc.yml
@@ -0,0 +1,3 @@
+- name: Docs
+ tocHref: /
+ topicHref: /
\ No newline at end of file
diff --git a/windows/eulas/docfx.json b/windows/eulas/docfx.json
new file mode 100644
index 0000000000..ff3ab96c92
--- /dev/null
+++ b/windows/eulas/docfx.json
@@ -0,0 +1,47 @@
+{
+ "build": {
+ "content": [
+ {
+ "files": [
+ "**/*.md",
+ "**/*.yml"
+ ],
+ "exclude": [
+ "**/obj/**",
+ "**/includes/**",
+ "_themes/**",
+ "_themes.pdf/**",
+ "README.md",
+ "LICENSE",
+ "LICENSE-CODE",
+ "ThirdPartyNotices"
+ ]
+ }
+ ],
+ "resource": [
+ {
+ "files": [
+ "**/*.png",
+ "**/*.jpg"
+ ],
+ "exclude": [
+ "**/obj/**",
+ "**/includes/**",
+ "_themes/**",
+ "_themes.pdf/**"
+ ]
+ }
+ ],
+ "overwrite": [],
+ "externalReference": [],
+ "globalMetadata": {
+ "breadcrumb_path": "/windows/eulas/breadcrumb/toc.json",
+ "extendBreadcrumb": true,
+ "feedback_system": "None"
+ },
+ "fileMetadata": {},
+ "template": [],
+ "dest": "eula-vsts",
+ "markdownEngineName": "markdig"
+ }
+}
\ No newline at end of file
diff --git a/windows/eulas/index.md b/windows/eulas/index.md
new file mode 100644
index 0000000000..7d6b50323c
--- /dev/null
+++ b/windows/eulas/index.md
@@ -0,0 +1 @@
+# Welcome to eula-vsts!
\ No newline at end of file
diff --git a/windows/hub/index.md b/windows/hub/index.md
index 531d071af4..16c86b4a0f 100644
--- a/windows/hub/index.md +++ b/windows/hub/index.md @@ -71,10 +71,12 @@ The Windows 10 operating system introduces a new way to build, deploy, and servi These improvements focus on maximizing customer involvement in Windows development, simplifying the deployment and servicing of Windows client computers, and leveling out the resources needed to deploy and maintain Windows over time. - [Read more about Windows as a Service](/windows/deployment/update/waas-overview) +- [Read how much space does Windows 10 take](https://www.microsoft.com/en-us/windows/windows-10-specifications) ## Related topics [Windows 10 TechCenter](https://go.microsoft.com/fwlink/?LinkId=620009) +   diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md index 371890febb..9a9140a764 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md @@ -28,7 +28,7 @@ Use this article to learn about diagnostic events, grouped by event area, and th You can learn more about Windows functional and diagnostic data through these articles: - +- [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md) - [Windows 10, version 1803 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md) - [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md) - [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) 
@@ -334,7 +334,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.DecisionApplicationFileRemove -This event indicates Indicates that the DecisionApplicationFile object is no longer present. +This event indicates that the DecisionApplicationFile object is no longer present. This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). @@ -670,7 +670,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.InventoryApplicationFileStartSync -This event indicates indicates that a new set of InventoryApplicationFileAdd events will be sent. +This event indicates that a new set of InventoryApplicationFileAdd events will be sent. This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). @@ -4388,7 +4388,7 @@ The following fields are available: - **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. - **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. - **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. -- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used used to diagnose errors. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors. - **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. - **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). - **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md index 665450f693..f1ca2eae5e 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md 
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md @@ -9,7 +9,7 @@ ms.pagetype: security localizationpriority: high author: brianlic-msft ms.author: brianlic -ms.date: 09/10/2018 +ms.date: 10/10/2018 --- @@ -29,6 +29,7 @@ Use this article to learn about diagnostic events, grouped by event area, and th You can learn more about Windows functional and diagnostic data through these articles: +- [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md) - [Windows 10, version 1803 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md) - [Windows 10, version 1703 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md) - [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) 
@@ -76,9 +77,9 @@ The following fields are available: - **SystemProcessorNx** The count of the number of this particular object type present on this device. - **SystemProcessorPrefetchW** The count of SystemProcessorPrefetchW objects present on this machine. - **SystemProcessorSse2** The count of SystemProcessorSse2 objects present on this machine. -- **SystemTouch** The count of SystemTouch objects present on this machine. +- **SystemTouch** The count of the number of this particular object type present on this device. - **SystemWim** The count of SystemWim objects present on this machine. -- **SystemWindowsActivationStatus** The count of SystemWindowsActivationStatus objects present on this machine. +- **SystemWindowsActivationStatus** The count of the number of this particular object type present on this device. - **SystemWlan** The count of the number of this particular object type present on this device. - **Wmdrm_RS1** An ID for the system, calculated by hashing hardware identifiers. - **Wmdrm_RS4** The total Wmdrm objects targeting Windows 10, version 1803 present on this device. @@ -358,7 +359,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.DecisionApplicationFileRemove -This event indicates Indicates that the DecisionApplicationFile object is no longer present. +This event indicates that the DecisionApplicationFile object is no longer present. This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). @@ -705,7 +706,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.InventoryApplicationFileStartSync -This event indicates indicates that a new set of InventoryApplicationFileAdd events will be sent. +This event indicates that a new set of InventoryApplicationFileAdd events will be sent. This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). 
@@ -1544,14 +1545,14 @@ This event provides information on about security settings used to help keep Win The following fields are available: - **AvailableSecurityProperties** This field helps to enumerate and report state on the relevant security properties for Device Guard. -- **CGRunning** Credential Guard isolates and hardens key system and user secrets against compromise, helping to minimize the impact and breadth of a Pass the Hash style attack in the event that malicious code is already running via a local or network based vector. This field tells if Credential Guard is running. +- **CGRunning** Is Credential Guard running? - **DGState** This field summarizes the Device Guard state. - **HVCIRunning** Is HVCI running? - **IsSawGuest** Indicates whether the device is running as a Secure Admin Workstation Guest. - **IsSawHost** Indicates whether the device is running as a Secure Admin Workstation Host. - **RequiredSecurityProperties** Describes the required security properties to enable virtualization-based security. -- **SecureBootCapable** Systems that support Secure Boot can have the feature turned off via BIOS. This field tells if the system is capable of running Secure Boot, regardless of the BIOS setting. -- **VBSState** Virtualization-based security (VBS) uses the hypervisor to help protect the kernel and other parts of the operating system. Credential Guard and Hypervisor Code Integrity (HVCI) both depend on VBS to isolate/protect secrets, and kernel-mode code integrity validation. VBS has a tri-state that can be Disabled, Enabled, or Running. +- **SecureBootCapable** Is this device capable of running Secure Boot? +- **VBSState** Is virtualization-based security enabled, disabled, or running? ### Census.Speech 
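Review bot: The shortened `SecureBootCapable` and `VBSState` lines in the Census.Security field list drop the qualifiers that let a reader interpret these fields. The removed text said `SecureBootCapable` reports capability "regardless of the BIOS setting", so without it the field is easily read as "Secure Boot is on". The removed text also named the three `VBSState` values explicitly. I would keep the shorter style but restore both points, and phrase them as statements like the neighbouring `IsSawGuest`/`IsSawHost` lines: `- **SecureBootCapable** Indicates whether the device is capable of running Secure Boot, regardless of the BIOS setting.` and `- **VBSState** The state of virtualization-based security: Disabled, Enabled, or Running.`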
@@ -2956,6 +2957,19 @@ The following fields are available: ## Sediment events +### Microsoft.Windows.Sediment.Info.DetailedState + +This event is sent when detailed state information is needed from an update trial run. + +The following fields are available: + +- **Data** Data relevant to the state, such as what percent of disk space the directory takes up. +- **Id** Identifies the trial being run, such as a disk related trial. +- **ReleaseVer** The version of the component. +- **State** The state of the reporting data from the trial, such as the top-level directory analysis. +- **Time** The time the event was fired. + + ### Microsoft.Windows.Sediment.OSRSS.UrlState This event indicates the state the Operating System Remediation System Service (OSRSS) is in while attempting a download from the URL. 
@@ -3579,14 +3593,14 @@ The following fields are available: - **BIOSVendor** The vendor of the BIOS. - **BiosVersion** The version of the BIOS. - **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. -- **BundleRepeatFailFlag** Has this particular update bundle previously failed to install? +- **BundleRepeatFailFlag** Indicates whether this particular update bundle previously failed to install. - **BundleRevisionNumber** Identifies the revision number of the content bundle. - **CachedEngineVersion** For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null. - **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. - **ClientVersion** The version number of the software distribution client. - **CSIErrorType** The stage of CBS installation where it failed. -- **CurrentMobileOperator** Mobile operator that device is currently connected to. -- **DeviceModel** What is the device model. +- **CurrentMobileOperator** The mobile operator to which the device is currently connected. +- **DeviceModel** The device model. - **DriverPingBack** Contains information about the previous driver and system state. - **EventInstanceID** A globally unique identifier for event instance. - **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed. 
@@ -3602,21 +3616,21 @@ The following fields are available: - **HardwareId** If this install was for a driver targeted to a particular device model, this ID indicates the model of the device. - **HomeMobileOperator** The mobile operator that the device was originally intended to work with. - **IntentPFNs** Intended application-set metadata for atomic update scenarios. -- **IsDependentSet** Is the driver part of a larger System Hardware/Firmware update? -- **IsFinalOutcomeEvent** Does this event signal the end of the update/upgrade process? -- **IsFirmware** Is this update a firmware update? -- **IsSuccessFailurePostReboot** Did it succeed and then fail after a restart? +- **IsDependentSet** Indicates whether the driver is part of a larger System Hardware/Firmware update. +- **IsFinalOutcomeEvent** Indicates whether this event signals the end of the update/upgrade process. +- **IsFirmware** Indicates whether this update is a firmware update. +- **IsSuccessFailurePostReboot** Indicates whether the update succeeded and then failed after a restart. - **IsWUfBDualScanEnabled** Is Windows Update for Business dual scan enabled on the device? - **IsWUfBEnabled** Indicates whether Windows Update for Business is enabled on the device. -- **MergedUpdate** Was the OS update and a BSP update merged for installation? +- **MergedUpdate** Indicates whether the OS update and a BSP update merged for installation. - **MsiAction** The stage of MSI installation where it failed. - **MsiProductCode** The unique identifier of the MSI installer. - **PackageFullName** The package name of the content being installed. - **PhonePreviewEnabled** Indicates whether a phone was getting preview build, prior to flighting being introduced. -- **ProcessName** The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided. -- **QualityUpdatePause** Are quality OS updates paused on the device? 
+- **ProcessName** The process name of the caller who initiated API calls, in the event that CallerApplicationName was not provided. +- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. - **RelatedCV** The previous Correlation Vector that was used before swapping with a new one -- **RepeatFailFlag** Indicates whether this specific piece of content had previously failed to install. +- **RepeatFailFlag** Indicates whether this specific piece of content previously failed to install. - **RevisionNumber** The revision number of this specific piece of content. - **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Windows Store, etc.). - **Setup360Phase** If the install is for an operating system upgrade, indicates which phase of the upgrade is underway. @@ -3626,8 +3640,8 @@ The following fields are available: - **SystemBIOSMinorRelease** Minor version of the BIOS. - **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. - **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. -- **TransactionCode** The ID which represents a given MSI installation -- **UpdateId** Unique update ID +- **TransactionCode** The ID that represents a given MSI installation. +- **UpdateId** Unique update ID. - **UpdateID** An identifier associated with the specific piece of content. - **UpdateImportance** Indicates whether a piece of content was marked as Important, Recommended, or Optional. - **UsedSystemVolume** Indicates whether the content was downloaded and then installed from the device's main system storage drive, or an alternate storage drive. 
@@ -3995,7 +4009,7 @@ The following fields are available: - **ScenarioId** Indicates the update scenario. - **SessionId** Unique value for each update attempt. - **SetupMode** Mode of setup to be launched. -- **UpdateId** Unique ID for each update. +- **UpdateId** Unique ID for each Update. - **UserSession** Indicates whether install was invoked by user actions. @@ -4014,7 +4028,7 @@ The following fields are available: - **CV** Correlation vector. - **DetectorVersion** Most recently run detector version for the current campaign. - **GlobalEventCounter** Client side counter that indicates the ordering of events sent by this user. -- **key1** Interaction data for the UI +- **key1** UI interaction data - **key10** UI interaction data - **key11** UI interaction data - **key12** UI interaction data @@ -4025,7 +4039,7 @@ The following fields are available: - **key17** UI interaction data - **key18** UI interaction data - **key19** UI interaction data -- **key2** Interaction data for the UI +- **key2** UI interaction data - **key20** UI interaction data - **key21** Interaction data for the UI - **key22** UI interaction data @@ -4036,13 +4050,13 @@ The following fields are available: - **key27** UI interaction data - **key28** UI interaction data - **key29** UI interaction data -- **key3** Interaction data for the UI +- **key3** UI interaction data - **key30** UI interaction data -- **key4** Interaction data for the UI +- **key4** UI interaction data - **key5** UI interaction data - **key6** UI interaction data -- **key7** Interaction data for the UI -- **key8** Interaction data for the UI +- **key7** UI interaction data +- **key8** UI interaction data - **key9** UI interaction data - **PackageVersion** Current package version of the update notification. - **schema** UI interaction type. 
@@ -4194,9 +4208,9 @@ The following fields are available: - **Setup360Extended** Detailed information about the phase or action when the potential failure occurred. - **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. - **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. -- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT +- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. - **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). -- **State** Exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **State** Exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled - **TestId** A string to uniquely identify a group of events. - **WuId** Windows Update client ID. @@ -4352,7 +4366,7 @@ The following fields are available: - **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. - **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. - **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. -- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used used to diagnose errors. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors. - **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. - **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). - **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. 
@@ -4388,17 +4402,17 @@ This event provides the results from the WaaSMedic engine The following fields are available: - **detectionSummary** Result of each applicable detection that was run. -- **featureAssessmentImpact** WaaS Assessment impact for feature updates. +- **featureAssessmentImpact** Windows as a Service (WaaS) Assessment impact on feature updates - **hrEngineResult** Indicates the WaaSMedic engine operation error codes -- **insufficientSessions** Device not eligible for diagnostics. -- **isManaged** Device is managed for updates. -- **isWUConnected** Device is connected to Windows Update. -- **noMoreActions** No more applicable diagnostics. -- **qualityAssessmentImpact** WaaS Assessment impact for quality updates. +- **insufficientSessions** True, if the device has enough activity to be eligible for update diagnostics. False, if otherwise +- **isManaged** Indicates the device is managed for updates +- **isWUConnected** Indicates the device is connected to Windows Update +- **noMoreActions** All available WaaSMedic diagnostics have run. There are no pending diagnostics and corresponding actions +- **qualityAssessmentImpact** Windows as a Service (WaaS) Assessment impact for quality updates - **remediationSummary** Result of each operation performed on a device to fix an invalid state or configuration that's preventing the device from getting updates. For example, if Windows Update service is turned off, the fix is to turn the it back on. -- **usingBackupFeatureAssessment** Relying on backup feature assessment. -- **usingBackupQualityAssessment** Relying on backup quality assessment. -- **versionString** Version of the WaaSMedic engine. +- **usingBackupFeatureAssessment** The WaaSMedic engine contacts Windows as a Service (WaaS) Assessment to determine whether the device is up-to-date. 
If WaaS Assessment isn't available, the engine falls back to backup feature assessments, which are determined programmatically on the client +- **usingBackupQualityAssessment** The WaaSMedic engine contacts Windows as a Service (WaaS) Assessment to determine whether the device is up-to-date. If WaaS Assessment isn't available, the engine falls back to backup quality assessments, which are determined programmatically on the client +- **versionString** Installed version of the WaaSMedic engine ## Windows Store events @@ -4667,9 +4681,9 @@ FulfillmentComplete event is fired at the end of an app install or update. We us The following fields are available: - **FailedRetry** Tells us if the retry for an install or update was successful or not. -- **HResult** Resulting HResult error/success code of this call -- **PFN** Package Family Name of the app that being installed or updated -- **ProductId** Product Id of the app that is being updated or installed +- **HResult** The HResult code of the operation. +- **PFN** The Package Family Name of the app that is being installed or updated. +- **ProductId** The product ID of the app that is being updated or installed. ### Microsoft.Windows.StoreAgent.Telemetry.FulfillmentInitiate 
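Review bot: The new `insufficientSessions` description in the WaaSMedic field list reads as the inverse of the field name and of the line it replaces. The removed text was "Device not eligible for diagnostics", while the added text says the value is true when the device has enough activity to be eligible. If the field still means what its name suggests, the line should read `- **insufficientSessions** True if the device does not have enough activity to be eligible for update diagnostics; otherwise false.` The polarity should be confirmed with the component owners before publishing, because readers use this page to interpret collected data. The added lines in this hunk also drop the terminal period that the rest of the list uses.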
@@ -5028,14 +5042,14 @@ This event collects information regarding the install phase of the new device ma The following fields are available: -- **errorCode** The error code returned for the current install phase -- **flightId** The unique identifier for each flight -- **objectId** Unique value for each Update Agent mode -- **relatedCV** Correlation vector value generated from the latest scan -- **result** Result of the install phase of update. 0 = Succeeded 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 = BlockCancelled -- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate -- **sessionId** Unique value for each Update Agent mode attempt -- **updateId** Unique ID for each update +- **errorCode** The error code returned for the current install phase. +- **flightId** Unique ID for each flight. +- **objectId** Unique value for each diagnostics session. +- **relatedCV** Correlation vector value generated from the latest USO scan. +- **result** Outcome of the install phase of the update. +- **scenarioId** Indicates the update scenario. +- **sessionId** Unique value for each update session. +- **updateId** Unique ID for each Update. ### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentModeStart @@ -5108,7 +5122,7 @@ The following fields are available: - **interactive** Indicates whether the session was user initiated. - **revisionNumber** Update revision number. - **updateId** Update ID. -- **updateScenarioType** Device ID +- **updateScenarioType** Update Session type - **wuDeviceid** Device ID diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md index 2f0e8fbb61..404f217af2 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md 
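Review bot: The rewritten `result` line in the install-phase field list removes the value mapping (0 = Succeeded, 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 = BlockCancelled), so a reader of the telemetry can no longer decode the field from this page. The `scenarioId` line similarly loses its example values. If the mapping is still accurate, keep it: `- **result** Outcome of the install phase of the update. 0 = Succeeded, 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 = BlockCancelled.` The same hunk changes `objectId` from "each Update Agent mode" to "each diagnostics session", which reads as a change of meaning rather than wording and should be confirmed against the event definition.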
@@ -28,7 +28,7 @@ Use this article to learn about diagnostic events, grouped by event area, and th You can learn more about Windows functional and diagnostic data through these articles: - +- [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md) - [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md) - [Windows 10, version 1703 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md) - [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) @@ -369,7 +369,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.DecisionApplicationFileRemove -This event indicates Indicates that the DecisionApplicationFile object is no longer present. +This event indicates that the DecisionApplicationFile object is no longer present. This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). @@ -701,7 +701,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.InventoryApplicationFileStartSync -This event indicates indicates that a new set of InventoryApplicationFileAdd events will be sent. +This event indicates that a new set of InventoryApplicationFileAdd events will be sent. This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). 
@@ -4538,7 +4538,7 @@ The following fields are available: - **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. - **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. - **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. -- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used used to diagnose errors. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors. - **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. - **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). - **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md index 634376dd9a..f840faba43 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md @@ -9,7 +9,7 @@ ms.pagetype: security localizationpriority: high author: brianlic-msft ms.author: brianlic -ms.date: 09/10/2018 +ms.date: 10/03/2018 --- @@ -666,7 +666,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.DecisionApplicationFileRemove -This event indicates Indicates that the DecisionApplicationFile object is no longer present. +This event indicates that the DecisionApplicationFile object is no longer present. This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). 
@@ -1013,7 +1013,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.InventoryApplicationFileStartSync -This event indicates indicates that a new set of InventoryApplicationFileAdd events will be sent. +This event indicates that a new set of InventoryApplicationFileAdd events will be sent. This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). @@ -1818,18 +1818,14 @@ The following fields are available: - **AdvertisingId** Current state of the advertising ID setting. - **AppDiagnostics** Current state of the app diagnostics setting. - **Appointments** Current state of the calendar setting. -- **AppointmentsSystem** Current state of the calendar setting. - **Bluetooth** Current state of the Bluetooth capability setting. - **BluetoothSync** Current state of the Bluetooth sync capability setting. - **BroadFileSystemAccess** Current state of the broad file system access setting. - **CellularData** Current state of the cellular data capability setting. - **Chat** Current state of the chat setting. -- **ChatSystem** Current state of the chat setting. - **Contacts** Current state of the contacts setting. -- **ContactsSystem** Current state of the Contacts setting. - **DocumentsLibrary** Current state of the documents library setting. - **Email** Current state of the email setting. -- **EmailSystem** Current state of the email setting. - **FindMyDevice** Current state of the "find my device" setting. - **GazeInput** Current state of the gaze input setting. - **HumanInterfaceDevice** Current state of the human interface device setting. 
@@ -1841,7 +1837,6 @@ The following fields are available: - **Microphone** Current state of the microphone setting. - **PhoneCall** Current state of the phone call setting. - **PhoneCallHistory** Current state of the call history setting. -- **PhoneCallHistorySystem** Current state of the call history setting. - **PicturesLibrary** Current state of the pictures library setting. - **Radios** Current state of the radios setting. - **SensorsCustom** Current state of the custom sensor setting. @@ -1851,7 +1846,6 @@ The following fields are available: - **USB** Current state of the USB setting. - **UserAccountInformation** Current state of the account information setting. - **UserDataTasks** Current state of the tasks setting. -- **UserDataTasksSystem** Current state of the tasks setting. - **UserNotificationListener** Current state of the notifications setting. - **VideosLibrary** Current state of the videos library setting. - **Webcam** Current state of the camera setting. 
@@ -1985,18 +1979,14 @@ The following fields are available: - **AdvertisingId** Current state of the advertising ID setting. - **AppDiagnostics** Current state of the app diagnostics setting. - **Appointments** Current state of the calendar setting. -- **AppointmentsSystem** Current state of the calendar setting. - **Bluetooth** Current state of the Bluetooth capability setting. - **BluetoothSync** Current state of the Bluetooth sync capability setting. - **BroadFileSystemAccess** Current state of the broad file system access setting. - **CellularData** Current state of the cellular data capability setting. - **Chat** Current state of the chat setting. -- **ChatSystem** Current state of the chat setting. - **Contacts** Current state of the contacts setting. -- **ContactsSystem** Current state of the contacts setting. - **DocumentsLibrary** Current state of the documents library setting. - **Email** Current state of the email setting. -- **EmailSystem** Current state of the email setting. - **GazeInput** Current state of the gaze input setting. - **HumanInterfaceDevice** Current state of the human interface device setting. - **InkTypeImprovement** Current state of the improve inking and typing setting. @@ -2008,7 +1998,6 @@ The following fields are available: - **Microphone** Current state of the microphone setting. - **PhoneCall** Current state of the phone call setting. - **PhoneCallHistory** Current state of the call history setting. -- **PhoneCallHistorySystem** Current state of the call history setting. - **PicturesLibrary** Current state of the pictures library setting. - **Radios** Current state of the radios setting. - **SensorsCustom** Current state of the custom sensor setting. 
@@ -2018,7 +2007,6 @@ The following fields are available: - **USB** Current state of the USB setting. - **UserAccountInformation** Current state of the account information setting. - **UserDataTasks** Current state of the tasks setting. -- **UserDataTasksSystem** Current state of the tasks setting. - **UserNotificationListener** Current state of the notifications setting. - **VideosLibrary** Current state of the videos library setting. - **Webcam** Current state of the camera setting. diff --git a/windows/privacy/windows-personal-data-services-configuration.md b/windows/privacy/windows-personal-data-services-configuration.md index 3743dc7b3b..4c786622c8 100644 --- a/windows/privacy/windows-personal-data-services-configuration.md +++ b/windows/privacy/windows-personal-data-services-configuration.md @@ -123,7 +123,7 @@ This setting determines whether a device shows notifications about Windows diagn ### Configure telemetry opt-in setting user interface -This setting determines whether people can change their own Windows diagnostic data level in in *Start > Settings > Privacy > Diagnostics & feedback*. +This setting determines whether people can change their own Windows diagnostic data level in *Start > Settings > Privacy > Diagnostics & feedback*. #### Group Policy @@ -193,7 +193,7 @@ The following settings determine whether fixed and removable drives are protecte >| | | >|:-|:-| >| **MDM CSP** | BitLocker | ->| **Policy** | RemovableDrivesRequireEncryption | +>| **Policy** | FixedDrivesRequireEncryption | >| **Default setting** | Disabled | >| **Recommended** | Enabled (see [instructions](/windows/client-management/mdm/bitlocker-csp#fixeddrivesrequireencryption)) | diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md index 97f8ceee36..f33d7bbf02 100644 
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md @@ -131,7 +131,7 @@ In the Windows 10, version 1703, the PIN complexity Group Policy settings have m ## Review Before you continue with the deployment, validate your deployment progress by reviewing the following items: -* Confirm you authored Group Policy settings using the latest ADMX/ADML files (from the Widows 10 Creators Editions) +* Confirm you authored Group Policy settings using the latest ADMX/ADML files (from the Windows 10 Creators Editions) * Confirm you configured the Enable Windows Hello for Business to the scope that matches your deployment (Computer vs. User) * Confirm you configure the Use Certificate enrollment for on-premises authentication policy setting. * Confirm you configure automatic certificate enrollment to the scope that matches your deployment (Computer vs. User) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md index 00a4885e90..eef0b8f4a8 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md 
@@ -23,10 +23,10 @@ Hybrid environments are distributed systems that enable organizations to use on-
 The distributed systems on which these technologies were built involved several pieces of on-premises and cloud infrastructure. High-level pieces of the infrastructure include:
 * [Directories](#directories)
-* [Public Key Infrastucture](#public-key-infastructure)
+* [Public Key Infrastructure](#public-key-infrastructure)
 * [Directory Synchronization](#directory-synchronization)
 * [Federation](#federation)
-* [MultiFactor Authetication](#multifactor-authentication)
+* [MultiFactor Authentication](#multifactor-authentication)
 * [Device Registration](#device-registration)
 ## Directories ##
@@ -114,9 +114,9 @@ Organizations wanting to deploy hybrid key trust need their domain joined device
    ### Next Steps ###
-Follow the Windows Hello for Business hybrid key trust deployment guide. For proof-of-concepts, labs, and new installations, choose the **New Installation Basline**.
+Follow the Windows Hello for Business hybrid key trust deployment guide. For proof-of-concepts, labs, and new installations, choose the **New Installation Baseline**.
-For environments transitioning from on-premises to hybrid, start with **Configure Azure Directory Syncrhonization**.
+For environments transitioning from on-premises to hybrid, start with **Configure Azure Directory Synchronization**.
 For federated and non-federated environments, start with **Configure Windows Hello for Business settings**.
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md
index bbc808feae..f9c8f46088 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md
@@ -104,7 +104,7 @@ In the Windows 10, version 1703, the PIN complexity Group Policy settings have m
 ## Review
 Before you continue with the deployment, validate your deployment progress by reviewing the following items:
-* Confirm you authored Group Policy settings using the latest ADMX/ADML files (from the Widows 10 Creators Editions)
+* Confirm you authored Group Policy settings using the latest ADMX/ADML files (from the Windows 10 Creators Editions)
 * Confirm you configured the Enable Windows Hello for Business to the scope that matches your deployment (Computer vs. User)
 * Confirm you configure the Use Certificate enrollment for on-premises authentication policy setting.
 * Confirm you configure automatic certificate enrollment to the scope that matches your deployment (Computer vs. User)
diff --git a/windows/security/identity-protection/remote-credential-guard.md b/windows/security/identity-protection/remote-credential-guard.md
index 36ee129b4c..35f2f574ec 100644
--- a/windows/security/identity-protection/remote-credential-guard.md
+++ b/windows/security/identity-protection/remote-credential-guard.md
@@ -157,6 +157,8 @@ If you don't use Group Policy in your organization, or if not all your remote ho
 mstsc.exe /remoteGuard
 ```
+> [!NOTE]
+> The user must be part of administrators group.
 ## Considerations when using Windows Defender Remote Credential Guard
diff --git a/windows/security/information-protection/TOC.md b/windows/security/information-protection/TOC.md
index 00aaec6903..d1af453ff6 100644
--- a/windows/security/information-protection/TOC.md
+++ b/windows/security/information-protection/TOC.md
@@ -30,28 +30,29 @@
 ## [Kernel DMA Protection for Thunderbolt™ 3](kernel-dma-protection-for-thunderbolt.md)
 ## [Protect your enterprise data using Windows Information Protection (WIP)](windows-information-protection\protect-enterprise-data-using-wip.md)
-### [Create a Windows Information Protection (WIP) policy using Microsoft Intune](windows-information-protection\overview-create-wip-policy.md)
-#### [Create a Windows Information Protection (WIP) policy using the classic console for Microsoft Intune](windows-information-protection\create-wip-policy-using-intune.md)
-##### [Deploy your Windows Information Protection (WIP) policy using the classic console for Microsoft Intune](windows-information-protection\deploy-wip-policy-using-intune.md)
-##### [Associate and deploy a VPN policy for Windows Information Protection (WIP) using the classic console for Microsoft Intune](windows-information-protection\create-vpn-and-wip-policy-using-intune.md)
-#### [Create a Windows Information Protection (WIP) policy with MDM using the Azure portal for Microsoft Intune](windows-information-protection\create-wip-policy-using-intune-azure.md)
-##### [Deploy your Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune](windows-information-protection\deploy-wip-policy-using-intune-azure.md)
-##### [Associate and deploy a VPN policy for Windows Information Protection (WIP) using the Azure portal for Microsoft Intune](windows-information-protection\create-vpn-and-wip-policy-using-intune-azure.md)
-#### [Create a Windows Information Protection (WIP) policy with MAM using the Azure portal for Microsoft Intune](windows-information-protection\create-wip-policy-using-mam-intune-azure.md)
-### [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](windows-information-protection\overview-create-wip-policy-sccm.md)
-#### [Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager](windows-information-protection\create-wip-policy-using-sccm.md)
-### [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](windows-information-protection\create-and-verify-an-efs-dra-certificate.md)
-### [Determine the Enterprise Context of an app running in Windows Information Protection (WIP)](windows-information-protection\wip-app-enterprise-context.md)
-### [Mandatory tasks and settings required to turn on Windows Information Protection (WIP)](windows-information-protection\mandatory-settings-for-wip.md)
-### [Testing scenarios for Windows Information Protection (WIP)](windows-information-protection\testing-scenarios-for-wip.md)
-### [Limitations while using Windows Information Protection (WIP)](windows-information-protection\limitations-with-wip.md)
-### [How to collect Windows Information Protection (WIP) audit event logs](windows-information-protection\collect-wip-audit-event-logs.md)
-### [General guidance and best practices for Windows Information Protection (WIP)](windows-information-protection\guidance-and-best-practices-wip.md)
-#### [Enlightened apps for use with Windows Information Protection (WIP)](windows-information-protection\enlightened-microsoft-apps-and-wip.md)
-#### [Unenlightened and enlightened app behavior while using Windows Information Protection (WIP)](windows-information-protection\app-behavior-with-wip.md)
-#### [Recommended Enterprise Cloud Resources and Neutral Resources network settings with Windows Information Protection (WIP)](windows-information-protection\recommended-network-definitions-for-wip.md)
-#### [Using Outlook Web Access with Windows Information Protection (WIP)](windows-information-protection\using-owa-with-wip.md)
-### [Fine-tune Windows Information Protection (WIP) with WIP Learning](windows-information-protection\wip-learning.md)
+### [Create a WIP policy using Microsoft Intune](windows-information-protection\overview-create-wip-policy.md)
+#### [Create a WIP policy using the classic console for Microsoft Intune](windows-information-protection\create-wip-policy-using-intune.md)
+##### [Deploy your WIP policy using the classic console for Microsoft Intune](windows-information-protection\deploy-wip-policy-using-intune.md)
+##### [Associate and deploy a VPN policy for WIP using the classic console for Microsoft Intune](windows-information-protection\create-vpn-and-wip-policy-using-intune.md)
+#### [Create a WIP policy with MDM using the Azure portal for Microsoft Intune](windows-information-protection\create-wip-policy-using-intune-azure.md)
+##### [Deploy your WIP policy using the Azure portal for Microsoft Intune](windows-information-protection\deploy-wip-policy-using-intune-azure.md)
+##### [Associate and deploy a VPN policy for WIP using the Azure portal for Microsoft Intune](windows-information-protection\create-vpn-and-wip-policy-using-intune-azure.md)
+#### [Create a WIP policy with MAM using the Azure portal for Microsoft Intune](windows-information-protection\create-wip-policy-using-mam-intune-azure.md)
+### [Create a WIP policy using System Center Configuration Manager](windows-information-protection\overview-create-wip-policy-sccm.md)
+#### [Create and deploy a WIP policy using System Center Configuration Manager](windows-information-protection\create-wip-policy-using-sccm.md)
+### [Create and verify an EFS Data Recovery Agent (DRA) certificate](windows-information-protection\create-and-verify-an-efs-dra-certificate.md)
+### [Determine the Enterprise Context of an app running in WIP](windows-information-protection\wip-app-enterprise-context.md)
+### [Mandatory tasks and settings required to turn on WIP](windows-information-protection\mandatory-settings-for-wip.md)
+### [Testing scenarios for WIP](windows-information-protection\testing-scenarios-for-wip.md)
+### [Limitations while using WIP](windows-information-protection\limitations-with-wip.md)
+### [How to collect WIP audit event logs](windows-information-protection\collect-wip-audit-event-logs.md)
+### [General guidance and best practices for WIP](windows-information-protection\guidance-and-best-practices-wip.md)
+#### [Enlightened apps for use with WIP](windows-information-protection\enlightened-microsoft-apps-and-wip.md)
+#### [Unenlightened and enlightened app behavior while using WIP](windows-information-protection\app-behavior-with-wip.md)
+#### [Recommended Enterprise Cloud Resources and Neutral Resources network settings with WIP](windows-information-protection\recommended-network-definitions-for-wip.md)
+#### [Using Outlook Web Access with WIP](windows-information-protection\using-owa-with-wip.md)
+### [Fine-tune WIP Learning](windows-information-protection\wip-learning.md)
+### [How WIP works with sensitivity labels](windows-information-protection\how-wip-works-with-labels.md)
 ## [Secure the Windows 10 boot process](secure-the-windows-10-boot-process.md)
diff --git a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md b/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md
index 91d9c277db..d4ebe56664 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md
@@ -98,7 +98,7 @@ It requires direct ethernet connectivity to an enterprise Windows Deployment Ser There are a few different options to protect DMA ports, such as Thunderbolt™3. Beginning with Windows 10 version 1803, new Intel-based devices have kernel protection against DMA attacks via Thunderbolt™ 3 ports enabled by default. -This kernel DMA protection is available only for new systems beginning with Windows 10 version 1803, as it requires changes in the system firmware and/or BIOS. +This Kernel DMA Protection is available only for new systems beginning with Windows 10 version 1803, as it requires changes in the system firmware and/or BIOS. You can use the System Information desktop app (MSINFO32) to check if a device has kernel DMA protection enabled: @@ -107,7 +107,7 @@ You can use the System Information desktop app (MSINFO32) to check if a device h If kernel DMA protection *not* enabled, follow these steps to protect Thunderbolt™ 3 enabled ports: 1. Require a password for BIOS changes -2. Intel Thunderbolt Security must be set to User Authorization in BIOS settings +2. Intel Thunderbolt Security must be set to User Authorization in BIOS settings. Please refer to [Intel Thunderbolt™ 3 and Security on Microsoft Windows® 10 Operating System documentation](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf) 3. Additional DMA security may be added by deploying policy (beginning with Windows 10 version 1607): - MDM: [DataProtection/AllowDirectMemoryAccess](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-dataprotection#dataprotection-allowdirectmemoryaccess) policy 
@@ -188,4 +188,4 @@ For secure administrative workstations, Microsoft recommends TPM with PIN protec
 - [Blocking the SBP-2 driver and Thunderbolt controllers to reduce 1394 DMA and Thunderbolt DMA threats to BitLocker](https://support.microsoft.com/help/2516445/blocking-the-sbp-2-driver-and-thunderbolt-controllers-to-reduce-1394-d)
 - [BitLocker Group Policy settings](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings)
-- [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp)
\ No newline at end of file
+- [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp)
diff --git a/windows/security/information-protection/index.md b/windows/security/information-protection/index.md
index 5c7a8d5795..8d7bde1868 100644
--- a/windows/security/information-protection/index.md
+++ b/windows/security/information-protection/index.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 author: brianlic-msft
-ms.date: 09/17/2018
+ms.date: 10/10/2018
 ---
 # Information protection
@@ -16,7 +16,7 @@ Learn more about how to secure documents and other data across your organization
 | Section | Description |
 |-|-|
 | [BitLocker](bitlocker/bitlocker-overview.md)| Provides information about BitLocker, which is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. |
-| [Encrypted Hard Drive](bitlocker/bitlocker-overview.md)| Encrypted Hard Drive uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management. |
+| [Encrypted Hard Drive](encrypted-hard-drive.md)| Encrypted Hard Drive uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management. |
 | [Kernel DMA Protection for Thunderbolt™ 3](kernel-dma-protection-for-thunderbolt.md)| Kernel DMA Protection protects PCs against drive-by Direct Memory Access (DMA) attacks using PCI hot plug devices connected to Thunderbolt™ 3 ports. |
 | [Protect your enterprise data using Windows Information Protection (WIP)](windows-information-protection/protect-enterprise-data-using-wip.md)|Provides info about how to create a Windows Information Protection policy that can help protect against potential corporate data leakage.|
 | [Secure the Windows 10 boot process](secure-the-windows-10-boot-process.md)| Windows 10 supports features to help prevent rootkits and bootkits from loading during the startup process. |
diff --git a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
index 17127719eb..3f71393153 100644
--- a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
+++ b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 author: aadake
-ms.date: 09/19/2018
+ms.date: 10/03/2018
 ---
 # Kernel DMA Protection for Thunderbolt™ 3
@@ -19,7 +19,7 @@ Drive-by DMA attacks can lead to disclosure of sensitive information residing on
 This feature does not protect against DMA attacks via 1394/FireWire, PCMCIA, CardBus, ExpressCard, and so on.
-For Thunderbolt DMA protection on earlier Windows versions and other platforms that lack support for Kernel DMA Protection, please refer to Intel documentation.
+For Thunderbolt DMA protection on earlier Windows versions and other platforms that lack support for Kernel DMA Protection, please refer to [Intel Thunderbolt™ 3 Security documentation](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf).
 ## Background
@@ -61,11 +61,11 @@ Systems released prior to Windows 10 version 1803 do not support Kernel DMA Prot
 >[!NOTE]
 >Kernel DMA Protection is not compatible with other BitLocker DMA attacks countermeasures. It is recommended to disable the BitLocker DMA attacks countermeasures if the system supports Kernel DMA Protection. Kernel DMA Protection provides higher security bar for the system over the BitLocker DMA attack countermeasures, while maintaining usability of external peripherals.
-## Enabling Kernel DMA protection
+## How to check if Kernel DMA Protection is enabled
 Systems running Windows 10 version 1803 that do support Kernel DMA Protection do have this security feature enabled automatically by the OS with no user or IT admin configuration required.
-**To check if a device supports kernel DMA protection**
+**To check if a device supports Kernel DMA Protection**
 1. Launch MSINFO32.exe in a command prompt, or in the Windows search bar.
 2. Check the value of **Kernel DMA Protection**.
@@ -73,14 +73,16 @@ Systems running Windows 10 version 1803 that do support Kernel DMA Protection do 3. If the current state of **Kernel DMA Protection** is OFF and **Virtualization Technology in Firmware** is NO: - Reboot into BIOS settings - Turn on Intel Virtualization Technology. - - Turn on Intel Virtualization Technology for I/O (VT-d). In Windows 10 version 1803, only Intel VT-d is supported. Other platforms can use DMA attack mitigations described in BitLocker Countermeasures. + - Turn on Intel Virtualization Technology for I/O (VT-d). In Windows 10 version 1803, only Intel VT-d is supported. Other platforms can use DMA attack mitigations described in [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md). - Reboot system into Windows 10. -4. If the state of **Kernel DMA Protection** remains Off, then the system does not support this feature. +4. If the state of **Kernel DMA Protection** remains Off, then the system does not support this feature. + +For systems that do not support Kernel DMA Protection, please refer to the [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md) or [Thunderbolt™ 3 and Security on Microsoft Windows® 10 Operating system](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf) for other means of DMA protection. ## Frequently asked questions -### Do in-market systems support Kernel DMA protection for Thunderbolt™ 3? -In market systems, released with Windows 10 version 1709 or earlier, will not support Kernel DMA protection for Thunderbolt™ 3 after upgrading to Windows 10 version 1803, as this feature requires the BIOS/platform firmware changes and guarantees. +### Do in-market systems support Kernel DMA Protection for Thunderbolt™ 3? +In market systems, released with Windows 10 version 1709 or earlier, will not support Kernel DMA Protection for Thunderbolt™ 3 after upgrading to Windows 10 version 1803, as this feature requires the BIOS/platform firmware changes and guarantees. 
For these systems, please refer to the [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md) or [Thunderbolt™ 3 and Security on Microsoft Windows® 10 Operating system](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf) for other means of DMA protection. ### Does Kernel DMA Protection prevent drive-by DMA attacks during Boot? No, Kernel DMA Protection only protects against drive-by DMA attacks after the OS is loaded. It is the responsibility of the system firmware/BIOS to protect against attacks via the Thunderbolt™ 3 ports during boot. diff --git a/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md b/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md index 1ff26cb46d..1cc72bd01d 100644 --- a/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md +++ b/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md 
@@ -75,7 +75,7 @@ The adoption of new authentication technology requires that identity providers a
 Identity providers have flexibility in how they provision credentials on client devices. For example, an organization might provision only those devices that have a TPM so that the organization knows that a TPM protects the credentials. The ability to distinguish a TPM from malware acting like a TPM requires the following TPM capabilities (see Figure 1):
-• **Endorsement key**. The TPM manufacturer can create a special key in the TPM called an *endorsement key*. An endorsement key certificate, signed by the manufacturer, says that the endorsement key is present in a TPM that that manufacturer made. Solutions can use the certificate with the TPM containing the endorsement key to confirm a scenario really involves a TPM from a specific TPM manufacturer (instead of malware acting like a TPM.
+• **Endorsement key**. The TPM manufacturer can create a special key in the TPM called an *endorsement key*. An endorsement key certificate, signed by the manufacturer, says that the endorsement key is present in a TPM that the manufacturer made. Solutions can use the certificate with the TPM containing the endorsement key to confirm a scenario really involves a TPM from a specific TPM manufacturer (instead of malware acting like a TPM.
 • **Attestation identity key**. To protect privacy, most TPM scenarios do not directly use an actual endorsement key. Instead, they use attestation identity keys, and an identity certificate authority (CA) uses the endorsement key and its certificate to prove that one or more attestation identity keys actually exist in a real TPM. The identity CA issues attestation identity key certificates. More than one identity CA will generally see the same endorsement key certificate that can uniquely identify the TPM, but any number of attestation identity key certificates can be created to limit the information shared in other scenarios.
diff --git a/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md b/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md
index 1c8b475572..ed7d4a50ad 100644
--- a/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md
+++ b/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md
@@ -136,4 +136,4 @@ This table includes info about how enlightened apps might behave, based on your
 >[!NOTE]
->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
+>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
diff --git a/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md b/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md
index 92e3401948..7c0b4e23ef 100644
--- a/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md
+++ b/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md
@@ -65,86 +65,86 @@ Here are a few examples of responses from the Reporting CSP. #### File ownership on a file is changed from work to personal ``` -110SyncHdr200212Replace200314Get200414./Vendor/MSFT/Reporting/EnterpriseDataProtection/RetrieveByTimeRange/Logsxml<?xml version="1.0" encoding="utf-8"?> -<Reporting Version="com.contoso/2.0/MDM/Reporting"> - <User UserID="S-1-12-1-1111111111-1111111111-1111111111-1111111111" EnterpriseID="corp.contoso.com"> - <Log ProviderType="EDPAudit" LogType="ProtectionRemoved" TimeStamp="131357166318347527"> - <Policy>Protection removed</Policy> - <Justification>NULL</Justification> - <FilePath>C:\Users\TestUser\Desktop\tmp\demo\Work document.docx</FilePath> - </Log> - </User> -</Reporting> +110SyncHdr200212Replace200314Get200414./Vendor/MSFT/Reporting/EnterpriseDataProtection/RetrieveByTimeRange/Logsxml + + + + Protection removed + NULL + C:\Users\TestUser\Desktop\tmp\demo\Work document.docx + + + ``` #### A work file is uploaded to a personal webpage in Edge ``` -110SyncHdr200212Replace200314Get200414./Vendor/MSFT/Reporting/EnterpriseDataProtection/RetrieveByTimeRange/Logsxml<?xml version="1.0" encoding="utf-8"?> -<Reporting Version="com.contoso/2.0/MDM/Reporting"> - <User UserID="S-1-12-1-1111111111-1111111111-1111111111-1111111111" EnterpriseID="corp.contoso.com"> - <Log ProviderType="EDPAudit" LogType="DataCopied" TimeStamp="131357192409318534"> - <Policy>CopyPaste</Policy> - <Justification>NULL</Justification> - <SourceApplicationName>NULL</SourceApplicationName> - <DestinationEnterpriseID>NULL</DestinationEnterpriseID> - <DestinationApplicationName>mail.contoso.com</DestinationApplicationName> - <DataInfo>C:\Users\TestUser\Desktop\tmp\demo\Work document.docx</DataInfo> - </Log> - </User> -</Reporting> +110SyncHdr200212Replace200314Get200414./Vendor/MSFT/Reporting/EnterpriseDataProtection/RetrieveByTimeRange/Logsxml + + + + CopyPaste + NULL + NULL + NULL + mail.contoso.com + C:\Users\TestUser\Desktop\tmp\demo\Work 
document.docx + + + ``` #### Work data is pasted into a personal webpage ``` -110SyncHdr200212Replace200314Get200414./Vendor/MSFT/Reporting/EnterpriseDataProtection/RetrieveByTimeRange/Logsxml<?xml version="1.0" encoding="utf-8"?> -<Reporting Version="com.contoso/2.0/MDM/Reporting"> - <User UserID="S-1-12-1-1111111111-1111111111-1111111111-1111111111" EnterpriseID="corp.contoso.com"> - <Log ProviderType="EDPAudit" LogType="DataCopied" TimeStamp="131357193734179782"> - <Policy>CopyPaste</Policy> - <Justification>NULL</Justification> - <SourceApplicationName>O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT OFFICE 2016\WINWORD.EXE\16.0.8027.1000</SourceApplicationName> - <DestinationEnterpriseID>NULL</DestinationEnterpriseID> - <DestinationApplicationName>mail.contoso.com</DestinationApplicationName> - <DataInfo>EnterpriseDataProtectionId|Object Descriptor|Rich Text Format|HTML Format|AnsiText|Text|EnhancedMetafile|Embed Source|Link Source|Link Source Descriptor|ObjectLink|Hyperlink</DataInfo> - </Log> - </User> -</Reporting> +110SyncHdr200212Replace200314Get200414./Vendor/MSFT/Reporting/EnterpriseDataProtection/RetrieveByTimeRange/Logsxml + + + + CopyPaste + NULL + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT OFFICE 2016\WINWORD.EXE\16.0.8027.1000 + NULL + mail.contoso.com + EnterpriseDataProtectionId|Object Descriptor|Rich Text Format|HTML Format|AnsiText|Text|EnhancedMetafile|Embed Source|Link Source|Link Source Descriptor|ObjectLink|Hyperlink + + + ``` #### A work file is opened with a personal application ``` -110SyncHdr200212Replace200314Get200414./Vendor/MSFT/Reporting/EnterpriseDataProtection/RetrieveByTimeRange/Logsxml<?xml version="1.0" encoding="utf-8"?> -<Reporting Version="com.contoso/2.0/MDM/Reporting"> - <User UserID="S-1-12-1-1111111111-1111111111-1111111111-1111111111" EnterpriseID="corp.contoso.com"> - <Log ProviderType="EDPAudit" LogType="ApplicationGenerated" TimeStamp="131357194991209469"> - 
<Policy>NULL</Policy> - <Justification></Justification> - <Object>C:\Users\TestUser\Desktop\tmp\demo\Work document.docx</Object> - <Action>1</Action> - <SourceName>O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WORDPAD.EXE\10.0.15063.2</SourceName> - <DestinationEnterpriseID>Personal</DestinationEnterpriseID> - <DestinationName>O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WORDPAD.EXE\10.0.15063.2</DestinationName> - <Application>O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WORDPAD.EXE\10.0.15063.2</Application> - </Log> - </User> -</Reporting> +110SyncHdr200212Replace200314Get200414./Vendor/MSFT/Reporting/EnterpriseDataProtection/RetrieveByTimeRange/Logsxml + + + + NULL + + C:\Users\TestUser\Desktop\tmp\demo\Work document.docx + 1 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WORDPAD.EXE\10.0.15063.2 + Personal + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WORDPAD.EXE\10.0.15063.2 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WORDPAD.EXE\10.0.15063.2 + + + ``` #### Work data is pasted into a personal application ``` -110SyncHdr200212Replace200314Get200414./Vendor/MSFT/Reporting/EnterpriseDataProtection/RetrieveByTimeRange/Logsxml<?xml version="1.0" encoding="utf-8"?> -<Reporting Version="com.contoso/2.0/MDM/Reporting"> - <User UserID="S-1-12-1-1111111111-1111111111-1111111111-1111111111" EnterpriseID="corp.contoso.com"> - <Log ProviderType="EDPAudit" LogType="DataCopied" TimeStamp="131357196076537270"> - <Policy>CopyPaste</Policy> - <Justification>NULL</Justification> - <SourceApplicationName>O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT OFFICE 2016\WINWORD.EXE\16.0.8027.1000</SourceApplicationName> - <DestinationEnterpriseID>NULL</DestinationEnterpriseID> - 
<DestinationApplicationName></DestinationApplicationName> - <DataInfo>EnterpriseDataProtectionId|Object Descriptor|Rich Text Format|HTML Format|AnsiText|Text|EnhancedMetafile|Embed Source|Link Source|Link Source Descriptor|ObjectLink|Hyperlink</DataInfo> - </Log> - </User> -</Reporting> +110SyncHdr200212Replace200314Get200414./Vendor/MSFT/Reporting/EnterpriseDataProtection/RetrieveByTimeRange/Logsxml + + + + CopyPaste + NULL + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT OFFICE 2016\WINWORD.EXE\16.0.8027.1000 + NULL + + EnterpriseDataProtectionId|Object Descriptor|Rich Text Format|HTML Format|AnsiText|Text|EnhancedMetafile|Embed Source|Link Source|Link Source Descriptor|ObjectLink|Hyperlink + + + ``` ## Collect WIP audit logs by using Windows Event Forwarding (for Windows desktop domain-joined devices only) diff --git a/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md index c554266f44..06c6f03b54 100644 --- a/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md 
@@ -70,4 +70,4 @@ After you’ve created your VPN policy, you'll need to deploy it to the same gro ![Microsoft Intune: Pick your user groups that should get the policy when it's deployed](images/wip-azure-add-user-groups.png) >[!NOTE] ->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). \ No newline at end of file +>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). \ No newline at end of file diff --git a/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune.md b/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune.md index 990c0c34c4..faaddea437 100644 --- a/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune.md +++ b/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune.md @@ -113,7 +113,7 @@ The final step to making your VPN configuration work with WIP, is to link your t >[!NOTE] ->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). +>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). 
diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md index 06be6ec2fb..addb2e2df0 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md @@ -325,7 +325,7 @@ If you're running into compatibility issues where your app is incompatible with **To exempt a Store app, a Desktop app, or an AppLocker policy file from the Protected apps list** -1. In **Mobile apps - App protection policies**, click **Exempt apps**. +1. In **Client apps - App protection policies**, click **Exempt apps**. ![Exempt apps](images/exempt-apps.png) @@ -546,4 +546,4 @@ Optionally, if you don’t want everyone in your organization to be able to shar - [Azure RMS Documentation Update for May 2016](https://blogs.technet.microsoft.com/enterprisemobility/2016/05/31/azure-rms-documentation-update-for-may-2016/) >[!NOTE] ->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). +>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune.md index d75ea228ef..6593dc47a3 100644 
--- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune.md @@ -476,4 +476,4 @@ After you've decided where your protected apps can access enterprise data on you - [What is Azure Rights Management?]( https://docs.microsoft.com/information-protection/understand-explore/what-is-azure-rms) >[!NOTE] ->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). \ No newline at end of file +>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). \ No newline at end of file diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure.md index 5d23640044..1462462e93 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure.md @@ -50,7 +50,7 @@ After you’ve set up Intune for your organization, you must create a WIP-specif The Microsoft Intune Overview blade appears. -2. Click **Mobile apps**, click **App protection policies**, and then click **Add a policy**. +2. Click **Client apps**, click **App protection policies**, and then click **Add a policy**. ![Microsoft Intune management console: App policy link](images/wip-azure-portal-start-mam.png) 
@@ -71,12 +71,12 @@ After you’ve set up Intune for your organization, you must create a WIP-specif 4. Click **Create**. - The policy is created and appears in the table on the **Mobile apps - App protection policies** blade. + The policy is created and appears in the table on the **Client apps - App protection policies** blade. >[!NOTE] >Optionally, you can also add your apps and set your settings from the **Add a policy** blade, but for the purposes of this documentation, we recommend instead that you create the policy first, and then use the subsequent menus that become available. -## Add apps to your Allowed apps list +## Add apps to your Protected apps list During the policy-creation process in Intune, you can choose the apps you want to allow, as well as deny, access to your enterprise data through WIP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps. The steps to add your apps are based on the type of template being applied. You can add a recommended app, a store app (also known as a Universal Windows Platform (UWP) app), or a signed Windows desktop app. You can also import a list of approved apps or add exempt apps. @@ -84,19 +84,19 @@ The steps to add your apps are based on the type of template being applied. You In addition, you can create an app deny list related to the policy based on an **action** value. The action can be either **Allow** or **Deny**. When you specify the deny action for an app using the policy, corporate access is denied to the app. >[!Important] ->Enlightened apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.

    Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **Allowed apps** list. If you don’t get this statement, it’s possible that you could experience app compatibility issues due to an app losing the ability to access a necessary file after revocation. +>Enlightened apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.

    Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **Protected apps** list. If you don’t get this statement, it’s possible that you could experience app compatibility issues due to an app losing the ability to access a necessary file after revocation. -### Add a Recommended app to your Allowed apps list -For this example, we’re going to add a few recommended apps to the **Allowed apps** list. +### Add a Recommended app to your Protected apps list +For this example, we’re going to add a few recommended apps to the **Protected apps** list. **To add a recommended app** -1. From the **Mobile apps - App protection policies** blade, click the name of your policy, and then click **Allowed apps** from the menu that appears. +1. From the **Client apps - App protection policies** blade, click the name of your policy, and then click **Protected apps** from the menu that appears. - The **Allowed apps** blade appears, showing you any apps that are already included in the list for this policy. + The **Protected apps** blade appears, showing you any apps that are already included in the list for this policy. ![Microsoft Intune management console: Viewing the recommended apps that you can add to your policy](images/wip-azure-allowed-apps-pane.png) -2. From the **Allowed apps** blade, click **Add apps**. +2. From the **Protected apps** blade, click **Add apps**. The **Add apps** blade appears, showing you all **Recommended apps**. 
@@ -104,27 +104,27 @@ For this example, we’re going to add a few recommended apps to the **Allowed a 3. Select each app you want to access your enterprise data, and then click **OK**. - The **Allowed apps** blade updates to show you your selected apps. + The **Protected apps** blade updates to show you your selected apps. - ![Microsoft Intune management console: Allowed apps blade with recommended apps](images/wip-azure-allowed-apps-with-apps.png) + ![Microsoft Intune management console: Protected apps blade with recommended apps](images/wip-azure-allowed-apps-with-apps.png) -4. Click **Save** to save the **Allowed apps** list to your policy. +4. Click **Save** to save the **Protected apps** list to your policy. -### Add a Store app to your Allowed apps list -For this example, we’re going to add Microsoft Power BI, a Windows store app, to the **Allowed apps** list. +### Add a Store app to your Protected apps list +For this example, we’re going to add Microsoft Power BI, a Windows store app, to the **Protected apps** list. **To add a Store app** -1. From the **Mobile apps - App protection policies** blade, click the name of your policy, and then click **Allowed apps** from the menu that appears. +1. From the **Client apps - App protection policies** blade, click the name of your policy, and then click **Protected apps** from the menu that appears. - The **Allowed apps** blade appears, showing you any apps that are already included in the list for this policy. + The **Protected apps** blade appears, showing you any apps that are already included in the list for this policy. -2. From the **Allowed apps** blade, click **Add apps**. +2. From the **Protected apps** blade, click **Add apps**. 3. On the **Add apps** blade, click **Store apps** from the dropdown list. 4. Type the friendly name of the app, the publisher info, and the product name. 
For this example, the **Publisher** is `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US` and the **Product name** is `Microsoft.MicrosoftPowerBIForWindows`. -5. After you’ve entered the info into the fields, click **OK** to add the app to your **Allowed apps** list, and then click **Save** to save the **Allowed apps** list to your policy. +5. After you’ve entered the info into the fields, click **OK** to add the app to your **Protected apps** list, and then click **Save** to save the **Protected apps** list to your policy. >[!NOTE] >To add multiple Store apps at the same time, you can click the menu **(…)** at the end of the app row, and continue to add more apps. When you’re done, click **OK**. @@ -180,15 +180,15 @@ If you don't know the publisher or product name for your Store app, you can find >The JSON file might also return a windowsPhoneLegacyId value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as windowsPhoneLegacyId, and set the **Publisher Name** as CN= followed by the windowsPhoneLegacyId.

    For example:
    {
    "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
    }
    -### Add a Desktop app to your Allowed apps list -For this example, we’re going to add WordPad, a Desktop app, to the **Allowed apps** list. +### Add a Desktop app to your Protected apps list +For this example, we’re going to add WordPad, a Desktop app, to the **Protected apps** list. **To add a Desktop app** -1. From the **Mobile apps - App protection policies** blade, click the name of your policy, and then click **Allowed apps** from the menu that appears. +1. From the **Client apps - App protection policies** blade, click the name of your policy, and then click **Protected apps** from the menu that appears. - The **Allowed apps** blade appears, showing you any apps that are already included in the list for this policy. + The **Protected apps** blade appears, showing you any apps that are already included in the list for this policy. -2. From the **Allowed apps** blade, click **Add apps**. +2. From the **Protected apps** blade, click **Add apps**. 3. On the **Add apps** blade, click **Desktop apps** from the dropdown list. @@ -233,7 +233,7 @@ For this example, we’re going to add WordPad, a Desktop app, to the **Allowed -4. After you’ve entered the info into the fields, click **OK** to add the app to your **Allowed apps** list, and then click **Save** to save the **Allowed apps** list to your policy. +4. After you’ve entered the info into the fields, click **OK** to add the app to your **Protected apps** list, and then click **Save** to save the **Protected apps** list to your policy. >[!Note] >To add multiple Desktop apps at the same time, you can click the menu **(…)** at the end of the app row, and then continue to add more apps. When you’re done, click **OK**. 
@@ -257,10 +257,10 @@ Path Publisher ``` Where the text, `O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US` is the publisher name to enter into the **Publisher** box and `WORDPAD.EXE` is the text to enter into the **File** box. -### Import a list of apps to your Allowed apps list -For this example, we’re going to add an AppLocker XML file to the **Allowed apps** list. You’ll use this option if you want to add multiple apps at the same time. For more info about AppLocker, see the [AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/applocker-overview) content. +### Import a list of apps to your Protected apps list +For this example, we’re going to add an AppLocker XML file to the **Protected apps** list. You’ll use this option if you want to add multiple apps at the same time. For more info about AppLocker, see the [AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/applocker-overview) content. -**To create a list of Allowed apps using the AppLocker tool** +**To create a list of Protected apps using the AppLocker tool** 1. Open the Local Security Policy snap-in (SecPol.msc). @@ -334,9 +334,9 @@ For this example, we’re going to add an AppLocker XML file to the **Allowed ap 12. After you’ve created your XML file, you need to import it by using Microsoft Intune. -**To import your list of Allowed apps using Microsoft Intune** +**To import your list of Protected apps using Microsoft Intune** -1. From the **Allowed apps** area, click **Import apps**. +1. From the **Protected apps** area, click **Import apps**. The blade changes to let you add your import file. 
@@ -349,7 +349,7 @@ For this example, we’re going to add an AppLocker XML file to the **Allowed ap ### Add exempt apps to your policy If you're running into compatibility issues where your app is incompatible with WIP, but still needs to be used with enterprise data, you can exempt the app from the WIP restrictions. This means that your apps won't include auto-encryption or tagging and won't honor your network restrictions. It also means that your exempted apps might leak. -**To exempt a Store app, a Desktop app, or an AppLocker policy file from the Allowed apps list** +**To exempt a Store app, a Desktop app, or an AppLocker policy file from the Protected apps list** 1. From the **App policy** blade, click the name of your policy, and then click **Exempt apps** from the menu that appears. 
@@ -361,13 +361,13 @@ If you're running into compatibility issues where your app is incompatible with 3. Fill out the rest of the app info, based on the type of app you’re adding: - - **Recommended app.** Follow the instructions in the [Add a Recommended app to your Allowed apps list](#add-a-recommended-app-to_your-allowed-apps-list) section of this topic. + - **Recommended app.** Follow the instructions in the [Add a Recommended app to your Protected apps list](#add-a-recommended-app-to_your-allowed-apps-list) section of this topic. - - **Store app.** Follow the instructions in the [Add a Store app to your Allowed apps list](#add-a-store-app-to_your-allowed-apps-list) section of this topic. + - **Store app.** Follow the instructions in the [Add a Store app to your Protected apps list](#add-a-store-app-to_your-allowed-apps-list) section of this topic. - - **Desktop app.** Follow the instructions in the [Add a Desktop app to your Allowed apps list](#add-a-desktop-app-to_your-allowed-apps-list) section of this topic. + - **Desktop app.** Follow the instructions in the [Add a Desktop app to your Protected apps list](#add-a-desktop-app-to_your-allowed-apps-list) section of this topic. - - **AppLocker policy file.** Follow the instructions to create your app list in the [Import a list of apps to your Allowed apps list](#import-a-list-of-apps-to_your-allowed-apps-list) section of this topic, using a list of exempted apps. + - **AppLocker policy file.** Follow the instructions to create your app list in the [Import a list of apps to your Protected apps list](#import-a-list-of-apps-to_your-allowed-apps-list) section of this topic, using a list of exempted apps. 4. Click **OK**. 
@@ -384,7 +384,7 @@ We recommend that you start with **Silent** or **Allow Overrides** while verifyi **To add your protection mode** -1. From the **Mobile apps - App protection policies** blade, click the name of your policy, and then click **Required settings** from the menu that appears. +1. From the **Client apps - App protection policies** blade, click the name of your policy, and then click **Required settings** from the menu that appears. The **Required settings** blade appears. @@ -406,7 +406,7 @@ Starting with Windows 10, version 1703, Intune automatically determines your cor **To change your corporate identity** -1. From the **Mobile apps - App protection policies** blade, click the name of your policy, and then click **Required settings** from the menu that appears. +1. From the **Client apps - App protection policies** blade, click the name of your policy, and then click **Required settings** from the menu that appears. The **Required settings** blade appears. @@ -427,7 +427,7 @@ Intune will add SharePoint sites that are discovered through the Graph API. You **To define where your allowed apps can find and send enterprise data on you network** -1. From the **Mobile apps - App protection policies** blade, click the name of your policy, and then click **Advanced settings** from the menu that appears. +1. From the **Client apps - App protection policies** blade, click the name of your policy, and then click **Advanced settings** from the menu that appears. The **Advanced settings** blade appears. 
@@ -501,7 +501,7 @@ After you create and deploy your WIP policy to your employees, Windows begins to >Using a DRA certificate isn’t mandatory. However, we strongly recommend it. For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](https://go.microsoft.com/fwlink/p/?LinkId=761462) topic. For more info about creating and verifying your EFS DRA certificate, see the [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md) topic. **To upload your DRA certificate** -1. From the **Mobile apps - App protection policies** blade, click the name of your policy, and then click **Advanced settings** from the menu that appears. +1. From the **Client apps - App protection policies** blade, click the name of your policy, and then click **Advanced settings** from the menu that appears. The **Advanced settings** blade appears. @@ -514,7 +514,7 @@ After you've decided where your protected apps can access enterprise data on you **To set your optional settings** -1. From the **Mobile apps - App protection policies** blade, click the name of your policy, and then click **Advanced settings** from the menu that appears. +1. From the **Client apps - App protection policies** blade, click the name of your policy, and then click **Advanced settings** from the menu that appears. The **Advanced settings** blade appears. @@ -572,7 +572,7 @@ You can turn on Windows Hello for Business, letting your employees use it as a s **To turn on and configure Windows Hello for Business** -1. From the **Mobile apps - App protection policies** blade, click the name of your policy, and then click **Advanced settings** from the menu that appears. +1. From the **Client apps - App protection policies** blade, click the name of your policy, and then click **Advanced settings** from the menu that appears. The **Advanced settings** blade appears. 
@@ -636,7 +636,7 @@ After you’ve created your policy, you'll need to deploy it to your employees. **To deploy your policy** -1. On the **Mobile apps - App protection policies** pane, click your newly-created policy, click **Assignments** from the menu that appears, and then click **Select groups**. +1. On the **Client apps - App protection policies** pane, click your newly-created policy, click **Assignments** from the menu that appears, and then click **Select groups**. A list of user groups, made up of all of the security groups in your Azure Active Directory, appear in the **Add user group** pane. diff --git a/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md index d686c6df22..3ff66496cf 100644 --- a/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: security author: justinha ms.localizationpriority: medium -ms.date: 09/11/2017 +ms.date: 10/15/2018 --- # Deploy your Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune 
@@ -22,19 +22,17 @@ After you’ve created your Windows Information Protection (WIP) policy, you'll **To deploy your WIP policy** -1. On the **App policy** pane, click your newly-created policy, click **User groups** from the menu that appears, and then click **Add user group**. - - A list of user groups, made up of all of the security groups in your Azure Active Directory, appear in the **Add user group** pane. +1. On the **App protection policies** pane, click your newly-created policy, click **Assignments**, and then select groups to include or exclude from the policy. 2. Choose the group you want your policy to apply to, and then click **Select** to deploy the policy. - The policy is deployed to the selected users' devices. + The policy is deployed to the selected users' devices. - ![Microsoft Intune: Pick your user groups that should get the policy when it's deployed](images/wip-azure-add-user-groups.png) + ![Microsoft Intune: Pick your user groups that should get the policy when it's deployed](images/wip-azure-add-user-groups.png) >[!NOTE] ->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). +>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). ## Related topics - [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) diff --git a/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune.md b/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune.md index 26b5ff9472..6d41dd0d2a 100644 
--- a/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune.md +++ b/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune.md @@ -35,7 +35,7 @@ The added people move to the **Selected Groups** list on the right-hand pane. The policy is deployed to the selected users' devices. >[!NOTE] ->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). +>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). ## Related topics - [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) diff --git a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md index e91d6c96e7..52503527a1 100644 --- a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md +++ b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security author: justinha ms.localizationpriority: medium -ms.date: 05/30/2018 +ms.date: 10/11/2018 --- # List of enlightened Microsoft apps for use with Windows Information Protection (WIP) 
@@ -32,7 +32,7 @@ Apps can be enlightened or unenlightened: - Windows **Save As** experiences only allow you to save your files as enterprise. -- **WIP-work only apps** are unenlightened line-of-business apps that have been tested and deemed safe for use in an enterprise with WIP and Mobile App Management (MAM) solutions. +- **WIP-work only apps** are unenlightened line-of-business apps that have been tested and deemed safe for use in an enterprise with WIP and Mobile App Management (MAM) solutions without device enrollment. Unenlightened apps that are targeted by WIP without enrollment run under personal mode. ## List of enlightened Microsoft apps Microsoft has made a concerted effort to enlighten several of our more popular apps, including the following: @@ -82,7 +82,7 @@ You can add any or all of the enlightened Microsoft apps to your allowed apps li |PowerPoint Mobile |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
    **Product Name:** Microsoft.Office.PowerPoint
    **App Type:** Universal app | |OneNote |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
    **Product Name:** Microsoft.Office.OneNote
    **App Type:** Universal app | |Outlook Mail and Calendar |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
    **Product Name:** microsoft.windowscommunicationsapps
    **App Type:** Universal app | -|Office 365 ProPlus|Office 365 ProPlus apps are set up as a suite. You must use the [O365 ProPlus - Allow and Exempt AppLocker policy files (.zip files)](https://download.microsoft.com/download/7/0/D/70D72459-D72D-4673-B309-F480E3BEBCC9/O365%20ProPlus%20-%20WIP%20Enterprise%20AppLocker%20Policy%20Files.zip) to turn the suite on for WIP.
    We don't recommend setting up Office by using individual paths or publisher rules.| +|Office 365 ProPlus and Office 2019 Professional Plus |Office 365 ProPlus and Office 2019 Professional Plus apps are set up as a suite. You must use the [O365 ProPlus - Allow and Exempt AppLocker policy files (.zip files)](https://download.microsoft.com/download/7/0/D/70D72459-D72D-4673-B309-F480E3BEBCC9/O365%20ProPlus%20-%20WIP%20Enterprise%20AppLocker%20Policy%20Files.zip) to turn the suite on for WIP.
    We don't recommend setting up Office by using individual paths or publisher rules.| |Microsoft Photos |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
    **Product Name:** Microsoft.Windows.Photos
    **App Type:** Universal app | |Groove Music |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
    **Product Name:** Microsoft.ZuneMusic
    **App Type:** Universal app | |Microsoft Movies & TV |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
    **Product Name:** Microsoft.ZuneVideo
    **App Type:** Universal app | @@ -97,4 +97,4 @@ You can add any or all of the enlightened Microsoft apps to your allowed apps li >[!NOTE] ->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). \ No newline at end of file +>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). \ No newline at end of file diff --git a/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip.md b/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip.md index 8e0e18f98a..f02c43a630 100644 --- a/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip.md +++ b/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip.md @@ -29,4 +29,4 @@ This section includes info about the enlightened Microsoft apps, including how t |[Using Outlook on the web with Windows Information Protection (WIP)](using-owa-with-wip.md) |Options for using Outlook on the web with Windows Information Protection (WIP). | >[!NOTE] ->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). +>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). 
diff --git a/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md b/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md
new file mode 100644
index 0000000000..67d918b484
--- /dev/null
+++ b/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md
@@ -0,0 +1,88 @@
+---
+title: How Windows Information Protection (WIP) protects files with a sensitivity label (Windows 10)
+description: Explains how Windows Information Protection works with other Microsoft information protection technologies to protect files that have a sensitivity label.
+keywords: sensitivity, labels, WIP, Windows Information Protection, EDP, Enterprise Data Protection
+ms.prod: w10
+ms.mktglfcycl: explore
+ms.sitesec: library
+ms.pagetype: security
+author: justinha
+ms.localizationpriority: medium
+ms.date: 10/12/2018
+---
+
+# How Windows Information Protection protects files with a sensitivity label
+
+**Applies to:**
+
+- Windows 10, version 1809
+
+This topic explains how Windows Information Protection works with other Microsoft information protection technologies to protect files that have a sensitivity label.
+Microsoft information protection technologies work together as an integrated solution to help enterprises:
+
+- Discover corporate data on endpoint devices
+- Classify and label information based on its content and context
+- Protect corporate data from unintentionally leaving to non-business environments
+- Enable audit reports of user interactions with corporate data on endpoint devices
+
+Microsoft information protection technologies include:
+
+- [Windows Information Protection (WIP)](protect-enterprise-data-using-wip.md) is built in to Windows 10 and protects data at rest on endpoint devices, and manages apps to protect data in use.
+
+- [Office 365 Information Protection](https://docs.microsoft.com/office365/securitycompliance/office-365-info-protection-for-gdpr-overview) is a solution to classify, protect, and monitor personal data in Office 365 and other first-party or third-party Software-as-a-Service (SaaS) apps.
+
+- [Azure Information Protection](https://docs.microsoft.com/azure/information-protection/what-is-information-protection) is a cloud-based solution that can be purchased either standalone or as part of Microsoft 365 Enterprise. It helps an organization classify and protect its documents and emails by applying labels. End users can choose and apply sensitivity labels from a bar that appears below the ribbon in Office apps:
+
+ ![Sensitivity labels](images/sensitivity-labels.png)
+
+## Default WIP behaviors for a sensitivity label
+
+Enterprises can create and manage sensitivity labels on the **Labels** page in the Office 365 Security & Compliance Center.
+When you create a sensitivity label, you can specify that endpoint protection should apply to content with that label.
+WIP enforces default endpoint protection depending on how the sensitivity label is configured:
+
+- When the sensitivity label is configured for endpoint protection of content that includes business data, the device enforces work protection for documents with the label
+- When the sensitivity label is *not configured* for endpoint protection, the device reverts to whatever WIP policy has been defined in Intune or System Center Configuration Manager (SCCM):
+ - If the document is downloaded from a work site, the device enforces work protection
+ - If the document is downloaded from a personal site, no work protection is applied
+
+For more information about labels, see [Overview of labels](https://docs.microsoft.com/office365/securitycompliance/labels).
+
+## Use cases
+
+This section covers how WIP works with sensitivity labels in specific use cases.
+
+### User downloads from or creates a document on a work site
+
+If WIP policy is deployed, any document that is downloaded from a work site, or created on a work site, will have WIP protection regradless of whether the document has a sensitivity label.
+
+If the document also has a sensitivity label, which can be Office or PDF files, WIP protection is applied according to the label.
+
+### User downloads a confidential Office or PDF document from a personal site
+
+Windows Defender Advanced Threat Protection (Windows Defender ATP) scans for any file that gets modified or created, including files that were created on a personal site.
+If the file has a sensitivity label, the corresponding WIP protection gets applied even though the file came from a personal site.
+For example:
+
+1. Sara creates a PDF file on a Mac and labels it as **Confidential**.
+2. She emails the PDF from her Gmail account to Laura.
+3. Laura opens the PDF file on her Windows 10 device.
+4. WIP policy gets applied and the file is protected.
+
+The PDF file doesn't need any work context beyond the sensitivity label.
+
+## Prerequisites
+
+- Windows 10, version 1809
+- [Windows Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection) scans content for a label and applies corresponding WIP protection
+- [Sensitivity labels](https://docs.microsoft.com/office365/securitycompliance/labels) need to be configured in the Office 365 Security & Compliance Center
+- WIP policy needs to be applied to endpoint devices by using [Intune](create-wip-policy-using-intune-azure.md) or [System Center Configuration Manager (SCCM)](overview-create-wip-policy-sccm.md).
+
+
+
+
+
+
+
+
+
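Review bot: The personal-site use case states the label condition more broadly than the "Default WIP behaviors" section of the same file. That section says a label that is *not configured* for endpoint protection falls back to the WIP policy, under which a download from a personal site gets no work protection, but the use case says only `If the file has a sensitivity label, the corresponding WIP protection gets applied`. I would narrow it to `If the file has a sensitivity label that is configured for endpoint protection, the corresponding WIP protection gets applied even though the file came from a personal site.` so readers do not assume every labelled file is protected. Separately, `regradless` in the work-site use case should be `regardless`.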
diff --git a/windows/security/information-protection/windows-information-protection/images/access-wip-learning-report.png b/windows/security/information-protection/windows-information-protection/images/access-wip-learning-report.png index cf48ea50fc..12d4f6eefd 100644 Binary files a/windows/security/information-protection/windows-information-protection/images/access-wip-learning-report.png and b/windows/security/information-protection/windows-information-protection/images/access-wip-learning-report.png differ diff --git a/windows/security/information-protection/windows-information-protection/images/sensitivity-labels.png b/windows/security/information-protection/windows-information-protection/images/sensitivity-labels.png new file mode 100644 index 0000000000..89a133bcbe Binary files /dev/null and b/windows/security/information-protection/windows-information-protection/images/sensitivity-labels.png differ diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-add-user-groups.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-add-user-groups.png index 08afdf96b5..f453431070 100644 Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-add-user-groups.png and b/windows/security/information-protection/windows-information-protection/images/wip-azure-add-user-groups.png differ diff --git a/windows/security/information-protection/windows-information-protection/images/wip-in-oms-console-link.png b/windows/security/information-protection/windows-information-protection/images/wip-in-oms-console-link.png index e0dc52bd86..fdbc950c9e 100644 Binary files a/windows/security/information-protection/windows-information-protection/images/wip-in-oms-console-link.png and b/windows/security/information-protection/windows-information-protection/images/wip-in-oms-console-link.png differ 
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-learning-select-report.png b/windows/security/information-protection/windows-information-protection/images/wip-learning-select-report.png index 4f5a81b9a2..926a3c4473 100644 Binary files a/windows/security/information-protection/windows-information-protection/images/wip-learning-select-report.png and b/windows/security/information-protection/windows-information-protection/images/wip-learning-select-report.png differ diff --git a/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md b/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md index accb65ae90..4005e8742f 100644 --- a/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md +++ b/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md @@ -1,7 +1,7 @@ --- title: Mandatory tasks and settings required to turn on Windows Information Protection (WIP) (Windows 10) description: This list provides all of the tasks that are required for the operating system to turn on Windows Information Protection (WIP), formerly known as enterprise data protection (EDP) in your enterprise. -keywords: Windows Information Protection, WIP, EDP, Enterprise Data Protection, protected apps, protected app list, App Rules, Allowed apps list +keywords: Windows Information Protection, WIP, EDP, Enterprise Data Protection, protected apps, protected app list, App Rules, Protected apps list ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library 
@@ -24,7 +24,7 @@ This list provides all of the tasks and settings that are required for the opera |Task|Description| |----|-----------| -|Add at least one app to the **Allowed apps** list in your WIP policy.|You must have at least one app added to your **Allowed apps** list. For more info about where this area is and how to add apps, see the **Add apps to your Allowed apps list** section of the policy creation topics.| +|Add at least one app to the **Protected apps** list in your WIP policy.|You must have at least one app added to your **Protected apps** list. For more info about where this area is and how to add apps, see the **Add apps to your Protected apps list** section of the policy creation topics.| |Choose your WIP protection level.|You must choose the level of protection you want to apply to your WIP-protected content, including **Allow Overrides**, **Silent**, or **Hide Overrides**. For more info about where this area is and how to decide on your protection level, see the **Manage the WIP protection mode for your enterprise data** section of the policy creation topics. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).| |Specify your corporate identity.|This field is automatically filled out for you by Microsoft Intune. However, you must manually correct it if it’s incorrect or if you need to add additional domains. For more info about where this area is and what it means, see the **Define your enterprise-managed corporate identity** section of the policy creation topics. |Specify your network domain names.|Starting with Windows 10, version 1703, this field is optional.

    Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected. For more info about where this area is and how to add your suffixes, see the table that appears in the **Choose where apps can access enterprise data** section of the policy creation topics.| @@ -33,4 +33,4 @@ This list provides all of the tasks and settings that are required for the opera >[!NOTE] ->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). \ No newline at end of file +>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). \ No newline at end of file diff --git a/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md b/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md index 6ebcf8b468..8ce020a25f 100644 --- a/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md +++ b/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md 
@@ -77,7 +77,7 @@ WIP gives you a new way to manage data policy enforcement for apps and documents - **Copying or downloading enterprise data.** When an employee or an app downloads content from a location like SharePoint, a network share, or an enterprise web location, while using a WIP-protected device, WIP encrypts the data on the device. - - **Using allowed apps.** Managed apps (apps that you've included on the **Allowed apps** list in your WIP policy) are allowed to access your enterprise data and will interact differently when used with unallowed, non-enterprise aware, or personal-only apps. For example, if WIP management is set to **Block**, your employees can copy and paste from one protected app to another allowed app, but not to personal apps. Imagine an HR person wants to copy a job description from an allowed app to the internal career website, an enterprise-protected location, but goofs and tries to paste into a personal app instead. The paste action fails and a notification pops up, saying that the app couldn’t paste because of a policy restriction. The HR person then correctly pastes to the career website without a problem. + - **Using allowed apps.** Managed apps (apps that you've included on the **Protected apps** list in your WIP policy) are allowed to access your enterprise data and will interact differently when used with unallowed, non-enterprise aware, or personal-only apps. For example, if WIP management is set to **Block**, your employees can copy and paste from one protected app to another allowed app, but not to personal apps. Imagine an HR person wants to copy a job description from an allowed app to the internal career website, an enterprise-protected location, but goofs and tries to paste into a personal app instead. The paste action fails and a notification pops up, saying that the app couldn’t paste because of a policy restriction. The HR person then correctly pastes to the career website without a problem. 
- **Managed apps and restrictions.** With WIP you can control which apps can access and use your enterprise data. After adding an app to your allowed apps list, the app is trusted with enterprise data. All apps not on this list are stopped from accessing your enterprise data, depending on your WIP management-mode. @@ -147,4 +147,4 @@ After deciding to use WIP in your enterprise, you need to: >[!NOTE] ->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). +>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). diff --git a/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md b/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md index d9b56f7ad3..e352e66a52 100644 --- a/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md +++ b/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md @@ -7,7 +7,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security ms.author: justinha -ms.date: 05/30/2018 +ms.date: 10/18/2018 ms.localizationpriority: medium --- 
@@ -20,7 +20,7 @@ ms.localizationpriority: medium >Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/WindowsForBusiness/Compare). -We recommend that you add the following URLs to the Enterprise Cloud Resources and Neutral Resources network settings, when used with Windows Information Protection (WIP). +We recommend that you add the following URLs to the Enterprise Cloud Resources and Neutral Resources network settings when you create a WIP policy. If you are using Intune, the SharePoint entries may be added automatically. ## Recommended Enterprise Cloud Resources This table includes the recommended URLs to add to your Enterprise Cloud Resources network setting, based on the apps you use in your organization. diff --git a/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md b/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md index f9318f3384..fda5027ad2 100644 --- a/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md +++ b/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md @@ -170,4 +170,4 @@ You can try any of the processes included in these scenarios, but you should foc >[!NOTE] ->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). \ No newline at end of file +>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). \ No newline at end of file 
diff --git a/windows/security/information-protection/windows-information-protection/wip-learning.md b/windows/security/information-protection/windows-information-protection/wip-learning.md index 429aa1c479..b38f4e82d9 100644 --- a/windows/security/information-protection/windows-information-protection/wip-learning.md +++ b/windows/security/information-protection/windows-information-protection/wip-learning.md @@ -8,9 +8,16 @@ ms.prod: w10 ms.mktglfcycl: ms.sitesec: library ms.pagetype: security +<<<<<<< HEAD author: coreyp-at-msft ms.localizationpriority: medium ms.date: 08/08/2018 +======= +author: justinha +ms.author: justinha +ms.localizationpriority: medium +ms.date: 10/15/2018 +>>>>>>> refs/remotes/origin/master --- # Fine-tune Windows Information Protection (WIP) with WIP Learning @@ -27,6 +34,7 @@ In the **Website learning report**, you can view a summary of the devices that h ## Access the WIP Learning reports +<<<<<<< HEAD 1. Open the [Azure portal](http://portal.azure.com/). Choose **All services**. Type **Intune** in the text box filter. 2. Choose **Intune** > **Mobile Apps**. 
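Review bot: Unresolved merge-conflict markers are being committed as page content: this hunk adds `<<<<<<< HEAD`, `=======` and `>>>>>>> refs/remotes/origin/master` inside the front matter, and the hunks at -27, -40 and -98 of the same file add the rest of the same pattern around the report steps and the closing note. Both sides of every conflict are kept, so the front matter ends up with two `author`, `ms.localizationpriority` and `ms.date` entries and the procedure shows the old **Mobile Apps** path alongside the new **Client apps** path. Resolve each conflict to one side (the origin/master side appears to be the intended one, given the newer `ms.date: 10/15/2018`) and delete the marker lines before merging. The front matter starts above this hunk, so its other keys are not visible here.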
@@ -40,6 +48,19 @@ In the **Website learning report**, you can view a summary of the devices that h 5. Finally, select either **App learning report for Windows Information Protection**, or **Website learning report for Windows Information Protection**. ![Image showing the UI with for app and website learning reports](images/wip-learning-select-report.png) +======= +1. Open the [Azure portal](http://portal.azure.com/). + +1. Click **All services**, type **Intune** in the text box filter, and click the star to add it to **Favorites**. + +1. Click **Intune** > **Client apps** > **App protection status** > **Reports**. + + ![Image showing the UI path to the WIP report](images/access-wip-learning-report.png) + +1. Select either **App learning report for Windows Information Protection** or **Website learning report for Windows Information Protection**. + + ![Image showing the UI with for app and website learning reports](images/wip-learning-select-report.png) +>>>>>>> refs/remotes/origin/master Once you have the apps and websites showing up in the WIP Learning logging reports, you can decide whether to add them to your app protection policies. Next, we'll look at how to do that in Operations Management Suite (OMS). 
@@ -98,4 +119,8 @@ Here, you can copy the **WipAppid** and use it to adjust your WIP protection pol When working with WIP-enabled apps and WIP-unknown apps, it is recommended that you start with **Silent** or **Allow overrides** while verifying with a small group that you have the right apps on your allowed apps list. After you're done, you can change to your final enforcement policy, **Block**. For more information about WIP modes, see: [Protect enterprise data using WIP: WIP-modes](protect-enterprise-data-using-wip.md#bkmk-modes) >[!NOTE] ->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). \ No newline at end of file +<<<<<<< HEAD +>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). +======= +>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). +>>>>>>> refs/remotes/origin/master diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index fdc4981748..a48a31d0b7 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md 
@@ -17,6 +17,11 @@ #### [Endpoint detection and response](windows-defender-atp/overview-endpoint-detection-response.md) ##### [Security operations dashboard](windows-defender-atp/security-operations-dashboard-windows-defender-advanced-threat-protection.md) +##### [Incidents queue](windows-defender-atp/incidents-queue.md) +###### [View and organize the Incidents queue](windows-defender-atp/view-incidents-queue.md) +###### [Manage incidents](windows-defender-atp/manage-incidents-windows-defender-advanced-threat-protection.md) +###### [Investigate incidents](windows-defender-atp/investigate-incidents-windows-defender-advanced-threat-protection.md) + ##### Alerts queue ###### [View and organize the Alerts queue](windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md) 
@@ -90,11 +95,11 @@ ####### [Get alert related file information](windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection.md) ####### [Get alert related IP information](windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection.md) ####### [Get alert related machine information](windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection.md) -#######Domain -######## [Get domain related alerts](windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md) -######## [Get domain related machines](windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md) -######## [Get domain statistics](windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md) -######## [Is domain seen in organization](windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md) +######Domain +####### [Get domain related alerts](windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md) +####### [Get domain related machines](windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md) +####### [Get domain statistics](windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md) +####### [Is domain seen in organization](windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md) ######File ####### [Block file API](windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md) 
@@ -130,6 +135,10 @@ ####### [Restrict app execution API](windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md) ####### [Run antivirus scan API](windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md) ####### [Stop and quarantine file API](windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md) +######Machines Security States +####### [Get MachineSecurityStates collection](windows-defender-atp/get-machinesecuritystates-collection-windows-defender-advanced-threat-protection.md) +######Machine Groups +####### [Get MachineGroups collection](windows-defender-atp/get-machinegroups-collection-windows-defender-advanced-threat-protection.md) ######User ####### [Get alert related user information](windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection.md) @@ -137,6 +146,10 @@ ####### [Get user related alerts](windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md) ####### [Get user related machines](windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md) +######Windows updates (KB) info +####### [Get KbInfo collection](windows-defender-atp/get-kbinfo-collection-windows-defender-advanced-threat-protection.md) +######Common Vulnerabilities and Exposures (CVE) to KB map +####### [Get CVE-KB map](windows-defender-atp/get-cvekbmap-collection-windows-defender-advanced-threat-protection.md) ##### [Managed security service provider support](windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection.md) 
@@ -394,6 +407,12 @@ #### [Software developer FAQ](intelligence/developer-faq.md) #### [Software developer resources](intelligence/developer-resources.md) +## Windows Certifications + +### [FIPS 140 Validations](fips-140-validation.md) +### [Common Criteria Certifications](windows-platform-common-criteria.md) + + ## More Windows 10 security ### [The Windows Security app](windows-defender-security-center/windows-defender-security-center.md) @@ -449,6 +468,7 @@ ##### [Planning and deploying advanced security audit policies](auditing/planning-and-deploying-advanced-security-audit-policies.md) ##### [Advanced security auditing FAQ](auditing/advanced-security-auditing-faq.md) ###### [Which editions of Windows support advanced audit policy configuration](auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md) +###### [How to list XML elements in ](auditing/how-to-list-xml-elements-in-eventdata.md) ###### [Using advanced security auditing options to monitor dynamic access control objects](auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md) ####### [Monitor the central access policies that apply on a file server](auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md) 
@@ -487,7 +507,7 @@ ####### [Event 4752 S: A member was removed from a security-disabled global group.](auditing/event-4752.md) ####### [Event 4753 S: A security-disabled global group was deleted.](auditing/event-4753.md) ###### [Audit Other Account Management Events](auditing/audit-other-account-management-events.md) -####### [Event 4782 S: The password hash an account was accessed.](auditing/event-4782.md) +####### [Event 4782 S: The password hash of an account was accessed.](auditing/event-4782.md) ####### [Event 4793 S: The Password Policy Checking API was called.](auditing/event-4793.md) ###### [Audit Security Group Management](auditing/audit-security-group-management.md) ####### [Event 4731 S: A security-enabled local group was created.](auditing/event-4731.md) @@ -961,14 +981,12 @@ ###### [Take ownership of files or other objects](security-policy-settings/take-ownership-of-files-or-other-objects.md) - - - - ### [Windows security baselines](windows-security-baselines.md) #### [Security Compliance Toolkit](security-compliance-toolkit-10.md) #### [Get support](get-support-for-security-baselines.md) +### [MBSA removal and alternatives](mbsa-removal-and-guidance.md) + ### [Windows 10 Mobile security guide](windows-10-mobile-security-guide.md) ## [Change history for Threat protection](change-history-for-threat-protection.md) diff --git a/windows/security/threat-protection/auditing/audit-other-account-management-events.md b/windows/security/threat-protection/auditing/audit-other-account-management-events.md index 01d32dee4a..2118e8090b 100644 --- a/windows/security/threat-protection/auditing/audit-other-account-management-events.md +++ b/windows/security/threat-protection/auditing/audit-other-account-management-events.md 
@@ -30,13 +30,13 @@ This subcategory allows you to audit next events: | Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | |-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Domain Controller | Yes | No | Yes | No | The only reason to enable Success auditing on domain controllers is to monitor “[4782](event-4782.md)(S): The password hash an account was accessed.”
    This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Domain Controller | Yes | No | Yes | No | The only reason to enable Success auditing on domain controllers is to monitor “[4782](event-4782.md)(S): The password hash of an account was accessed.”
    This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | | Member Server | No | No | No | No | The only event which is generated on Member Servers is “[4793](event-4793.md)(S): The Password Policy Checking API was called.”, this event is a typical information event with little to no security relevance.
    This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | | Workstation | No | No | No | No | The only event which is generated on Workstations is “[4793](event-4793.md)(S): The Password Policy Checking API was called.”, this event is a typical information event with little to no security relevance.
    This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | **Events List:** -- [4782](event-4782.md)(S): The password hash an account was accessed. +- [4782](event-4782.md)(S): The password hash of an account was accessed. - [4793](event-4793.md)(S): The Password Policy Checking API was called. diff --git a/windows/security/threat-protection/auditing/event-4778.md b/windows/security/threat-protection/auditing/event-4778.md index 686af7ea86..5459b8a5c7 100644 --- a/windows/security/threat-protection/auditing/event-4778.md +++ b/windows/security/threat-protection/auditing/event-4778.md @@ -23,7 +23,7 @@ ms.date: 04/19/2017 ***Event Description:*** -This event is generated when a user reconnects to an existing Terminal Services session, or when a user switches to an existing desktop using [Fast User Switching](https://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/fast_user_switching.mspx?mfr=true). +This event is generated when a user reconnects to an existing Terminal Services session, or when a user switches to an existing desktop using [Fast User Switching](https://docs.microsoft.com/en-us/windows-hardware/drivers/display/fast-user-switching). This event also generates when user reconnects to virtual host Hyper-V Enhanced Session, for example. diff --git a/windows/security/threat-protection/auditing/event-4779.md b/windows/security/threat-protection/auditing/event-4779.md index 338bb36e87..ace9821d2e 100644 --- a/windows/security/threat-protection/auditing/event-4779.md +++ b/windows/security/threat-protection/auditing/event-4779.md 
@@ -23,7 +23,7 @@ ms.date: 04/19/2017
 ***Event Description:***
-This event is generated when a user disconnects from an existing Terminal Services session, or when a user switches away from an existing desktop using [Fast User Switching](https://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/fast_user_switching.mspx?mfr=true).
+This event is generated when a user disconnects from an existing Terminal Services session, or when a user switches away from an existing desktop using [Fast User Switching](https://docs.microsoft.com/windows-hardware/drivers/display/fast-user-switching).
 This event also generated when user disconnects from virtual host Hyper-V Enhanced Session, for example.
diff --git a/windows/security/threat-protection/auditing/event-4782.md b/windows/security/threat-protection/auditing/event-4782.md
index b41a078e08..7139478b3a 100644
--- a/windows/security/threat-protection/auditing/event-4782.md
+++ b/windows/security/threat-protection/auditing/event-4782.md
@@ -1,6 +1,6 @@
 ---
-title: 4782(S) The password hash an account was accessed. (Windows 10)
-description: Describes security event 4782(S) The password hash an account was accessed.
+title: 4782(S) The password hash of an account was accessed. (Windows 10)
+description: Describes security event 4782(S) The password hash of an account was accessed.
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
@@ -10,7 +10,7 @@ author: Mir0sh
 ms.date: 04/19/2017
 ---
-# 4782(S): The password hash an account was accessed.
+# 4782(S): The password hash of an account was accessed.
 **Applies to**
 - Windows 10
@@ -108,7 +108,7 @@ Typically **“Subject\\Security ID”** is the SYSTEM account.
 ## Security Monitoring Recommendations
-For 4782(S): The password hash an account was accessed.
+For 4782(S): The password hash of an account was accessed.
 - Monitor for all events of this type, because any actions with account’s password hashes should be planned. If this action was not planned, investigate the reason for the change.
diff --git a/windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md b/windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md
new file mode 100644
index 0000000000..7bfef9f9db
--- /dev/null
+++ b/windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md
@@ -0,0 +1,129 @@
+---
+title: How to get a list of XML data name elements in (Windows 10)
+description: This reference topic for the IT professional explains how to use PowerShell to get a list of XML data name elements that can appear in .
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+author: tedhardyMSFT
+ms.date: 10/22/2018
+---
+
+# How to get a list of XML data name elements in EventData
+
+**Applies to**
+- Windows 10
+
+The Security log uses a manifest where you can get all of the event schema.
+
+Run the following from an elevated PowerShell prompt:
+
+```powershell
+$secEvents = get-winevent -listprovider "microsoft-windows-security-auditing"
+```
+
+The .events property is a collection of all of the events listed in the manifest on the local machine.
+
+For each event, there is a .Template property for the XML template used for the event properties (if there are any).
+
+For example:
+
+```powershell
+PS C:\WINDOWS\system32> $SecEvents.events[100]
+
+
+Id : 4734
+Version : 0
+LogLink : System.Diagnostics.Eventing.Reader.EventLogLink
+Level : System.Diagnostics.Eventing.Reader.EventLevel
+Opcode : System.Diagnostics.Eventing.Reader.EventOpcode
+Task : System.Diagnostics.Eventing.Reader.EventTask
+Keywords : {}
+Template :
+
+Description : A security-enabled local group was deleted.
+
+ Subject:
+ Security ID: %4
+ Account Name: %5
+ Account Domain: %6
+ Logon ID: %7
+
+ Group:
+ Security ID: %3
+ Group Name: %1
+ Group Domain: %2
+
+ Additional Information:
+ Privileges: %8
+
+
+
+PS C:\WINDOWS\system32> $SecEvents.events[100].Template
+
+
+```
+
+## Mapping data name elements to the names in an event description
+
+You can use the <Template> and <Description> to map the data name elements that appear in XML view to the names that appear in the event description.
+
+The <Description> is just the format string (if you’re used to Console.Writeline or sprintf statements) and the <Template> is the source of the input parameters for the <Description>.
+
+Using Security event 4734 as an example:
+
+```xml
+Template :
+
+Description : A security-enabled local group was deleted.
+
+ Subject:
+ Security ID: %4
+ Account Name: %5
+ Account Domain: %6
+ Logon ID: %7
+
+ Group:
+ Security ID: %3
+ Group Name: %1
+ Group Domain: %2
+
+ Additional Information:
+ Privileges: %8
+
+```
+
+For the **Subject: Security Id:** text element, it will use the fourth element in the Template, **SubjectUserSid**.
+
+For **Additional Information Privileges:**, it would use the eighth element **PrivilegeList**.
+
+A caveat to this is an oft-overlooked property of events called Version (in the <SYSTEM> element) that indicates the revision of the event schema and description. Most events have 1 version (all events have Version =0 like the Security/4734 example) but a few events like Security/4624 or Security/4688 have at least 3 versions (versions 0, 1, 2) depending on the OS version where the event is generated. Only the latest version is used for generating events in the Security log. In any case, the Event Version where the Template is taken from should use the same Event Version for the Description.
+
diff --git a/windows/security/threat-protection/fips-140-validation.md b/windows/security/threat-protection/fips-140-validation.md
new file mode 100644
index 0000000000..cdd262ce1c
--- /dev/null
+++ b/windows/security/threat-protection/fips-140-validation.md
@@ -0,0 +1,7085 @@
+---
+title: FIPS 140 Validation
+description: This topic provides information on how Microsoft products and cryptographic modules comply with the U.S. Federal government standard FIPS 140.
+ms.prod: w10
+ms.localizationpriority: medium
+ms.author: daniha
+author: danihalfin
+ms.date: 04/03/2018
+---
+
+
+# FIPS 140 Validation
+
+On this page
+
+ - [Introduction](https://technet.microsoft.com/en-us/library/cc750357.aspx#id0eo)
+ - [FIPS 140 Overview](https://technet.microsoft.com/en-us/library/cc750357.aspx#id0ebd)
+ - [Microsoft Product Validation (Information for Procurement Officers and Auditors)](https://technet.microsoft.com/en-us/library/cc750357.aspx#id0ezd)
+ - [Information for System Integrators](https://technet.microsoft.com/en-us/library/cc750357.aspx#id0eve)
+ - [Information for Software Developers](https://technet.microsoft.com/en-us/library/cc750357.aspx#id0eibac)
+ - [FIPS 140 FAQ](https://technet.microsoft.com/en-us/library/cc750357.aspx#id0eqcac)
+ - [Microsoft FIPS 140 Validated Cryptographic Modules](https://technet.microsoft.com/en-us/library/cc750357.aspx#id0ewfac)
+ - [Cryptographic Algorithms](https://technet.microsoft.com/en-us/library/cc750357.aspx#id0erobg)
+
+Updated: March 2018
+
+ 
+
+## Introduction
+
+This document provides information on how Microsoft products and cryptographic modules comply with the U.S. Federal government standard, *Federal Information Processing Standard (FIPS) 140 – Security Requirements for Cryptographic Modules* \[FIPS 140\].
+
+### Audience
+
+This document is primarily focused on providing information for three parties:
+
+[Procurement Officer](https://technet.microsoft.com/en-us/library/cc750357.aspx#_microsoft_product_validation) – Responsible for verifying that Microsoft products (or even third-party applications) are either FIPS 140 validated or utilize a Microsoft FIPS 140 validated cryptographic module.
+
+[System Integrator](https://technet.microsoft.com/en-us/library/cc750357.aspx#_information_for_system) – Responsible for ensuring that Microsoft Products are configured properly to use only FIPS 140 validated cryptographic modules.
+
+[Software Developer](https://technet.microsoft.com/en-us/library/cc750357.aspx#_information_for_software) – Responsible for building software products that utilize Microsoft FIPS 140 validated cryptographic modules.
+
+### Document Map
+
+This document is broken into seven major sections:
+
+[FIPS 140 Overview](https://technet.microsoft.com/en-us/library/cc750357.aspx#_fips_140_overview) – Provides an overview of the FIPS 140 standard as well as provides some historical information about the standard.
+
+[Microsoft Product Validation (Information for Procurement Officers and Auditors)](https://technet.microsoft.com/en-us/library/cc750357.aspx#_microsoft_product_validation) – Provides information on how Microsoft products are FIPS 140 validated.
+
+[Information for System Integrators](https://technet.microsoft.com/en-us/library/cc750357.aspx#_information_for_system) – Describes how to configure and verify that Microsoft Products are being used in a manner consistent with the product’s FIPS 140 Security Policy.
+
+[Information for Software Developers](https://technet.microsoft.com/en-us/library/cc750357.aspx#_information_for_software) – Identifies how developers can leverage the Microsoft FIPS 140 validated cryptographic modules.
+
+[FAQ](https://technet.microsoft.com/en-us/library/cc750357.aspx#_fips_140_faq) – Frequently Asked Questions.
+
+[Microsoft FIPS 140 Validated Cryptographic Modules](https://technet.microsoft.com/en-us/library/cc750357.aspx#_microsoft_fips_140) – Explains Microsoft cryptographic architecture and identifies specific modules that are FIPS 140 validated.
+
+[Cryptographic Algorithms](https://technet.microsoft.com/en-us/library/cc750357.aspx#_cryptographic_algorithms) – Lists the cryptographic algorithm, modes, states, key sizes, Windows versions, and corresponding cryptographic algorithm validation certificates.
+
+## FIPS 140 Overview
+
+### FIPS 140 Standard
+
+FIPS 140 is a US government and Canadian government standard that defines a minimum set of the security requirements for products that implement cryptography. This standard is designed for cryptographic modules that are used to secure sensitive but unclassified information. Testing against the FIPS 140 standard is maintained by the Cryptographic Module Validation Program (CMVP), a joint effort between the US National Institute of Standards and Technology (NIST) and the Communications Security Establishment of Canada (CSEC).
+
+The current standard defines four-levels of increasing security, 1 through 4. Most software products (including all Microsoft products) are tested against the Level 1 security requirements.
+
+### Applicability of the FIPS standard
+
+Within the US Federal government, the FIPS 140 standard applies to any security system (whether hardware, firmware, software, or a combination thereof) to be used by agencies for protecting sensitive but unclassified information. Some agencies have expanded its use by requiring that the modules to be procured for secret systems also meet the FIPS 140 requirements.
+
+The FIPS 140 standard has also been used by different standards bodies, specification groups, nations, and private institutions as a requirement or guideline for those products (e.g. – Digital Cinema Systems Specification).
+
+### History of 140-1
+
+FIPS 140-1 is the original working version of the standard made official on January 11, 1994. The standard remained in effect until FIPS 140-2 became mandatory for new products on May 25, 2002.
+
+### FIPS 140-2
+
+FIPS 140-2 is currently the active version of the standard.
+
+### Microsoft FIPS Support Policy
+
+Microsoft actively maintains FIPS 140 validation for its cryptographic modules.
+
+### FIPS Mode of Operation
+
+The common term “FIPS mode” is used in this document and Security Policy documents. When a cryptographic module contains both FIPS-approved and non-FIPS approved security methods, it must have a "FIPS mode of operation" to ensure only FIPS-approved security methods may be used. When a module is in "FIPS mode", a non-FIPS approved method cannot be used instead of a FIPS-approved method.
+
+## Microsoft Product Validation (Information for Procurement Officers and Auditors)
+
+This section provides information for Procurement Officers and Auditors who are responsible for ensuring that Microsoft products with FIPS 140 validated cryptographic modules are used in their organization. The goal of this section is to provide an overview of the Microsoft developed products and modules and explain how the validated cryptographic modules are used.
+
+### Microsoft Product Relationship with CNG and CAPI libraries
+
+Rather than validate individual components and products, Microsoft chooses to validate only the underlying cryptographic modules. Subsequently, many Windows components and Microsoft products are built to rely on the Cryptographic API: Next Generation (CNG) and legacy Cryptographic API (CAPI) FIPS 140 validated cryptographic modules. Windows components and Microsoft products use the documented application programming interfaces (APIs) for each of the modules to access various cryptographic services.
+
+The following list contains some of the Windows components and Microsoft products that rely on FIPS 140 validated cryptographic modules:
+
+ - Schannel Security Package
+ - Remote Desktop Protocol (RDP) Client
+ - Encrypting File System (EFS)
+ - Some Microsoft .NET Framework Applications (.NET also provides cryptographic algorithm implementations that have not been FIPS 140 validated.)
+ - BitLocker® Drive Full-volume Encryption
+ - IPsec Settings of Windows Firewall
+
+## Information for System Integrators
+
+This section provides information for System Integrators and Auditors who are responsible for deploying Microsoft products in a manner consistent with the product’s FIPS 140 Security Policy.
+
+There are two steps to ensure that Microsoft products operate in FIPS mode:
+
+1. Selecting/Installing FIPS 140 validated cryptographic modules
+2. Setting FIPS local/group security policy flag.
+
+### Step 1 – Selecting/Installing FIPS 140 Validated Cryptographic Modules
+
+Systems Integrators must ensure that all cryptographic modules installed are, in fact, FIPS 140 validated. This can be accomplished by cross-checking the version number of the installed module with the list of validated binaries. The list of validated CAPI binaries is identified in the [CAPI Validated Cryptographic Modules](https://technet.microsoft.com/en-us/library/cc750357.aspx#_capi_validated_cryptographic) section below and the list of validated CNG binaries is identified in the [CNG Validated Cryptographic Modules](https://technet.microsoft.com/en-us/library/cc750357.aspx#_cng_validated_cryptographic) section below. There are similar sections for all other validated cryptographic modules.
+
+The version number of the installed binary is found by right-clicking the module file and clicking on the Version or Details tab. Cryptographic modules are stored in the "windows\\system32" or "windows\\system32\\drivers" directory.
+
+### Step 2 – Setting FIPS Local/Group Security Policy Flag
+
+The Windows operating system provides a group (or local) security policy setting, “System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing”, which is used by many Microsoft products to determine whether to operate in a FIPS-approved mode. When this policy is set, the validated cryptographic modules in Windows will also operate in a FIPS-approved mode.
+
+**Note** – There is no enforcement of the FIPS policy by the operating system or the validated cryptographic modules. Instead, each individual application must check this flag and enforce the Security Policy of the validated cryptographic modules.
+
+#### Instructions on Setting the FIPS Local/Group Security Policy Flag
+
+While there are alternative methods for setting the FIPS local/group security policy flag, the following method is included as a guide to users with Administrative privileges. This description is for the Local Security Policy, but the Group Security Policy may be set in a similar manner.
+
+1. Open the 'Run' menu by pressing the combination 'Windows Key + R'.
+2. Type 'secpol.msc' and press 'Enter' or click the 'Ok' button.
+3. In the Local Security Policy management console window that opens, use the left tab to navigate to the Local Policies -\> Security Options.
+4. Scroll down the right pane and double-click 'System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing'.
+5. In the properties window, select the 'Enabled' option and click the 'Apply' button.
+
+#### Microsoft Components and Products That Utilize FIPS Local/Group Security Policy
+
+The following list details some of the Microsoft components that use the cryptographic functionality implemented by either CNG or legacy CAPI. When the FIPS Local/Group Security Policy is set, the following components will enforce the validated module Security Policy.
+
+ - Schannel Security Package
+ - Remote Desktop Protocol (RDP) Client
+ - Encrypting File System (EFS)
+ - Some Microsoft .NET Framework Applications (.NET also provides cryptographic algorithm implementations that have not been FIPS 140 validated.)
+ - BitLocker® Drive Full-volume Encryption
+ - IPsec Settings of Windows Firewall
+
+#### Effects of Setting FIPS Local/Group Security Policy Flag
+
+When setting the FIPS local/group security policy flag, the behavior of several Microsoft components and products are affected. The most noticeable difference will be that the components enforcing this setting will only use those algorithms approved or allowed in FIPS mode. The specific changes to the products listed above are:
+
+ - Schannel Security Package forced to negotiate sessions using TLS. The following supported Cipher Suites are disabled:
+
+ - - TLS\_RSA\_WITH\_RC4\_128\_SHA
+ - TLS\_RSA\_WITH\_RC4\_128\_MD5
+ - SSL\_CK\_RC4\_128\_WITH\_MD5
+ - SSL\_CK\_DES\_192\_EDE3\_CBC\_WITH\_MD5
+ - TLS\_RSA\_WITH\_NULL\_MD5
+ - TLS\_RSA\_WITH\_NULL\_SHA
+
+ - The set of cryptographic algorithms that a Remote Desktop Protocol (RDP) server will use is scoped to:
+
+ - - CALG\_RSA\_KEYX - RSA public key exchange algorithm
+ - CALG\_3DES - Triple DES encryption algorithm
+ - CALG\_AES\_128 - 128 bit AES
+ - CALG\_AES\_256 - 256 bit AES
+ - CALG\_SHA1 - SHA hashing algorithm
+ - CALG\_SHA\_256 - 256 bit SHA hashing algorithm
+ - CALG\_SHA\_384 - 384 bit SHA hashing algorithm
+ - CALG\_SHA\_512 - 512 bit SHA hashing algorithm
+
+ - Any Microsoft .NET Framework applications, such as Microsoft ASP.NET or Windows Communication Foundation (WCF), only allow algorithm implementations that are validated to FIPS 140, meaning only classes that end in "CryptoServiceProvider" or "Cng" can be used. Any attempt to create an instance of other cryptographic algorithm classes or create instances that use non-allowed algorithms will cause an InvalidOperationException exception.
+
+ - Verification of ClickOnce applications fails unless the client computer has .NET Framework 2.0 SP1 or later service pack installed or .NET Framework 3.5 or later installed.
+
+ - On Windows Vista and Windows Server 2008 and later, BitLocker Drive Encryption switches from AES-128 using the elephant diffuser to using the approved AES-256 encryption. Recovery passwords are not created or backed up. Instead, backup a recovery key on a local drive or on a network share. To use the recovery key, put the key on a USB device and plug the device into the computer.
+
+Please be aware that selection of FIPS mode can limit product functionality (See ).
+
+## Information for Software Developers
+
+This section is targeted at developers who wish to build their own applications using the FIPS 140 validated cryptographic modules.
+
+Each of the validated cryptographic modules defines a series of rules that must be followed. The security rules for each validated cryptographic module are specified in the Security Policy document. Links to each of the Security Policy documents is provided in the [Microsoft FIPS 140 Validated Cryptographic Modules](https://technet.microsoft.com/en-us/library/cc750357.aspx#_microsoft_fips_140) section below. Generally, the restriction in Microsoft validated cryptographic modules is limiting the use of cryptography to only FIPS Approved cryptographic algorithms, modes, and key sizes.
+
+### Using Microsoft Cryptographic Modules in a FIPS mode of operation
+
+No matter whether developing with native languages or using .NET, it is important to first check whether the CNG modules for the target system are FIPS validated. The list of validated CNG binaries is identified in the [CNG Validated Cryptographic Modules](https://technet.microsoft.com/en-us/library/cc750357.aspx#_cng_validated_cryptographic) section.
+
+When developing using CNG directly, it is the responsibility of the developer to follow the security rules outlined in the FIPS 140 Security Policy for each module. The security policy for each module is provided on the CMVP website. Links to each of the Security Policy documents is provided in the tables below.
It is important to remember that setting the FIPS local/group security policy Flag (discussed above) does not affect the behavior of the modules when used for developing custom applications.
+
+If you are developing your application using .NET instead of using the native libraries, then setting the FIPS local policy flag will generate an exception when an improper .NET class is used for cryptography (i.e. the cryptographic classes whose names end in "Managed"). The names of these allowed classes end with "Cng", which use the CNG binaries or "CryptoServiceProvider", which use the legacy CAPI binaries.
+
+### Key Strengths and Validity Periods
+
+NIST Special Publication 800-131A Revision 1, Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths, dated November 2015, \[[SP 800-131A](http://dx.doi.org/10.6028/nist.sp.800-131ar1)\], offers guidance for moving to stronger cryptographic keys and algorithms. This does not replace NIST SP 800-57, Recommendation for Key Management Part 1: General, \[[SP 800-57](http://csrc.nist.gov/publications/pubssps.html#800-57-part1)\], but gives more specific guidance. One of the most important topics discussed in these publications deals with the key strengths of FIPS Approved algorithms and their validity periods. When developing applications that use FIPS Approved algorithms, it is also extremely important to select appropriate key sizes based on the security lifetimes recommended by NIST.
+
+## FIPS 140 FAQ
+
+The following are answers to commonly asked questions for the FIPS 140-2 validation of Microsoft products.
+
+1. How does FIPS 140 relate to the Common Criteria?
+ **Answer:** These are two separate security standards with different, but complementary, purposes. FIPS 140 is a standard designed specifically for validating product modules that implement cryptography. On the other hand, Common Criteria is designed to help evaluate security functions in IT products.
+ In many cases, Common Criteria evaluations will rely on FIPS 140 validations to provide assurance that cryptographic functionality is implemented properly.
+2. How does FIPS 140 relate to Suite B?
+ **Answer:** Suite B is simply a set of cryptographic algorithms defined by the U.S. National Security Agency (NSA) as part of its Cryptographic Modernization Program. The set of Suite B cryptographic algorithms are to be used for both unclassified information and most classified information.
+ The Suite B cryptographic algorithms are a subset of the FIPS Approved cryptographic algorithms as allowed by the FIPS 140 standard.
+3. There are so many modules listed on the NIST website for each release, how are they related and how do I tell which one applies to me?
+ **Answer:** Microsoft strives to validate all releases of its cryptographic modules. Each module provides a different set of cryptographic algorithms. If you are required to use only FIPS validated cryptographic modules, you simply need to verify that the version being used appears on the validation list.
+ Please see the [Microsoft FIPS 140 Validated Cryptographic Modules](https://technet.microsoft.com/en-us/library/cc750357.aspx#_microsoft_fips_140)section for a complete list of Microsoft validated modules.
+4. My application links against crypt32.dll, cryptsp.dll, advapi32.dll, bcrypt.dll, bcryptprimitives.dll, or ncrypt.dll. What do I need to do to assure I’m using FIPS 140 validated cryptographic modules?
+ **Answer:** crypt32.dll, cryptsp.dll, advapi32.dll, and ncrypt.dll are intermediary libraries that will offload all cryptographic operations to the FIPS validated cryptographic modules. Bcrypt.dll itself is a validated cryptographic module for Windows Vista and Windows Server 2008. For Windows 7 and Windows Server 2008 R2 and later, bcryptprimitives.dll is the validated module, but bcrypt.dll remains as one of the libraries to link against.
+ You must first verify that the underlying CNG cryptographic module is validated. Once verified, you'll need to confirm that you're using the module correctly in FIPS mode (See [Information for Software Developers](https://technet.microsoft.com/en-us/library/cc750357.aspx#_information_for_software) section for details).
+5. What does "When operated in FIPS mode" mean on certificates?
+ **Answer:** This caveat identifies that a required configuration and security rules must be followed in order to use the cryptographic module in a manner consistent with its FIPS 140 Security Policy. The security rules are defined in the Security Policy for the module and usually revolve around using only FIPS Approved cryptographic algorithms and key sizes. Please see the Security Policy for the specific security rules for each cryptographic module (See [Microsoft FIPS 140 Validated Cryptographic Modules](https://technet.microsoft.com/en-us/library/cc750357.aspx#_microsoft_fips_140) section for links to each policy).
+6. Which FIPS validated module is called when Windows 7 or Windows 8 is configured to use the FIPS setting in the wireless configuration?
+ **Answer:** CNG is used. This setting tells the wireless driver to call FIPS 140-2 validated cryptographic modules instead of using the driver’s own cryptography, if any.
+7. Is BitLocker to Go FIPS 140-2 validated?
+ **Answer:** There are two separate parts for BitLocker to Go. One part is simply a native feature of BitLocker and as such, it uses FIPS 140-2 validated cryptographic modules. The other part is the BitLocker to Go Reader application for down-level support of older operating systems such as Windows XP and Windows Vista. The Reader application does not use FIPS 140-2 validated cryptographic modules.
+8. Are applications FIPS 140-2 validated?
+ **Answer:** Microsoft only has low-level cryptographic modules in Windows FIPS 140-2 validated, not high-level applications.
A better question is whether a certain application calls a FIPS 140-2 validated cryptographic module in the underlying Windows OS. That question needs to be directed to the company/product group that created the application of interest. +9. How can Systems Center Operations Manager 2012 be configured to use FIPS 140-2 validated cryptographic modules? + **Answer:** See [http://technet.microsoft.com/en-us/library/hh914094.aspx](https://technet.microsoft.com/en-us/library/hh914094.aspx) + +## Microsoft FIPS 140 Validated Cryptographic Modules + +### Modules By Operating System + +The following tables identify the Cryptographic Modules for an operating system. + +#### Windows + +##### Windows 10 Creators Update (Version 1703) + +Validated Editions: Home, Pro, Enterprise, Education, S, Surface Hub, Mobile + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
    Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)10.0.15063#3095

    FIPS Approved algorithms: AES (Cert. #4624); CKG (vendor affirmed); CVL (Certs. #1278 and #1281); DRBG (Cert. #1555); DSA (Cert. #1223); ECDSA (Cert. #1133); HMAC (Cert. #3061); KAS (Cert. #127); KBKDF (Cert. #140); KTS (AES Cert. #4626; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2521 and #2522); SHS (Cert. #3790); Triple-DES (Cert. #2459)
    +
    +Other algorithms: HMAC-MD5; MD5; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)

    +

    Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #1133); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #2521); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #1281); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #1278)

    Kernel Mode Cryptographic Primitives Library (cng.sys)10.0.15063#3094

    #3094

    +

    FIPS Approved algorithms: AES (Certs. #4624 and #4626); CKG (vendor affirmed); CVL (Certs. #1278 and #1281); DRBG (Cert. #1555); DSA (Cert. #1223); ECDSA (Cert. #1133); HMAC (Cert. #3061); KAS (Cert. #127); KBKDF (Cert. #140); KTS (AES Cert. #4626; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2521 and #2523); SHS (Cert. #3790); Triple-DES (Cert. #2459)
    +
    +Other algorithms: HMAC-MD5; MD5; NDRNG; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)

    +

    Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert.#1133); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert.#2521); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert.#1281)

    Boot Manager10.0.15063#3089

    FIPS Approved algorithms: AES (Certs. #4624 and #4625); CKG (vendor affirmed); HMAC (Cert. #3061); PBKDF (vendor affirmed); RSA (Cert. #2523); SHS (Cert. #3790)

    +

    Other algorithms: PBKDF (vendor affirmed); VMK KDF (vendor affirmed)

    Windows OS Loader10.0.15063#3090

    FIPS Approved algorithms: AES (Certs. #4624 and #4625); RSA (Cert. #2523); SHS (Cert. #3790)

    +

    Other algorithms: NDRNG

    Windows Resume[1]10.0.15063#3091FIPS Approved algorithms: AES (Certs. #4624 and #4625); RSA (Cert. #2523); SHS (Cert. #3790)
    BitLocker® Dump Filter[2]10.0.15063#3092FIPS Approved algorithms: AES (Certs. #4624 and #4625); RSA (Cert. #2522); SHS (Cert. #3790)
    Code Integrity (ci.dll)10.0.15063#3093

    FIPS Approved algorithms: AES (Cert. #4624); RSA (Certs. #2522 and #2523); SHS (Cert. #3790)

    +

    Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v1.5 - RSASP1 Signature Primitive (Cert. #1282)

    Secure Kernel Code Integrity (skci.dll)[3]10.0.15063#3096

    FIPS Approved algorithms: AES (Cert. #4624); RSA (Certs. #2522 and #2523); SHS (Cert. #3790)

    +

    Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v1.5 - RSASP1 Signature Primitive (Cert. #1282)

    + + +\[1\] Applies only to Home, Pro, Enterprise, Education and S + +\[2\] Applies only to Pro, Enterprise, Education, S, Mobile and Surface Hub + +\[3\] Applies only to Pro, Enterprise Education and S + +##### Windows 10 Anniversary Update (Version 1607) + +Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
    Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)10.0.14393#2937

    FIPS Approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193 and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)
    +
    +Other algorithms: HMAC-MD5; MD5; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)

    +

    Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #922); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #888); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #887); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #886)

    Kernel Mode Cryptographic Primitives Library (cng.sys)10.0.14393#2936

    FIPS Approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193 and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)
    +
    +Other algorithms: HMAC-MD5; MD5; NDRNG; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)

    +

    Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #922); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #888); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #887)

    Boot Manager10.0.14393#2931

    FIPS Approved algorithms: AES (Certs. #4061 and #4064); HMAC (Cert. #2651); PBKDF (vendor affirmed); RSA (Cert. #2193); SHS (Cert. #3347)

    +

    Other algorithms: MD5; PBKDF (non-compliant); VMK KDF

    BitLocker® Windows OS Loader (winload)10.0.14393#2932FIPS Approved algorithms: AES (Certs. #4061 and #4064); RSA (Cert. #2193); SHS (Cert. #3347)
    +
    +Other algorithms: NDRNG; MD5
    BitLocker® Windows Resume (winresume)[1]10.0.14393#2933FIPS Approved algorithms: AES (Certs. #4061 and #4064); RSA (Cert. #2193); SHS (Cert. #3347)
    +
    +Other algorithms: MD5
    BitLocker® Dump Filter (dumpfve.sys)[2]10.0.14393#2934FIPS Approved algorithms: AES (Certs. #4061 and #4064)
    Code Integrity (ci.dll)10.0.14393#2935

    FIPS Approved algorithms: RSA (Cert. #2193); SHS (Cert. #3347)
    +
    +Other algorithms: AES (non-compliant); MD5

    +

    Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #888)

    Secure Kernel Code Integrity (skci.dll)[3]10.0.14393#2938

    FIPS Approved algorithms: RSA (Certs. #2193); SHS (Certs. #3347)
    +
    +Other algorithms: MD5

    +

    Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #888)

    + + +\[1\] Applies only to Home, Pro, Enterprise and Enterprise LTSB + +\[2\] Applies only to Pro, Enterprise, Enterprise LTSB and Mobile + +\[3\] Applies only to Pro, Enterprise and Enterprise LTSB + +##### Windows 10 November 2015 Update (Version 1511) + +Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, Surface Hub + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
    Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)10.0.10586#2606

    FIPS Approved algorithms: AES (Certs. #3629); DRBG (Certs. #955); DSA (Certs. #1024); ECDSA (Certs. #760); HMAC (Certs. #2381); KAS (Certs. #72; key agreement; key establishment methodology provides between 112 and 256 bits of encryption strength); KBKDF (Certs. #72); KTS (AES Certs. #3653; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1887, #1888 and #1889); SHS (Certs. #3047); Triple-DES (Certs. #2024)
    +
    +Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)

    +

    Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #666); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #665); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #663); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #664)

    Kernel Mode Cryptographic Primitives Library (cng.sys)10.0.10586#2605

    FIPS Approved algorithms: AES (Certs. #3629); DRBG (Certs. #955); DSA (Certs.  #1024); ECDSA (Certs. #760); HMAC (Certs. #2381); KAS (Certs. #72; key agreement; key establishment methodology provides between 112 and 256 bits of encryption strength); KBKDF (Certs. #72); KTS (AES Certs. #3653; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1887, #1888 and #1889); SHS (Certs. #3047); Triple-DES (Certs. #2024)
    +
    +Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)

    +

    Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #666); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #665); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #663)

    Boot Manager[4]10.0.10586#2700FIPS Approved algorithms: AES (Certs. #3653); HMAC (Cert. #2381); PBKDF (vendor affirmed); RSA (Cert. #1871); SHS (Certs. #3047 and #3048)
    +
    +Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant)
    BitLocker® Windows OS Loader (winload)[5]10.0.10586#2701FIPS Approved algorithms: AES (Certs. #3629 and #3653); RSA (Cert. #1871); SHS (Cert. #3048)
    +
    +Other algorithms: MD5; NDRNG
    BitLocker® Windows Resume (winresume)[6]10.0.10586#2702FIPS Approved algorithms: AES (Certs. #3653); RSA (Cert. #1871); SHS (Cert. #3048)
    +
    +Other algorithms: MD5
    BitLocker® Dump Filter (dumpfve.sys)[7]10.0.10586#2703FIPS Approved algorithms: AES (Certs. #3653)
    Code Integrity (ci.dll)10.0.10586#2604

    FIPS Approved algorithms: RSA (Certs. #1871); SHS (Certs. #3048)
    +
    +Other algorithms: AES (non-compliant); MD5

    +

    Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #665)

    Secure Kernel Code Integrity (skci.dll)[8]10.0.10586#2607

    FIPS Approved algorithms: RSA (Certs. #1871); SHS (Certs. #3048)
    +
    +Other algorithms: MD5

    +

    Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #665)

    + + +\[4\] Applies only to Home, Pro, Enterprise, Mobile and Surface Hub + +\[5\] Applies only to Home, Pro, Enterprise, Mobile and Surface Hub + +\[6\] Applies only to Home, Pro and Enterprise + +\[7\] Applies only to Pro, Enterprise, Mobile and Surface Hub + +\[8\] Applies only to Enterprise and Enterprise LTSB + +##### Windows 10 (Version 1507) + +Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, and Surface Hub + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
    Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)10.0.10240#2606

    FIPS Approved algorithms: AES (Certs. #3497); DRBG (Certs. #868); DSA (Certs. #983); ECDSA (Certs. #706); HMAC (Certs. #2233); KAS (Certs. #64; key agreement; key establishment methodology provides between 112 and 256 bits of encryption strength); KBKDF (Certs. #66); KTS (AES Certs. #3507; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1783, #1798, and #1802); SHS (Certs. #2886); Triple-DES (Certs. #1969)
    +
    +Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)

    +

    Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #572); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #576); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #575)

    Kernel Mode Cryptographic Primitives Library (cng.sys)10.0.10240#2605

    FIPS Approved algorithms: AES (Certs. #3497); DRBG (Certs. #868); DSA (Certs. #983); ECDSA (Certs. #706); HMAC (Certs. #2233); KAS (Certs. #64; key agreement; key establishment methodology provides between 112 and 256 bits of encryption strength); KBKDF (Certs. #66); KTS (AES Certs. #3507; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1783, #1798, and #1802); SHS (Certs. #2886); Triple-DES (Certs. #1969)
    +
    +Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)

    +

    Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #572); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #576)

    Boot Manager[9]10.0.10240#2600FIPS Approved algorithms: AES (Cert. #3497); HMAC (Cert. #2233); KTS (AES Cert. #3498); PBKDF (vendor affirmed); RSA (Cert. #1784); SHS (Certs. #2871 and #2886)
    +
    +Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant)
    BitLocker® Windows OS Loader (winload)[10]10.0.10240#2601FIPS Approved algorithms: AES (Certs. #3497 and #3498); RSA (Cert. #1784); SHS (Cert. #2871)
    +
    +Other algorithms: MD5; NDRNG
    BitLocker® Windows Resume (winresume)[11]10.0.10240#2602FIPS Approved algorithms: AES (Certs. #3497 and #3498); RSA (Cert. #1784); SHS (Cert. #2871)
    +
    +Other algorithms: MD5
    BitLocker® Dump Filter (dumpfve.sys)[12]10.0.10240#2603FIPS Approved algorithms: AES (Certs. #3497 and #3498)
    Code Integrity (ci.dll)10.0.10240#2604

    FIPS Approved algorithms: RSA (Certs. #1784); SHS (Certs. #2871)
    +
    +Other algorithms: AES (non-compliant); MD5

    +

    Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #572)

    Secure Kernel Code Integrity (skci.dll)[13]10.0.10240#2607

    FIPS Approved algorithms: RSA (Certs. #1784); SHS (Certs. #2871)
    +
    +Other algorithms: MD5

    +

    Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #572)

    + + +\[9\] Applies only to Home, Pro, Enterprise and Enterprise LTSB + +\[10\] Applies only to Home, Pro, Enterprise and Enterprise LTSB + +\[11\] Applies only to Home, Pro, Enterprise and Enterprise LTSB + +\[12\] Applies only to Pro, Enterprise and Enterprise LTSB + +\[13\] Applies only to Enterprise and Enterprise LTSB + +##### Windows 8.1 + +Validated Editions: RT, Pro, Enterprise, Phone, Embedded + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
    Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)6.3.9600 6.3.9600.17031#2357

    FIPS Approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); DSA (Cert. #855); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493 and #1519); SHS (Cert. #2373); Triple-DES (Cert. #1692)
    +
    +Other algorithms: AES (Cert. #2832, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)#2832, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)

    +

    Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #288); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #289); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #323)

    Kernel Mode Cryptographic Primitives Library (cng.sys)6.3.9600 6.3.9600.17042#2356

    FIPS Approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493 and #1519); SHS (Cert. # 2373); Triple-DES (Cert. #1692)
    +
    +Other algorithms: AES (Cert. #2832, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)

    +

    Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #288); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #289)

    Boot Manager6.3.9600 6.3.9600.17031#2351FIPS Approved algorithms: AES (Cert. #2832); HMAC (Cert. #1773); PBKDF (vendor affirmed); RSA (Cert. #1494); SHS (Certs. # 2373 and #2396)
    +
    +Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant)
    BitLocker® Windows OS Loader (winload)6.3.9600 6.3.9600.17031#2352FIPS Approved algorithms: AES (Cert. #2832); RSA (Cert. #1494); SHS (Cert. #2396)
    +
    +Other algorithms: MD5; NDRNG
    BitLocker® Windows Resume (winresume)[14]6.3.9600 6.3.9600.17031#2353FIPS Approved algorithms: AES (Cert. #2832); RSA (Cert. #1494); SHS (Certs. # 2373 and #2396)
    +
    +Other algorithms: MD5
    BitLocker® Dump Filter (dumpfve.sys)6.3.9600 6.3.9600.17031#2354FIPS Approved algorithms: AES (Cert. #2832)
    +
    +Other algorithms: N/A
    Code Integrity (ci.dll)6.3.9600 6.3.9600.17031#2355#2355

    FIPS Approved algorithms: RSA (Cert. #1494); SHS (Cert. # 2373)
    +
    +Other algorithms: MD5

    +

    Validated Component Implementations: PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #289)

    + + +\[14\] Applies only to Pro, Enterprise, and Embedded 8. + +##### Windows 8 + +Validated Editions: RT, Home, Pro, Enterprise, Phone + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
    Cryptographic Primitives Library (BCRYPTPRIMITIVES.DLL)6.2.9200#1892FIPS Approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258); DSA (Cert. #687); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)
    +
    +Other algorithms: AES (Cert. #2197, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#258); DSA (Cert. ); ECDSA (Cert. ); HMAC (Cert. ); KAS (Cert. ); KBKDF (Cert. ); PBKDF (vendor affirmed); RSA (Certs.  and ); SHS (Cert. ); Triple-DES (Cert. )
    +
    +
    Kernel Mode Cryptographic Primitives Library (cng.sys)6.2.9200#1891FIPS Approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258 and #259); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RNG (Cert. #1110); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)
    +
    +Other algorithms: AES (Cert. #2197, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#258 and ); ECDSA (Cert. ); HMAC (Cert. ); KAS (Cert. ); KBKDF (Cert. ); PBKDF (vendor affirmed); RNG (Cert. ); RSA (Certs.  and ); SHS (Cert. ); Triple-DES (Cert. )
    +
    +Other algorithms: AES (Cert. , key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)
    Boot Manager6.2.9200#1895FIPS Approved algorithms: AES (Certs. #2196 and #2198); HMAC (Cert. #1347); RSA (Cert. #1132); SHS (Cert. #1903)
    +
    +Other algorithms: MD5
    BitLocker® Windows OS Loader (WINLOAD)6.2.9200#1896FIPS Approved algorithms: AES (Certs. #2196 and #2198); RSA (Cert. #1132); SHS (Cert. #1903)
    +
    +Other algorithms: AES (Cert. #2197; non-compliant); MD5; Non-Approved RNG
    BitLocker® Windows Resume (WINRESUME)[15]6.2.9200#1898FIPS Approved algorithms: AES (Certs. #2196 and #2198); RSA (Cert. #1132); SHS (Cert. #1903)
    +
    +Other algorithms: MD5
    BitLocker® Dump Filter (DUMPFVE.SYS)6.2.9200#1899FIPS Approved algorithms: AES (Certs. #2196 and #2198)
    +
    +Other algorithms: N/A
    Code Integrity (CI.DLL)6.2.9200#1897FIPS Approved algorithms: RSA (Cert. #1132); SHS (Cert. #1903)
    +
    +Other algorithms: MD5
    Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH.DLL)6.2.9200#1893FIPS Approved algorithms: DSA (Cert. #686); SHS (Cert. #1902); Triple-DES (Cert. #1386); Triple-DES MAC (Triple-DES Cert. #1386, vendor affirmed)
    +
    +Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4; Triple-DES (Cert. #1386, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)#1902); Triple-DES (Cert. ); Triple-DES MAC (Triple-DES Cert. , vendor affirmed)
    +
    +Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4; Triple-DES (Cert. , key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
    Enhanced Cryptographic Provider (RSAENH.DLL)6.2.9200#1894FIPS Approved algorithms: AES (Cert. #2196); HMAC (Cert. #1346); RSA (Cert. #1132); SHS (Cert. #1902); Triple-DES (Cert. #1386)
    +
    +Other algorithms: AES (Cert. #2196, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); Triple-DES (Cert. #1386, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
    + + +\[15\] Applies only to Home and Pro + +**Windows 7** + +Validated Editions: Windows 7, Windows 7 SP1 + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
    Cryptographic Primitives Library (BCRYPTPRIMITIVES.DLL)

    6.1.7600.16385

    +

    6.1.7601.17514

    1329FIPS Approved algorithms: AES (Certs. #1168 and #1178); AES GCM (Cert. #1168, vendor-affirmed); AES GMAC (Cert. #1168, vendor-affirmed); DRBG (Certs. #23 and #24); DSA (Cert. #386); ECDSA (Cert. #141); HMAC (Cert. #677); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides 80 to 256 bits of encryption strength); RNG (Cert. #649); RSA (Certs. #559 and #560); SHS (Cert. #1081); Triple-DES (Cert. #846)
    +
    +Other algorithms: AES (Cert. #1168, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4#559 and ); SHS (Cert. ); Triple-DES (Cert. )
    +
    +Other algorithms: AES (Cert. , key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4
    Kernel Mode Cryptographic Primitives Library (cng.sys)

    6.1.7600.16385

    +

    6.1.7600.16915

    +

    6.1.7600.21092

    +

    6.1.7601.17514

    +

    6.1.7601.17725

    +

    6.1.7601.17919

    +

    6.1.7601.21861

    +

    6.1.7601.22076

    1328FIPS Approved algorithms: AES (Certs. #1168 and #1178); AES GCM (Cert. #1168, vendor-affirmed); AES GMAC (Cert. #1168, vendor-affirmed); DRBG (Certs. #23 and #24); ECDSA (Cert. #141); HMAC (Cert. #677); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides 80 to 256 bits of encryption strength); RNG (Cert. #649); RSA (Certs. #559 and #560); SHS (Cert. #1081); Triple-DES (Cert. #846)
    +
    +Other algorithms: AES (Cert. #1168, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4
    Boot Manager

    6.1.7600.16385

    +

    6.1.7601.17514

    1319FIPS Approved algorithms: AES (Certs. #1168 and #1177); HMAC (Cert. #675); RSA (Cert. #557); SHS (Cert. #1081)
    +
    +Other algorithms: MD5#1168 and ); HMAC (Cert. ); RSA (Cert. ); SHS (Cert. )
    +
    +Other algorithms: MD5
    Winload OS Loader (winload.exe)

    6.1.7600.16385

    +

    6.1.7600.16757

    +

    6.1.7600.20897

    +

    6.1.7600.20916

    +

    6.1.7601.17514

    +

    6.1.7601.17556

    +

    6.1.7601.21655

    +

    6.1.7601.21675

    1326FIPS Approved algorithms: AES (Certs. #1168 and #1177); RSA (Cert. #557); SHS (Cert. #1081)
    +
    +Other algorithms: MD5
    BitLocker™ Drive Encryption

    6.1.7600.16385

    +

    6.1.7600.16429

    +

    6.1.7600.16757

    +

    6.1.7600.20536

    +

    6.1.7600.20873

    +

    6.1.7600.20897

    +

    6.1.7600.20916

    +

    6.1.7601.17514

    +

    6.1.7601.17556

    +

    6.1.7601.21634

    +

    6.1.7601.21655

    +

    6.1.7601.21675

    1332FIPS Approved algorithms: AES (Certs. #1168 and #1177); HMAC (Cert. #675); SHS (Cert. #1081)
    +
    +Other algorithms: Elephant Diffuser
    Code Integrity (CI.DLL)

    6.1.7600.16385

    +

    6.1.7600.17122

    +

    6.1.7600.21320

    +

    6.1.7601.17514

    +

    6.1.7601.17950

    +

    6.1.7601.22108

    1327FIPS Approved algorithms: RSA (Cert. #557); SHS (Cert. #1081)
    +
    +Other algorithms: MD5
    Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH.DLL)6.1.7600.16385
    +(no change in SP1)
    1331FIPS Approved algorithms: DSA (Cert. #385); RNG (Cert. #649); SHS (Cert. #1081); Triple-DES (Cert. #846); Triple-DES MAC (Triple-DES Cert. #846, vendor affirmed)
    +
    +Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4
    Enhanced Cryptographic Provider (RSAENH.DLL)6.1.7600.16385
    +(no change in SP1)
    1330FIPS Approved algorithms: AES (Cert. #1168); DRBG (Cert. #23); HMAC (Cert. #673); SHS (Cert. #1081); RSA (Certs. #557 and #559); Triple-DES (Cert. #846)
    +
    +Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 256-bits of encryption strength; non-compliant less than 112 bits of encryption strength)
    + + +##### Windows Vista SP1 + +Validated Editions: Ultimate Edition + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
    Boot Manager (bootmgr)6.0.6001.18000 and 6.0.6002.18005978FIPS Approved algorithms: AES (Certs. #739 and #760); HMAC (Cert. #415); RSA (Cert. #354); SHS (Cert. #753)
    Winload OS Loader (winload.exe)6.0.6001.18000, 6.0.6001.18027, 6.0.6001.18606, 6.0.6001.22125, 6.0.6001.22861, 6.0.6002.18005, 6.0.6002.18411 and 6.0.6002.22596979FIPS Approved algorithms: AES (Certs. #739 and #760); RSA (Cert. #354); SHS (Cert. #753)
    +
    +Other algorithms: MD5
    Code Integrity (ci.dll)6.0.6001.18000, 6.0.6001.18023, 6.0.6001.22120, and 6.0.6002.18005980FIPS Approved algorithms: RSA (Cert. #354); SHS (Cert. #753)
    +
    +Other algorithms: MD5
    Kernel Mode Security Support Provider Interface (ksecdd.sys)6.0.6001.18709, 6.0.6001.18272, 6.0.6001.18796, 6.0.6001.22202, 6.0.6001.22450, 6.0.6001.22987, 6.0.6001.23069, 6.0.6002.18005, 6.0.6002.18051, 6.0.6002.18541, 6.0.6002.18643, 6.0.6002.22152, 6.0.6002.22742, and 6.0.6002.228696.0.6001.18709, 6.0.6001.18272, 6.0.6001.18796, 6.0.6001.22202, 6.0.6001.22450, 6.0.6001.22987, 6.0.6001.23069, 6.0.6002.18005, 6.0.6002.18051, 6.0.6002.18541, 6.0.6002.18643, 6.0.6002.22152, 6.0.6002.22742, and 6.0.6002.228691000

    FIPS Approved algorithms: AES (Certs. #739 and #756); ECDSA (Cert. #82); HMAC (Cert. #412); RNG (Cert. #435 and SP 800-90 AES-CTR, vendor-affirmed); RSA (Certs. #353 and #357); SHS (Cert. #753); Triple-DES (Cert. #656)#739 and ); ECDSA (Cert. ); HMAC (Cert. ); RNG (Cert.  and SP 800-90 AES-CTR, vendor-affirmed); RSA (Certs.  and ); SHS (Cert. ); Triple-DES (Cert. )

    +

    Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 and 256 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)

    Cryptographic Primitives Library (bcrypt.dll)6.0.6001.22202, 6.0.6002.18005, and 6.0.6002.228726.0.6001.22202, 6.0.6002.18005, and 6.0.6002.228721001

    FIPS Approved algorithms: AES (Certs. #739 and #756); DSA (Cert. #283); ECDSA (Cert. #82); HMAC (Cert. #412); RNG (Cert. #435 and SP 800-90, vendor affirmed); RSA (Certs. #353 and #357); SHS (Cert. #753); Triple-DES (Cert. #656)

    +

    Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 and 256 bits of encryption strength); MD2; MD4; MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant provides less than 112 bits of encryption strength)

    Enhanced Cryptographic Provider (RSAENH)6.0.6001.22202 and 6.0.6002.180056.0.6001.22202 and 6.0.6002.180051002

    FIPS Approved algorithms: AES (Cert. #739); HMAC (Cert. #407); RNG (SP 800-90, vendor affirmed); RSA (Certs. #353 and #354); SHS (Cert. #753); Triple-DES (Cert. #656)

    +

    Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)

    Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)6.0.6001.18000 and 6.0.6002.180056.0.6001.18000 and 6.0.6002.180051003

    FIPS Approved algorithms: DSA (Cert. #281); RNG (Cert. #435); SHS (Cert. #753); Triple-DES (Cert. #656); Triple-DES MAC (Triple-DES Cert. #656, vendor affirmed)

    +

    Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC2 MAC; RC4

    + + +##### Windows Vista + +Validated Editions: Ultimate Edition + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
    Enhanced Cryptographic Provider (RSAENH)6.0.6000.16386893FIPS Approved algorithms: AES (Cert. #553); HMAC (Cert. #297); RNG (Cert. #321); RSA (Certs. #255 and #258); SHS (Cert. #618); Triple-DES (Cert. #549)
    +
    +Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
    Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)6.0.6000.16386894FIPS Approved algorithms: DSA (Cert. #226); RNG (Cert. #321); SHS (Cert. #618); Triple-DES (Cert. #549); Triple-DES MAC (Triple-DES Cert. #549, vendor affirmed)
    +
    +Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC2 MAC; RC4
    BitLocker™ Drive Encryption6.0.6000.16386947FIPS Approved algorithms: AES (Cert. #715); HMAC (Cert. #386); SHS (Cert. #737)
    +
    +Other algorithms: Elephant Diffuser
    Kernel Mode Security Support Provider Interface (ksecdd.sys)6.0.6000.16386, 6.0.6000.16870 and 6.0.6000.21067891FIPS Approved algorithms: AES (Cert. #553); ECDSA (Cert. #60); HMAC (Cert. #298); RNG (Cert. #321); RSA (Certs. #257 and #258); SHS (Cert. #618); Triple-DES (Cert. #549)
    +
    +Other algorithms: DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides 128 to 256 bits of encryption strength); MD2; MD4; MD5; RC2; RC4; HMAC MD5
    + + +##### Windows XP SP3 + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
    Kernel Mode Cryptographic Module (FIPS.SYS)5.1.2600.5512997

    FIPS Approved algorithms: HMAC (Cert. #429); RNG (Cert. #449); SHS (Cert. #785); Triple-DES (Cert. #677); Triple-DES MAC (Triple-DES Cert. #677, vendor affirmed)

    +

    Other algorithms: DES; MD5; HMAC MD5

    Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)5.1.2600.5507990

    FIPS Approved algorithms: DSA (Cert. #292); RNG (Cert. #448); SHS (Cert. #784); Triple-DES (Cert. #676); Triple-DES MAC (Triple-DES Cert. #676, vendor affirmed)

    +

    Other algorithms: DES; DES40; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits); MD5; RC2; RC4

    Enhanced Cryptographic Provider (RSAENH)5.1.2600.5507989

    FIPS Approved algorithms: AES (Cert. #781); HMAC (Cert. #428); RNG (Cert. #447); RSA (Cert. #371); SHS (Cert. #783); Triple-DES (Cert. #675); Triple-DES MAC (Triple-DES Cert. #675, vendor affirmed)

    +

    Other algorithms: DES; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits)

    + + +##### Windows XP SP2 + + ++++++ + + + + + + + + + + + + + + + + + + + + +
    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
    DSS/Diffie-Hellman Enhanced Cryptographic Provider5.1.2600.2133240

    FIPS Approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Cert. #29)

    +

    Other algorithms: DES (Cert. #66); RC2; RC4; MD5; DES40; Diffie-Hellman (key agreement)

    Microsoft Enhanced Cryptographic Provider5.1.2600.2161238

    FIPS Approved algorithms: Triple-DES (Cert. #81); AES (Cert. #33); SHA-1 (Cert. #83); RSA (PKCS#1, vendor affirmed); HMAC-SHA-1 (Cert. #83, vendor affirmed)

    +

    Other algorithms: DES (Cert. #156); RC2; RC4; MD5

    + + +##### Windows XP SP1 + + ++++++ + + + + + + + + + + + + + + +
    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
    Microsoft Enhanced Cryptographic Provider5.1.2600.1029238

    FIPS Approved algorithms: Triple-DES (Cert. #81); AES (Cert. #33); SHA-1 (Cert. #83); RSA (PKCS#1, vendor affirmed); HMAC-SHA-1 (Cert. #83, vendor affirmed)

    +

    Other algorithms: DES (Cert. #156); RC2; RC4; MD5

    + + +##### Windows XP + + ++++++ + + + + + + + + + + + + + + +
    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
    Kernel Mode Cryptographic Module5.1.2600.0241

    FIPS Approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Cert. #35); HMAC-SHA-1 (Cert. #35, vendor affirmed)

    +

    Other algorithms: DES (Cert. #89)

    + + +##### Windows 2000 SP3 + + ++++++ + + + + + + + + + + + + + + + + + + + + +
    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
    Kernel Mode Cryptographic Module (FIPS.SYS)5.0.2195.1569106

    FIPS Approved algorithms: Triple-DES (Cert. #16); SHA-1 (Certs. #35)

    +

    Other algorithms: DES (Certs. #89)

    Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enhanced Cryptographic Provider, and Enhanced Cryptographic Provider

    (Base DSS: 5.0.2195.3665 [SP3])

    +

    (Base: 5.0.2195.3839 [SP3])

    +

    (DSS/DH Enh: 5.0.2195.3665 [SP3])

    +

    (Enh: 5.0.2195.3839 [SP3]

    103

    FIPS Approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Certs. #28 and #29); RSA (vendor affirmed)

    +

    Other algorithms: DES (Certs. #65, 66, 67 and 68); Diffie-Hellman (key agreement); RC2; RC4; MD2; MD4; MD5

    + + +##### Windows 2000 SP2 + + ++++++ + + + + + + + + + + + + + + + + + + + + +
    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
    Kernel Mode Cryptographic Module (FIPS.SYS)5.0.2195.1569106

    FIPS Approved algorithms: Triple-DES (Cert. #16); SHA-1 (Certs. #35)

    +

    Other algorithms: DES (Certs. #89)

    Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enhanced Cryptographic Provider, and Enhanced Cryptographic Provider

    (Base DSS:

    +

    5.0.2195.2228 [SP2])

    +

    (Base:

    +

    5.0.2195.2228 [SP2])

    +

    (DSS/DH Enh:

    +

    5.0.2195.2228 [SP2])

    +

    (Enh:

    +

    5.0.2195.2228 [SP2])

    103

    FIPS Approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Certs. #28 and #29); RSA (vendor affirmed)

    +

    Other algorithms: DES (Certs. #65, 66, 67 and 68); Diffie-Hellman (key agreement); RC2; RC4; MD2; MD4; MD5

    + + +##### Windows 2000 SP1 + + ++++++ + + + + + + + + + + + + + + +
    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
    Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enhanced Cryptographic Provider, and Enhanced Cryptographic Provider

    (Base DSS: 5.0.2150.1391 [SP1])

    +

    (Base: 5.0.2150.1391 [SP1])

    +

    (DSS/DH Enh: 5.0.2150.1391 [SP1])

    +

    (Enh: 5.0.2150.1391 [SP1])

    103

    FIPS Approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Certs. #28 and #29); RSA (vendor affirmed)

    +

    Other algorithms: DES (Certs. #65, 66, 67 and 68); Diffie-Hellman (key agreement); RC2; RC4; MD2; MD4; MD5

    + + +##### Windows 2000 + + ++++++ + + + + + + + + + + + + + + +
    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
    Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enchanced Cryptographic Provider, and Enhanced Cryptographic Provider5.0.2150.176

    FIPS Approved algorithms: Triple-DES (vendor affirmed); DSA/SHA-1 (Certs. #28 and 29); RSA (vendor affirmed)

    +

    Other algorithms: DES (Certs. #65, 66, 67 and 68); RC2; RC4; MD2; MD4; MD5; Diffie-Hellman (key agreement)

    + + +##### Windows 95 and Windows 98 + + ++++++ + + + + + + + + + + + + + + +
    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
    Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enchanced Cryptographic Provider, and Enhanced Cryptographic Provider5.0.1877.6 and 5.0.1877.775

    FIPS Approved algorithms: Triple-DES (vendor affirmed); SHA-1 (Certs. #20 and 21); DSA/SHA-1 (Certs. #25 and 26); RSA (vendor- affirmed)

    +

    Other algorithms: DES (Certs. #61, 62, 63 and 64); RC2; RC4; MD2; MD4; MD5; Diffie-Hellman (key agreement)

    + + +##### Windows NT 4.0 + + + + + + + + + + + + + + + + +
    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
    Base Cryptographic Provider5.0.1877.6 and 5.0.1877.768FIPS Approved algorithms: SHA-1 (Certs. #20 and 21); DSA/SHA- 1 (Certs. #25 and 26); RSA (vendor affirmed)
    +
    +Other algorithms: DES (Certs. #61, 62, 63 and 64); Triple-DES (allowed for US and Canadian Government use); RC2; RC4; MD2; MD4; MD5; Diffie-Hellman (key agreement)
    + + +#### Windows Server + +##### Windows Server 2016 + +Validated Editions: Standard, Datacenter, Storage Server + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
    Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)10.0.143932937FIPS Approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193 and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)
    +
    +Other algorithms: HMAC-MD5; MD5; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)
    Kernel Mode Cryptographic Primitives Library (cng.sys)10.0.143932936FIPS Approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193 and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)
    +
    +Other algorithms: HMAC-MD5; MD5; NDRNG; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)
    Boot Manager10.0.143932931

    FIPS Approved algorithms: AES (Certs. #4061 and #4064); HMAC (Cert. #2651); PBKDF (vendor affirmed); RSA (Cert. #2193); SHS (Cert. #3347)

    +

    Other algorithms: MD5; PBKDF (non-compliant); VMK KDF

    BitLocker® Windows OS Loader (winload)10.0.143932932FIPS Approved algorithms: AES (Certs. #4061 and #4064); RSA (Cert. #2193); SHS (Cert. #3347)
    +
    +Other algorithms: NDRNG; MD5
    BitLocker® Windows Resume (winresume)10.0.143932933FIPS Approved algorithms: AES (Certs. #4061 and #4064); RSA (Cert. #2193); SHS (Cert. #3347)
    +
    +Other algorithms: MD5
    BitLocker® Dump Filter (dumpfve.sys)10.0.143932934FIPS Approved algorithms: AES (Certs. #4061 and #4064)
    Code Integrity (ci.dll)10.0.143932935FIPS Approved algorithms: RSA (Cert. #2193); SHS (Cert. #3347)
    +
    +Other algorithms: AES (non-compliant); MD5
    Secure Kernel Code Integrity (skci.dll)10.0.143932938FIPS Approved algorithms: RSA (Certs. #2193); SHS (Certs. #3347)
    +
    +Other algorithms: MD5
    + + +##### Windows Server 2012 R2 + +Validated Editions: Server, Storage Server, + +**StorSimple 8000 Series, Azure StorSimple Virtual Array Windows Server 2012 R2** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
    Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)6.3.9600 6.3.9600.170312357FIPS Approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); DSA (Cert. #855); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493 and #1519); SHS (Cert. #2373); Triple-DES (Cert. #1692)
    +
    +Other algorithms: AES (Cert. #2832, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)
    Kernel Mode Cryptographic Primitives Library (cng.sys)6.3.9600 6.3.9600.170422356FIPS Approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493 and #1519); SHS (Cert. # 2373); Triple-DES (Cert. #1692)
    +
    +Other algorithms: AES (Cert. #2832, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)
    Boot Manager6.3.9600 6.3.9600.170312351FIPS Approved algorithms: AES (Cert. #2832); HMAC (Cert. #1773); PBKDF (vendor affirmed); RSA (Cert. #1494); SHS (Certs. # 2373 and #2396)
    +
    +Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant)
    BitLocker® Windows OS Loader (winload)6.3.9600 6.3.9600.170312352FIPS Approved algorithms: AES (Cert. #2832); RSA (Cert. #1494); SHS (Cert. #2396)
    +
    +Other algorithms: MD5; NDRNG
    BitLocker® Windows Resume (winresume)[16]6.3.9600 6.3.9600.170312353FIPS Approved algorithms: AES (Cert. #2832); RSA (Cert. #1494); SHS (Certs. # 2373 and #2396)
    +
    +Other algorithms: MD5
    BitLocker® Dump Filter (dumpfve.sys)[17]6.3.9600 6.3.9600.170312354FIPS Approved algorithms: AES (Cert. #2832)
    +
    +Other algorithms: N/A
    Code Integrity (ci.dll)6.3.9600 6.3.9600.170312355FIPS Approved algorithms: RSA (Cert. #1494); SHS (Cert. # 2373)
    +
    +Other algorithms: MD5
    + + +\[16\] Does not apply to **Azure StorSimple Virtual Array Windows Server 2012 R2** + +\[17\] Does not apply to **Azure StorSimple Virtual Array Windows Server 2012 R2** + +**Windows Server 2012** + +Validated Editions: Server, Storage Server + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
    Cryptographic Primitives Library (BCRYPTPRIMITIVES.DLL)6.2.92001892FIPS Approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258); DSA (Cert. #687); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)
    +
    +Other algorithms: AES (Cert. #2197, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#687); ECDSA (Cert. ); HMAC (Cert. #); KAS (Cert. ); KBKDF (Cert. ); PBKDF (vendor affirmed); RSA (Certs.  and ); SHS (Cert. ); Triple-DES (Cert. )
    +
    +Other algorithms: AES (Cert. , key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)
    Kernel Mode Cryptographic Primitives Library (cng.sys)6.2.92001891FIPS Approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258 and #259); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RNG (Cert. #1110); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)
    +
    +Other algorithms: AES (Cert. #2197, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#1110); RSA (Certs.  and ); SHS (Cert. ); Triple-DES (Cert. )
    +
    +Other algorithms: AES (Cert. , key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)
    Boot Manager6.2.92001895FIPS Approved algorithms: AES (Certs. #2196 and #2198); HMAC (Cert. #1347); RSA (Cert. #1132); SHS (Cert. #1903)
    +
    +Other algorithms: MD5
    BitLocker® Windows OS Loader (WINLOAD)6.2.92001896FIPS Approved algorithms: AES (Certs. #2196 and #2198); RSA (Cert. #1132); SHS (Cert. #1903)
    +
    +Other algorithms: AES (Cert. #2197; non-compliant); MD5; Non-Approved RNG
    BitLocker® Windows Resume (WINRESUME)6.2.92001898FIPS Approved algorithms: AES (Certs. #2196 and #2198); RSA (Cert. #1132); SHS (Cert. #1903)
    +
    +Other algorithms: MD5
    BitLocker® Dump Filter (DUMPFVE.SYS)6.2.92001899FIPS Approved algorithms: AES (Certs. #2196 and #2198)
    +
    +Other algorithms: N/A
    Code Integrity (CI.DLL)6.2.92001897FIPS Approved algorithms: RSA (Cert. #1132); SHS (Cert. #1903)
    +
    +Other algorithms: MD5
    Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH.DLL)6.2.92001893FIPS Approved algorithms: DSA (Cert. #686); SHS (Cert. #1902); Triple-DES (Cert. #1386); Triple-DES MAC (Triple-DES Cert. #1386, vendor affirmed)
    +
    +Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4; Triple-DES (Cert. #1386, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
    Enhanced Cryptographic Provider (RSAENH.DLL)6.2.92001894FIPS Approved algorithms: AES (Cert. #2196); HMAC (Cert. #1346); RSA (Cert. #1132); SHS (Cert. #1902); Triple-DES (Cert. #1386)
    +
    +Other algorithms: AES (Cert. #2196, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); Triple-DES (Cert. #1386, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
    + + +##### Windows Server 2008 R2 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
    Boot Manager (bootmgr)6.1.7600.16385 or 6.1.7601.175146.1.7600.16385 or 6.1.7601.175141321FIPS Approved algorithms: AES (Certs. #1168 and #1177); HMAC (Cert. #675); RSA (Cert. #568); SHS (Cert. #1081)
    +
    +Other algorithms: MD5
    Winload OS Loader (winload.exe)6.1.7600.16385, 6.1.7600.16757, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21655 and 6.1.7601.216756.1.7600.16385, 6.1.7600.16757, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21655 and 6.1.7601.216751333FIPS Approved algorithms: AES (Certs. #1168 and #1177); RSA (Cert. #568); SHS (Cert. #1081)
    +
    +Other algorithms: MD5
    Code Integrity (ci.dll)6.1.7600.16385, 6.1.7600.17122, 6.1.7600.21320, 6.1.7601.17514, 6.1.7601.17950 and 6.1.7601.221086.1.7600.16385, 6.1.7600.17122, 6.1.7600.21320, 6.1.7601.17514, 6.1.7601.17950 and 6.1.7601.221081334FIPS Approved algorithms: RSA (Cert. #568); SHS (Cert. #1081)
    +
    +Other algorithms: MD5
    Kernel Mode Cryptographic Primitives Library (cng.sys)6.1.7600.16385, 6.1.7600.16915, 6.1.7600.21092, 6.1.7601.17514, 6.1.7601.17919, 6.1.7601.17725, 6.1.7601.21861 and 6.1.7601.220766.1.7600.16385, 6.1.7600.16915, 6.1.7600.21092, 6.1.7601.17514, 6.1.7601.17919, 6.1.7601.17725, 6.1.7601.21861 and 6.1.7601.220761335FIPS Approved algorithms: AES (Certs. #1168 and #1177); AES GCM (Cert. #1168, vendor-affirmed); AES GMAC (Cert. #1168, vendor-affirmed); DRBG (Certs. #23 and #27); ECDSA (Cert. #142); HMAC (Cert. #686); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides between 80 and 256 bits of encryption strength); RNG (Cert. #649); RSA (Certs. #559 and #567); SHS (Cert. #1081); Triple-DES (Cert. #846)
    +
    +-Other algorithms: AES (Cert. #1168, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4
    Cryptographic Primitives Library (bcryptprimitives.dll)66.1.7600.16385 or 6.1.7601.1751466.1.7600.16385 or 6.1.7601.175141336FIPS Approved algorithms: AES (Certs. #1168 and #1177); AES GCM (Cert. #1168, vendor-affirmed); AES GMAC (Cert. #1168, vendor-affirmed); DRBG (Certs. #23 and #27); DSA (Cert. #391); ECDSA (Cert. #142); HMAC (Cert. #686); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides between 80 and 256 bits of encryption strength); RNG (Cert. #649); RSA (Certs. #559 and #567); SHS (Cert. #1081); Triple-DES (Cert. #846)
    +
    +Other algorithms: AES (Cert. #1168, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; HMAC MD5; MD2; MD4; MD5; RC2; RC4
    Enhanced Cryptographic Provider (RSAENH)6.1.7600.163851337FIPS Approved algorithms: AES (Cert. #1168); DRBG (Cert. #23); HMAC (Cert. #687); SHS (Cert. #1081); RSA (Certs. #559 and #568); Triple-DES (Cert. #846)
    +
    +Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 256 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
    Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)6.1.7600.163851338FIPS Approved algorithms: DSA (Cert. #390); RNG (Cert. #649); SHS (Cert. #1081); Triple-DES (Cert. #846); Triple-DES MAC (Triple-DES Cert. #846, vendor affirmed)
    +
    +Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4
    BitLocker™ Drive Encryption6.1.7600.16385, 6.1.7600.16429, 6.1.7600.16757, 6.1.7600.20536, 6.1.7600.20873, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21634, 6.1.7601.21655 or 6.1.7601.216756.1.7600.16385, 6.1.7600.16429, 6.1.7600.16757, 6.1.7600.20536, 6.1.7600.20873, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21634, 6.1.7601.21655 or 6.1.7601.216751339FIPS Approved algorithms: AES (Certs. #1168 and #1177); HMAC (Cert. #675); SHS (Cert. #1081)
    +
    +Other algorithms: Elephant Diffuser
    + + +##### Windows Server 2008 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
    Boot Manager (bootmgr)6.0.6001.18000, 6.0.6002.18005 and 6.0.6002.224976.0.6001.18000, 6.0.6002.18005 and 6.0.6002.224971004FIPS Approved algorithms: AES (Certs. #739 and #760); HMAC (Cert. #415); RSA (Cert. #355); SHS (Cert. #753)
    +
    +Other algorithms: N/A
    Winload OS Loader (winload.exe)6.0.6001.18000, 6.0.6001.18606, 6.0.6001.22861, 6.0.6002.18005, 6.0.6002.18411, 6.0.6002.22497 and 6.0.6002.225966.0.6001.18000, 6.0.6001.18606, 6.0.6001.22861, 6.0.6002.18005, 6.0.6002.18411, 6.0.6002.22497 and 6.0.6002.225961005FIPS Approved algorithms: AES (Certs. #739 and #760); RSA (Cert. #355); SHS (Cert. #753)
    +
    +Other algorithms: MD5
    Code Integrity (ci.dll)6.0.6001.18000 and 6.0.6002.180056.0.6001.18000 and 6.0.6002.180051006FIPS Approved algorithms: RSA (Cert. #355); SHS (Cert. #753)
    +
    +Other algorithms: MD5
    Kernel Mode Security Support Provider Interface (ksecdd.sys)6.0.6001.18709, 6.0.6001.18272, 6.0.6001.18796, 6.0.6001.22202, 6.0.6001.22450, 6.0.6001.22987, 6.0.6001.23069, 6.0.6002.18005, 6.0.6002.18051, 6.0.6002.18541, 6.0.6002.18643, 6.0.6002.22152, 6.0.6002.22742 and 6.0.6002.228696.0.6001.18709, 6.0.6001.18272, 6.0.6001.18796, 6.0.6001.22202, 6.0.6001.22450, 6.0.6001.22987, 6.0.6001.23069, 6.0.6002.18005, 6.0.6002.18051, 6.0.6002.18541, 6.0.6002.18643, 6.0.6002.22152, 6.0.6002.22742 and 6.0.6002.228691007FIPS Approved algorithms: AES (Certs. #739 and #757); ECDSA (Cert. #83); HMAC (Cert. #413); RNG (Cert. #435 and SP800-90 AES-CTR, vendor affirmed); RSA (Certs. #353 and #358); SHS (Cert. #753); Triple-DES (Cert. #656)
    +
    +Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 and 256 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping: key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)#83); HMAC (Cert. ); RNG (Cert.  and SP800-90 AES-CTR, vendor affirmed); RSA (Certs.  and ); SHS (Cert. ); Triple-DES (Cert. )
    +
    +Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 and 256 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping: key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
    Cryptographic Primitives Library (bcrypt.dll)6.0.6001.22202, 6.0.6002.18005 and 6.0.6002.228726.0.6001.22202, 6.0.6002.18005 and 6.0.6002.228721008FIPS Approved algorithms: AES (Certs. #739 and #757); DSA (Cert. #284); ECDSA (Cert. #83); HMAC (Cert. #413); RNG (Cert. #435 and SP800-90, vendor affirmed); RSA (Certs. #353 and #358); SHS (Cert. #753); Triple-DES (Cert. #656)
    +
    +Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 and 256 bits of encryption strength); MD2; MD4; MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant provides less than 112 bits of encryption strength)
    Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)6.0.6001.18000 and 6.0.6002.180056.0.6001.18000 and 6.0.6002.180051009FIPS Approved algorithms: DSA (Cert. #282); RNG (Cert. #435); SHS (Cert. #753); Triple-DES (Cert. #656); Triple-DES MAC (Triple-DES Cert. #656, vendor affirmed)
    +
    +-Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC2 MAC; RC4
    Enhanced Cryptographic Provider (RSAENH)6.0.6001.22202 and 6.0.6002.180056.0.6001.22202 and 6.0.6002.180051010FIPS Approved algorithms: AES (Cert. #739); HMAC (Cert. #408); RNG (SP 800-90, vendor affirmed); RSA (Certs. #353 and #355); SHS (Cert. #753); Triple-DES (Cert. #656)
    +
    +Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
    + + +##### Windows Server 2003 SP2 + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
    Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)5.2.3790.3959875

    FIPS Approved algorithms: DSA (Cert. #221); RNG (Cert. #314); RSA (Cert. #245); SHS (Cert. #611); Triple-DES (Cert. #543)

    +

    Other algorithms: DES; DES40; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC4

    Kernel Mode Cryptographic Module (FIPS.SYS)5.2.3790.3959869

    FIPS Approved algorithms: HMAC (Cert. #287); RNG (Cert. #313); SHS (Cert. #610); Triple-DES (Cert. #542)

    +

    Other algorithms: DES; HMAC-MD5

    Enhanced Cryptographic Provider (RSAENH)5.2.3790.3959868

    FIPS Approved algorithms: AES (Cert. #548); HMAC (Cert. #289); RNG (Cert. #316); RSA (Cert. #245); SHS (Cert. #613); Triple-DES (Cert. #544)

    +

    Other algorithms: DES; RC2; RC4; MD2; MD4; MD5; RSA (key wrapping; key establishment methodology provides between 112 and 256 bits of encryption strength; non-compliant less than 112 bits of encryption strength)

    + + +##### Windows Server 2003 SP1 + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
    Kernel Mode Cryptographic Module (FIPS.SYS)5.2.3790.1830 [SP1]405

    FIPS Approved algorithms: Triple-DES (Certs. #201[1] and #370[1]); SHS (Certs. #177[1] and #371[2])

    +

    Other algorithms: DES (Cert. #230[1]); HMAC-MD5; HMAC-SHA-1 (non-compliant)

    +

    [1] x86
    +[2] SP1 x86, x64, IA64

    Enhanced Cryptographic Provider (RSAENH)5.2.3790.1830 [Service Pack 1])382

    FIPS Approved algorithms: Triple-DES (Cert. #192[1] and #365[2]); AES (Certs. #80[1] and #290[2]); SHS (Cert. #176[1] and #364[2]); HMAC (Cert. #176, vendor affirmed[1] and #99[2]); RSA (PKCS#1, vendor affirmed[1] and #81[2])

    +

    Other algorithms: DES (Cert. #226[1]); SHA-256[1]; SHA-384[1]; SHA-512[1]; RC2; RC4; MD2; MD4; MD5

    +

    [1] x86
    +[2] SP1 x86, x64, IA64

    Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)5.2.3790.1830 [Service Pack 1]381

    FIPS Approved algorithms: Triple-DES (Certs. #199[1] and #381[2]); SHA-1 (Certs. #181[1] and #385[2]); DSA (Certs. #95[1] and #146[2]); RSA (Cert. #81)

    +

    Other algorithms: DES (Cert. #229[1]); Diffie-Hellman (key agreement); RC2; RC4; MD5; DES 40

    +

    [1] x86
    +[2] SP1 x86, x64, IA64

    + + +##### Windows Server 2003 + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
    Kernel Mode Cryptographic Module (FIPS.SYS)5.2.3790.0405

    FIPS Approved algorithms: Triple-DES (Certs. #201[1] and #370[1]); SHS (Certs. #177[1] and #371[2])

    +

    Other algorithms: DES (Cert. #230[1]); HMAC-MD5; HMAC-SHA-1 (non-compliant)

    +

    [1] x86
    +[2] SP1 x86, x64, IA64

    Enhanced Cryptographic Provider (RSAENH)5.2.3790.0382

    FIPS Approved algorithms: Triple-DES (Cert. #192[1] and #365[2]); AES (Certs. #80[1] and #290[2]); SHS (Cert. #176[1] and #364[2]); HMAC (Cert. #176, vendor affirmed[1] and #99[2]); RSA (PKCS#1, vendor affirmed[1] and #81[2])

    +

    Other algorithms: DES (Cert. #226[1]); SHA-256[1]; SHA-384[1]; SHA-512[1]; RC2; RC4; MD2; MD4; MD5

    +

    [1] x86
    +[2] SP1 x86, x64, IA64

    Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)5.2.3790.0381

    FIPS Approved algorithms: Triple-DES (Certs. #199[1] and #381[2]); SHA-1 (Certs. #181[1] and #385[2]); DSA (Certs. #95[1] and #146[2]); RSA (Cert. #81)

    +

    Other algorithms: DES (Cert. #229[1]); Diffie-Hellman (key agreement); RC2; RC4; MD5; DES 40

    +

    [1] x86
    +[2] SP1 x86, x64, IA64

    + + +#### Other Products + +##### Windows Embedded Compact 7 and Windows Embedded Compact 8 + + ++++++ + + + + + + + + + + + + + + + + + + + + +
    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
    Enhanced Cryptographic Provider7.00.2872 [1] and 8.00.6246 [2]2957

    FIPS Approved algorithms: AES (Certs.#4433and#4434); CKG (vendor affirmed); DRBG (Certs.#1432and#1433); HMAC (Certs.#2946and#2945); RSA (Certs.#2414and#2415); SHS (Certs.#3651and#3652); Triple-DES (Certs.#2383and#2384)

    +

    Allowed algorithms: HMAC-MD5; MD5; NDRNG

    Cryptographic Primitives Library (bcrypt.dll)7.00.2872 [1] and 8.00.6246 [2]2956

    FIPS Approved algorithms: AES (Certs.#4430and#4431); CKG (vendor affirmed); CVL (Certs.#1139and#1140); DRBG (Certs.#1429and#1430); DSA (Certs.#1187and#1188); ECDSA (Certs.#1072and#1073); HMAC (Certs.#2942and#2943); KAS (Certs.#114and#115); RSA (Certs.#2411and#2412); SHS (Certs.#3648and#3649); Triple-DES (Certs.#2381and#2382)

    +

    Allowed algorithms: MD5; NDRNG; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength

    + + + +##### Windows CE 6.0 and Windows Embedded Compact 7 + + ++++++ + + + + + + + + + + + + + + +
    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
    Enhanced Cryptographic Provider6.00.1937 [1] and 7.00.1687 [2]825

    FIPS Approved algorithms: AES (Certs. #516 [1] and #2024 [2]); HMAC (Certs. #267 [1] and #1227 [2]); RNG (Certs. #292 [1] and #1060 [2]); RSA (Cert. #230 [1] and #1052 [2]); SHS (Certs. #589 [1] and #1774 [2]); Triple-DES (Certs. #526 [1] and #1308 [2])

    +

    Other algorithms: MD5; HMAC-MD5; RC2; RC4; DES

    + + +##### Outlook Cryptographic Provider + + ++++++ + + + + + + + + + + + + + + +
    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
    Outlook Cryptographic Provider (EXCHCSP)SR-1A (3821)SR-1A (3821)110

    FIPS Approved algorithms: Triple-DES (Cert. #18); SHA-1 (Certs. #32); RSA (vendor affirmed)

    +

    Other algorithms: DES (Certs. #91); DES MAC; RC2; MD2; MD5

    + +  + +### Cryptographic Algorithms + +The following tables are organized by cryptographic algorithms with their modes, states, and key sizes. For each algorithm implementation (operating system / platform), there is a link to the Cryptographic Algorithm Validation Program (CAVP) issued certificate. + +### Advanced Encryption Standard (AES) + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Modes / States / Key SizesAlgorithm Implementation and Certificate #
      +
    • AES-CBC:
    • +
      • +
      • Modes: Decrypt, Encrypt
      • +
      • Key Lengths: 128, 192, 256 (bits)
      • +
    • +
    • AES-CFB128:
    • +
      • +
      • Modes: Decrypt, Encrypt
      • +
      • Key Lengths: 128, 192, 256 (bits)
      • +
    • +
    • AES-CTR:
    • +
      • +
      • Counter Source: Internal
      • +
      • Key Lengths: 128, 192, 256 (bits)
      • +
    • +
    • AES-OFB:
    • +
      • +
      • Modes: Decrypt, Encrypt
      • +
      • Key Lengths: 128, 192, 256 (bits)
      • +
    • +

    Microsoft Surface Hub Virtual TPM Implementations #4904

    +

    Version 10.0.15063.674

      +
    • AES-CBC:
    • +
      • +
      • Modes: Decrypt, Encrypt
      • +
      • Key Lengths: 128, 192, 256 (bits)
      • +
    • +
    • AES-CFB128:
    • +
      • +
      • Modes: Decrypt, Encrypt
      • +
      • Key Lengths: 128, 192, 256 (bits)
      • +
    • +
    • AES-CTR:
    • +
      • +
      • Counter Source: Internal
      • +
      • Key Lengths: 128, 192, 256 (bits)
      • +
    • +
    • AES-OFB:
    • +
      • +
      • Modes: Decrypt, Encrypt
      • +
      • Key Lengths: 128, 192, 256 (bits)
      • +
    • +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #4903

    +

    Version 10.0.16299

      +
    • AES-CBC:
    • +
      • +
      • Modes: Decrypt, Encrypt
      • +
      • Key Lengths: 128, 192, 256 (bits)
      • +
    • +
    • AES-CCM:
    • +
      • +
      • Key Lengths: 128, 192, 256 (bits)
      • +
      • Tag Lengths: 32, 48, 64, 80, 96, 112, 128 (bits)
      • +
      • IV Lengths: 56, 64, 72, 80, 88, 96, 104 (bits)
      • +
      • Plain Text Length: 0-32
      • +
      • AAD Length: 0-65536
      • +
    • +
    • AES-CFB128:
    • +
      • +
      • Modes: Decrypt, Encrypt
      • +
      • Key Lengths: 128, 192, 256 (bits)
      • +
    • +
    • AES-CFB8:
    • +
      • +
      • Modes: Decrypt, Encrypt
      • +
      • Key Lengths: 128, 192, 256 (bits)
      • +
    • +
    • AES-CMAC:
    • +
      • +
      • Generation:
      • +
        • +
        • AES-128:
        • +
          • +
          • Block Sizes: Full, Partial
          • +
          • Message Length: 0-65536
          • +
          • Tag Length: 16-16
          • +
        • +
        • AES-192:
        • +
          • +
          • Block Sizes: Full, Partial
          • +
          • Message Length: 0-65536
          • +
          • Tag Length: 16-16
          • +
        • +
        • AES-256:
        • +
          • +
          • Block Sizes: Full, Partial
          • +
          • Message Length: 0-65536
          • +
          • Tag Length: 16-16
          • +
        • +
      • +
      • Verification:
      • +
        • +
        • AES-128:
        • +
          • +
          • Block Sizes: Full, Partial
          • +
          • Message Length: 0-65536
          • +
          • Tag Length: 16-16
          • +
        • +
        • AES-192:
        • +
          • +
          • Block Sizes: Full, Partial
          • +
          • Message Length: 0-65536
          • +
          • Tag Length: 16-16
          • +
        • +
        • AES-256:
        • +
          • +
          • Block Sizes: Full, Partial
          • +
          • Message Length: 0-65536
          • +
          • Tag Length: 16-16
          • +
        • +
      • +
    • +
    • AES-CTR:
    • +
      • +
      • Counter Source: Internal
      • +
      • Key Lengths: 128, 192, 256 (bits)
      • +
    • +
    • AES-ECB:
    • +
      • +
      • Modes: Decrypt, Encrypt
      • +
      • Key Lengths: 128, 192, 256 (bits)
      • +
    • +
    • AES-GCM:
    • +
      • +
      • Modes: Decrypt, Encrypt
      • +
      • Key Lengths: 128, 192, 256 (bits)
      • +
      • Tag Lengths: 96, 104, 112, 120, 128 (bits)
      • +
      • Plain Text Lengths: 0, 8, 1016, 1024 (bits)
      • +
      • AAD Lengths: 0, 8, 1016, 1024 (bits)
      • +
      • 96 bit IV supported
      • +
    • +
    • AES-XTS:
    • +
      • +
      • Key Size: 128:
      • +
        • +
        • Modes: Decrypt, Encrypt
        • +
        • Block Sizes: Full
        • +
      • +
      • Key Size: 256:
      • +
        • +
        • Modes: Decrypt, Encrypt
        • +
        • Block Sizes: Full
        • +
      • +
    • +

    Microsoft Surface Hub SymCrypt Cryptographic Implementations #4902

    +

    Version 10.0.15063.674

      +
    • AES-CBC:
    • +
      • +
      • Modes: Decrypt, Encrypt
      • +
      • Key Lengths: 128, 192, 256 (bits)
      • +
    • +
    • AES-CCM:
    • +
      • +
      • Key Lengths: 128, 192, 256 (bits)
      • +
      • Tag Lengths: 32, 48, 64, 80, 96, 112, 128 (bits)
      • +
      • IV Lengths: 56, 64, 72, 80, 88, 96, 104 (bits)
      • +
      • Plain Text Length: 0-32
      • +
      • AAD Length: 0-65536
      • +
    • +
    • AES-CFB128:
    • +
      • +
      • Modes: Decrypt, Encrypt
      • +
      • Key Lengths: 128, 192, 256 (bits)
      • +
    • +
    • AES-CFB8:
    • +
      • +
      • Modes: Decrypt, Encrypt
      • +
      • Key Lengths: 128, 192, 256 (bits)
      • +
    • +
    • AES-CMAC:
    • +
      • +
      • Generation:
      • +
        • +
        • AES-128:
        • +
          • +
          • Block Sizes: Full, Partial
          • +
          • Message Length: 0-65536
          • +
          • Tag Length: 16-16
          • +
        • +
        • AES-192:
        • +
          • +
          • Block Sizes: Full, Partial
          • +
          • Message Length: 0-65536
          • +
          • Tag Length: 16-16
          • +
        • +
        • AES-256:
        • +
          • +
          • Block Sizes: Full, Partial
          • +
          • Message Length: 0-65536
          • +
          • Tag Length: 16-16
          • +
        • +
      • +
      • Verification:
      • +
        • +
        • AES-128:
        • +
          • +
          • Block Sizes: Full, Partial
          • +
          • Message Length: 0-65536
          • +
          • Tag Length: 16-16
          • +
        • +
        • AES-192:
        • +
          • +
          • Block Sizes: Full, Partial
          • +
          • Message Length: 0-65536
          • +
          • Tag Length: 16-16
          • +
        • +
        • AES-256:
        • +
          • +
          • Block Sizes: Full, Partial
          • +
          • Message Length: 0-65536
          • +
          • Tag Length: 16-16
          • +
        • +
      • +
    • +
    • AES-CTR:
    • +
      • +
      • Counter Source: Internal
      • +
      • Key Lengths: 128, 192, 256 (bits)
      • +
    • +
    • AES-ECB:
    • +
      • +
      • Modes: Decrypt, Encrypt
      • +
      • Key Lengths: 128, 192, 256 (bits)
      • +
    • +
    • AES-GCM:
    • +
      • +
      • Modes: Decrypt, Encrypt
      • +
      • Key Lengths: 128, 192, 256 (bits)
      • +
      • Tag Lengths: 96, 104, 112, 120, 128 (bits)
      • +
      • Plain Text Lengths: 0, 8, 1016, 1024 (bits)
      • +
      • AAD Lengths: 0, 8, 1016, 1024 (bits)
      • +
      • 96 bit IV supported
      • +
    • +
    • AES-XTS:
    • +
      • +
      • Key Size: 128:
      • +
        • +
        • Modes: Decrypt, Encrypt
        • +
        • Block Sizes: Full
        • +
      • +
      • Key Size: 256:
      • +
        • +
        • Modes: Decrypt, Encrypt
        • +
        • Block Sizes: Full
        • +
      • +
    • +

    Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #4901

    +

    Version 10.0.15254

      +
    • AES-CBC:
    • +
      • +
      • Modes: Decrypt, Encrypt
      • +
      • Key Lengths: 128, 192, 256 (bits)
      • +
    • +
    • AES-CCM:
    • +
      • +
      • Key Lengths: 128, 192, 256 (bits)
      • +
      • Tag Lengths: 32, 48, 64, 80, 96, 112, 128 (bits)
      • +
      • IV Lengths: 56, 64, 72, 80, 88, 96, 104 (bits)
      • +
      • Plain Text Length: 0-32
      • +
      • AAD Length: 0-65536
      • +
    • +
    • AES-CFB128:
    • +
      • +
      • Modes: Decrypt, Encrypt
      • +
      • Key Lengths: 128, 192, 256 (bits)
      • +
    • +
    • AES-CFB8:
    • +
      • +
      • Modes: Decrypt, Encrypt
      • +
      • Key Lengths: 128, 192, 256 (bits)
      • +
    • +
    • AES-CMAC:
    • +
      • +
      • Generation:
      • +
        • +
        • AES-128:
        • +
          • +
          • Block Sizes: Full, Partial
          • +
          • Message Length: 0-65536
          • +
          • Tag Length: 16-16
          • +
        • +
        • AES-192:
        • +
          • +
          • Block Sizes: Full, Partial
          • +
          • Message Length: 0-65536
          • +
          • Tag Length: 16-16
          • +
        • +
        • AES-256:
        • +
          • +
          • Block Sizes: Full, Partial
          • +
          • Message Length: 0-65536
          • +
          • Tag Length: 16-16
          • +
        • +
      • +
      • Verification:
      • +
        • +
        • AES-128:
        • +
          • +
          • Block Sizes: Full, Partial
          • +
          • Message Length: 0-65536
          • +
          • Tag Length: 16-16
          • +
        • +
        • AES-192:
        • +
          • +
          • Block Sizes: Full, Partial
          • +
          • Message Length: 0-65536
          • +
          • Tag Length: 16-16
          • +
        • +
        • AES-256:
        • +
          • +
          • Block Sizes: Full, Partial
          • +
          • Message Length: 0-65536
          • +
          • Tag Length: 16-16
          • +
        • +
      • +
    • +
    • AES-CTR:
    • +
      • +
      • Counter Source: Internal
      • +
      • Key Lengths: 128, 192, 256 (bits)
      • +
    • +
    • AES-ECB:
    • +
      • +
      • Modes: Decrypt, Encrypt
      • +
      • Key Lengths: 128, 192, 256 (bits)
      • +
    • +
    • AES-GCM:
    • +
      • +
      • Modes: Decrypt, Encrypt
      • +
      • IV Generation: External
      • +
      • Key Lengths: 128, 192, 256 (bits)
      • +
      • Tag Lengths: 96, 104, 112, 120, 128 (bits)
      • +
      • Plain Text Lengths: 0, 8, 1016, 1024 (bits)
      • +
      • AAD Lengths: 0, 8, 1016, 1024 (bits)
      • +
      • 96 bit IV supported
      • +
    • +
    • AES-XTS:
    • +
      • +
      • Key Size: 128:
      • +
        • +
        • Modes: Decrypt, Encrypt
        • +
        • Block Sizes: Full
        • +
      • +
      • Key Size: 256:
      • +
        • +
        • Modes: Decrypt, Encrypt
        • +
        • Block Sizes: Full
        • +
      • +
    • +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #4897

    +

    Version 10.0.16299

    AES-KW:

    +
      +
    • Modes: Decrypt, Encrypt
    • +
    • CIPHK transformation direction: Forward
    • +
    • Key Lengths: 128, 192, 256 (bits)
    • +
    • Plain Text Lengths: 128, 192, 256, 320, 2048 (bits)
    • +
    +

    AES Val#4902

    Microsoft Surface Hub Cryptography Next Generation (CNG) Implementations #4900

    +

    Version 10.0.15063.674

    AES-KW:

    +
      +
    • Modes: Decrypt, Encrypt
    • +
    • CIPHK transformation direction: Forward
    • +
    • Key Lengths: 128, 192, 256 (bits)
    • +
    • Plain Text Lengths: 128, 192, 256, 320, 2048 (bits)
    • +
    +

    AES Val#4901

    Windows 10 Mobile (version 1709) Cryptography Next Generation (CNG) Implementations #4899

    +

    Version 10.0.15254

    AES-KW:

    +
      +
    • Modes: Decrypt, Encrypt
    • +
    • CIPHK transformation direction: Forward
    • +
    • Key Lengths: 128, 192, 256 (bits)
    • +
    • Plain Text Lengths: 128, 192, 256, 320, 2048 (bits)
    • +
    +

    AES Val#4897

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Cryptography Next Generation (CNG) Implementations #4898

    +

    Version 10.0.16299

    AES-CCM:

    +
      +
    • Key Lengths: 256 (bits)
    • +
    • Tag Lengths: 128 (bits)
    • +
    • IV Lengths: 96 (bits)
    • +
    • Plain Text Length: 0-32
    • +
    • AAD Length: 0-65536
    • +
    +

    AES Val#4902

    Microsoft Surface Hub BitLocker(R) Cryptographic Implementations #4896

    +

    Version 10.0.15063.674

    AES-CCM:

    +
      +
    • Key Lengths: 256 (bits)
    • +
    • Tag Lengths: 128 (bits)
    • +
    • IV Lengths: 96 (bits)
    • +
    • Plain Text Length: 0-32
    • +
    • AAD Length: 0-65536
    • +
    +

    AES Val#4901

    Windows 10 Mobile (version 1709) BitLocker(R) Cryptographic Implementations #4895

    +

    Version 10.0.15254

    AES-CCM:

    +
      +
    • Key Lengths: 256 (bits)
    • +
    • Tag Lengths: 128 (bits)
    • +
    • IV Lengths: 96 (bits)
    • +
    • Plain Text Length: 0-32
    • +
    • AAD Length: 0-65536
    • +
    +

    AES Val#4897

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); BitLocker(R) Cryptographic Implementations #4894

    +

    Version 10.0.16299

    CBC ( e/d; 128 , 192 , 256 );

    +

    CFB128 ( e/d; 128 , 192 , 256 );

    +

    OFB ( e/d; 128 , 192 , 256 );

    +

    CTR ( int only; 128 , 192 , 256 )

    Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #4627

    +

    Version 10.0.15063

    KW ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 256 , 192 , 320 , 2048 )

    +

    AES Val#4624

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile Cryptography Next Generation (CNG) Implementations #4626

    +

    Version 10.0.15063

    CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

    +

    AES Val#4624

    +

     

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile BitLocker(R) Cryptographic Implementations #4625

    +

    Version 10.0.15063

    ECB ( e/d; 128 , 192 , 256 );

    +

    CBC ( e/d; 128 , 192 , 256 );

    +

    CFB8 ( e/d; 128 , 192 , 256 );

    +

    CFB128 ( e/d; 128 , 192 , 256 );

    +

    CTR ( int only; 128 , 192 , 256 )

    +

    CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )

    +

    CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 )

    +

    GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )

    +

    (KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )

    +

    IV Generated: ( External ) ; PT Lengths Tested: ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 1024 , 8 , 1016 ) ; 96BitIV_Supported

    +

    GMAC_Supported

    +

    XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) )

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #4624

    +

    Version 10.0.15063

    ECB ( e/d; 128 , 192 , 256 );

    +

    CBC ( e/d; 128 , 192 , 256 );

    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #4434

    +

    Version 7.00.2872

    ECB ( e/d; 128 , 192 , 256 );

    +

    CBC ( e/d; 128 , 192 , 256 );

    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #4433

    +

    Version 8.00.6246

    ECB ( e/d; 128 , 192 , 256 );

    +

    CBC ( e/d; 128 , 192 , 256 );

    +

    CTR ( int only; 128 , 192 , 256 )

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #4431

    +

    Version 7.00.2872

    ECB ( e/d; 128 , 192 , 256 );

    +

    CBC ( e/d; 128 , 192 , 256 );

    +

    CTR ( int only; 128 , 192 , 256 )

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #4430

    +

    Version 8.00.6246

    CBC ( e/d; 128 , 192 , 256 );

    +

    CFB128 ( e/d; 128 , 192 , 256 );

    +

    OFB ( e/d; 128 , 192 , 256 );

    +

    CTR ( int only; 128 , 192 , 256 )

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #4074

    +

    Version 10.0.14393

    ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 )

    +

    CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )

    +

    CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )

    +

    GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
    +(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
    +IV Generated:  ( Externally ) ; PT Lengths Tested:  ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested:  ( 0 , 1024 , 8 , 1016 ) ; IV Lengths Tested:  ( 0 , 0 ) ; 96BitIV_Supported
    +GMAC_Supported

    +

    XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) )

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #4064

    +

    Version 10.0.14393

    ECB ( e/d; 128 , 192 , 256 );

    +

    CBC ( e/d; 128 , 192 , 256 );

    +

    CFB8 ( e/d; 128 , 192 , 256 );

    +

     

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA32 Algorithm Implementations #4063
    +Version 10.0.14393

    KW  ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 192 , 256 , 320 , 2048 )

    +

    AES Val#4064

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #4062

    +

    Version 10.0.14393

    CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

    +

    AES Val#4064

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update BitLocker® Cryptographic Implementations #4061

    +

    Version 10.0.14393

    KW  ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 256 , 192 , 320 , 2048 )

    +

    AES Val#3629

    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” Cryptography Next Generation (CNG) Implementations #3652

    +

    Version 10.0.10586

    CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

    +

    AES Val#3629

    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” BitLocker® Cryptographic Implementations #3653

    +

    Version 10.0.10586

    ECB ( e/d; 128 , 192 , 256 );

    +

    CBC ( e/d; 128 , 192 , 256 );

    +

    CFB8 ( e/d; 128 , 192 , 256 );

    +

     

    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” RSA32 Algorithm Implementations #3630
    +Version 10.0.10586

    ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 )

    +

    CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )

    +

    CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )

    +

    GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
    +(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
    +IV Generated:  ( Externally ) ; PT Lengths Tested:  ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested:  ( 0 , 1024 , 8 , 1016 ) ; IV Lengths Tested:  ( 0 , 0 ) ; 96BitIV_Supported
    +GMAC_Supported

    +

    XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) )

    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” SymCrypt Cryptographic Implementations #3629
    +
    +

    +

    Version 10.0.10586

    KW  ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 256 , 192 , 320 , 2048 )

    +

    AES Val#3497

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #3507

    +

    Version 10.0.10240

    CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

    +

    AES Val#3497

    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 BitLocker® Cryptographic Implementations #3498

    +

    Version 10.0.10240

    ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 )

    +

    CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )

    +

    CMAC(Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )

    +

    GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
    +(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
    +IV Generated:  ( Externally ) ; PT Lengths Tested:  ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested:  ( 0 , 1024 , 8 , 1016 ) ; IV Lengths Tested:  ( 0 , 0 ) ; 96BitIV_Supported
    +GMAC_Supported

    +

    XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) )

    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #3497
    +Version 10.0.10240

    ECB ( e/d; 128 , 192 , 256 );

    +

    CBC ( e/d; 128 , 192 , 256 );

    +

    CFB8 ( e/d; 128 , 192 , 256 );

    +

     

    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA32 Algorithm Implementations #3476
    +Version 10.0.10240

    ECB ( e/d; 128 , 192 , 256 );

    +

    CBC ( e/d; 128 , 192 , 256 );

    +

    CFB8 ( e/d; 128 , 192 , 256 );

    +

     

    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry RSA32 Algorithm Implementations #2853

    +

    Version 6.3.9600

    CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

    +

    AES Val#2832

    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 BitLocker� Cryptographic Implementations #2848

    +

    Version 6.3.9600

    CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 0 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )

    +

    CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )

    +

    GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )

    +

    (KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )

    +

    IV Generated:  ( Externally ) ; PT Lengths Tested:  ( 0 , 128 , 1024 , 8 , 1016 ) ; AAD Lengths tested:  ( 0 , 128 , 1024 , 8 , 1016 ) ; IV Lengths Tested:  ( 8 , 1024 ) ; 96BitIV_Supported ;
    +OtherIVLen_Supported
    +GMAC_Supported

    Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #2832

    +

    Version 6.3.9600

    CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
    +AES Val#2197

    +

    CMAC (Generation/Verification ) (KS: 128; Block Size(s): ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 192; Block Size(s): ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 256; Block Size(s): ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 )
    +AES Val#2197

    +

    GCM(KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
    +(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
    +IV Generated: ( Externally ) ; PT Lengths Tested: ( 0 , 128 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 128 , 1024 , 8 , 1016 ) ; IV Lengths Tested: ( 8 , 1024 ) ; 96BitIV_Supported
    +GMAC_Supported

    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #2216

    CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

    +

    AES Val#2196

    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 BitLocker® Cryptographic Implementations #2198

    ECB ( e/d; 128 , 192 , 256 );

    +

    CBC ( e/d; 128 , 192 , 256 );

    +

    CFB8 ( e/d; 128 , 192 , 256 );

    +

    CFB128 ( e/d; 128 , 192 , 256 );

    +

    CTR ( int only; 128 , 192 , 256 )

    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #2197

    ECB ( e/d; 128 , 192 , 256 );

    +

    CBC ( e/d; 128 , 192 , 256 );

    +

    CFB8 ( e/d; 128 , 192 , 256 );

    +

     

    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Symmetric Algorithm Implementations (RSA32) #2196
    CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 – 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
    +AES Val#1168

    Windows Server 2008 R2 and SP1 CNG algorithms #1187

    +

    Windows 7 Ultimate and SP1 CNG algorithms #1178

    CCM (KS: 128 , 256 ) (Assoc. Data Len Range: 0 - 8 ) (Payload Length Range: 4 - 32 ( Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16 )
    +AES Val#1168
    Windows 7 Ultimate and SP1 and Windows Server 2008 R2 and SP1 BitLocker Algorithm Implementations #1177

    ECB ( e/d; 128 , 192 , 256 );

    +

    CBC ( e/d; 128 , 192 , 256 );

    +

    CFB8 ( e/d; 128 , 192 , 256 );

    +

     

    Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #1168

    GCM

    +

    GMAC

    Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #1168 , vendor-affirmed
    CCM (KS: 128 , 256 ) (Assoc. Data Len Range: 0 - 8 ) (Payload Length Range: 4 - 32 ( Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16 )Windows Vista Ultimate SP1 and Windows Server 2008 BitLocker Algorithm Implementations #760
    CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 1 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )

    Windows Server 2008 CNG algorithms #757

    +

    Windows Vista Ultimate SP1 CNG algorithms #756

    CBC ( e/d; 128 , 256 );

    +

    CCM (KS: 128 , 256 ) (Assoc. Data Len Range: 0 - 8 ) (Payload Length Range: 4 - 32 ( Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16 )

    Windows Vista Ultimate BitLocker Drive Encryption #715

    +

    Windows Vista Ultimate BitLocker Drive Encryption #424

    ECB ( e/d; 128 , 192 , 256 );

    +

    CBC ( e/d; 128 , 192 , 256 );

    +

    CFB8 ( e/d; 128 , 192 , 256 );

    Windows Vista Ultimate SP1 and Windows Server 2008 Symmetric Algorithm Implementation #739

    +

    Windows Vista Symmetric Algorithm Implementation #553

    ECB ( e/d; 128 , 192 , 256 );

    +

    CBC ( e/d; 128 , 192 , 256 );

    +

    CTR ( int only; 128 , 192 , 256 )

    Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #2023

    ECB ( e/d; 128 , 192 , 256 );

    +

    CBC ( e/d; 128 , 192 , 256 );

    Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #2024

    +

    Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #818

    +

    Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #781

    +

    Windows 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #548

    +

    Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #516

    +

    Windows CE and Windows Mobile 6, 6.1, and 6.5 Enhanced Cryptographic Provider (RSAENH) #507

    +

    Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #290

    +

    Windows CE 5.0 and 5.1 Enhanced Cryptographic Provider (RSAENH) #224

    +

    Windows Server 2003 Enhanced Cryptographic Provider (RSAENH) #80

    +

    Windows XP, SP1, and SP2 Enhanced Cryptographic Provider (RSAENH) #33

    + + +Deterministic Random Bit Generator (DRBG) + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Modes / States / Key SizesAlgorithm Implementation and Certificate #
      +
    • Counter:
    • +
      • +
      • Modes: AES-256
      • +
      • Derivation Function States: Derivation Function not used
      • +
      • Prediction Resistance Modes: Not Enabled
      • +
    • +
    +

    Prerequisite: AES #4904

    Microsoft Surface Hub Virtual TPM Implementations #1734

    +

    Version 10.0.15063.674

      +
    • Counter:
    • +
      • +
      • Modes: AES-256
      • +
      • Derivation Function States: Derivation Function not used
      • +
      • Prediction Resistance Modes: Not Enabled
      • +
    • +
    +

    Prerequisite: AES #4903

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #1733

    +

    Version 10.0.16299

      +
    • Counter:
    • +
      • +
      • Modes: AES-256
      • +
      • Derivation Function States: Derivation Function used
      • +
      • Prediction Resistance Modes: Not Enabled
      • +
    • +
    +

    Prerequisite: AES #4902

    Microsoft Surface Hub SymCrypt Cryptographic Implementations #1732

    +

    Version 10.0.15063.674

      +
    • Counter:
    • +
      • +
      • Modes: AES-256
      • +
      • Derivation Function States: Derivation Function used
      • +
      • Prediction Resistance Modes: Not Enabled
      • +
    • +
    +

    Prerequisite: AES #4901

    Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1731

    +

    Version 10.0.15254

      +
    • Counter:
    • +
      • +
      • Modes: AES-256
      • +
      • Derivation Function States: Derivation Function used
      • +
      • Prediction Resistance Modes: Not Enabled
      • +
    • +
    +

    Prerequisite: AES #4897

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1730

    +

    Version 10.0.16299

    CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4627 ) ]

    Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #1556

    +

    Version 10.0.15063

    CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#4624 ) ]

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1555

    +

    Version 10.0.15063

    CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4434 ) ]

    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #1433

    +

    Version 7.00.2872

    CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4433 ) ]

    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #1432

    +

    Version 8.00.6246

    CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4431 ) ]

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1430

    +

    Version 7.00.2872

    CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4430 ) ]

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1429

    +

    Version 8.00.6246

    CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4074 ) ]

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #1222

    +

    Version 10.0.14393

    CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#4064 ) ]

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #1217

    +

    Version 10.0.14393

    CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#3629 ) ]

    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub SymCrypt Cryptographic Implementations #955

    +

    Version 10.0.10586

    CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#3497 ) ]

    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #868

    +

    Version 10.0.10240

    CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#2832 ) ]

    Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #489

    +

    Version 6.3.9600

    CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#2197 ) ]Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #258
    CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#2023 ) ]Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #193
    CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#1168 ) ]Windows 7 Ultimate and SP1 and Windows Server 2008 R2 and SP1 RNG Library #23
    DRBG (SP 800–90)Windows Vista Ultimate SP1, vendor-affirmed
    + + +#### Digital Signature Algorithm (DSA) + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Modes / States / Key SizesAlgorithm Implementation and Certificate #
      +
    • DSA:
    • +
      • +
      • 186-4:
      • +
        • +
        • PQGGen:
        • +
          • +
          • L = 2048, N = 256 SHA: SHA-256
          • +
          • L = 3072, N = 256 SHA: SHA-256
          • +
        • +
        • PQGVer:
        • +
          • +
          • L = 2048, N = 256 SHA: SHA-256
          • +
          • L = 3072, N = 256 SHA: SHA-256
          • +
        • +
        • SigGen:
        • +
          • +
          • L = 2048, N = 256 SHA: SHA-256
          • +
          • L = 3072, N = 256 SHA: SHA-256
          • +
        • +
        • SigVer:
        • +
          • +
          • L = 2048, N = 256 SHA: SHA-256
          • +
          • L = 3072, N = 256 SHA: SHA-256
          • +
        • +
        • KeyPair:
        • +
          • +
          • L = 2048, N = 256
          • +
          • L = 3072, N = 256
          • +
        • +
      • +
    • +
    +

    Prerequisite: SHS #4011, DRBG #1732

    Microsoft Surface Hub SymCrypt Cryptographic Implementations #1303

    +

    Version 10.0.15063.674

      +
    • DSA:
    • +
      • +
      • 186-4:
      • +
        • +
        • PQGGen:
        • +
          • +
          • L = 2048, N = 256 SHA: SHA-256
          • +
          • L = 3072, N = 256 SHA: SHA-256
          • +
        • +
        • PQGVer:
        • +
          • +
          • L = 2048, N = 256 SHA: SHA-256
          • +
          • L = 3072, N = 256 SHA: SHA-256
          • +
        • +
        • SigGen:
        • +
          • +
          • L = 2048, N = 256 SHA: SHA-256
          • +
          • L = 3072, N = 256 SHA: SHA-256
          • +
        • +
        • SigVer:
        • +
          • +
          • L = 2048, N = 256 SHA: SHA-256
          • +
          • L = 3072, N = 256 SHA: SHA-256
          • +
        • +
        • KeyPair:
        • +
          • +
          •  
          • +
          •  
          • +
          • L = 2048, N = 256
          • +
          • L = 3072, N = 256
          • +
        • +
      • +
    • +
    +

    Prerequisite: SHS #4010, DRBG #1731

    Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1302

    +

    Version 10.0.15254

      +
    • DSA:
    • +
      • +
      • 186-4:
      • +
        • +
        • PQGGen:
        • +
          • +
          • L = 2048, N = 256 SHA: SHA-256
          • +
          • L = 3072, N = 256 SHA: SHA-256
          • +
        • +
        • PQGVer:
        • +
          • +
          • L = 2048, N = 256 SHA: SHA-256
          • +
          • L = 3072, N = 256 SHA: SHA-256
          • +
        • +
        • SigGen:
        • +
          • +
          • L = 2048, N = 256 SHA: SHA-256
          • +
          • L = 3072, N = 256 SHA: SHA-256
          • +
        • +
        • SigVer:
        • +
          • +
          • L = 2048, N = 256 SHA: SHA-256
          • +
          • L = 3072, N = 256 SHA: SHA-256
          • +
        • +
        • KeyPair:
        • +
          • +
          • L = 2048, N = 256
          • +
          • L = 3072, N = 256
          • +
        • +
      • +
    • +
    +

    Prerequisite: SHS #4009, DRBG #1730

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1301

    +

    Version 10.0.16299

    FIPS186-4:

    +

    PQG(gen)PARMS TESTED:   [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]

    +

    PQG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

    +

    KeyPairGen:   [ (2048,256) ; (3072,256) ]

    +

    SIG(gen)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]

    +

    SIG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

    +

    SHS: Val#3790

    +

    DRBG: Val# 1555

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1223

    +

    Version 10.0.15063

    FIPS186-4:
    +PQG(ver)PARMS TESTED:
      [ (1024,160) SHA( 1 ); ]
    +SIG(ver)PARMS TESTED:   [ (1024,160) SHA( 1 ); ]
    +SHS: Val# 3649

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1188

    +

    Version 7.00.2872

    FIPS186-4:
    +PQG(ver)PARMS TESTED:
      [ (1024,160) SHA( 1 ); ]
    +SIG(ver)PARMS TESTED:   [ (1024,160) SHA( 1 ); ]
    +SHS: Val#3648

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1187

    +

    Version 8.00.6246

    FIPS186-4:
    +PQG(gen)
    PARMS TESTED: [
    +(2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
    +PQG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
    +KeyPairGen:    [ (2048,256) ; (3072,256) ]
    +SIG(gen)PARMS TESTED:   [ (2048,256)
    +SHA( 256 ); (3072,256) SHA( 256 ); ]
    +SIG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

    +

    SHS: Val# 3347
    +DRBG: Val# 1217

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #1098

    +

    Version 10.0.14393

    FIPS186-4:
    +PQG(gen)
    PARMS TESTED:   [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ] PQG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 )]
    +KeyPairGen:    [ (2048,256) ; (3072,256) ] SIG(gen)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]
    +SIG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

    +

    SHS: Val# 3047
    +DRBG: Val# 955

    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations #1024

    +

    Version 10.0.10586

    FIPS186-4:
    +PQG(gen)
    PARMS TESTED:   [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
    +PQG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
    +KeyPairGen:    [ (2048,256) ; (3072,256) ]
    +SIG(gen)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ] SIG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

    +

    SHS: Val# 2886
    +DRBG: Val# 868

    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations #983

    +

    Version 10.0.10240

    FIPS186-4:
    +PQG(gen)
    PARMS TESTED:   [
    +(2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
    +PQG(ver)PARMS TESTED:   [ (2048,256)
    +SHA( 256 ); (3072,256) SHA( 256 ) ]
    +KeyPairGen:    [ (2048,256) ; (3072,256) ]
    +SIG(gen)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]
    +SIG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

    +

    SHS: Val# 2373
    +DRBG: Val# 489

    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #855

    +

    Version 6.3.9600

    FIPS186-2:
    +PQG(ver) MOD(1024);
    +SIG(ver) MOD(1024);
    +SHS: #1903
    +DRBG: #258

    +

    FIPS186-4:
    +PQG(gen)PARMS TESTED
    : [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
    +PQG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
    +SIG(gen)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]
    +SIG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
    +SHS: #1903
    +DRBG: #258
    +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#687.

    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #687
    FIPS186-2:
    +PQG(ver)
    MOD(1024);
    +SIG(ver) MOD(1024);
    +SHS: #1902
    +DRBG: #258
    +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#686.
    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 DSS and Diffie-Hellman Enhanced Cryptographic Provider (DSSENH) #686
    FIPS186-2:
    +SIG(ver)
    MOD(1024);
    +SHS: Val# 1773
    +DRBG: Val# 193
    +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#645.
    Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #645
    FIPS186-2:
    +SIG(ver)
    MOD(1024);
    +SHS: Val# 1081
    +DRBG: Val# 23
    +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#391. See Historical DSA List Val#386.

    Windows Server 2008 R2 and SP1 CNG algorithms #391

    +

    Windows 7 Ultimate and SP1 CNG algorithms #386

    FIPS186-2:
    +SIG(ver)
    MOD(1024);
    +SHS: Val# 1081
    +RNG: Val# 649
    +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#390. See Historical DSA List Val#385.

    Windows Server 2008 R2 and SP1 Enhanced DSS (DSSENH) #390

    +

    Windows 7 Ultimate and SP1 Enhanced DSS (DSSENH) #385

    FIPS186-2:
    +SIG(ver)
    MOD(1024);
    +SHS: Val# 753
    +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#284. See Historical DSA List Val#283.

    Windows Server 2008 CNG algorithms #284

    +

    Windows Vista Ultimate SP1 CNG algorithms #283

    FIPS186-2:
    +SIG(ver)
    MOD(1024);
    +SHS: Val# 753
    +RNG: Val# 435
    +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#282. See Historical DSA List Val#281.

    Windows Server 2008 Enhanced DSS (DSSENH) #282

    +

    Windows Vista Ultimate SP1 Enhanced DSS (DSSENH) #281

    FIPS186-2:
    +SIG(ver)
    MOD(1024);
    +SHS: Val# 618
    +RNG: Val# 321
    +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#227. See Historical DSA List Val#226.

    Windows Vista CNG algorithms #227

    +

    Windows Vista Enhanced DSS (DSSENH) #226

    FIPS186-2:
    +SIG(ver)
    MOD(1024);
    +SHS: Val# 784
    +RNG: Val# 448
    +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#292.
    Windows XP Professional SP3 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #292
    FIPS186-2:
    +SIG(ver)
    MOD(1024);
    +SHS: Val# 783
    +RNG: Val# 447
    +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#291.
    Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #291
    FIPS186-2:
    +PQG(gen)
    MOD(1024);
    +PQG(ver) MOD(1024);
    +KEYGEN(Y) MOD(1024);
    +SIG(gen) MOD(1024);
    +SIG(ver) MOD(1024);
    +SHS: Val# 611
    +RNG: Val# 314
    Windows 2003 SP2 Enhanced DSS and Diffie-Hellman Cryptographic Provider #221
    FIPS186-2:
    +PQG(gen)
    MOD(1024);
    +PQG(ver) MOD(1024);
    +KEYGEN(Y) MOD(1024);
    +SIG(gen) MOD(1024);
    +SIG(ver) MOD(1024);
    +SHS: Val# 385
    Windows Server 2003 SP1 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #146
    FIPS186-2:
    +PQG(ver)
    MOD(1024);
    +KEYGEN(Y) MOD(1024);
    +SIG(gen) MOD(1024);
    +SIG(ver) MOD(1024);
    +SHS: Val# 181
    +
    +
    Windows Server 2003 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #95
    FIPS186-2:
    +PQG(gen)
    MOD(1024);
    +PQG(ver) MOD(1024);
    +KEYGEN(Y) MOD(1024);
    +SIG(gen) MOD(1024);
    +SHS: SHA-1 (BYTE)
    +SIG(ver) MOD(1024);
    +SHS: SHA-1 (BYTE)

    Windows 2000 DSSENH.DLL #29

    +

    Windows 2000 DSSBASE.DLL #28

    +

    Windows NT 4 SP6 DSSENH.DLL #26

    +

    Windows NT 4 SP6 DSSBASE.DLL #25

    FIPS186-2: PRIME;
    +FIPS186-2:

    +

    KEYGEN(Y):
    +SHS: SHA-1 (BYTE)

    +

    SIG(gen):
    +SIG(ver)
    MOD(1024);
    +SHS: SHA-1 (BYTE)

    Windows NT 4.0 SP4 Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider #17
    + + +#### Elliptic Curve Digital Signature Algorithm (ECDSA) + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Modes / States / Key SizesAlgorithm Implementation and Certificate #
      +
    • ECDSA:
    • +
      • +
      • 186-4:
      • +
        • +
        • Key Pair Generation:
        • +
          • +
          • Curves: P-256, P-384, P-521
          • +
          • Generation Methods: Extra Random Bits
          • +
        • +
        • Public Key Validation:
        • +
          • +
          • Curves: P-256, P-384, P-521
          • +
        • +
        • Signature Generation:
        • +
          • +
          • P-256 SHA: SHA-256
          • +
          • P-384 SHA: SHA-384
          • +
          • P-521 SHA: SHA-512
          • +
        • +
        • Signature Verification:
        • +
          • +
          • P-256 SHA: SHA-256
          • +
          • P-384 SHA: SHA-384
          • +
          • P-521 SHA: SHA-512
          • +
        • +
      • +
    • +
    +

    Prerequisite: SHS #2373, DRBG #489

    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #1263

    +

    Version 6.3.9600

      +
    • ECDSA:
    • +
      • +
      • 186-4:
      • +
        • +
        • Key Pair Generation:
        • +
          • +
          • Curves: P-256, P-384
          • +
          • Generation Methods: Testing Candidates
          • +
        • +
      • +
    • +
    +

    Prerequisite: SHS #4011, DRBG #1734

    Microsoft Surface Hub Virtual TPM Implementations #1253

    +

    Version 10.0.15063.674

      +
    • ECDSA:
    • +
      • +
      • 186-4:
      • +
        • +
        • Key Pair Generation:
        • +
          • +
          • Curves: P-256, P-384
          • +
          • Generation Methods: Testing Candidates
          • +
        • +
      • +
    • +
    +

    Prerequisite: SHS #4009, DRBG #1733

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #1252

    +

    Version 10.0.16299

      +
    • ECDSA:
    • +
      • +
      • 186-4:
      • +
        • +
        • Key Pair Generation:
        • +
          • +
          • Curves: P-256, P-384, P-521
          • +
          • Generation Methods: Extra Random Bits
          • +
        • +
        • Public Key Validation:
        • +
          • +
          • Curves: P-256, P-384, P-521
          • +
        • +
        • Signature Generation:
        • +
          • +
          • P-256 SHA: SHA-256
          • +
          • P-384 SHA: SHA-384
          • +
          • P-521 SHA: SHA-512
          • +
        • +
        • Signature Verification:
        • +
          • +
          • P-256 SHA: SHA-256
          • +
          • P-384 SHA: SHA-384
          • +
          • P-521 SHA: SHA-512
          • +
        • +
      • +
    • +
    +

    Prerequisite: SHS #4011, DRBG #1732

    Microsoft Surface Hub MsBignum Cryptographic Implementations #1251

    +

    Version 10.0.15063.674

      +
    • ECDSA:
    • +
      • +
      • 186-4:
      • +
        • +
        • Key Pair Generation:
        • +
          • +
          • Curves: P-256, P-384, P-521
          • +
          • Generation Methods: Extra Random Bits
          • +
        • +
        • Public Key Validation:
        • +
          • +
          • Curves: P-256, P-384, P-521
          • +
        • +
        • Signature Generation:
        • +
          • +
          • P-256 SHA: SHA-256
          • +
          • P-384 SHA: SHA-384
          • +
          • P-521 SHA: SHA-512
          • +
        • +
        • Signature Verification:
        • +
          • +
          • P-256 SHA: SHA-256
          • +
          • P-384 SHA: SHA-384
          • +
          • P-521 SHA: SHA-512
          • +
        • +
      • +
    • +
    +

    Prerequisite: SHS #4011, DRBG #1732

    Microsoft Surface Hub SymCrypt Cryptographic Implementations #1250

    +

    Version 10.0.15063.674

      +
    • ECDSA:
    • +
      • +
      • 186-4:
      • +
        • +
        • Key Pair Generation:
        • +
          • +
          • Curves: P-256, P-384, P-521
          • +
          • Generation Methods: Extra Random Bits
          • +
        • +
        • Public Key Validation:
        • +
          • +
          • Curves: P-256, P-384, P-521
          • +
        • +
        • Signature Generation:
        • +
          • +
          • P-256 SHA: SHA-256
          • +
          • P-384 SHA: SHA-384
          • +
          • P-521 SHA: SHA-512
          • +
        • +
        • Signature Verification:
        • +
          • +
          • P-256 SHA: SHA-256
          • +
          • P-384 SHA: SHA-384
          • +
          • P-521 SHA: SHA-512
          • +
        • +
      • +
    • +
    +

    Prerequisite: SHS #4010, DRBG #1731

    Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1249

    +

    Version 10.0.15254

      +
    • ECDSA:
    • +
      • +
      • 186-4:
      • +
        • +
        • Key Pair Generation:
        • +
          • +
          • Curves: P-256, P-384, P-521
          • +
          • Generation Methods: Extra Random Bits
          • +
        • +
        • Public Key Validation:
        • +
          • +
          • Curves: P-256, P-384, P-521
          • +
        • +
        • Signature Generation:
        • +
          • +
          • P-256 SHA: SHA-256
          • +
          • P-384 SHA: SHA-384
          • +
          • P-521 SHA: SHA-512
          • +
        • +
        • Signature Verification:
        • +
          • +
          • P-256 SHA: SHA-256
          • +
          • P-384 SHA: SHA-384
          • +
          • P-521 SHA: SHA-512
          • +
        • +
      • +
    • +
    +

    Prerequisite: SHS #4010, DRBG #1731

    Windows 10 Mobile (version 1709) MsBignum Cryptographic Implementations #1248

    +

    Version 10.0.15254

      +
    • ECDSA:
    • +
      • +
      • 186-4:
      • +
        • +
        • Key Pair Generation:
        • +
          • +
          • Curves: P-256, P-384, P-521
          • +
          • Generation Methods: Extra Random Bits
          • +
        • +
        • Public Key Validation:
        • +
          • +
          • Curves: P-256, P-384, P-521
          • +
        • +
        • Signature Generation:
        • +
          • +
          • P-256 SHA: SHA-256
          • +
          • P-384 SHA: SHA-384
          • +
          • P-521 SHA: SHA-512
          • +
        • +
        • Signature Verification:
        • +
          • +
          • P-256 SHA: SHA-256
          • +
          • P-384 SHA: SHA-384
          • +
          • P-521 SHA: SHA-512
          • +
        • +
      • +
    • +
    +

    Prerequisite: SHS #4009, DRBG #1730

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #1247

    +

    Version 10.0.16299

      +
    • ECDSA:
    • +
      • +
      • 186-4:
      • +
        • +
        • Key Pair Generation:
        • +
          • +
          • Curves: P-256, P-384, P-521
          • +
          • Generation Methods: Extra Random Bits
          • +
        • +
        • Public Key Validation:
        • +
          • +
          • Curves: P-256, P-384, P-521
          • +
        • +
        • Signature Generation:
        • +
          • +
          • P-256 SHA: SHA-256
          • +
          • P-384 SHA: SHA-384
          • +
          • P-521 SHA: SHA-512
          • +
        • +
        • Signature Verification:
        • +
          • +
          • P-256 SHA: SHA-256
          • +
          • P-384 SHA: SHA-384
          • +
          • P-521 SHA: SHA-512
          • +
        • +
      • +
    • +
    +

    Prerequisite: SHS #4009, DRBG #1730

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1246

    +

    Version 10.0.16299

    FIPS186-4:
    +PKG: CURVES
    ( P-256 P-384 TestingCandidates )
    +SHS: Val#3790
    +DRBG: Val# 1555

    Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #1136

    +

    Version 10.0.15063

    FIPS186-4:
    +PKG: CURVES
    ( P-256 P-384 P-521 ExtraRandomBits )
    +PKV: CURVES( P-256 P-384 P-521 )
    +SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
    +SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
    +SHS: Val#3790
    +DRBG: Val# 1555

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations #1135

    +

    Version 10.0.15063

    FIPS186-4:
    +PKG: CURVES
    ( P-256 P-384 P-521 ExtraRandomBits )
    +PKV: CURVES( P-256 P-384 P-521 )
    +SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
    +SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
    +SHS: Val#3790
    +DRBG: Val# 1555

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1133

    +

    Version 10.0.15063

    FIPS186-4:
    +PKG: CURVES
    ( P-256 P-384 P-521 ExtraRandomBits )
    +PKV: CURVES( P-256 P-384 P-521 )
    +SigGen: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) SIG(gen) with SHA-1 affirmed for use with protocols only.
    +SigVer: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) )
    +SHS:Val# 3649
    +DRBG:Val# 1430

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1073

    +

    Version 7.00.2872

    FIPS186-4:
    +PKG: CURVES
    ( P-256 P-384 P-521 ExtraRandomBits )
    +PKV: CURVES( P-256 P-384 P-521 )
    +SigGen: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) SIG(gen) with SHA-1 affirmed for use with protocols only.
    +SigVer: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) )
    +SHS:Val#3648
    +DRBG:Val# 1429

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1072

    +

    Version 8.00.6246

    FIPS186-4:
    +PKG: CURVES
    ( P-256 P-384 TestingCandidates )
    +PKV: CURVES( P-256 P-384 )
    +SigGen: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 256, 384) SIG(gen) with SHA-1 affirmed for use with protocols only.
    +SigVer: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 256, 384) )

    +

    SHS: Val# 3347
    +DRBG: Val# 1222

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #920

    +

    Version 10.0.14393

    FIPS186-4:
    +PKG: CURVES
    ( P-256 P-384 P-521 ExtraRandomBits )
    +PKV: CURVES( P-256 P-384 P-521 )
    +SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
    +SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )

    +

    SHS: Val# 3347
    +DRBG: Val# 1217

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #911

    +

    Version 10.0.14393

    FIPS186-4:
    +PKG: CURVES
    ( P-256 P-384 P-521 ExtraRandomBits )
    +SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
    +SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )

    +

    SHS: Val# 3047
    +DRBG: Val# 955

    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations #760

    +

    Version 10.0.10586

    FIPS186-4:
    +PKG: CURVES
    ( P-256 P-384 P-521 ExtraRandomBits )
    +SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
    +SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )

    +

    SHS: Val# 2886
    +DRBG: Val# 868

    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations #706

    +

    Version 10.0.10240

    FIPS186-4:
    +PKG: CURVES
    ( P-256 P-384 P-521 ExtraRandomBits )
    +SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
    +SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )

    +

    SHS: Val#2373
    +DRBG: Val# 489

    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #505

    +

    Version 6.3.9600

    FIPS186-2:
    +PKG: CURVES
    ( P-256 P-384 P-521 )
    +SHS: #1903
    +DRBG: #258
    +SIG(ver):CURVES( P-256 P-384 P-521 )
    +SHS: #1903
    +DRBG: #258

    +

    FIPS186-4:
    +PKG: CURVES
    ( P-256 P-384 P-521 ExtraRandomBits )
    +SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
    +SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
    +SHS: #1903
    +DRBG: #258
    +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#341.

    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #341

    FIPS186-2:
    +PKG: CURVES
    ( P-256 P-384 P-521 )
    +SHS: Val#1773
    +DRBG: Val# 193
    +SIG(ver): CURVES( P-256 P-384 P-521 )
    +SHS: Val#1773
    +DRBG: Val# 193

    +

    FIPS186-4:
    +PKG: CURVES
    ( P-256 P-384 P-521 ExtraRandomBits )
    +SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
    +SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
    +SHS: Val#1773
    +DRBG: Val# 193
    +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#295.

    Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #295
    FIPS186-2:
    +PKG: CURVES
    ( P-256 P-384 P-521 )
    +SHS: Val#1081
    +DRBG: Val# 23
    +SIG(ver): CURVES( P-256 P-384 P-521 )
    +SHS: Val#1081
    +DRBG: Val# 23
    +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#142. See Historical ECDSA List Val#141.

    Windows Server 2008 R2 and SP1 CNG algorithms #142

    +

    Windows 7 Ultimate and SP1 CNG algorithms #141

    FIPS186-2:
    +PKG: CURVES
    ( P-256 P-384 P-521 )
    +SHS: Val#753
    +SIG(ver): CURVES( P-256 P-384 P-521 )
    +SHS: Val#753
    +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#83. See Historical ECDSA List Val#82.

    Windows Server 2008 CNG algorithms #83

    +

    Windows Vista Ultimate SP1 CNG algorithms #82

    FIPS186-2:
    +PKG: CURVES
    ( P-256 P-384 P-521 )
    +SHS: Val#618
    +RNG: Val# 321
    +SIG(ver): CURVES( P-256 P-384 P-521 )
    +SHS: Val#618
    +RNG: Val# 321
    +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#60.
    Windows Vista CNG algorithms #60
    + + +#### Keyed-Hash Message Authentication Code (HMAC) + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Modes / States / Key SizesAlgorithm Implementation and Certificate #
      +
    • HMAC-SHA-1:
    • +
      • +
      • Key Sizes &lt; Block Size
      • +
      • Key Sizes &gt; Block Size
      • +
      • Key Sizes = Block Size
      • +
    • +
    • HMAC-SHA2-256:
    • +
      • +
      • Key Sizes &lt; Block Size
      • +
      • Key Sizes &gt; Block Size
      • +
      • Key Sizes = Block Size
      • +
    • +
    • HMAC-SHA2-384:
    • +
      • +
      • Key Sizes &lt; Block Size
      • +
      • Key Sizes &gt; Block Size
      • +
      • Key Sizes = Block Size
      • +
    • +
    +

    Prerequisite: SHS #4011

    Microsoft Surface Hub Virtual TPM Implementations #3271

    +

    Version 10.0.15063.674

      +
    • HMAC-SHA-1:
    • +
      • +
      • Key Sizes &lt; Block Size
      • +
      • Key Sizes &gt; Block Size
      • +
      • Key Sizes = Block Size
      • +
    • +
    • HMAC-SHA2-256:
    • +
      • +
      • Key Sizes &lt; Block Size
      • +
      • Key Sizes &gt; Block Size
      • +
      • Key Sizes = Block Size
      • +
    • +
    • HMAC-SHA2-384:
    • +
      • +
      • Key Sizes &lt; Block Size
      • +
      • Key Sizes &gt; Block Size
      • +
      • Key Sizes = Block Size
      • +
    • +
    +

    Prerequisite: SHS #4009

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #3270

    +

    Version 10.0.16299

      +
    • HMAC-SHA-1:
    • +
      • +
      • Key Sizes &lt; Block Size
      • +
      • Key Sizes &gt; Block Size
      • +
      • Key Sizes = Block Size
      • +
    • +
    • HMAC-SHA2-256:
    • +
      • +
      • Key Sizes &lt; Block Size
      • +
      • Key Sizes &gt; Block Size
      • +
      • Key Sizes = Block Size
      • +
    • +
    • HMAC-SHA2-384:
    • +
      • +
      • Key Sizes &lt; Block Size
      • +
      • Key Sizes &gt; Block Size
      • +
      • Key Sizes = Block Size
      • +
    • +
    • HMAC-SHA2-512:
    • +
      • +
      • Key Sizes &lt; Block Size
      • +
      • Key Sizes &gt; Block Size
      • +
      • Key Sizes = Block Size
      • +
    • +
    +

    Prerequisite: SHS #4011

    Microsoft Surface Hub SymCrypt Cryptographic Implementations #3269

    +

    Version 10.0.15063.674

      +
    • HMAC-SHA-1:
    • +
      • +
      • Key Sizes &lt; Block Size
      • +
      • Key Sizes &gt; Block Size
      • +
      • Key Sizes = Block Size
      • +
    • +
    • HMAC-SHA2-256:
    • +
      • +
      • Key Sizes &lt; Block Size
      • +
      • Key Sizes &gt; Block Size
      • +
      • Key Sizes = Block Size
      • +
    • +
    • HMAC-SHA2-384:
    • +
      • +
      • Key Sizes &lt; Block Size
      • +
      • Key Sizes &gt; Block Size
      • +
      • Key Sizes = Block Size
      • +
    • +
    • HMAC-SHA2-512:
    • +
      • +
      • Key Sizes &lt; Block Size
      • +
      • Key Sizes &gt; Block Size
      • +
      • Key Sizes = Block Size
      • +
    • +
    +

    Prerequisite: SHS #4010

    Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #3268

    +

    Version 10.0.15254

      +
    • HMAC-SHA-1:
    • +
      • +
      • Key Sizes &lt; Block Size
      • +
      • Key Sizes &gt; Block Size
      • +
      • Key Sizes = Block Size
      • +
    • +
    • HMAC-SHA2-256:
    • +
      • +
      • Key Sizes &lt; Block Size
      • +
      • Key Sizes &gt; Block Size
      • +
      • Key Sizes = Block Size
      • +
    • +
    • HMAC-SHA2-384:
    • +
      • +
      • Key Sizes &lt; Block Size
      • +
      • Key Sizes &gt; Block Size
      • +
      • Key Sizes = Block Size
      • +
    • +
    • HMAC-SHA2-512:
    • +
      • +
      • Key Sizes &lt; Block Size
      • +
      • Key Sizes &gt; Block Size
      • +
      • Key Sizes = Block Size
      • +
    • +
    +

    Prerequisite: SHS #4009

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #3267

    +

    Version 10.0.16299

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3790

    +

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3790

    +

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3790

    Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #3062

    +

    Version 10.0.15063

    HMAC-SHA1(Key Sizes Ranges Tested: KSBS ) SHS Val#3790

    +

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3790

    +

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3790

    +

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val#3790

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #3061

    +

    Version 10.0.15063

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3652

    +

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3652

    +

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3652

    +

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#3652

    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2946

    +

    Version 7.00.2872

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3651

    +

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3651

    +

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3651

    +

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#3651

    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2945

    +

    Version 8.00.6246

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val# 3649

    +

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val# 3649

    +

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val# 3649

    +

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal# 3649

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2943

    +

    Version 7.00.2872

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3648

    +

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3648

    +

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3648

    +

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#3648

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2942

    +

    Version 8.00.6246

    HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS )
    +SHS Val# 3347

    +

    HMAC-SHA256 ( Key Size Ranges Tested:  KSBS )
    +SHS Val# 3347

    +

    HMAC-SHA384 ( Key Size Ranges Tested:  KSBS )
    +SHS Val# 3347

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #2661

    +

    Version 10.0.14393

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val# 3347

    +

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val# 3347

    +

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val# 3347

    +

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val# 3347

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #2651

    +

    Version 10.0.14393

    HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS )
    +SHS Val# 3047

    +

    HMAC-SHA256 ( Key Size Ranges Tested:  KSBS )
    +SHS Val# 3047

    +

    HMAC-SHA384 ( Key Size Ranges Tested:  KSBS )
    +SHS Val# 3047

    +

    HMAC-SHA512 ( Key Size Ranges Tested:  KSBS )
    +SHS Val# 3047

    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” SymCrypt Cryptographic Implementations #2381

    +

    Version 10.0.10586

    HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS )
    +SHSVal# 2886

    +

    HMAC-SHA256 ( Key Size Ranges Tested:  KSBS )
    +SHSVal# 2886

    +

    HMAC-SHA384 ( Key Size Ranges Tested:  KSBS )
    + SHSVal# 2886

    +

    HMAC-SHA512 ( Key Size Ranges Tested:  KSBS )
    +SHSVal# 2886

    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #2233

    +

    Version 10.0.10240

    HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS )
    +SHS Val#2373

    +

    HMAC-SHA256 ( Key Size Ranges Tested:  KSBS )
    +SHS Val#2373

    +

    HMAC-SHA384 ( Key Size Ranges Tested:  KSBS )
    +SHS Val#2373

    +

    HMAC-SHA512 ( Key Size Ranges Tested:  KSBS )
    +SHS Val#2373

    Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #1773

    +

    Version 6.3.9600

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#2764

    +

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#2764

    +

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#2764

    +

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val#2764

    Windows CE and Windows Mobile, and Windows Embedded Handheld Enhanced Cryptographic Provider (RSAENH) #2122

    +

    Version 5.2.29344

    HMAC-SHA1 (Key Sizes Ranges Tested: KS#1902

    +

    HMAC-SHA256 ( Key Size Ranges Tested: KS#1902

    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 BitLocker® Cryptographic Implementations #1347

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS#1902

    +

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS#1902

    +

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS#1902

    +

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS#1902

    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Enhanced Cryptographic Provider (RSAENH) #1346

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS )

    +

    SHS#1903

    +

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS )

    +

    SHS#1903

    +

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS )

    +

    SHS#1903

    +

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS )

    +

    SHS#1903

    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #1345

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#1773

    +

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#1773

    +

    Tinker HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#1773

    +

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#1773

    Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #1364

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#1774

    +

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#1774

    +

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#1774

    +

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#1774

    Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1227

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#1081

    +

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#1081

    +

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#1081

    +

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#1081

    Windows Server 2008 R2 and SP1 CNG algorithms #686

    +

    Windows 7 and SP1 CNG algorithms #677

    +

    Windows Server 2008 R2 Enhanced Cryptographic Provider (RSAENH) #687

    +

    Windows 7 Enhanced Cryptographic Provider (RSAENH) #673

    HMAC-SHA1(Key Sizes Ranges Tested: KSVal#1081

    +

    HMAC-SHA256 ( Key Size Ranges Tested: KSVal#1081

    Windows 7 and SP1 and Windows Server 2008 R2 and SP1 BitLocker Algorithm Implementations #675

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#816

    +

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#816

    +

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#816

    +

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#816

    Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #452

    HMAC-SHA1 (Key Sizes Ranges Tested: KSVal#753

    +

    HMAC-SHA256 ( Key Size Ranges Tested: KSVal#753

    Windows Vista Ultimate SP1 and Windows Server 2008 BitLocker Algorithm Implementations #415

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#753

    +

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#753

    +

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#753

    +

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS )SHS Val#753

    Windows Server 2008 Enhanced Cryptographic Provider (RSAENH) #408

    +

    Windows Vista Enhanced Cryptographic Provider (RSAENH) #407

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS )SHSVal#618

    +

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#618

    +

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#618

    +

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#618

    Windows Vista Enhanced Cryptographic Provider (RSAENH) #297
    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#785

    Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) #429

    +

    Windows XP, vendor-affirmed

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#783

    +

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#783

    +

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#783

    +

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#783

    Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #428

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#613

    +

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#613

    +

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#613

    +

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#613

    Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #289
    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#610Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) #287

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#753

    +

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#753

    +

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#753

    +

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#753

    Windows Server 2008 CNG algorithms #413

    +

    Windows Vista Ultimate SP1 CNG algorithms #412

    HMAC-SHA1 (Key Sizes Ranges Tested: KSVal#737

    +

    HMAC-SHA256 ( Key Size Ranges Tested: KSVal#737

    Windows Vista Ultimate BitLocker Drive Encryption #386

    HMAC-SHA1 ( Key Sizes Ranges Tested: KSBS ) SHSVal#618

    +

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#618

    +

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#618

    +

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#618

    Windows Vista CNG algorithms #298

    HMAC-SHA1 ( Key Sizes Ranges Tested: KSBS ) SHSVal#589

    +

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS )SHSVal#589

    +

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#589

    +

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#589

    Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #267

    HMAC-SHA1 ( Key Sizes Ranges Tested: KSBS ) SHSVal#578

    +

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#578

    +

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#578

    +

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#578

    Windows CE and Windows Mobile 6.0 and Windows Mobil 6.5 Enhanced Cryptographic Provider (RSAENH) #260

    HMAC-SHA1 (Key Sizes Ranges Tested: KSVal#495

    +

    HMAC-SHA256 ( Key Size Ranges Tested: KSVal#495

    Windows Vista BitLocker Drive Encryption #199
    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#364

    Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #99

    +

    Windows XP, vendor-affirmed

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#305

    +

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#305

    +

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#305

    +

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#305

    Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) #31
    + + +#### Key Agreement Scheme (KAS) + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Modes / States / Key SizesAlgorithm Implementation and Certificate #
      +
    • KAS ECC:
    • +
      • +
      • Functions: Domain Parameter Generation, Domain Parameter Validation, Full Public Key Validation, Key Pair Generation, Public Key Regeneration
      • +
      • Schemes:
      • +
        • +
        • Full Unified:
        • +
          • +
          • Key Agreement Roles: Initiator, Responder
          • +
          • KDFs: Concatenation
          • +
          • Parameter Sets:
          • +
            • +
            • EC:
            • +
              • +
              • Curve: P-256
              • +
              • SHA: SHA-256
              • +
              • MAC: HMAC
              • +
            • +
            • ED:
            • +
              • +
              • Curve: P-384
              • +
              • SHA: SHA-384
              • +
              • MAC: HMAC
              • +
            • +
          • +
        • +
      • +
    • +
    +

    Prerequisite: SHS #4011, ECDSA #1253, DRBG #1734

    Microsoft Surface Hub Virtual TPM Implementations #150

    +

    Version 10.0.15063.674

      +
    • KAS ECC:
    • +
      • +
      • Functions: Domain Parameter Generation, Domain Parameter Validation, Full Public Key Validation, Key Pair Generation, Public Key Regeneration
      • +
      • Schemes:
      • +
        • +
        • Full Unified:
        • +
          • +
          • Key Agreement Roles: Initiator, Responder
          • +
          • KDFs: Concatenation
          • +
          • Parameter Sets:
          • +
            • +
            • EC:
            • +
              • +
              • Curve: P-256
              • +
              • SHA: SHA-256
              • +
              • MAC: HMAC
              • +
            • +
            • ED:
            • +
              • +
              • Curve: P-384
              • +
              • SHA: SHA-384
              • +
              • MAC: HMAC
              • +
            • +
          • +
        • +
      • +
    • +
    +

    Prerequisite: SHS #4009, ECDSA #1252, DRBG #1733

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #149

    +

    Version 10.0.16299

      +
    • KAS ECC:
    • +
      • +
      • Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation, Public Key Regeneration
      • +
      • Schemes:
      • +
        • +
        • Ephemeral Unified:
        • +
          • +
          • Key Agreement Roles: Initiator, Responder
          • +
          • KDFs: Concatenation
          • +
          • Parameter Sets:
          • +
            • +
            • EC:
            • +
              • +
              • Curve: P-256
              • +
              • SHA: SHA-256
              • +
              • MAC: HMAC
              • +
            • +
            • ED:
            • +
              • +
              • Curve: P-384
              • +
              • SHA: SHA-384
              • +
              • MAC: HMAC
              • +
            • +
            • EE:
            • +
              • +
              • Curve: P-521
              • +
              • SHA: SHA-512
              • +
              • MAC: HMAC
              • +
            • +
          • +
        • +
        • One Pass DH:
        • +
          • +
          • Key Agreement Roles: Initiator, Responder
          • +
          • Parameter Sets:
          • +
            • +
            • EC:
            • +
              • +
              • Curve: P-256
              • +
              • SHA: SHA-256
              • +
              • MAC: HMAC
              • +
            • +
            • ED:
            • +
              • +
              • Curve: P-384
              • +
              • SHA: SHA-384
              • +
              • MAC: HMAC
              • +
            • +
            • EE:
            • +
              • +
              • Curve: P-521
              • +
              • SHA: SHA-512
              • +
              • MAC: HMAC
              • +
            • +
          • +
        • +
        • Static Unified:
        • +
          • +
          • Key Agreement Roles: Initiator, Responder
          • +
          • Parameter Sets:
          • +
            • +
            • EC:
            • +
              • +
              • Curve: P-256
              • +
              • SHA: SHA-256
              • +
              • MAC: HMAC
              • +
            • +
            • ED:
            • +
              • +
              • Curve: P-384
              • +
              • SHA: SHA-384
              • +
              • MAC: HMAC
              • +
            • +
            • EE:
            • +
              • +
              • Curve: P-521
              • +
              • SHA: SHA-512
              • +
              • MAC: HMAC
              • +
            • +
          • +
        • +
      • +
    • +
    +

    Prerequisite: SHS #4011, ECDSA #1250, DRBG #1732

    +
      +
    • KAS FFC:
    • +
      • +
      • Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation
      • +
      • Schemes:
      • +
        • +
        • dhEphem:
        • +
          • +
          • Key Agreement Roles: Initiator, Responder
          • +
          • Parameter Sets:
          • +
            • +
            • FB:
            • +
              • +
              • SHA: SHA-256
              • +
              • MAC: HMAC
              • +
            • +
            • FC:
            • +
              • +
              • SHA: SHA-256
              • +
              • MAC: HMAC
              • +
            • +
          • +
        • +
        • dhOneFlow:
        • +
          • +
          • Key Agreement Roles: Initiator, Responder
          • +
          • Parameter Sets:
          • +
            • +
            • FB:
            • +
              • +
              • SHA: SHA-256
              • +
              • MAC: HMAC
              • +
            • +
            • FC:
            • +
              • +
              • SHA: SHA-256
              • +
              • MAC: HMAC
              • +
            • +
          • +
        • +
        • dhStatic:
        • +
          • +
          • Key Agreement Roles: Initiator, Responder
          • +
          • Parameter Sets:
          • +
            • +
            • FB:
            • +
              • +
              • SHA: SHA-256
              • +
              • MAC: HMAC
              • +
            • +
            • FC:
            • +
              • +
              • SHA: SHA-256
              • +
              • MAC: HMAC
              • +
            • +
          • +
        • +
      • +
    • +
    +

    Prerequisite: SHS #4011, DSA #1303, DRBG #1732

    Microsoft Surface Hub SymCrypt Cryptographic Implementations #148

    +

    Version 10.0.15063.674

      +
    • KAS ECC:
    • +
      • +
      • Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation, Public Key Regeneration
      • +
      • Schemes:
      • +
        • +
        • Ephemeral Unified:
        • +
          • +
          • Key Agreement Roles: Initiator, Responder
          • +
          • KDFs: Concatenation
          • +
          • Parameter Sets:
          • +
            • +
            • EC:
            • +
              • +
              • Curve: P-256
              • +
              • SHA: SHA-256
              • +
              • MAC: HMAC
              • +
            • +
            • ED:
            • +
              • +
              • Curve: P-384
              • +
              • SHA: SHA-384
              • +
              • MAC: HMAC
              • +
            • +
            • EE:
            • +
              • +
              • Curve: P-521
              • +
              • SHA: SHA-512
              • +
              • MAC: HMAC
              • +
            • +
          • +
        • +
        • One Pass DH:
        • +
          • +
          • Key Agreement Roles: Initiator, Responder
          • +
          • Parameter Sets:
          • +
            • +
            • EC:
            • +
              • +
              • Curve: P-256
              • +
              • SHA: SHA-256
              • +
              • MAC: HMAC
              • +
            • +
            • ED:
            • +
              • +
              • Curve: P-384
              • +
              • SHA: SHA-384
              • +
              • MAC: HMAC
              • +
            • +
            • EE:
            • +
              • +
              • Curve: P-521
              • +
              • SHA: SHA-512
              • +
              • MAC: HMAC
              • +
            • +
          • +
        • +
        • Static Unified:
        • +
          • +
          • Key Agreement Roles: Initiator, Responder
          • +
          • Parameter Sets:
          • +
            • +
            • EC:
            • +
              • +
              • Curve: P-256
              • +
              • SHA: SHA-256
              • +
              • MAC: HMAC
              • +
            • +
            • ED:
            • +
              • +
              • Curve: P-384
              • +
              • SHA: SHA-384
              • +
              • MAC: HMAC
              • +
            • +
            • EE:
            • +
              • +
              • Curve: P-521
              • +
              • SHA: SHA-512
              • +
              • MAC: HMAC
              • +
            • +
          • +
        • +
      • +
    • +
    +

    Prerequisite: SHS #4010, ECDSA #1249, DRBG #1731

    +
      +
    • KAS FFC:
    • +
      • +
      • Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation
      • +
      • Schemes:
      • +
        • +
        • dhEphem:
        • +
          • +
          • Key Agreement Roles: Initiator, Responder
          • +
          • Parameter Sets:
          • +
            • +
            • FB:
            • +
              • +
              • SHA: SHA-256
              • +
              • MAC: HMAC
              • +
            • +
            • FC:
            • +
              • +
              • SHA: SHA-256
              • +
              • MAC: HMAC
              • +
            • +
          • +
        • +
        • dhOneFlow:
        • +
          • +
          • Key Agreement Roles: Initiator, Responder
          • +
          • Parameter Sets:
          • +
            • +
            • FB:
            • +
              • +
              • SHA: SHA-256
              • +
              • MAC: HMAC
              • +
            • +
            • FC:
            • +
              • +
              • SHA: SHA-256
              • +
              • MAC: HMAC
              • +
            • +
          • +
        • +
        • dhStatic:
        • +
          • +
          • Key Agreement Roles: Initiator, Responder
          • +
          • Parameter Sets:
          • +
            • +
            • FB:
            • +
              • +
              • SHA: SHA-256
              • +
              • MAC: HMAC
              • +
            • +
            • FC:
            • +
              • +
              • SHA: SHA-256
              • +
              • MAC: HMAC
              • +
            • +
          • +
        • +
      • +
    • +
    +

    Prerequisite: SHS #4010, DSA #1302, DRBG #1731

    Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #147

    +

    Version 10.0.15254

      +
    • KAS ECC:
    • +
      • +
      • Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation, Public Key Regeneration
      • +
      • Schemes:
      • +
        • +
        • Ephemeral Unified:
        • +
          • +
          • Key Agreement Roles: Initiator, Responder
          • +
          • KDFs: Concatenation
          • +
          • Parameter Sets:
          • +
            • +
            • EC:
            • +
              • +
              • Curve: P-256
              • +
              • SHA: SHA-256
              • +
              • MAC: HMAC
              • +
            • +
            • ED:
            • +
              • +
              • Curve: P-384
              • +
              • SHA: SHA-384
              • +
              • MAC: HMAC
              • +
            • +
            • EE:
            • +
              • +
              • Curve: P-521
              • +
              • SHA: SHA-512
              • +
              • MAC: HMAC
              • +
            • +
          • +
        • +
        • One Pass DH:
        • +
          • +
          • Key Agreement Roles: Initiator, Responder
          • +
          • Parameter Sets:
          • +
            • +
            • EC:
            • +
              • +
              • Curve: P-256
              • +
              • SHA: SHA-256
              • +
              • MAC: HMAC
              • +
            • +
            • ED:
            • +
              • +
              • Curve: P-384
              • +
              • SHA: SHA-384
              • +
              • MAC: HMAC
              • +
            • +
            • EE:
            • +
              • +
              • Curve: P-521
              • +
              • SHA: SHA-512
              • +
              • MAC: HMAC
              • +
            • +
          • +
        • +
        • Static Unified:
        • +
          • +
          • Key Agreement Roles: Initiator, Responder
          • +
          • Parameter Sets:
          • +
            • +
            • EC:
            • +
              • +
              • Curve: P-256
              • +
              • SHA: SHA-256
              • +
              • MAC: HMAC
              • +
            • +
            • ED:
            • +
              • +
              • Curve: P-384
              • +
              • SHA: SHA-384
              • +
              • MAC: HMAC
              • +
            • +
            • EE:
            • +
              • +
              • Curve: P-521
              • +
              • SHA: SHA-512
              • +
              • MAC: HMAC
              • +
            • +
          • +
        • +
      • +
    • +
    +

    Prerequisite: SHS #4009, ECDSA #1246, DRBG #1730

    +
      +
    • KAS FFC:
    • +
      • +
      • Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation
      • +
      • Schemes:
      • +
        • +
        • dhEphem:
        • +
          • +
          • Key Agreement Roles: Initiator, Responder
          • +
          • Parameter Sets:
          • +
            • +
            • FB:
            • +
              • +
              • SHA: SHA-256
              • +
              • MAC: HMAC
              • +
            • +
            • FC:
            • +
              • +
              • SHA: SHA-256
              • +
              • MAC: HMAC
              • +
            • +
          • +
        • +
        • dhOneFlow:
        • +
          • +
          • Key Agreement Roles: Initiator, Responder
          • +
          • Parameter Sets:
          • +
            • +
            • FB:
            • +
              • +
              • SHA: SHA-256
              • +
              • MAC: HMAC
              • +
            • +
            • FC:
            • +
              • +
              • SHA: SHA-256
              • +
              • MAC: HMAC
              • +
            • +
          • +
        • +
        • dhStatic:
        • +
          • +
          • Key Agreement Roles: Initiator, Responder
          • +
          • Parameter Sets:
          • +
            • +
            • FB:
            • +
              • +
              • SHA: SHA-256
              • +
              • MAC: HMAC
              • +
            • +
            • FC:
            • +
              • +
              • SHA: SHA-256
              • +
              • MAC: HMAC
              • +
            • +
          • +
        • +
      • +
    • +
    +

    Prerequisite: SHS #4009, DSA #1301, DRBG #1730

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #146

    +

    Version 10.0.16299

    ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Full Validation   Key Regeneration ) SCHEMES [ FullUnified ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ]

    +

    SHS Val#3790
    +DSA Val#1135
    +DRBG Val#1556

    Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #128

    +

    Version 10.0.15063

    FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
    +( FB: SHA256 ) ( FC: SHA256 ) ]
    +[ dhOneFlow ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( FB: SHA256 HMAC ) ( FC: SHA256   HMAC ) ]
    +SHS Val#3790
    +DSA Val#1223
    +DRBG Val#1555

    +

    ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES [ EphemeralUnified ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
    +[ OnePassDH ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]
    +[ StaticUnified ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]
    +
    +SHS Val#3790
    +ECDSA Val#1133
    +DRBG Val#1555

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #127

    +

    Version 10.0.15063

    FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
    +( FB: SHA256 ) ( FC: SHA256 ) ]
    +[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( FB: SHA256 HMAC ) ( FC: SHA256   HMAC ) ]
    +SHS Val# 3649
    +DSA Val#1188
    +DRBG Val#1430

    +

    ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
    +[ OnePassDH ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]
    +[ StaticUnified ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #115

    +

    Version 7.00.2872

    FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
    +( FB: SHA256 ) ( FC: SHA256 ) ]
    +[ dhHybridOneFlow ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( FB:SHA256 HMAC ) ( FC: SHA256   HMAC ) ]
    +[ dhStatic ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( FB:SHA256 HMAC ) ( FC: SHA256   HMAC ) ]
    +SHS Val#3648
    +DSA Val#1187
    +DRBG Val#1429

    +

    ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
    +[ OnePassDH ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]
    +[ StaticUnified ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]
    +
    +SHS Val#3648
    +ECDSA Val#1072
    +DRBG Val#1429

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #114

    +

    Version 8.00.6246

    ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Full Validation   Key Regeneration )
    +SCHEMES  [ FullUnified  ( No_KC  &lt; KARole(s): Initiator / Responder &gt; &lt; KDF: CONCAT &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ]

    +

    SHS Val# 3347 ECDSA Val#920 DRBG Val#1222

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #93

    +

    Version 10.0.14393

    FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation )
    +SCHEMES  [ dhEphem  ( KARole(s): Initiator / Responder )
    +( FB: SHA256 ) ( FC: SHA256 ) ]
    +[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB:  SHA256 ) ( FC:  SHA256 ) ] [ dhStatic (No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( FB:  SHA256 HMAC ) ( FC:  SHA256   HMAC ) ]

    +

    SHS Val# 3347 DSA Val#1098 DRBG Val#1217

    +

    ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES  [ EphemeralUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
    +[ OnePassDH  ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]
    +[ StaticUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]

    +

    SHS Val# 3347 DSA Val#1098 ECDSA Val#911 DRBG Val#1217 HMAC Val#2651

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #92

    +

    Version 10.0.14393

    FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES  [ dhEphem  ( KARole(s): Initiator / Responder )
    +( FB: SHA256 ) ( FC: SHA256 ) ]
    +[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB:  SHA256 ) ( FC:  SHA256 ) ] [ dhStatic ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( FB:  SHA256 HMAC ) ( FC:  SHA256   HMAC ) ]

    +

    SHS Val# 3047 DSA Val#1024 DRBG Val#955

    +

    ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES  [ EphemeralUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
    +[ OnePassDH  ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]
    +[ StaticUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]

    +

    SHS Val# 3047 ECDSA Val#760 DRBG Val#955

    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub Cryptography Next Generation (CNG) Implementations #72

    +

    Version 10.0.10586

    FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES  [ dhEphem  ( KARole(s): Initiator / Responder )
    +( FB: SHA256 ) ( FC: SHA256 ) ]
    +[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB:  SHA256 ) ( FC:  SHA256 ) ] [ dhStatic ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( FB:  SHA256 HMAC ) ( FC:  SHA256   HMAC ) ]

    +

    SHS Val# 2886 DSA Val#983 DRBG Val#868

    +

    ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES  [ EphemeralUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
    +[ OnePassDH  ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]
    +[ StaticUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]

    +

    SHS Val# 2886 ECDSA Val#706 DRBG Val#868

    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations #64

    +

    Version 10.0.10240

    FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES  [ dhEphem  ( KARole(s): Initiator / Responder )
    +( FB: SHA256 ) ( FC: SHA256 ) ]
    +[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB:  SHA256 ) ( FC:  SHA256 ) ] [ dhStatic ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( FB:  SHA256 HMAC ) ( FC:  SHA256   HMAC ) ]

    +

    SHS Val#2373 DSA Val#855 DRBG Val#489

    +

    ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES  [ EphemeralUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
    +[ OnePassDH  ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]
    +[ StaticUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]

    +

    SHS Val#2373 ECDSA Val#505 DRBG Val#489

    Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations #47

    +

    Version 6.3.9600

    FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
    +( FA: SHA256 ) ( FB: SHA256 ) ( FC: SHA256 ) ]
    +[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FA: SHA256 ) ( FB: SHA256 ) ( FC: SHA256 ) ]
    +[ dhStatic ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( FA: SHA256 HMAC ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
    +SHS #1903 DSA Val#687 DRBG #258

    +

    ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
    +[ OnePassDH( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256 SHA256 ) ( ED: P-384 SHA384 ) ( EE: P-521 (SHA512, HMAC_SHA512) ) ) ]
    +[ StaticUnified ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
    +
    +SHS #1903 ECDSA Val#341 DRBG #258

    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #36

    KAS (SP 800–56A)

    +

    key agreement

    +

    key establishment methodology provides 80 to 256 bits of encryption strength

    Windows 7 and SP1, vendor-affirmed

    +

    Windows Server 2008 R2 and SP1, vendor-affirmed

    + + +SP 800-108 Key-Based Key Derivation Functions (KBKDF) + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Modes / States / Key SizesAlgorithm Implementation and Certificate #
      +
    • Counter:
    • +
      • +
      • MACs: HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384
      • +
    • +
    +

    MAC prerequisite: HMAC #3271

    +
    +
      +
    • Counter Location: Before Fixed Data
    • +
    • R Length: 32 (bits)
    • +
    • SPs used to generate K: SP 800-56A, SP 800-90A
    • +
    +
    +

    K prerequisite: DRBG #1734, KAS #150

    Microsoft Surface Hub Virtual TPM Implementations #161

    +

    Version 10.0.15063.674

      +
    • Counter:
    • +
      • +
      • MACs: HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384
      • +
    • +
    +

    MAC prerequisite: HMAC #3270

    +
    +
      +
    • Counter Location: Before Fixed Data
    • +
    • R Length: 32 (bits)
    • +
    • SPs used to generate K: SP 800-56A, SP 800-90A
    • +
    +
    +

    K prerequisite: DRBG #1733, KAS #149

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #160

    +

    Version 10.0.16299

      +
    • Counter:
    • +
      • +
      • MACs: CMAC-AES-128, CMAC-AES-192, CMAC-AES-256, HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512
      • +
    • +
    +

    MAC prerequisite: AES #4902, HMAC #3269

    +
    +
      +
    • Counter Location: Before Fixed Data
    • +
    • R Length: 32 (bits)
    • +
    • SPs used to generate K: SP 800-56A, SP 800-90A
    • +
    • K prerequisite: KAS #148
    • +
    +

    Microsoft Surface Hub Cryptography Next Generation (CNG) Implementations #159

    +

    Version 10.0.15063.674

      +
    • Counter:
    • +
      • +
      • MACs: CMAC-AES-128, CMAC-AES-192, CMAC-AES-256, HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512
      • +
    • +
    +

    MAC prerequisite: AES #4901, HMAC #3268

    +
    +
      +
    • Counter Location: Before Fixed Data
    • +
    • R Length: 32 (bits)
    • +
    • SPs used to generate K: SP 800-56A, SP 800-90A
    • +
    +
    +

    K prerequisite: KAS #147

    Windows 10 Mobile (version 1709) Cryptography Next Generation (CNG) Implementations #158

    +

    Version 10.0.15254

      +
    • Counter:
    • +
      • +
      • MACs: CMAC-AES-128, CMAC-AES-192, CMAC-AES-256, HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512
      • +
    • +
    +

    MAC prerequisite: AES #4897, HMAC #3267

    +
    +
      +
    • Counter Location: Before Fixed Data
    • +
    • R Length: 32 (bits)
    • +
    • SPs used to generate K: SP 800-56A, SP 800-90A
    • +
    +
    +

    K prerequisite: KAS #146

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Cryptography Next Generation (CNG) Implementations #157

    +

    Version 10.0.16299

    CTR_Mode: ( Llength( Min0 Max0 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA384] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )
    +
    +KAS Val#128
    +DRBG Val#1556
    +MAC Val#3062

    Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #141

    +

    Version 10.0.15063

    CTR_Mode: ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )
    +
    +KAS Val#127
    +AES Val#4624
    +DRBG Val#1555
    +MAC Val#3061

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile Cryptography Next Generation (CNG) Implementations #140

    +

    Version 10.0.15063

    CTR_Mode:  ( Llength( Min20 Max64 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA384] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

    +

    KAS Val#93 DRBG Val#1222 MAC Val#2661

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #102

    +

    Version 10.0.14393

    CTR_Mode:  ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

    +

    KAS Val#92 AES Val#4064 DRBG Val#1217 MAC Val#2651

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #101

    +

    Version 10.0.14393

    CTR_Mode:  ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

    +

    KAS Val#72 AES Val#3629 DRBG Val#955 MAC Val#2381

    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” Cryptography Next Generation (CNG) Implementations #72

    +

    Version 10.0.10586

    CTR_Mode:  ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

    +

    KAS Val#64 AES Val#3497 RBG Val#868 MAC Val#2233

    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations #66

    +

    Version 10.0.10240

    CTR_Mode:  ( Llength( Min0 Max0 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

    +

    DRBG Val#489 MAC Val#1773

    Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations #30

    +

    Version 6.3.9600

    CTR_Mode: ( Llength( Min0 Max4 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

    +

    DRBG #258 HMAC Val#1345

    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #3
    + + +Random Number Generator (RNG) + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Modes / States / Key SizesAlgorithm Implementation and Certificate #

    FIPS 186-2 General Purpose

    +

    [ (x-Original); (SHA-1) ]

    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #1110
    FIPS 186-2
    +[ (x-Original); (SHA-1) ]

    Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1060

    +

    Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #292

    +

    Windows CE and Windows Mobile 6.0 and Windows Mobile 6.5 Enhanced Cryptographic Provider (RSAENH) #286

    +

    Windows CE 5.00 and Window CE 5.01 Enhanced Cryptographic Provider (RSAENH) #66

    FIPS 186-2
    +[ (x-Change Notice); (SHA-1) ]

    +

    FIPS 186-2 General Purpose
    +[ (x-Change Notice); (SHA-1) ]

    Windows 7 and SP1 and Windows Server 2008 R2 and SP1 RNG Library #649

    +

    Windows Vista Ultimate SP1 and Windows Server 2008 RNG Implementation #435

    +

    Windows Vista RNG implementation #321

    FIPS 186-2 General Purpose
    +[ (x-Change Notice); (SHA-1) ]

    Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #470

    +

    Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) #449

    +

    Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #447

    +

    Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #316

    +

    Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) #313

    FIPS 186-2
    +[ (x-Change Notice); (SHA-1) ]

    Windows XP Professional SP3 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #448

    +

    Windows Server 2003 SP2 Enhanced DSS and Diffie-Hellman Cryptographic Provider #314

    + + +#### RSA + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Modes / States / Key SizesAlgorithm Implementation and Certificate #

    RSA:

    +
      +
    • 186-4:
    • +
      • +
      • Signature Generation PKCS1.5:
      • +
        • +
        • Mod 2048 SHA: SHA-1, SHA-256, SHA-384
        • +
      • +
      • Signature Generation PSS:
      • +
        • +
        • Mod 2048:
        • +
          • +
          • SHA-1: Salt Length: 160 (bits)
          • +
          • SHA-256: Salt Length: 256 (bits)
          • +
          • SHA-384: Salt Length: 384 (bits)
          • +
        • +
      • +
      • Signature Verification PKCS1.5:
      • +
        • +
        • Mod 1024 SHA: SHA-1, SHA-256, SHA-384
        • +
        • Mod 2048 SHA: SHA-1, SHA-256, SHA-384
        • +
      • +
      • Signature Verification PSS:
      • +
        • +
        • Mod 2048:
        • +
          • +
          • SHA-1: Salt Length: 160 (bits)
          • +
          • SHA-256: Salt Length: 256 (bits)
          • +
          • SHA-384: Salt Length: 384 (bits)
          • +
        • +
        • Mod 3072:
        • +
          • +
          • SHA-1: Salt Length: 160 (bits)
          • +
          • SHA-256: Salt Length: 256 (bits)
          • +
          • SHA-384: Salt Length: 384 (bits)
          • +
        • +
      • +
    • +
    +

    Prerequisite: SHS #4011, DRBG #1734

    Microsoft Surface Hub Virtual TPM Implementations #2677

    +

    Version 10.0.15063.674

    RSA:

    +
      +
    • 186-4:
    • +
      • +
      • Signature Generation PKCS1.5:
      • +
        • +
        • Mod 2048 SHA: SHA-1, SHA-256, SHA-384
        • +
      • +
      • Signature Generation PSS:
      • +
        • +
        • Mod 2048:
        • +
          • +
          • SHA-1: Salt Length: 240 (bits)
          • +
          • SHA-256: Salt Length: 256 (bits)
          • +
          • SHA-384: Salt Length: 384 (bits)
          • +
        • +
      • +
      • Signature Verification PKCS1.5:
      • +
        • +
        • Mod 1024 SHA: SHA-1, SHA-256, SHA-384
        • +
        • Mod 2048 SHA: SHA-1, SHA-256, SHA-384
        • +
      • +
      • Signature Verification PSS:
      • +
        • +
        • Mod 1024:
        • +
          • +
          • SHA-1: Salt Length: 160 (bits)
          • +
          • SHA-256: Salt Length: 256 (bits)
          • +
          • SHA-384: Salt Length: 384 (bits)
          • +
        • +
        • Mod 2048:
        • +
          • +
          • SHA-1: Salt Length: 160 (bits)
          • +
          • SHA-256: Salt Length: 256 (bits)
          • +
          • SHA-384: Salt Length: 384 (bits)
          • +
        • +
      • +
    • +
    +

    Prerequisite: SHS #4009, DRBG #1733

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #2676

    +

    Version 10.0.16299

    RSA:

    +
      +
    • 186-4:
    • +
      • +
      • Key Generation:
      • +
      • Signature Verification PKCS1.5:
      • +
        • +
        • Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
        • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
        • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
      • +
    • +
    +

    Prerequisite: SHS #4011, DRBG #1732

    Microsoft Surface Hub RSA32 Algorithm Implementations #2675

    +

    Version 10.0.15063.674

    RSA:

    +
      +
    • 186-4:
    • +
      • +
      • Signature Verification PKCS1.5:
      • +
        • +
        • Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
        • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
        • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
      • +
    • +
    +

    Prerequisite: SHS #4009, DRBG #1730

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); RSA32 Algorithm Implementations #2674

    +

    Version 10.0.16299

    RSA:

    +
      +
    • 186-4:
    • +
      • +
      • Signature Verification PKCS1.5:
      • +
        • +
        • Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
        • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
        • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
      • +
    • +
    +

    Prerequisite: SHS #4010, DRBG #1731

    Windows 10 Mobile (version 1709) RSA32 Algorithm Implementations #2673

    +

    Version 10.0.15254

    RSA:

    +
      +
    • 186-4:
    • +
      • +
      • Key Generation:
      • +
        • +
        • Public Key Exponent: Fixed (10001)
        • +
        • Provable Primes with Conditions:
        • +
          • +
          • Mod lengths: 2048, 3072 (bits)
          • +
          • Primality Tests: C.3
          • +
        • +
      • +
      • Signature Generation PKCS1.5:
      • +
        • +
        • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
        • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
      • +
      • Signature Generation PSS:
      • +
        • +
        • Mod 2048:
        • +
          • +
          • SHA-1: Salt Length: 160 (bits)
          • +
          • SHA-256: Salt Length: 256 (bits)
          • +
          • SHA-384: Salt Length: 384 (bits)
          • +
          • SHA-512: Salt Length: 512 (bits)
          • +
        • +
        • Mod 3072:
        • +
          • +
          • SHA-1: Salt Length: 160 (bits)
          • +
          • SHA-256: Salt Length: 256 (bits)
          • +
          • SHA-384: Salt Length: 384 (bits)
          • +
          • SHA-512: Salt Length: 512 (bits)
          • +
        • +
      • +
      • Signature Verification PKCS1.5:
      • +
        • +
        • Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
        • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
        • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
      • +
      • Signature Verification PSS:
      • +
        • +
        • Mod 1024:
        • +
          • +
          • SHA-1: Salt Length: 160 (bits)
          • +
          • SHA-256: Salt Length: 256 (bits)
          • +
          • SHA-384: Salt Length: 384 (bits)
          • +
          • SHA-512: Salt Length: 496 (bits)
          • +
        • +
        • Mod 2048:
        • +
          • +
          • SHA-1: Salt Length: 160 (bits)
          • +
          • SHA-256: Salt Length: 256 (bits)
          • +
          • SHA-384: Salt Length: 384 (bits)
          • +
          • SHA-512: Salt Length: 512 (bits)
          • +
        • +
        • Mod 3072:
        • +
          • +
          • SHA-1: Salt Length: 160 (bits)
          • +
          • SHA-256: Salt Length: 256 (bits)
          • +
          • SHA-384: Salt Length: 384 (bits)
          • +
          • SHA-512: Salt Length: 512 (bits)
          • +
        • +
      • +
    • +
    +

    Prerequisite: SHS #4011, DRBG #1732

    Microsoft Surface Hub MsBignum Cryptographic Implementations #2672

    +

    Version 10.0.15063.674

    RSA:

    +
      +
    • 186-4:
    • +
      • +
      • Key Generation:
      • +
        • +
        • Probable Random Primes:
        • +
          • +
          • Mod lengths: 2048, 3072 (bits)
          • +
          • Primality Tests: C.2
          • +
        • +
      • +
      • Signature Generation PKCS1.5:
      • +
        • +
        • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
        • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
      • +
      • Signature Generation PSS:
      • +
        • +
        • Mod 2048:
        • +
          • +
          • SHA-1: Salt Length: 160 (bits)
          • +
          • SHA-256: Salt Length: 256 (bits)
          • +
          • SHA-384: Salt Length: 384 (bits)
          • +
          • SHA-512: Salt Length: 512 (bits)
          • +
        • +
        • Mod 3072:
        • +
          • +
          • SHA-1: Salt Length: 160 (bits)
          • +
          • SHA-256: Salt Length: 256 (bits)
          • +
          • SHA-384: Salt Length: 384 (bits)
          • +
          • SHA-512: Salt Length: 512 (bits)
          • +
        • +
      • +
      • Signature Verification PKCS1.5:
      • +
        • +
        • Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
        • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
        • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
      • +
      • Signature Verification PSS:
      • +
        • +
        • Mod 1024:
        • +
          • +
          • SHA-1: Salt Length: 160 (bits)
          • +
          • SHA-256: Salt Length: 256 (bits)
          • +
          • SHA-384: Salt Length: 384 (bits)
          • +
          • SHA-512: Salt Length: 496 (bits)
          • +
        • +
        • Mod 2048:
        • +
          • +
          • SHA-1: Salt Length: 160 (bits)
          • +
          • SHA-256: Salt Length: 256 (bits)
          • +
          • SHA-384: Salt Length: 384 (bits)
          • +
          • SHA-512: Salt Length: 512 (bits)
          • +
        • +
        • Mod 3072:
        • +
          • +
          • SHA-1: Salt Length: 160 (bits)
          • +
          • SHA-256: Salt Length: 256 (bits)
          • +
          • SHA-384: Salt Length: 384 (bits)
          • +
          • SHA-512: Salt Length: 512 (bits)
          • +
        • +
      • +
    • +
    +

    Prerequisite: SHS #4011, DRBG #1732

    Microsoft Surface Hub SymCrypt Cryptographic Implementations #2671

    +

    Version 10.0.15063.674

    RSA:

    +
      +
    • 186-4:
    • +
      • +
      • Key Generation:
      • +
        • +
        • Probable Random Primes:
        • +
          • +
          • Mod lengths: 2048, 3072 (bits)
          • +
          • Primality Tests: C.2
          • +
        • +
      • +
      • Signature Generation PKCS1.5:
      • +
        • +
        • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
        • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
      • +
      • Signature Generation PSS:
      • +
        • +
        • Mod 2048:
        • +
          • +
          • SHA-1: Salt Length: 160 (bits)
          • +
          • SHA-256: Salt Length: 256 (bits)
          • +
          • SHA-384: Salt Length: 384 (bits)
          • +
          • SHA-512: Salt Length: 512 (bits)
          • +
        • +
        • Mod 3072:
        • +
          • +
          • SHA-1: Salt Length: 160 (bits)
          • +
          • SHA-256: Salt Length: 256 (bits)
          • +
          • SHA-384: Salt Length: 384 (bits)
          • +
          • SHA-512: Salt Length: 512 (bits)
          • +
        • +
      • +
      • Signature Verification PKCS1.5:
      • +
        • +
        • Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
        • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
        • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
      • +
      • Signature Verification PSS:
      • +
        • +
        • Mod 1024:
        • +
          • +
          • SHA-1: Salt Length: 160 (bits)
          • +
          • SHA-256: Salt Length: 256 (bits)
          • +
          • SHA-384: Salt Length: 384 (bits)
          • +
          • SHA-512: Salt Length: 496 (bits)
          • +
        • +
        • Mod 2048:
        • +
          • +
          • SHA-1: Salt Length: 160 (bits)
          • +
          • SHA-256: Salt Length: 256 (bits)
          • +
          • SHA-384: Salt Length: 384 (bits)
          • +
          • SHA-512: Salt Length: 512 (bits)
          • +
        • +
        • Mod 3072:
        • +
          • +
          • SHA-1: Salt Length: 160 (bits)
          • +
          • SHA-256: Salt Length: 256 (bits)
          • +
          • SHA-384: Salt Length: 384 (bits)
          • +
          • SHA-512: Salt Length: 512 (bits)
          • +
        • +
      • +
    • +
    +

    Prerequisite: SHS #4010, DRBG #1731

    Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #2670

    +

    Version 10.0.15254

    RSA:

    +
      +
    • 186-4:
    • +
      • +
      • Key Generation:
      • +
        • +
        • Public Key Exponent: Fixed (10001)
        • +
        • Provable Primes with Conditions:
        • +
          • +
          • Mod lengths: 2048, 3072 (bits)
          • +
          • Primality Tests: C.3
          • +
        • +
      • +
      • Signature Generation PKCS1.5:
      • +
        • +
        • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
        • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
      • +
      • Signature Generation PSS:
      • +
        • +
        • Mod 2048:
        • +
          • +
          • SHA-1: Salt Length: 160 (bits)
          • +
          • SHA-256: Salt Length: 256 (bits)
          • +
          • SHA-384: Salt Length: 384 (bits)
          • +
          • SHA-512: Salt Length: 512 (bits)
          • +
        • +
        • Mod 3072:
        • +
          • +
          • SHA-1: Salt Length: 160 (bits)
          • +
          • SHA-256: Salt Length: 256 (bits)
          • +
          • SHA-384: Salt Length: 384 (bits)
          • +
          • SHA-512: Salt Length: 512 (bits)
          • +
        • +
      • +
      • Signature Verification PKCS1.5:
      • +
        • +
        • Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
        • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
        • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
      • +
      • Signature Verification PSS:
      • +
        • +
        • Mod 1024:
        • +
          • +
          • SHA-1: Salt Length: 160 (bits)
          • +
          • SHA-256: Salt Length: 256 (bits)
          • +
          • SHA-384: Salt Length: 384 (bits)
          • +
          • SHA-512: Salt Length: 496 (bits)
          • +
        • +
        • Mod 2048:
        • +
          • +
          • SHA-1: Salt Length: 160 (bits)
          • +
          • SHA-256: Salt Length: 256 (bits)
          • +
          • SHA-384: Salt Length: 384 (bits)
          • +
          • SHA-512: Salt Length: 512 (bits)
          • +
        • +
        • Mod 3072:
        • +
          • +
          • SHA-1: Salt Length: 160 (bits)
          • +
          • SHA-256: Salt Length: 256 (bits)
          • +
          • SHA-384: Salt Length: 384 (bits)
          • +
          • SHA-512: Salt Length: 512 (bits)
          • +
        • +
      • +
    • +
    +

    Prerequisite: SHS #4010, DRBG #1731

    Windows 10 Mobile (version 1709) MsBignum Cryptographic Implementations #2669

    +

    Version 10.0.15254

      +
    • 186-4:
    • +
      • +
      • Key Generation:
      • +
        • +
        • Public Key Exponent: Fixed (10001)
        • +
        • Provable Primes with Conditions:
        • +
          • +
          • Mod lengths: 2048, 3072 (bits)
          • +
          • Primality Tests: C.3
          • +
        • +
      • +
      • Signature Generation PKCS1.5:
      • +
        • +
        • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
        • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
      • +
      • Signature Generation PSS:
      • +
        • +
        • Mod 2048:
        • +
          • +
          • SHA-1: Salt Length: 160 (bits)
          • +
          • SHA-256: Salt Length: 256 (bits)
          • +
          • SHA-384: Salt Length: 384 (bits)
          • +
          • SHA-512: Salt Length: 512 (bits)
          • +
        • +
        • Mod 3072:
        • +
          • +
          • SHA-1: Salt Length: 160 (bits)
          • +
          • SHA-256: Salt Length: 256 (bits)
          • +
          • SHA-384: Salt Length: 384 (bits)
          • +
          • SHA-512: Salt Length: 512 (bits)
          • +
        • +
      • +
      • Signature Verification PKCS1.5:
      • +
        • +
        • Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
        • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
        • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
      • +
      • Signature Verification PSS:
      • +
        • +
        • Mod 1024:
        • +
          • +
          • SHA-1: Salt Length: 160 (bits)
          • +
          • SHA-256: Salt Length: 256 (bits)
          • +
          • SHA-384: Salt Length: 384 (bits)
          • +
          • SHA-512: Salt Length: 496 (bits)
          • +
        • +
        • Mod 2048:
        • +
          • +
          • SHA-1: Salt Length: 160 (bits)
          • +
          • SHA-256: Salt Length: 256 (bits)
          • +
          • SHA-384: Salt Length: 384 (bits)
          • +
          • SHA-512: Salt Length: 512 (bits)
          • +
        • +
        • Mod 3072:
        • +
          • +
          • SHA-1: Salt Length: 160 (bits)
          • +
          • SHA-256: Salt Length: 256 (bits)
          • +
          • SHA-384: Salt Length: 384 (bits)
          • +
          • SHA-512: Salt Length: 512 (bits)
          • +
        • +
      • +
    • +
    +

    Prerequisite: SHS #4009, DRBG #1730

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #2668

    +

    Version 10.0.16299

      +
    • 186-4:
    • +
      • +
      • Key Generation:
      • +
        • +
        • Probable Random Primes:
        • +
          • +
          • Mod lengths: 2048, 3072 (bits)
          • +
          • Primality Tests: C.2
          • +
        • +
      • +
      • Signature Generation PKCS1.5:
      • +
        • +
        • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
        • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
      • +
      • Signature Generation PSS:
      • +
        • +
        • Mod 2048:
        • +
          • +
          • SHA-1: Salt Length: 160 (bits)
          • +
          • SHA-256: Salt Length: 256 (bits)
          • +
          • SHA-384: Salt Length: 384 (bits)
          • +
          • SHA-512: Salt Length: 512 (bits)
          • +
        • +
        • Mod 3072:
        • +
          • +
          • SHA-1: Salt Length: 160 (bits)
          • +
          • SHA-256: Salt Length: 256 (bits)
          • +
          • SHA-384: Salt Length: 384 (bits)
          • +
          • SHA-512: Salt Length: 512 (bits)
          • +
        • +
      • +
      • Signature Verification PKCS1.5:
      • +
        • +
        • Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
        • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
        • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
      • +
      • Signature Verification PSS:
      • +
        • +
        • Mod 1024:
        • +
          • +
          • SHA-1: Salt Length: 160 (bits)
          • +
          • SHA-256: Salt Length: 256 (bits)
          • +
          • SHA-384: Salt Length: 384 (bits)
          • +
          • SHA-512: Salt Length: 496 (bits)
          • +
        • +
        • Mod 2048:
        • +
          • +
          • SHA-1: Salt Length: 160 (bits)
          • +
          • SHA-256: Salt Length: 256 (bits)
          • +
          • SHA-384: Salt Length: 384 (bits)
          • +
          • SHA-512: Salt Length: 512 (bits)
          • +
        • +
        • Mod 3072:
        • +
          • +
          • SHA-1: Salt Length: 160 (bits)
          • +
          • SHA-256: Salt Length: 256 (bits)
          • +
          • SHA-384: Salt Length: 384 (bits)
          • +
          • SHA-512: Salt Length: 512 (bits)
          • +
        • +
      • +
    • +
    +

    Prerequisite: SHS #4009, DRBG #1730

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #2667

    +

    Version 10.0.16299

    FIPS186-4:
    +ALG[RSASSA-PKCS1_V1_5]
    SIG(gen) (2048 SHA( 1 , 256 , 384 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
    +
    SIG(Ver) (1024 SHA( 1 , 256 , 384 )) (2048 SHA( 1 , 256 , 384 ))
    +[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
    +
    Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) ))
    +SHA Val#3790

    Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #2524

    +

    Version 10.0.15063

    FIPS186-4:
    +ALG[RSASSA-PKCS1_V1_5]
    SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
    +SHA Val#3790

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile RSA32 Algorithm Implementations #2523

    +

    Version 10.0.15063

    FIPS186-4:
    +186-4KEY(gen):
    FIPS186-4_Fixed_e ( 10001 ) ;
    +PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )
    +ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
    +
    SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
    +[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
    +
    Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
    +SHA Val#3790
    +DRBG: Val# 1555

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations #2522

    +

    Version 10.0.15063

    FIPS186-4:
    +186-4KEY(gen):
    +PGM(ProbRandom:
    ( 2048 , 3072 ) PPTT:( C.2 )
    +ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
    +
    SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
    +[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
    +
    Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
    +SHA Val#3790

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #2521

    +

    Version 10.0.15063

    FIPS186-2:
    +ALG[ANSIX9.31]:

    +SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3652
    +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096 , SHS: SHA-256Val#3652, SHA-384Val#3652, SHA-512Val#3652
    +SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3652, SHA-256Val#3652, SHA-384Val#3652, SHA-512Val#3652

    +

    FIPS186-4:
    +ALG[ANSIX9.31]
    Sig(Gen): (2048 SHA( 1 )) (3072 SHA( 1 ))
    +SIG(gen) with SHA-1 affirmed for use with protocols only.
    Sig(Ver): (1024 SHA( 1 )) (2048 SHA( 1 )) (3072 SHA( 1 ))
    +ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
    +
    SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
    +SHA Val#3652

    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2415

    +

    Version 7.00.2872

    FIPS186-2:
    +ALG[ANSIX9.31]:

    +SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3651
    +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096 , SHS: SHA-256Val#3651, SHA-384Val#3651, SHA-512Val#3651
    +SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3651, SHA-256Val#3651, SHA-384Val#3651, SHA-512Val#3651

    +

    FIPS186-4:
    +ALG[ANSIX9.31]
    Sig(Gen): (2048 SHA( 1 )) (3072 SHA( 1 ))
    +SIG(gen) with SHA-1 affirmed for use with protocols only.
    Sig(Ver): (1024 SHA( 1 )) (2048 SHA( 1 )) (3072 SHA( 1 ))
    +ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
    +
    SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
    +SHA Val#3651

    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2414

    +

    Version 8.00.6246

    FIPS186-2:
    +ALG[RSASSA-PKCS1_V1_5]:
    SIG(gen) 4096 , SHS: SHA-256Val# 3649 , SHA-384Val# 3649 , SHA-512Val# 3649
    +SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val# 3649 , SHA-256Val# 3649 , SHA-384Val# 3649 , SHA-512Val# 3649

    +

    FIPS186-4:
    +186-4KEY(gen):
    FIPS186-4_Fixed_e (10001) ;
    +PGM(ProbRandom: ( 2048 , 3072 ) PPTT:( C.2 )
    +ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
    +
    SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
    +SHA Val# 3649
    +DRBG: Val# 1430

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2412

    +

    Version 7.00.2872

    FIPS186-2:
    +ALG[RSASSA-PKCS1_V1_5]:
    SIG(gen) 4096 , SHS: SHA-256Val#3648, SHA-384Val#3648, SHA-512Val#3648
    +SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3648, SHA-256Val#3648, SHA-384Val#3648, SHA-512Val#3648

    +

    FIPS186-4:
    +186-4KEY(gen):
    FIPS186-4_Fixed_e (10001) ;
    +PGM(ProbRandom: ( 2048 , 3072 ) PPTT:( C.2 )
    +ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
    +
    SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
    +SHA Val#3648
    +DRBG: Val# 1429

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2411

    +

    Version 8.00.6246

    FIPS186-4:
    +ALG[RSASSA-PKCS1_V1_5]
    SIG(gen) (2048 SHA( 1 , 256 , 384 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
    +SIG(Ver) (1024 SHA( 1 , 256 , 384 )) (2048 SHA( 1 , 256 , 384 ))
    +[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
    +Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) ))

    +

    SHA Val# 3347

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #2206

    +

    Version 10.0.14393

    FIPS186-4:
    +186-4KEY(gen):
    FIPS186-4_Fixed_e ( 10001 ) ;
    +PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )

    +

    SHA Val# 3347 DRBG: Val# 1217

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA Key Generation Implementation #2195

    +

    Version 10.0.14393

    FIPS186-4:
    +ALG[RSASSA-PKCS1_V1_5]
    SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

    +

    SHA Val#3346

    soft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA32 Algorithm Implementations #2194

    +

    Version 10.0.14393

    FIPS186-4:
    +ALG[RSASSA-PKCS1_V1_5]
    SIG(gen) (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
    +SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

    +

    SHA Val# 3347 DRBG: Val# 1217

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #2193

    +

    Version 10.0.14393

    FIPS186-4:
    +[RSASSA-PSS]: Sig(Gen):
    (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))

    +

    Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))

    +

    SHA Val# 3347 DRBG: Val# 1217

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #2192

    +

    Version 10.0.14393

    FIPS186-4:
    +186-4KEY(gen)
    :  FIPS186-4_Fixed_e ( 10001 ) ;
    +PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )

    +

    SHA Val# 3047 DRBG: Val# 955

    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” RSA Key Generation Implementation #1889

    +

    Version 10.0.10586

    FIPS186-4:
    +ALG[RSASSA-PKCS1_V1_5]
    SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

    +

    SHA Val#3048

    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub RSA32 Algorithm Implementations #1871

    +

    Version 10.0.10586

    FIPS186-4:
    +ALG[RSASSA-PKCS1_V1_5]
    SIG(gen) (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
    +SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

    +

    SHA Val# 3047

    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub MsBignum Cryptographic Implementations #1888

    +

    Version 10.0.10586

    FIPS186-4:
    +[RSASSA-PSS]: Sig(Gen)
    : (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
    +Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))

    +

    SHA Val# 3047

    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub Cryptography Next Generation (CNG) Implementations #1887

    +

    Version 10.0.10586

    FIPS186-4:
    +186-4KEY(gen):
    FIPS186-4_Fixed_e ( 10001 ) ;
    +PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )

    +

    SHA Val# 2886 DRBG: Val# 868

    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA Key Generation Implementation #1798

    +

    Version 10.0.10240

    FIPS186-4:
    +ALG[RSASSA-PKCS1_V1_5]
    SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

    +

    SHA Val#2871

    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA32 Algorithm Implementations #1784

    +

    Version 10.0.10240

    FIPS186-4:
    +ALG[RSASSA-PKCS1_V1_5]
    SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

    +

    SHA Val#2871

    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations #1783

    +

    Version 10.0.10240

    FIPS186-4:
    +[RSASSA-PSS]:
    Sig(Gen): (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
    +Sig(Ver): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))

    +

    SHA Val# 2886

    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations #1802

    +

    Version 10.0.10240

    FIPS186-4:
    +186-4KEY(gen):
    FIPS186-4_Fixed_e ;
    +PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )

    +

    SHA Val#2373 DRBG: Val# 489

    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 RSA Key Generation Implementation #1487

    +

    Version 6.3.9600

    FIPS186-4:
    +ALG[RSASSA-PKCS1_V1_5]
    SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

    +

    SHA Val#2373

    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry RSA32 Algorithm Implementations #1494

    +

    Version 6.3.9600

    FIPS186-4:
    +ALG[RSASSA-PKCS1_V1_5
    ] SIG(gen) (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
    +SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

    +

    SHA Val#2373

    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #1493

    +

    Version 6.3.9600

    FIPS186-4:
    +[RSASSA-PSS]:
    Sig(Gen): (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
    + Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))

    +

    SHA Val#2373

    Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations #1519

    +

    Version 6.3.9600

    FIPS186-4:
    +ALG[RSASSA-PKCS1_V1_5]
    SIG(gen) (2048 SHA( 256 , 384 , 512-256 )) (3072 SHA( 256 , 384 , 512-256 ))
    +SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512-256 )) (2048 SHA( 1 , 256 , 384 , 512-256 )) (3072 SHA( 1 , 256 , 384 , 512-256 ))
    +[RSASSA-PSS]: Sig(Gen): (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
    +Sig(Ver): (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 , 512 ))
    +SHA #1903

    +

    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#1134.

    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #1134
    FIPS186-4:
    +186-4KEY(gen):
    FIPS186-4_Fixed_e , FIPS186-4_Fixed_e_Value
    +PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )
    +SHA #1903 DRBG: #258
    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 RSA Key Generation Implementation #1133
    FIPS186-2:
    +ALG[ANSIX9.31]:
    Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 DRBG: #258
    +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256#1902, SHA-384#1902, SHA-512#1902,
    +SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1#1902, SHA-256#1902, SHA-#1902, SHA-512#1902,
    +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#1132.
    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Enhanced Cryptographic Provider (RSAENH) #1132
    FIPS186-2:
    +ALG[ANSIX9.31]:

    +SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1774
    +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1774, SHA-384Val#1774, SHA-512Val#1774,
    +SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1774, SHA-256Val#1774, SHA-384Val#1774, SHA-512Val#1774,
    +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#1052.
    Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1052
    FIPS186-2:
    +ALG[ANSIX9.31]:
    Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 DRBG: Val# 193
    +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1773, SHA-384Val#1773, SHA-512Val#1773,
    +SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1773, SHA-256Val#1773, SHA-384Val#1773, SHA-512Val#1773,
    +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#1051.
    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1051
    FIPS186-2:
    +ALG[RSASSA-PKCS1_V1_5]:
    SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
    +SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
    +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#568.
    Windows Server 2008 R2 and SP1 Enhanced Cryptographic Provider (RSAENH) #568
    FIPS186-2:
    +ALG[RSASSA-PKCS1_V1_5]:
    SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
    +SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
    +ALG[RSASSA-PSS]: SIG(gen); 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081
    +SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081
    +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#567. See Historical RSA List Val#560.

    Windows Server 2008 R2 and SP1 CNG algorithms #567

    +

    Windows 7 and SP1 CNG algorithms #560

    FIPS186-2:
    +ALG[ANSIX9.31]:
    Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 DRBG: Val# 23
    +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#559.
    Windows 7 and SP1 and Server 2008 R2 and SP1 RSA Key Generation Implementation #559
    FIPS186-2:
    +ALG[RSASSA-PKCS1_V1_5]:
    SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
    +SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
    +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#557.
    Windows 7 and SP1 Enhanced Cryptographic Provider (RSAENH) #557
    FIPS186-2:
    +ALG[ANSIX9.31]:
    +ALG[RSASSA-PKCS1_V1_5]:
    SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#816, SHA-384Val#816, SHA-512Val#816,
    +SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#816, SHA-256Val#816, SHA-384Val#816, SHA-512Val#816,
    +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#395.
    Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #395
    FIPS186-2:
    +ALG[ANSIX9.31]:

    +SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#783
    +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#783, SHA-384Val#783, SHA-512Val#783,
    +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#371.
    Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #371
    FIPS186-2:
    +ALG[RSASSA-PKCS1_V1_5]:
    SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
    +SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#753, SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
    +ALG[RSASSA-PSS]: SIG(gen); 2048 , 3072 , 4096 , SHS: SHA-256Val#753, SHA-384Val#753, SHA-512Val#753
    +SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#753, SHA-256Val#753, SHA-384Val#753, SHA-512Val#753
    +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#358. See Historical RSA List Val#357.

    Windows Server 2008 CNG algorithms #358

    +

    Windows Vista SP1 CNG algorithms #357

    FIPS186-2:
    +ALG[ANSIX9.31]:

    +SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#753
    +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
    +SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#753, SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
    +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#355. See Historical RSA List Val#354.

    Windows Server 2008 Enhanced Cryptographic Provider (RSAENH) #355

    +

    Windows Vista SP1 Enhanced Cryptographic Provider (RSAENH) #354

    FIPS186-2:
    +ALG[ANSIX9.31]:
    Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537
    +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#353.
    Windows Vista SP1 and Windows Server 2008 RSA Key Generation Implementation #353
    FIPS186-2:
    +ALG[ANSIX9.31]:
    Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 RNG: Val# 321
    +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#258.
    Windows Vista RSA key generation implementation #258
    FIPS186-2:
    +ALG[RSASSA-PKCS1_V1_5]:
    SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
    +SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#618, SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
    +ALG[RSASSA-PSS]: SIG(gen); 2048 , 3072 , 4096 , SHS: SHA-256Val#618, SHA-384Val#618, SHA-512Val#618
    +SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#618, SHA-256Val#618, SHA-384Val#618, SHA-512Val#618
    +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#257.
    Windows Vista CNG algorithms #257
    FIPS186-2:
    +ALG[RSASSA-PKCS1_V1_5]:
    SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
    +SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#618, SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
    +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#255.
    Windows Vista Enhanced Cryptographic Provider (RSAENH) #255
    FIPS186-2:
    +ALG[ANSIX9.31]:

    +SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#613
    +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#613, SHA-384Val#613, SHA-512Val#613,
    +SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#613, SHA-256Val#613, SHA-384Val#613, SHA-512Val#613,
    +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#245.
    Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #245
    FIPS186-2:
    +ALG[ANSIX9.31]:

    +SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#589
    +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#589, SHA-384Val#589, SHA-512Val#589,
    +SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#589, SHA-256Val#589, SHA-384Val#589, SHA-512Val#589,
    +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#230.
    Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #230
    FIPS186-2:
    +ALG[ANSIX9.31]:

    +SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#578
    +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#578, SHA-384Val#578, SHA-512Val#578,
    +SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#578, SHA-256Val#578, SHA-384Val#578, SHA-512Val#578,
    +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#222.
    Windows CE and Windows Mobile 6 and Windows Mobile 6.1 Enhanced Cryptographic Provider (RSAENH) #222
    FIPS186-2:
    +ALG[RSASSA-PKCS1_V1_5]:

    +SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#364
    +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#81.
    Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #81
    FIPS186-2:
    +ALG[ANSIX9.31]:

    +SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#305
    +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#305, SHA-384Val#305, SHA-512Val#305,
    +SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#305, SHA-256Val#305, SHA-384Val#305, SHA-512Val#305,
    +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#52.
    Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) #52

    FIPS186-2:

    +

    – PKCS#1 v1.5, signature generation and verification

    +

    – Mod sizes: 1024, 1536, 2048, 3072, 4096

    +

    – SHS: SHA–1/256/384/512

    Windows XP, vendor-affirmed

    +

    Windows 2000, vendor-affirmed

    + + +#### Secure Hash Standard (SHS) + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Modes / States / Key SizesAlgorithm Implementation and Certificate #
      +
    • SHA-1:
    • +
      • +
      • Supports Empty Message
      • +
    • +
    • SHA-256:
    • +
      • +
      • Supports Empty Message
      • +
    • +
    • SHA-384:
    • +
      • +
      • Supports Empty Message
      • +
    • +
    • SHA-512:
    • +
      • +
      • Supports Empty Message
      • +
    • +

    Microsoft Surface Hub SymCrypt Cryptographic Implementations #4011

    +

    Version 10.0.15063.674

      +
    • SHA-1:
    • +
      • +
      • Supports Empty Message
      • +
    • +
    • SHA-256:
    • +
      • +
      • Supports Empty Message
      • +
    • +
    • SHA-384:
    • +
      • +
      • Supports Empty Message
      • +
    • +
    • SHA-512:
    • +
      • +
      • Supports Empty Message
      • +
    • +

    Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #4010

    +

    Version 10.0.15254

      +
    • SHA-1:
    • +
      • +
      • Supports Empty Message
      • +
    • +
    • SHA-256:
    • +
      • +
      • Supports Empty Message
      • +
    • +
    • SHA-384:
    • +
      • +
      • Supports Empty Message
      • +
    • +
    • SHA-512:
    • +
      • +
      • Supports Empty Message
      • +
    • +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #4009

    +

    Version 10.0.16299

    SHA-1      (BYTE-only)
    +SHA-256  (BYTE-only)
    +SHA-384  (BYTE-only)
    +SHA-512  (BYTE-only)

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #3790

    +

    Version 10.0.15063

    SHA-1      (BYTE-only)
    +SHA-256  (BYTE-only)
    +SHA-384  (BYTE-only)
    +SHA-512  (BYTE-only)

    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #3652

    +

    Version 7.00.2872

    SHA-1      (BYTE-only)
    +SHA-256  (BYTE-only)
    +SHA-384  (BYTE-only)
    +SHA-512  (BYTE-only)

    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #3651

    +

    Version 8.00.6246

    SHA-1      (BYTE-only)
    +SHA-256  (BYTE-only)
    +SHA-384  (BYTE-only)
    +SHA-512  (BYTE-only)

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #3649

    +

    Version 7.00.2872

    SHA-1      (BYTE-only)
    +SHA-256  (BYTE-only)
    +SHA-384  (BYTE-only)
    +SHA-512  (BYTE-only)

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #3648

    +

    Version 8.00.6246

    SHA-1 (BYTE-only)
    +SHA-256 (BYTE-only)
    +SHA-384 (BYTE-only)
    +SHA-512 (BYTE-only)
    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #3347
    +Version 10.0.14393
    SHA-1 (BYTE-only)
    +SHA-256 (BYTE-only)
    +SHA-384 (BYTE-only)
    +SHA-512 (BYTE-only)
    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA32 Algorithm Implementations #3346
    +Version 10.0.14393
    SHA-1 (BYTE-only)
    +SHA-256 (BYTE-only)
    +SHA-384 (BYTE-only)
    +SHA-512 (BYTE-only)
    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub RSA32 Algorithm Implementations #3048
    +Version 10.0.10586
    SHA-1 (BYTE-only)
    +SHA-256 (BYTE-only)
    +SHA-384 (BYTE-only)
    +SHA-512 (BYTE-only)
    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub SymCrypt Cryptographic Implementations #3047
    +Version 10.0.10586
    SHA-1 (BYTE-only)
    +SHA-256 (BYTE-only)
    +SHA-384 (BYTE-only)
    +SHA-512 (BYTE-only)
    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #2886
    +Version 10.0.10240
    SHA-1 (BYTE-only)
    +SHA-256 (BYTE-only)
    +SHA-384 (BYTE-only)
    +SHA-512 (BYTE-only)
    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA32 Algorithm Implementations #2871
    +Version 10.0.10240
    SHA-1 (BYTE-only)
    +SHA-256 (BYTE-only)
    +SHA-384 (BYTE-only)
    +SHA-512 (BYTE-only)
    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry RSA32 Algorithm Implementations #2396
    +Version 6.3.9600
    SHA-1 (BYTE-only)
    +SHA-256 (BYTE-only)
    +SHA-384 (BYTE-only)
    +SHA-512 (BYTE-only)
    Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #2373
    +Version 6.3.9600

    SHA-1 (BYTE-only)

    +

    SHA-256 (BYTE-only)

    +

    SHA-384 (BYTE-only)

    +

    SHA-512 (BYTE-only)

    +

    Implementation does not support zero-length (null) messages.

    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #1903

    +

    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Symmetric Algorithm Implementations (RSA32) #1902

    SHA-1 (BYTE-only)
    +SHA-256 (BYTE-only)
    +SHA-384 (BYTE-only)
    +SHA-512 (BYTE-only)

    Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1774

    +

    Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #1773

    SHA-1 (BYTE-only)
    +SHA-256 (BYTE-only)
    +SHA-384 (BYTE-only)
    +SHA-512 (BYTE-only)

    Windows 7and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #1081

    +

    Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #816

    SHA-1 (BYTE-only)

    Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) #785

    +

    Windows XP Professional SP3 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #784

    SHA-1 (BYTE-only)
    +SHA-256 (BYTE-only)
    +SHA-384 (BYTE-only)
    +SHA-512 (BYTE-only)
    Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #783
    SHA-1 (BYTE-only)
    +SHA-256 (BYTE-only)
    +SHA-384 (BYTE-only)
    +SHA-512 (BYTE-only)

    Windows Vista SP1 and Windows Server 2008 Symmetric Algorithm Implementation #753

    +

    Windows Vista Symmetric Algorithm Implementation #618

    SHA-1 (BYTE-only)
    +SHA-256 (BYTE-only)

    Windows Vista BitLocker Drive Encryption #737

    +

    Windows Vista Beta 2 BitLocker Drive Encryption #495

    SHA-1 (BYTE-only)
    +SHA-256 (BYTE-only)
    +SHA-384 (BYTE-only)
    +SHA-512 (BYTE-only)

    Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #613

    +

    Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #364

    SHA-1 (BYTE-only)

    Windows Server 2003 SP2 Enhanced DSS and Diffie-Hellman Cryptographic Provider #611

    +

    Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) #610

    +

    Windows Server 2003 SP1 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #385

    +

    Windows Server 2003 SP1 Kernel Mode Cryptographic Module (fips.sys) #371

    +

    Windows Server 2003 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #181

    +

    Windows Server 2003 Kernel Mode Cryptographic Module (fips.sys) #177

    +

    Windows Server 2003 Enhanced Cryptographic Provider (RSAENH) #176

    SHA-1 (BYTE-only)
    +SHA-256 (BYTE-only)
    +SHA-384 (BYTE-only)
    +SHA-512 (BYTE-only)

    Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #589

    +

    Windows CE and Windows Mobile 6 and Windows Mobile 6.5 Enhanced Cryptographic Provider (RSAENH) #578

    +

    Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) #305

    SHA-1 (BYTE-only)

    Windows XP Microsoft Enhanced Cryptographic Provider #83

    +

    Crypto Driver for Windows 2000 (fips.sys) #35

    +

    Windows 2000 Microsoft Outlook Cryptographic Provider (EXCHCSP.DLL) SR-1A (3821) #32

    +

    Windows 2000 RSAENH.DLL #24

    +

    Windows 2000 RSABASE.DLL #23

    +

    Windows NT 4 SP6 RSAENH.DLL #21

    +

    Windows NT 4 SP6 RSABASE.DLL #20

    + + +#### Triple DES + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Modes / States / Key SizesAlgorithm Implementation and Certificate #
      +
    • TDES-CBC:
    • +
      • +
      • Modes: Decrypt, Encrypt
      • +
      • Keying Option: 1
      • +
    • +
    • TDES-CFB64:
    • +
      • +
      • Modes: Decrypt, Encrypt
      • +
      • Keying Option: 1
      • +
    • +
    • TDES-CFB8:
    • +
      • +
      • Modes: Decrypt, Encrypt
      • +
      • Keying Option: 1
      • +
    • +
    • TDES-ECB:
    • +
      • +
      • Modes: Decrypt, Encrypt
      • +
      • Keying Option: 1
      • +
    • +

    Microsoft Surface Hub SymCrypt Cryptographic Implementations #2558

    +

    Version 10.0.15063.674

      +
    • TDES-CBC:
    • +
      • +
      • Modes: Decrypt, Encrypt
      • +
      • Keying Option: 1
      • +
    • +
    • TDES-CFB64:
    • +
      • +
      • Modes: Decrypt, Encrypt
      • +
      • Keying Option: 1
      • +
    • +
    • TDES-CFB8:
    • +
      • +
      • Modes: Decrypt, Encrypt
      • +
      • Keying Option: 1
      • +
    • +
    • TDES-ECB:
    • +
      • +
      • Modes: Decrypt, Encrypt
      • +
      • Keying Option: 1
      • +
    • +

    Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #2557

    +

    Version 10.0.15254

      +
    • TDES-CBC:
    • +
      • +
      • Modes: Decrypt, Encrypt
      • +
      • Keying Option: 1
      • +
    • +
    • TDES-CFB64:
    • +
      • +
      • Modes: Decrypt, Encrypt
      • +
      • Keying Option: 1
      • +
    • +
    • TDES-CFB8:
    • +
      • +
      • Modes: Decrypt, Encrypt
      • +
      • Keying Option: 1
      • +
    • +
    • TDES-ECB:
    • +
      • +
      • Modes: Decrypt, Encrypt
      • +
      • Keying Option: 1
      • +
    • +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #2556

    +

    Version 10.0.16299

    TECB( KO 1 e/d, ) ; TCBC( KO 1 e/d, ) ; TCFB8( KO 1 e/d, ) ; TCFB64( KO 1 e/d, )

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #2459

    +

    Version 10.0.15063

    TECB( KO 1 e/d, ) ;

    +

    TCBC( KO 1 e/d, )

    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2384

    +

    Version 8.00.6246

    TECB( KO 1 e/d, ) ;

    +

    TCBC( KO 1 e/d, )

    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2383

    +

    Version 8.00.6246

    TECB( KO 1 e/d, ) ;

    +

    TCBC( KO 1 e/d, ) ;

    +

    CTR ( int only )

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2382

    +

    Version 7.00.2872

    TECB( KO 1 e/d, ) ;

    +

    TCBC( KO 1 e/d, )

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2381

    +

    Version 8.00.6246

    TECB( KO 1 e/d, ) ;

    +

    TCBC( KO 1 e/d, ) ;

    +

    TCFB8( KO 1 e/d, ) ;

    +

    TCFB64( KO 1 e/d, )

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #2227
    +
    +

    +

    Version 10.0.14393

    TECB( KO 1 e/d, ) ;

    +

    TCBC( KO 1 e/d, ) ;

    +

    TCFB8( KO 1 e/d, ) ;

    +

    TCFB64( KO 1 e/d, )

    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub SymCrypt Cryptographic Implementations #2024
    +
    +

    +

    Version 10.0.10586

    TECB( KO 1 e/d, ) ;

    +

    TCBC( KO 1 e/d, ) ;

    +

    TCFB8( KO 1 e/d, ) ;

    +

    TCFB64( KO 1 e/d, )

    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #1969
    +
    +

    +

    Version 10.0.10240

    TECB( KO 1 e/d, ) ;

    +

    TCBC( KO 1 e/d, ) ;

    +

    TCFB8( KO 1 e/d, ) ;

    +

    TCFB64( KO 1 e/d, )

    Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #1692

    +

    Version 6.3.9600

    TECB( e/d; KO 1,2 ) ;

    +

    TCBC( e/d; KO 1,2 ) ;

    +

    TCFB8( e/d; KO 1,2 ) ;

    +

    TCFB64( e/d; KO 1,2 )

    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #1387

    TECB( e/d; KO 1,2 ) ;

    +

    TCBC( e/d; KO 1,2 ) ;

    +

    TCFB8( e/d; KO 1,2 )

    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Symmetric Algorithm Implementations (RSA32) #1386

    TECB( e/d; KO 1,2 ) ;

    +

    TCBC( e/d; KO 1,2 ) ;

    +

    TCFB8( e/d; KO 1,2 )

    Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #846

    TECB( e/d; KO 1,2 ) ;

    +

    TCBC( e/d; KO 1,2 ) ;

    +

    TCFB8( e/d; KO 1,2 )

    Windows Vista SP1 and Windows Server 2008 Symmetric Algorithm Implementation #656

    TECB( e/d; KO 1,2 ) ;

    +

    TCBC( e/d; KO 1,2 ) ;

    +

    TCFB8( e/d; KO 1,2 )

    Windows Vista Symmetric Algorithm Implementation #549
    Triple DES MAC

    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 #1386, vendor-affirmed

    +

    Windows 7 and SP1 and Windows Server 2008 R2 and SP1 #846, vendor-affirmed

    TECB( e/d; KO 1,2 ) ;

    +

    TCBC( e/d; KO 1,2 )

    Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1308

    +

    Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #1307

    +

    Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #691

    +

    Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) #677

    +

    Windows XP Professional SP3 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #676

    +

    Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #675

    +

    Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #544

    +

    Windows Server 2003 SP2 Enhanced DSS and Diffie-Hellman Cryptographic Provider #543

    +

    Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) #542

    +

    Windows CE 6.0 and Window CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #526

    +

    Windows CE and Windows Mobile 6 and Windows Mobile 6.1 and Windows Mobile 6.5 Enhanced Cryptographic Provider (RSAENH) #517

    +

    Windows Server 2003 SP1 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #381

    +

    Windows Server 2003 SP1 Kernel Mode Cryptographic Module (fips.sys) #370

    +

    Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #365

    +

    Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) #315

    +

    Windows Server 2003 Kernel Mode Cryptographic Module (fips.sys) #201

    +

    Windows Server 2003 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #199

    +

    Windows Server 2003 Enhanced Cryptographic Provider (RSAENH) #192

    +

    Windows XP Microsoft Enhanced Cryptographic Provider #81

    +

    Windows 2000 Microsoft Outlook Cryptographic Provider (EXCHCSP.DLL) SR-1A (3821) #18

    +

    Crypto Driver for Windows 2000 (fips.sys) #16

    + + +#### SP 800-132 Password Based Key Derivation Function (PBKDF) + + + + + + + + + + + + + + +
    + Modes / States / Key Sizes + + Algorithm Implementation and Certificate # +
    + PBKDF (vendor affirmed) +

     Kernel Mode Cryptographic Primitives Library (cng.sys) Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 #2937
    (Software Version: 10.0.14393)

    +

    Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 #2936
    (Software Version: 10.0.14393)

    +

    Code Integrity (ci.dll) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 #2935
    (Software Version: 10.0.14393)

    +

    Boot Manager in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 #2931
    (Software Version: 10.0.14393)

    +
    + PBKDF (vendor affirmed) +

    Kernel Mode Cryptographic Primitives Library (cng.sys) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 #2936
    (Software Version: 10.0.14393)

    +

    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG), vendor-affirmed

    +
    + + +#### Component Validation List + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Publication / Component Validated / DescriptionImplementation and Certificate #
      +
    • ECDSA SigGen:
    • +
      • +
      • P-256 SHA: SHA-256
      • +
      • P-384 SHA: SHA-384
      • +
      • P-521 SHA: SHA-512
      • +
    • +
    +

    Prerequisite: DRBG #489

    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #1540

    +

    Version 6.3.9600

      +
    • RSASP1:
    • +
      • +
      • Modulus Size: 2048 (bits)
      • +
      • Padding Algorithms: PKCS 1.5
      • +
    • +

    Microsoft Surface Hub Virtual TPM Implementations #1519

    +

    Version 10.0.15063.674

      +
    • RSASP1:
    • +
      • +
      • Modulus Size: 2048 (bits)
      • +
      • Padding Algorithms: PKCS 1.5
      • +
    • +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #1518

    +

    Version 10.0.16299

      +
    • RSADP:
    • +
      • +
      • Modulus Size: 2048 (bits)
      • +
    • +

    Microsoft Surface Hub MsBignum Cryptographic Implementations #1517

    +

    Version 10.0.15063.674

      +
    • RSASP1:
    • +
      • +
      • Modulus Size: 2048 (bits)
      • +
      • Padding Algorithms: PKCS 1.5
      • +
    • +

    Microsoft Surface Hub MsBignum Cryptographic Implementations #1516

    +

    Version 10.0.15063.674

      +
    • ECDSA SigGen:
    • +
      • +
      • P-256 SHA: SHA-256
      • +
      • P-384 SHA: SHA-384
      • +
      • P-521 SHA: SHA-512
      • +
    • +
    +

     Prerequisite: DRBG #1732

    Microsoft Surface Hub MsBignum Cryptographic Implementations #1515

    +

    Version 10.0.15063.674

      +
    • ECDSA SigGen:
    • +
      • +
      • P-256 SHA: SHA-256
      • +
      • P-384 SHA: SHA-384
      • +
      • P-521 SHA: SHA-512
      • +
    • +
    +

    Prerequisite: DRBG #1732

    Microsoft Surface Hub SymCrypt Cryptographic Implementations #1514

    +

    Version 10.0.15063.674

      +
    • RSADP:
    • +
      • +
      • Modulus Size: 2048 (bits)
      • +
    • +

    Microsoft Surface Hub SymCrypt Cryptographic Implementations #1513

    +

    Version 10.0.15063.674

      +
    • RSASP1:
    • +
      • +
      • Modulus Size: 2048 (bits)
      • +
      • Padding Algorithms: PKCS 1.5
      • +
    • +

    Microsoft Surface Hub SymCrypt Cryptographic Implementations #1512

    +

    Version 10.0.15063.674

      +
    • IKEv1:
    • +
      • +
      • Methods: Digital Signature, Pre-shared Key, Public Key Encryption
      • +
      • Pre-shared Key Length: 64-2048
      • +
      • Diffie-Hellman shared secrets:
      • +
        • +
        • Diffie-Hellman shared secret:
        • +
          • +
          • Length: 2048 (bits)
          • +
          • SHA Functions: SHA-256
          • +
        • +
        • Diffie-Hellman shared secret:
        • +
          • +
          • Length: 256 (bits)
          • +
          • SHA Functions: SHA-256
          • +
        • +
        • Diffie-Hellman shared secret:
        • +
          • +
          • Length: 384 (bits)
          • +
          • SHA Functions: SHA-384
          • +
        • +
      • +
    • +
    +

    Prerequisite: SHS #4011, HMAC #3269

    +
      +
    • IKEv2:
    • +
      • +
      • Derived Keying Material length: 192-1792
      • +
      • Diffie-Hellman shared secrets:
      • +
        • +
        • Diffie-Hellman shared secret:
        • +
          • +
          • Length: 2048 (bits)
          • +
          • SHA Functions: SHA-256
          • +
        • +
        • Diffie-Hellman shared secret:
        • +
          • +
          • Length: 256 (bits)
          • +
          • SHA Functions: SHA-256
          • +
        • +
        • Diffie-Hellman shared secret:
        • +
          • +
          • Length: 384 (bits)
          • +
          • SHA Functions: SHA-384
          • +
        • +
      • +
    • +
    +

    Prerequisite: SHS #4011, HMAC #3269

    +
      +
    • TLS:
    • +
      • +
      • Supports TLS 1.0/1.1
      • +
      • Supports TLS 1.2:
      • +
        • +
        • SHA Functions: SHA-256, SHA-384
        • +
      • +
    • +
    +

    Prerequisite: SHS #4011, HMAC #3269

    Microsoft Surface Hub SymCrypt Cryptographic Implementations #1511

    +

    Version 10.0.15063.674

      +
    • ECDSA SigGen:
    • +
      • +
      • P-256 SHA: SHA-256
      • +
      • P-384 SHA: SHA-384
      • +
      • P-521 SHA: SHA-512
      • +
    • +
    +

    Prerequisite: DRBG #1731

    Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1510

    +

    Version 10.0.15254

      +
    • RSADP:
    • +
      • +
      • Modulus Size: 2048 (bits)
      • +
    • +

    Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1509

    +

    Version 10.0.15254

      +
    • RSASP1:
    • +
      • +
      • Modulus Size: 2048 (bits)
      • +
      • Padding Algorithms: PKCS 1.5
      • +
    • +

    Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1508

    +

    Version 10.0.15254

      +
    • IKEv1:
    • +
      • +
      • Methods: Digital Signature, Pre-shared Key, Public Key Encryption
      • +
      • Pre-shared Key Length: 64-2048
      • +
      • Diffie-Hellman shared secrets:
      • +
        • +
        • Diffie-Hellman shared secret:
        • +
          • +
          • Length: 2048 (bits)
          • +
          • SHA Functions: SHA-256
          • +
        • +
        • Diffie-Hellman shared secret:
        • +
          • +
          • Length: 256 (bits)
          • +
          • SHA Functions: SHA-256
          • +
        • +
        • Diffie-Hellman shared secret:
        • +
          • +
          • Length: 384 (bits)
          • +
          • SHA Functions: SHA-384
          • +
        • +
      • +
    • +
    +

    Prerequisite: SHS #4010, HMAC #3268

    +
      +
    • IKEv2:
    • +
      • +
      • Derived Keying Material length: 192-1792
      • +
      • Diffie-Hellman shared secrets:
      • +
        • +
        • Diffie-Hellman shared secret:
        • +
          • +
          • Length: 2048 (bits)
          • +
          • SHA Functions: SHA-256
          • +
        • +
        • Diffie-Hellman shared secret:
        • +
          • +
          • Length: 256 (bits)
          • +
          • SHA Functions: SHA-256
          • +
        • +
        • Diffie-Hellman shared secret:
        • +
          • +
          • Length: 384 (bits)
          • +
          • SHA Functions: SHA-384
          • +
        • +
      • +
    • +
    +

    Prerequisite: SHS #4010, HMAC #3268

    +
      +
    • TLS:
    • +
      • +
      • Supports TLS 1.0/1.1
      • +
      • Supports TLS 1.2:
      • +
        • +
        • SHA Functions: SHA-256, SHA-384
        • +
      • +
    • +
    +

    Prerequisite: SHS #4010, HMAC #3268

    Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1507

    +

    Version 10.0.15254

      +
    • ECDSA SigGen:
    • +
      • +
      • P-256 SHA: SHA-256
      • +
      • P-384 SHA: SHA-384
      • +
      • P-521 SHA: SHA-512
      • +
    • +
    +

    Prerequisite: DRBG #1731

    Windows 10 Mobile (version 1709) MsBignum Cryptographic Implementations #1506

    +

    Version 10.0.15254

      +
    • RSADP:
    • +
      • +
      • Modulus Size: 2048 (bits)
      • +
    • +

    Windows 10 Mobile (version 1709) MsBignum Cryptographic Implementations #1505

    +

    Version 10.0.15254

      +
    • RSASP1:
    • +
      • +
      • Modulus Size: 2048 (bits)
      • +
      • Padding Algorithms: PKCS 1.5
      • +
    • +

    Windows 10 Mobile (version 1709) MsBignum Cryptographic Implementations #1504

    +

    Version 10.0.15254

      +
    • ECDSA SigGen:
    • +
      • +
      • P-256 SHA: SHA-256
      • +
      • P-384 SHA: SHA-384
      • +
      • P-521 SHA: SHA-512
      • +
    • +
    +

    Prerequisite: DRBG #1730

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #1503

    +

    Version 10.0.16299

      +
    • RSADP:
    • +
      • +
      • Modulus Size: 2048 (bits)
      • +
    • +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #1502

    +

    Version 10.0.16299

      +
    • RSASP1:
    • +
      • +
      • Modulus Size: 2048 (bits)
      • +
      • Padding Algorithms: PKCS 1.5
      • +
    • +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #1501

    +

    Version 10.0.16299

      +
    • ECDSA SigGen:
    • +
      • +
      • P-256 SHA: SHA-256
      • +
      • P-384 SHA: SHA-384
      • +
      • P-521 SHA: SHA-512
      • +
    • +
    +

    Prerequisite: DRBG #1730

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1499

    +

    Version 10.0.16299

      +
    • RSADP:
    • +
      • +
      • Modulus Size: 2048 (bits)
      • +
    • +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1498

    +

    Version 10.0.16299

    +

     

      +
    • RSASP1:
    • +
      • +
      • Modulus Size: 2048 (bits)
      • +
      • Padding Algorithms: PKCS 1.5
      • +
    • +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations  #1497

    +

    Version 10.0.16299

      +
    • IKEv1:
    • +
      • +
      • Methods: Digital Signature, Pre-shared Key, Public Key Encryption
      • +
      • Pre-shared Key Length: 64-2048
      • +
      • Diffie-Hellman shared secrets:
      • +
        • +
        • Diffie-Hellman shared secret:
        • +
          • +
          • Length: 2048 (bits)
          • +
          • SHA Functions: SHA-256
          • +
        • +
        • Diffie-Hellman shared secret:
        • +
          • +
          • Length: 256 (bits)
          • +
          • SHA Functions: SHA-256
          • +
        • +
        • Diffie-Hellman shared secret:
        • +
          • +
          • Length: 384 (bits)
          • +
          • SHA Functions: SHA-384
          • +
        • +
      • +
    • +
    +

    Prerequisite: SHS #4009, HMAC #3267

    +
      +
    • IKEv2:
    • +
      • +
      • Derived Keying Material length: 192-1792
      • +
      • Diffie-Hellman shared secrets:
      • +
        • +
        • Diffie-Hellman shared secret:
        • +
          • +
          • Length: 2048 (bits)
          • +
          • SHA Functions: SHA-256
          • +
        • +
        • Diffie-Hellman shared secret:
        • +
          • +
          • Length: 256 (bits)
          • +
          • SHA Functions: SHA-256
          • +
        • +
        • Diffie-Hellman shared secret:
        • +
          • +
          • Length: 384 (bits)
          • +
          • SHA Functions: SHA-384
          • +
        • +
      • +
    • +
    +

    Prerequisite: SHS #4009, HMAC #3267

    +
      +
    • TLS:
    • +
      • +
      • Supports TLS 1.0/1.1
      • +
      • Supports TLS 1.2:
      • +
        • +
        • SHA Functions: SHA-256, SHA-384
        • +
      • +
    • +
    +

    Prerequisite: SHS #4009, HMAC #3267

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations  #1496

    +

    Version 10.0.16299

    FIPS186-4 ECDSA

    +

    Signature Generation of hash sized messages

    +

    ECDSA SigGen Component: CURVES( P-256 P-384 P-521 )

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations #1284
    +Version 10.0. 15063

    +

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1279
    +Version 10.0. 15063

    +

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #922
    +Version 10.0.14393

    +

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #894
    +Version 10.0.14393icrosoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations #666
    +Version 10.0.10586

    +

    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #288
    +Version 6.3.9600

    FIPS186-4 RSA; PKCS#1 v2.1

    +

    RSASP1 Signature Primitive

    +

    RSASP1: (Mod2048: PKCS1.5 PKCSPSS)

    Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #1285
    +Version 10.0.15063

    +

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations #1282
    +Version 10.0.15063

    +

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1280
    +Version 10.0.15063

    +

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #893
    +Version 10.0.14393

    +

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #888
    +Version 10.0.14393

    +

    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations #665
    +Version 10.0.10586

    +

    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations #572
    +Version  10.0.10240

    +

    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry MsBignum Cryptographic Implementations #289
    +Version 6.3.9600

    FIPS186-4 RSA; RSADP

    +

    RSADP Primitive

    +

    RSADP: (Mod2048)

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations #1283
    +Version 10.0.15063

    +

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1281
    +Version 10.0.15063

    +

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #895
    +Version 10.0.14393

    +

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #887
    +Version 10.0.14393

    +

    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” Cryptography Next Generation (CNG) Implementations #663
    +Version 10.0.10586

    +

    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations #576
    +Version  10.0.10240

    SP800-135

    +

    Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations  #1496

    +

    Version 10.0.16299

    +

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1278
    +Version 10.0.15063

    +

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1140
    +Version 7.00.2872

    +

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1139
    +Version 8.00.6246

    +

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update BcryptPrimitives and NCryptSSLp #886
    +Version 10.0.14393

    +

    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” BCryptPrimitives and NCryptSSLp #664
    +Version 10.0.10586

    +

    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 BCryptPrimitives and NCryptSSLp #575
    +Version  10.0.10240

    +

    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 BCryptPrimitives and NCryptSSLp #323
    +Version 6.3.9600

    + + +## References + +\[[FIPS 140](http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf)\] - FIPS 140-2, Security Requirements for Cryptographic Modules + +\[[FIPS FAQ](http://csrc.nist.gov/groups/stm/cmvp/documents/cmvpfaq.pdf)\] - Cryptographic Module Validation Program (CMVP) FAQ + +\[[SP 800-57](http://csrc.nist.gov/publications/pubssps.html#800-57-part1)\] - Recommendation for Key Management – Part 1: General (Revised) + +\[[SP 800-131A](http://csrc.nist.gov/publications/nistpubs/800-131a/sp800-131a.pdf)\] - Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths + +## Additional Microsoft References + +Enabling FIPS mode - + +Cipher Suites in Schannel - [http://msdn.microsoft.com/en-us/library/aa374757(VS.85).aspx](https://msdn.microsoft.com/en-us/library/aa374757\(vs.85\).aspx) + diff --git a/windows/security/threat-protection/images/powershell-example.png b/windows/security/threat-protection/images/powershell-example.png new file mode 100644 index 0000000000..4ec2be97af Binary files /dev/null and b/windows/security/threat-protection/images/powershell-example.png differ diff --git a/windows/security/threat-protection/images/vbs-example.png b/windows/security/threat-protection/images/vbs-example.png new file mode 100644 index 0000000000..6a1cc80fd4 Binary files /dev/null and b/windows/security/threat-protection/images/vbs-example.png differ diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md index be736a9d69..43e37f1269 100644 --- a/windows/security/threat-protection/index.md +++ b/windows/security/threat-protection/index.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security author: dansimp ms.localizationpriority: medium -ms.date: 09/07/2018 +ms.date: 10/04/2018 --- # Threat Protection @@ -30,7 +30,7 @@ Windows Defender Advanced Threat Protection (Windows Defender ATP) is a unified
    Management and APIs
    -
    Microsoft threat protection
    +
    Microsoft Threat Protection

    @@ -43,6 +43,7 @@ The attack surface reduction set of capabilities provide the first line of defen - [Hardware based isolation](windows-defender-atp/overview-hardware-based-isolation.md) - [Application control](windows-defender-application-control/windows-defender-application-control.md) +- [Device control](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md) - [Exploit protection](windows-defender-exploit-guard/exploit-protection-exploit-guard.md) - [Network protection](windows-defender-exploit-guard/network-protection-exploit-guard.md) - [Controlled folder access](windows-defender-exploit-guard/controlled-folders-exploit-guard.md) @@ -54,11 +55,12 @@ The attack surface reduction set of capabilities provide the first line of defen **[Next generation protection](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)**
    To further reinforce the security perimeter of your network, Windows Defender ATP uses next generation protection designed to catch all types of emerging threats. -- [Windows Defender Antivirus](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md) -- [Machine learning](windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md) +- [Behavior monitoring](/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus) +- [Cloud-based protection](/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) +- [Machine learning](windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md) +- [URL Protection](/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus) - [Automated sandbox service](windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md) - **[Endpoint protection and response](windows-defender-atp/overview-endpoint-detection-response.md)**
    @@ -110,8 +112,8 @@ Integrate Windows Defender Advanced Threat Protection into your existing workflo -**[Microsoft threat protection](windows-defender-atp/threat-protection-integration.md)**
    -Bring the power of Microsoft threat protection to your organization. +**[Microsoft Threat Protection](windows-defender-atp/threat-protection-integration.md)**
    +Bring the power of Microsoft threat protection to your organization. Windows Defender ATP is part of the Microsoft Threat Protection solution that helps implement end-to-end security across possible attack surfaces in the modern workplace. - [Conditional access](windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection.md) - [O365 ATP](windows-defender-atp/threat-protection-integration.md) - [Azure ATP](windows-defender-atp/threat-protection-integration.md) diff --git a/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md b/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md index 2f6a6ce43c..b33d8c80f8 100644 --- a/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md +++ b/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md @@ -1,7 +1,7 @@ --- title: Coordinated Malware Eradication -description: Information and criteria regarding CME -keywords: security, malware +description: The Coordinated Malware Eradication program aims to unite security organizations to disrupt the malware ecosystem. +keywords: security, malware, malware eradication, Microsoft Malware Protection Center, MMPC ms.prod: w10 ms.mktglfcycl: secure ms.sitesec: library 
@@ -32,4 +32,4 @@ Organizations participating in the CME effort work together to help eradicate se Any organization that is involved in cybersecurity and antimalware or interested in fighting cybercrime can participate in CME campaigns by enrolling in the [Virus Information Alliance (VIA) program](virus-information-alliance-criteria.md). It ensures that everyone agrees to use the information and tools available for campaigns for their intended purpose (that is, the eradication of malware). -If your organization meets these criteria and would like to apply for membership, contact us at [mvi@microsoft.com](mailto:mvi@microsoft.com). Please indicate whether you would like to join CME, [VIA](./virus-information-alliance-criteria.md), or [MVI](./virus-initiative-criteria.md). \ No newline at end of file +If your organization meets these criteria and is interested in joining, [apply for membership now](https://www.microsoft.com/en-us/wdsi/alliances/apply-alliance-membership). If you have questions, [contact us for more information](https://www.microsoft.com/en-us/wdsi/alliances/collaboration-inquiry). \ No newline at end of file diff --git a/windows/security/threat-protection/intelligence/criteria.md b/windows/security/threat-protection/intelligence/criteria.md index ab053f956f..338810c3c0 100644 --- a/windows/security/threat-protection/intelligence/criteria.md +++ b/windows/security/threat-protection/intelligence/criteria.md 
@@ -1,7 +1,7 @@ --- title: How Microsoft identifies malware and potentially unwanted applications -description: criteria -keywords: security, malware +description: Learn how Microsoft reviews software for unwanted behavior, advertising, privacy violations, and negative consumer opinion to determine if it is malware (malicious software) or potentially unwanted applications. +keywords: security, malware, virus research threats, research malware, pc protection, computer infection, virus infection, descriptions, remediation, latest threats, MMPC, Microsoft Malware Protection Center, PUA, potentially unwanted applications ms.prod: w10 ms.mktglfcycl: secure ms.sitesec: library diff --git a/windows/security/threat-protection/intelligence/cybersecurity-industry-partners.md b/windows/security/threat-protection/intelligence/cybersecurity-industry-partners.md index 52a769a8b5..8a1c4b9338 100644 --- a/windows/security/threat-protection/intelligence/cybersecurity-industry-partners.md +++ b/windows/security/threat-protection/intelligence/cybersecurity-industry-partners.md @@ -1,7 +1,7 @@ --- title: Industry collaboration programs -description: Describing the 3 industry collaboration programs -keywords: security, malware +description: Microsoft industry-wide antimalware collaboration programs - Virus Information Alliance (VIA), Microsoft Virus Initiative (MVI), and Coordinated Malware Eradication (CME) +keywords: security, malware, antivirus industry, antimalware Industry, collaboration programs, alliances, Virus Information Alliance, Microsoft Virus Initiative, Coordinated Malware Eradication, WDSI, MMPC, Microsoft Malware Protection Center, partnerships ms.prod: w10 ms.mktglfcycl: secure ms.sitesec: library diff --git a/windows/security/threat-protection/intelligence/developer-resources.md b/windows/security/threat-protection/intelligence/developer-resources.md index 612338fcad..def783966f 100644 --- a/windows/security/threat-protection/intelligence/developer-resources.md 
+++ b/windows/security/threat-protection/intelligence/developer-resources.md @@ -26,18 +26,12 @@ Check out the following resources for information on how to submit and view subm ### Detection criteria -To objectively identify malware and unidentified software, Microsoft applies a set of criteria for evaluating malicious or potentially harmful code. - -For more information, see +To objectively identify malware and unidentified software, Microsoft applies a [set of criteria](criteria.md) for evaluating malicious or potentially harmful code. ### Developer questions -Find more guidance about the file submission and detection dispute process in our FAQ for software developers. - -For more information, see +Find more guidance about the file submission and detection dispute process in our [FAQ for software developers](developer-faq.md). ### Scan your software -Use Windows Defender Antivirus to check your software against the latest definitions and cloud protection from Microsoft. - -For more information, see \ No newline at end of file +Use [Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10?ocid=cx-docs-avreports) to check your software against the latest definitions and cloud protection from Microsoft. diff --git a/windows/security/threat-protection/intelligence/exploits-malware.md b/windows/security/threat-protection/intelligence/exploits-malware.md index 252dc72d31..460e31a545 100644 --- a/windows/security/threat-protection/intelligence/exploits-malware.md +++ b/windows/security/threat-protection/intelligence/exploits-malware.md 
@@ -1,7 +1,7 @@ --- title: Exploits and exploit kits -description: Learn about exploits, how they can infect devices, and what you can do to protect yourself. -keywords: security, malware, exploits, exploit kits, prevention, vulnerabilities +description: Learn about how exploits use vulnerabilities in common software to give an attackers access to your computer and to install other malware. +keywords: security, malware, exploits, exploit kits, prevention, vulnerabilities, Microsoft, Exploit malware family, exploits, java, flash, adobe, update software, prevent exploits, exploit pack, vulnerability, 0-day, holes, weaknesses, attack, Flash, Adobe, out-of-date software, out of date software, update, update software, reinfection, Java cache, reinfected, won't remove, won't clean, still detects, full scan, MSE, Defender, WDSI, MMPC, Microsoft Malware Protection Center ms.prod: w10 ms.mktglfcycl: secure ms.sitesec: library diff --git a/windows/security/threat-protection/intelligence/macro-malware.md b/windows/security/threat-protection/intelligence/macro-malware.md index 27bccb2f06..4061d33001 100644 --- a/windows/security/threat-protection/intelligence/macro-malware.md +++ b/windows/security/threat-protection/intelligence/macro-malware.md @@ -1,7 +1,7 @@ --- title: Macro malware -description: Learn about how macro malware works, how it can infect devices, and what you can do to protect yourself. -keywords: security, malware, macro, protection +description: Learn about macro viruses and malware, which are embedded in documents and are used to drop malicious payloads and distribute other threats. +keywords: security, malware, macro, protection, WDSI, MMPC, Microsoft Malware Protection Center, macro virus, macro malware, documents, viruses in Office, viruses in Word ms.prod: w10 ms.mktglfcycl: secure ms.sitesec: library 
diff --git a/windows/security/threat-protection/intelligence/malware-naming.md b/windows/security/threat-protection/intelligence/malware-naming.md index 35db2cac2b..2dd0229441 100644 --- a/windows/security/threat-protection/intelligence/malware-naming.md +++ b/windows/security/threat-protection/intelligence/malware-naming.md @@ -1,7 +1,7 @@ --- title: Malware names -description: Identifying malware vocabulary -keywords: security, malware, names +description: Understand the malware naming convention used by Windows Defender Antivirus and other Microsoft antimalware. +keywords: security, malware, names, Microsoft, MMPC, Microsoft Malware Protection Center, WDSI, malware name, malware prefix, malware type, virus name ms.prod: w10 ms.mktglfcycl: secure ms.sitesec: library diff --git a/windows/security/threat-protection/intelligence/prevent-malware-infection.md b/windows/security/threat-protection/intelligence/prevent-malware-infection.md index 731b7e0e95..54e33d0a52 100644 --- a/windows/security/threat-protection/intelligence/prevent-malware-infection.md +++ b/windows/security/threat-protection/intelligence/prevent-malware-infection.md @@ -1,7 +1,7 @@ --- title: Prevent malware infection -description: Malware prevention best practices -keywords: security, malware, prevention, infection, tips +description: Learn steps you can take to help prevent a malware or potentially unwanted software from infecting your computer. +keywords: security, malware, prevention, infection, tips, Microsoft, MMPC, Microsoft Malware Protection Center, virus, trojan, worm, stop, prevent, full scan, infection, avoid malware, avoid trojan, avoid virus, infection, how, detection, security software, antivirus, updates, how malware works, how virus works, firewall, turn on, user privileges, limit, prevention, WDSI, MMPC, Microsoft Malware Protection Center ms.prod: w10 ms.mktglfcycl: secure ms.sitesec: library 
diff --git a/windows/security/threat-protection/intelligence/ransomware-malware.md b/windows/security/threat-protection/intelligence/ransomware-malware.md index 484ae796f1..3441ceb6d7 100644 --- a/windows/security/threat-protection/intelligence/ransomware-malware.md +++ b/windows/security/threat-protection/intelligence/ransomware-malware.md @@ -1,7 +1,7 @@ --- title: Ransomware -description: Learn about ransomware, how it works, and what you can do to protect yourself. -keywords: security, malware, ransomware, encryption, extortion, money, key, infection, prevention, tips +description: Learn how to protect your computer and network from ransomware attacks, which can stop you from accessing your files. +keywords: security, malware, ransomware, encryption, extortion, money, key, infection, prevention, tips, WDSI, MMPC, Microsoft Malware Protection Center, ransomware-as-a-service, ransom, ransomware downloader, protection, prevention, solution, exploit kits, backup, Cerber, Locky, WannaCry, WannaCrypt, Petya, Spora ms.prod: w10 ms.mktglfcycl: secure ms.sitesec: library diff --git a/windows/security/threat-protection/intelligence/rootkits-malware.md b/windows/security/threat-protection/intelligence/rootkits-malware.md index 24d7b3ca8a..cf0bc0334f 100644 --- a/windows/security/threat-protection/intelligence/rootkits-malware.md +++ b/windows/security/threat-protection/intelligence/rootkits-malware.md 
@@ -1,7 +1,7 @@ --- title: Rootkits -description: Learn about rootkits, how they hide malware on your device, and what you can do to protect yourself. -keywords: security, malware, rootkit, hide, protection, hiding +description: Rootkits may be used by malware authors to hide malicious code on your computer and make malware or potentially unwanted software harder to remove. +keywords: security, malware, rootkit, hide, protection, hiding, WDSI, MMPC, Microsoft Malware Protection Center, rootkits, Sirefef, Rustock, Sinowal, Cutwail, malware, virus ms.prod: w10 ms.mktglfcycl: secure ms.sitesec: library diff --git a/windows/security/threat-protection/intelligence/safety-scanner-download.md b/windows/security/threat-protection/intelligence/safety-scanner-download.md index 907f9c9a3a..6a509aa69d 100644 --- a/windows/security/threat-protection/intelligence/safety-scanner-download.md +++ b/windows/security/threat-protection/intelligence/safety-scanner-download.md 
@@ -21,6 +21,8 @@ Safety Scanner only scans when manually triggered and is available for use 10 da > **NOTE:** This tool does not replace your antimalware product. For real-time protection with automatic updates, use [Windows Defender Antivirus on Windows 10 and Windows 8](https://www.microsoft.com/en-us/windows/windows-defender) or [Microsoft Security Essentials on Windows 7](https://support.microsoft.com/en-us/help/14210/security-essentials-download). These antimalware products also provide powerful malware removal capabilities. If you are having difficulties removing malware with these products, you can refer to our help on [removing difficult threats](https://www.microsoft.com/en-us/wdsi/help/troubleshooting-infection). +> **NOTE:** Safety scanner is a portable executable and does not appear in the Windows Start menu or as an icon on the desktop. Note where you saved this download. + ## System requirements Safety Scanner helps remove malicious software from computers running Windows 10, Windows 10 Tech Preview, Windows 8.1, Windows 8, Windows 7, Windows Server 2016, Windows Server Tech Preview, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, or Windows Server 2008. Please refer to the [Microsoft Lifecycle Policy](https://support.microsoft.com/en-us/lifecycle). diff --git a/windows/security/threat-protection/intelligence/submission-guide.md b/windows/security/threat-protection/intelligence/submission-guide.md index b72568d223..49259aa858 100644 --- a/windows/security/threat-protection/intelligence/submission-guide.md +++ b/windows/security/threat-protection/intelligence/submission-guide.md 
@@ -1,7 +1,7 @@ --- title: How Microsoft identifies malware and potentially unwanted applications -description: criteria -keywords: security, malware +description: Learn how to submit files to Microsoft for malware analysis, how to track your submissions, and dispute detections. +keywords: security, sample submission help, malware file, virus file, trojan file, submit, send to Microsoft, submit a sample, virus, trojan, worm, undetected, doesn’t detect, email microsoft, email malware, I think this is malware, I think it's a virus, where can I send a virus, is this a virus, MSE, doesn’t detect, no signature, no detection, suspect file, MMPC, Microsoft Malware Protection Center, researchers, analyst, WDSI ms.prod: w10 ms.mktglfcycl: secure ms.sitesec: library diff --git a/windows/security/threat-protection/intelligence/supply-chain-malware.md b/windows/security/threat-protection/intelligence/supply-chain-malware.md index ce1112d198..340a2bf9f0 100644 --- a/windows/security/threat-protection/intelligence/supply-chain-malware.md +++ b/windows/security/threat-protection/intelligence/supply-chain-malware.md @@ -17,6 +17,8 @@ Supply chain attacks are an emerging kind of threat that target software develop ## How supply chain attacks work +> [!video https://www.youtube.com/embed/uXm2XNSavwo] + Attackers hunt for unsecure network protocols, unprotected server infrastructures, and unsafe coding practices. They break in, change source codes, and hide malware in build and update processes. Because software is built and released by trusted vendors, these apps and updates are signed and certified. In software supply chain attacks, vendors are likely unaware that their apps or updates are infected with malicious code when they’re released to the public. The malicious code then runs with the same trust and permissions as the app. 
diff --git a/windows/security/threat-protection/intelligence/support-scams.md b/windows/security/threat-protection/intelligence/support-scams.md index 821900539a..c63043dc53 100644 --- a/windows/security/threat-protection/intelligence/support-scams.md +++ b/windows/security/threat-protection/intelligence/support-scams.md @@ -1,7 +1,7 @@ --- title: Tech Support Scams -description: Learn about how supply chain attacks work, deliver malware do your devices, and what you can do to protect yourself -keywords: security, malware, tech support, scam, protection, trick, spoof, fake, error messages, report +description: Microsoft security software can protect you from tech support scams that claims to scan for malware or viruses and then shows you fake detections and warnings. +keywords: security, malware, tech support, scam, protection, trick, spoof, fake, error messages, report, rogue security software, fake, antivirus, fake software, rogue, threats, fee, removal fee, upgrade, pay for removal, install full version, trial, lots of threats, scanner, scan, clean, computer, security, program, XP home security, fake microsoft, activate, activate scan, activate antivirus, warnings, pop-ups, security warnings, security pop-ups tech support scams, fake Microsoft error notification, fake virus alert, fake product expiration, fake Windows activation, scam web pages, scam phone numbers, telephone numbers, MMPC, WDSI, Microsoft Malware Protection Center, tech support scam numbers ms.prod: w10 ms.mktglfcycl: secure ms.sitesec: library 
@@ -40,7 +40,7 @@ It is also important to keep the following in mind: * Use [Microsoft Edge](https://www.microsoft.com/windows/microsoft-edge) when browsing the internet. It blocks known support scam sites using Windows Defender SmartScreen (which is also used by Internet Explorer). Furthermore, Microsoft Edge can stop pop-up dialogue loops used by these sites. -* Enable Enable [Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) in Windows 10. It detects and removes known support scam malware. +* Enable [Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) in Windows 10. It detects and removes known support scam malware. ## What to do if information has been given to a tech support person @@ -60,4 +60,4 @@ Help Microsoft stop scammers, whether they claim to be from Microsoft or from an **www.microsoft.com/reportascam** -You can also report any **unsafe website** that you suspect is a phishing website or contains malicious content directly to Microsoft by filling out a [Report an unsafe site form](https://www.microsoft.com/en-us/wdsi/support/report-unsafe-site) or using built in web browser functionality. \ No newline at end of file +You can also report any **unsafe website** that you suspect is a phishing website or contains malicious content directly to Microsoft by filling out a [Report an unsafe site form](https://www.microsoft.com/en-us/wdsi/support/report-unsafe-site) or using built in web browser functionality. diff --git a/windows/security/threat-protection/intelligence/trojans-malware.md b/windows/security/threat-protection/intelligence/trojans-malware.md index f3974e7341..47a21f4308 100644 --- a/windows/security/threat-protection/intelligence/trojans-malware.md +++ b/windows/security/threat-protection/intelligence/trojans-malware.md 
@@ -1,7 +1,7 @@ --- title: Trojan malware -description: Learn about how trojans work, deliver malware do your devices, and what you can do to protect yourself. -keywords: security, malware, protection, trojan, download, file, infection +description: Trojans are a type of threat that can infect your device. This page tells you what they are and how to remove them. +keywords: security, malware, protection, trojan, download, file, infection, trojans, virus, protection, cleanup, removal, antimalware, antivirus, WDSI, MMPC, Microsoft Malware Protection Center, malware types ms.prod: w10 ms.mktglfcycl: secure ms.sitesec: library diff --git a/windows/security/threat-protection/intelligence/understanding-malware.md b/windows/security/threat-protection/intelligence/understanding-malware.md index f2ed89b560..f8698bec16 100644 --- a/windows/security/threat-protection/intelligence/understanding-malware.md +++ b/windows/security/threat-protection/intelligence/understanding-malware.md @@ -1,7 +1,7 @@ --- title: Understanding malware & other threats -description: Learn about the different types of malware, how they work, and what you can do to protect yourself. -keywords: security, malware +description: Learn about the world's most prevalent viruses, malware, and other threats. Understand how they arrive, their detailed behaviors, infection symptoms, and how to prevent & remove them. +keywords: security, malware, virus, malware, threat, analysis, research, encyclopedia, dictionary, glossary, ransomware, support scams, unwanted software, computer infection, virus infection, descriptions, remediation, latest threats, mmpc, microsoft malware protection center, wdsi ms.prod: w10 ms.mktglfcycl: secure ms.sitesec: library diff --git a/windows/security/threat-protection/intelligence/unwanted-software.md b/windows/security/threat-protection/intelligence/unwanted-software.md index bff16819a8..9a71aa1b92 100644 --- a/windows/security/threat-protection/intelligence/unwanted-software.md 
+++ b/windows/security/threat-protection/intelligence/unwanted-software.md @@ -1,7 +1,7 @@ --- title: Unwanted software description: Learn about how unwanted software changes your default settings without your consent and what you can do to protect yourself. -keywords: security, malware, protection, unwanted, software, alter, infect +keywords: security, malware, protection, unwanted, software, alter, infect, unwanted software, software bundlers, browser modifiers, privacy, security, computing experience, prevent infection, solution, WDSI, MMPC, Microsoft Malware Protection Center, virus research threats, research malware, pc protection, computer infection, virus infection, descriptions, remediation, latest threats ms.prod: w10 ms.mktglfcycl: secure ms.sitesec: library diff --git a/windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md b/windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md index 10e99ef924..7ce546eeed 100644 --- a/windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md +++ b/windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md @@ -1,7 +1,7 @@ --- title: Virus Information Alliance -description: Information and criteria regarding VIA -keywords: security, malware +description: The Microsoft Virus Information Alliance (VIA) is an antimalware collaboration program for security software and service providers, antimalware testing organizations, and other organizations involved in fighting cybercrime. +keywords: security, malware, Microsoft, MMPC, Microsoft Malware Protection Center, partners, sharing, samples, vendor exchange, CSS, alliance, WDSI ms.prod: w10 ms.mktglfcycl: secure ms.sitesec: library 
@@ -46,4 +46,4 @@ To be eligible for VIA your organization must: 3. Be willing to sign and adhere to the VIA membership agreement. -If your organization meets these criteria and would like to apply for membership, contact us at [mvi@microsoft.com](mailto:mvi@microsoft.com). Please indicate whether you would like to join VIA, [MVI](./virus-initiative-criteria.md), or [CME](./coordinated-malware-eradication.md). \ No newline at end of file +If your organization meets these criteria and is interested in joining, [apply for membership now](https://www.microsoft.com/en-us/wdsi/alliances/apply-alliance-membership). If you have questions, [contact us for more information](https://www.microsoft.com/en-us/wdsi/alliances/collaboration-inquiry). \ No newline at end of file diff --git a/windows/security/threat-protection/intelligence/virus-initiative-criteria.md b/windows/security/threat-protection/intelligence/virus-initiative-criteria.md index 26f3bbce30..eeea702caa 100644 --- a/windows/security/threat-protection/intelligence/virus-initiative-criteria.md +++ b/windows/security/threat-protection/intelligence/virus-initiative-criteria.md @@ -1,7 +1,7 @@ --- title: Microsoft Virus Initiative -description: Information and criteria regarding MVI -keywords: security, malware +description: The Microsoft Virus Initiative (MVI) helps organizations that make antivirus or antimalware products integrate with Windows and share antimalware telemetry data with Microsoft. +keywords: security, malware, MVI, Microsoft Malware Protection Center, MMPC, alliances, WDSI ms.prod: w10 ms.mktglfcycl: secure ms.sitesec: library 
@@ -52,6 +52,6 @@ Your organization must meet the following eligibility requirements to participat 7. Submit your AM app to Microsoft for periodic performance testing. -### Apply to MVI +### Apply now -If your organization meets these criteria and would like to apply for membership, contact us at [mvi@microsoft.com](mailto:mvi@microsoft.com). Please indicate whether you would like to join MVI, [VIA](./virus-information-alliance-criteria.md), or [CME](./coordinated-malware-eradication.md). \ No newline at end of file +If your organization meets these criteria and is interested in joining, [apply for membership now](https://www.microsoft.com/en-us/wdsi/alliances/apply-alliance-membership). If you have questions, [contact us for more information](https://www.microsoft.com/en-us/wdsi/alliances/collaboration-inquiry). \ No newline at end of file diff --git a/windows/security/threat-protection/intelligence/worms-malware.md b/windows/security/threat-protection/intelligence/worms-malware.md index f1e88eb03c..b76c90029c 100644 --- a/windows/security/threat-protection/intelligence/worms-malware.md +++ b/windows/security/threat-protection/intelligence/worms-malware.md @@ -1,7 +1,7 @@ --- title: Worms -description: Learn about worms, how they infect devices, and what you can do to protect yourself. -keywords: security, malware, protection, worm, vulnerabilities, infect, steal, Jenxcus, Gamarue, Bondat, WannaCrypt +description: Learn about how worms replicate and spread to other computers or networks. Read about the most popular worms and steps you can take to stop them. +keywords: security, malware, protection, worm, vulnerabilities, infect, steal, Jenxcus, Gamarue, Bondat, WannaCrypt, WDSI, MMPC, Microsoft Malware Protection Center, worms, malware types, threat propagation, mass-mailing, IP scanning ms.prod: w10 ms.mktglfcycl: secure ms.sitesec: library 
diff --git a/windows/security/threat-protection/mbsa-removal-and-guidance.md b/windows/security/threat-protection/mbsa-removal-and-guidance.md
new file mode 100644
index 0000000000..580a5b58bd
--- /dev/null
+++ b/windows/security/threat-protection/mbsa-removal-and-guidance.md
@@ -0,0 +1,39 @@
+---
+title: Microsoft Baseline Security Analyzer (MBSA) removal and guidance on alternative solutions
+description: This article documents the removal of MBSA and alternative solutions
+keywords: MBSA, security, removal
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+ms.author: astoica
+author: andreiztm
+ms.date: 10/05/2018
+---
+
+# What is Microsoft Baseline Security Analyzer and its uses?
+
+Microsoft Baseline Security Analyzer (MBSA) is used to verify patch compliance. MBSA also performed several other security checks for Windows, IIS, and SQL Server. Unfortunately, the logic behind these additional checks had not been actively maintained since Windows XP and Windows Server 2003. Changes in the products since then rendered many of these security checks obsolete and some of their recommendations counterproductive.
+
+MBSA was largely used in situations where neither Microsoft Update nor a local WSUS/SCCM server was available, or as a compliance tool to ensure that all security updates were deployed to a managed environment. While MBSA version 2.3 introduced support for Windows Server 2012 R2 and Windows 8.1, it has since been deprecated and no longer developed. MBSA 2.3 is not updated to fully support Windows 10 and Windows Server 2016.
+
+## The Solution
+A script can help you with an alternative to MBSA’s patch-compliance checking:
+
+- [Using WUA to Scan for Updates Offline](https://docs.microsoft.com/previous-versions/windows/desktop/aa387290(v=vs.85)), which includes a sample .vbs script.
+For a PowerShell alternative, see [Using WUA to Scan for Updates Offline with PowerShell](https://gallery.technet.microsoft.com/Using-WUA-to-Scan-for-f7e5e0be).
+
+For example:
+
+[![VBS script](images/vbs-example.png)](https://docs.microsoft.com/previous-versions/windows/desktop/aa387290(v=vs.85))
+[![PowerShell script](images/powershell-example.png)](https://gallery.technet.microsoft.com/Using-WUA-to-Scan-for-f7e5e0be)
+
+The preceding scripts leverage the [WSUS offline scan file](https://support.microsoft.com/help/927745/detailed-information-for-developers-who-use-the-windows-update-offline) (wsusscn2.cab) to perform a scan and get the same information on missing updates as MBSA supplied. MBSA also relied on the wsusscn2.cab to determine which updates were missing from a given system without connecting to any online service or server. The wsusscn2.cab file is still available and there are currently no plans to remove or replace it.
+The wsusscn2.cab file contains the metadata of only security updates, update rollups and service packs available from Microsoft Update; it does not contain any information on non-security updates, tools or drivers.
+
+## More Information
+
+For security compliance and for desktop/server hardening, we recommend the Microsoft Security Baselines and the Security Compliance Toolkit.
+
+- [Windows security baselines](windows-security-baselines.md)
+- [Download Microsoft Security Compliance Toolkit 1.0 ](https://www.microsoft.com/download/details.aspx?id=55319)
+- [Microsoft Security Guidance blog](https://blogs.technet.microsoft.com/secguide/)
diff --git a/windows/security/threat-protection/security-policy-settings/account-lockout-policy.md b/windows/security/threat-protection/security-policy-settings/account-lockout-policy.md
index b85e285e97..c481a744c3 100644
--- a/windows/security/threat-protection/security-policy-settings/account-lockout-policy.md
+++ b/windows/security/threat-protection/security-policy-settings/account-lockout-policy.md
@@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: brianlic-msft -ms.date: 04/19/2017 +ms.date: 10/11/2018 --- # Account Lockout Policy @@ -22,6 +22,9 @@ Someone who attempts to use more than a few unsuccessful passwords while trying The following topics provide a discussion of each policy setting's implementation and best practices considerations, policy location, default values for the server type or Group Policy Object (GPO), relevant differences in operating system versions, and security considerations (including the possible vulnerabilities of each policy setting), countermeasures that you can implement, and the potential impact of implementing the countermeasures. +>[!NOTE] +>Account lockout settings for remote access clients can be configured separately by editing the Registry on the server that manages the remote access. For more information, see [How to configure remote access client account lockout](https://support.microsoft.com/help/816118/how-to-configure-remote-access-client-account-lockout-in-windows-serve). + ## In this section | Topic | Description | diff --git a/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md b/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md index 1ae321bd87..83b3cbd192 100644 --- a/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md +++ b/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md 
@@ -84,11 +84,11 @@ A user who is assigned this user right could increase the scheduling priority of ### Countermeasure -Verify that only Administrators and and Window Manager/Window Manager Group have the **Increase scheduling priority** user right assigned to them. +Verify that only Administrators and Window Manager/Window Manager Group have the **Increase scheduling priority** user right assigned to them. ### Potential impact -None. Restricting the **Increase scheduling priority** user right to members of the Administrators group and and Window Manager/Window Manager Group is the default configuration. +None. Restricting the **Increase scheduling priority** user right to members of the Administrators group and Window Manager/Window Manager Group is the default configuration. ## Related topics diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md index 59c2b970da..a1880dbc92 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 10/02/2018 +ms.date: 10/25/2018 --- 
@@ -23,13 +23,13 @@ ms.date: 10/02/2018 **Use Microsoft Intune to configure scanning options** -See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure) and [Windows Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-windows-10#windows-defender-antivirus) for more details. +See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure) and [Windows Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#windows-defender-antivirus) for more details. **Use Configuration Manager to configure scanning options:** -See [How to create and deploy antimalware policies: Scan settings]( https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#scan-settings) for details on configuring System Center Configuration Manager (current branch). +See [How to create and deploy antimalware policies: Scan settings](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#scan-settings) for details on configuring System Center Configuration Manager (current branch). **Use Group Policy to configure scanning options** @@ -58,7 +58,7 @@ Specify the level of subfolders within an archive folder to scan | Scan > Specif Configure low CPU priority for scheduled scans | Scan > Configure low CPU priority for scheduled scans | Disabled | Not available >[!NOTE] ->By default, quick scans run on mounted removable devices, such as USB drives. +>If real-time protection is enabled, files are scanned before they are accessed and executed. The scanning scope includes all files, including those on mounted removable devices such as USB drives. **Use PowerShell to configure scanning options** 
@@ -66,7 +66,7 @@ See [Manage Windows Defender Antivirus with PowerShell cmdlets](use-powershell-c
 **Use WMI to configure scanning options**
-For using WMI classes, see [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx).
+For using WMI classes, see [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx).
 ### Email scanning limitations
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md
index c7d6f246c3..e993bcf60f 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md
@@ -11,7 +11,7 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: andreabichsel
 ms.author: v-anbic
-ms.date: 09/03/2018
+ms.date: 10/08/2018
 ---
 # Configure and validate Windows Defender Antivirus network connections
@@ -60,8 +60,9 @@ The following table lists the services and their associated URLs that your netwo Used by Windows Defender Antivirus to provide cloud-delivered protection -*.wdcp.microsoft.com*
    -*.wdcpalt.microsoft.com* +*.wdcp.microsoft.com
    +*.wdcpalt.microsoft.com
    +*.wd.microsoft.com
diff --git a/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md
index d1ce22572e..026ca31daa 100644
--- a/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md
+++ b/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md
@@ -8,7 +8,7 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: justinha
 ms.author: justinha
-ms.date: 10/19/2017
+ms.date: 10/17/2017
 ---
 # Configure Windows Defender Application Guard policy settings
@@ -19,12 +19,12 @@ Windows Defender Application Guard (Application Guard) works with Group Policy t
 Application Guard uses both network isolation and application-specific settings.
-### Network isolation settings
+## Network isolation settings
 These settings, located at **Computer Configuration\Administrative Templates\Network\Network Isolation**, help you define and manage your company's network boundaries. Application Guard uses this information to automatically transfer any requests to access the non-corporate resources into the Application Guard container.
 >[!NOTE]
->You must configure either the Enterprise resource domains hosted in the cloud or Private network ranges for apps settings on your employee devices to successfully turn on Application Guard using enterprise mode.
+>You must configure either the Enterprise resource domains hosted in the cloud or Private network ranges for apps settings on your employee devices to successfully turn on Application Guard using enterprise mode.
 |Policy name|Supported versions|Description|
@@ -33,15 +33,18 @@ These settings, located at **Computer Configuration\Administrative Templates\Net |Enterprise resource domains hosted in the cloud|At least Windows Server 2012, Windows 8, or Windows RT|A pipe-separated (\|) list of your domain cloud resources. Included endpoints are rendered using Microsoft Edge and won't be accessible from the Application Guard environment. Notes: 1) Please include a full domain name (www.contoso.com) in the configuration 2) You may optionally use "." as a wildcard character to automatically trust subdomains. Configuring ".constoso.com" will automatically trust "subdomain1.contoso.com", "subdomain2.contoso.com" etc. | |Domains categorized as both work and personal|At least Windows Server 2012, Windows 8, or Windows RT|A comma-separated list of domain names used as both work or personal resources. Included endpoints are rendered using Microsoft Edge and will be accessible from the Application Guard and regular Edge environment.| -### Application-specific settings +## Application-specific settings These settings, located at **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard**, can help you to manage your company's implementation of Application Guard. |Name|Supported versions|Description|Options| |-----------|------------------|-----------|-------| -|Configure Windows Defender Application Guard clipboard settings|Windows 10 Enterprise, 1709 or higher

    Windows 10 Pro, 1803|Determines whether Application Guard can use the clipboard functionality.|**Enabled.** Turns On the clipboard functionality and lets you choose whether to additionally:
    • Disable the clipboard functionality completely when Virtualization Security is enabled.
    • Enable copying of certain content from Application Guard into Microsoft Edge.
    • Enable copying of certain content from Microsoft Edge into Application Guard.

      **Important**
      Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.
    **Disabled or not configured.** Completely turns Off the clipboard functionality for Application Guard.| -|Configure Windows Defender Application Guard print settings|Windows 10 Enterprise, 1709 or higher

    Windows 10 Pro, 1803|Determines whether Application Guard can use the print functionality.|**Enabled.** Turns On the print functionality and lets you choose whether to additionally:
    • Enable Application Guard to print into the XPS format.
    • Enable Application Guard to print into the PDF format.
    • Enable Application Guard to print to locally attached printers.
    • Enable Application Guard to print from previously connected network printers. Employees can't search for additional printers.
    **Disabled or not configured.** Completely turns Off the print functionality for Application Guard.| -|Block enterprise websites to load non-enterprise content in IE and Edge|Windows 10 Enterprise, 1709 or higher

    Windows 10 Pro, 1803|Determines whether to allow Internet access for apps not included on the **Allowed Apps** list.|**Enabled.** Prevents network traffic from both Internet Explorer and Microsoft Edge to non-enterprise sites that can't render in the Application Guard container.**Note** This may also block assets cached by CDNs and references to analytics sites. Please add them to the trusted enterprise resources to avoid broken pages.

    **Disabled or not configured.** Allows Microsoft Edge to render network traffic to non-enterprise sites that can't render in Application Guard. | -|Allow Persistence|Windows 10 Enterprise, 1709 or higher

    Windows 10 Pro, 1803|Determines whether data persists across different sessions in Windows Defender Application Guard.|**Enabled.** Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.

    **Disabled or not configured.** All user data within Application Guard is reset between sessions.

    **Note**
    If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.
    **To reset the container:**
    1. Open a command-line program and navigate to Windows/System32.
    2. Type `wdagtool.exe cleanup`.
      The container environment is reset, retaining only the employee-generated data.
    3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`.
      The container environment is reset, including discarding all employee-generated data.
    | +|Configure Windows Defender Application Guard clipboard settings|Windows 10 Enterprise, 1709 or higher

    Windows 10 Pro, 1803 or higher|Determines whether Application Guard can use the clipboard functionality.|**Enabled.** Turns On the clipboard functionality and lets you choose whether to additionally:
    • Disable the clipboard functionality completely when Virtualization Security is enabled.
    • Enable copying of certain content from Application Guard into Microsoft Edge.
    • Enable copying of certain content from Microsoft Edge into Application Guard.

      **Important**
      Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.
    **Disabled or not configured.** Completely turns Off the clipboard functionality for Application Guard.| +|Configure Windows Defender Application Guard print settings|Windows 10 Enterprise, 1709 or higher

    Windows 10 Pro, 1803 or higher|Determines whether Application Guard can use the print functionality.|**Enabled.** Turns On the print functionality and lets you choose whether to additionally:
    • Enable Application Guard to print into the XPS format.
    • Enable Application Guard to print into the PDF format.
    • Enable Application Guard to print to locally attached printers.
    • Enable Application Guard to print from previously connected network printers. Employees can't search for additional printers.
    **Disabled or not configured.** Completely turns Off the print functionality for Application Guard.| +|Block enterprise websites to load non-enterprise content in IE and Edge|Windows 10 Enterprise, 1709 or higher|Determines whether to allow Internet access for apps not included on the **Allowed Apps** list.|**Enabled.** Prevents network traffic from both Internet Explorer and Microsoft Edge to non-enterprise sites that can't render in the Application Guard container.**Note** This may also block assets cached by CDNs and references to analytics sites. Please add them to the trusted enterprise resources to avoid broken pages.

    **Disabled or not configured.** Allows Microsoft Edge to render network traffic to non-enterprise sites that can't render in Application Guard. | +|Allow Persistence|Windows 10 Enterprise, 1709 or higher

    Windows 10 Pro, 1803 or higher|Determines whether data persists across different sessions in Windows Defender Application Guard.|**Enabled.** Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.

    **Disabled or not configured.** All user data within Application Guard is reset between sessions.

    **Note**
    If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.
    **To reset the container:**
    1. Open a command-line program and navigate to Windows/System32.
    2. Type `wdagtool.exe cleanup`.
      The container environment is reset, retaining only the employee-generated data.
    3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`.
      The container environment is reset, including discarding all employee-generated data.
    | |Turn on Windows Defender Application Guard in Enterprise Mode|Windows 10 Enterprise, 1709 or higher|Determines whether to turn on Application Guard for Microsoft Edge.|**Enabled.** Turns on Application Guard for Microsoft Edge, honoring the network isolation settings, rendering non-enterprise domains in the Application Guard container. Be aware that Application Guard won't actually be turned On unless the required prerequisites and network isolation settings are already set on the device.

    **Disabled.** Turns Off Application Guard, allowing all apps to run in Microsoft Edge.| -|Allow files to download to host operating system|Windows 10 Enterprise, 1803|Determines whether to save downloaded files to the host operating system from the Windows Defender Application Guard container.|**Enabled.** Allows users to save downloaded files from the Windows Defender Application Guard container to the host operating system.

    **Disabled or not configured.** Users are not able to saved downloaded files from Application Guard to the host operating system.| -|Allow hardware-accelerated rendering for Windows Defender Application Guard|Windows 10 Enterprise, version 1803

    (experimental only)|Determines whether Windows Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** Windows Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Windows Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Windows Defender Application Guard will automatically revert to software-based (CPU) rendering.

      **Important**
      Be aware that enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.

    **Disabled or not configured.** Windows Defender Application Guard uses software-based (CPU) rendering and won’t load any third-party graphics drivers or interact with any connected graphics hardware.

    **Note**
    This is an experimental feature in Windows 10 Enterprise, version 1803 and will not function without the presence of an additional registry key provided by Microsoft. If you would like to evaluate this feature on deployments of Windows 10 Enterprise, version 1803, please contact Microsoft for further information.| +|Allow files to download to host operating system|Windows 10 Enterprise, 1803 or higher|Determines whether to save downloaded files to the host operating system from the Windows Defender Application Guard container.|**Enabled.** Allows users to save downloaded files from the Windows Defender Application Guard container to the host operating system.

    **Disabled or not configured.** Users are not able to saved downloaded files from Application Guard to the host operating system.| +|Allow hardware-accelerated rendering for Windows Defender Application Guard|Windows 10 Enterprise, 1803 or higher

    Windows 10 Pro, 1803 or higher|Determines whether Windows Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** Windows Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Windows Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Windows Defender Application Guard will automatically revert to software-based (CPU) rendering.

      **Important**
      Be aware that enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.

    **Disabled or not configured.** Windows Defender Application Guard uses software-based (CPU) rendering and won’t load any third-party graphics drivers or interact with any connected graphics hardware.| +|Allow camera and microphone access in Windows Defender Application Guard|Windows 10 Enterprise, 1809 or higher

    Windows 10 Pro, 1809 or higher|Determines whether to allow camera and microphone access inside Windows Defender Application Guard.|**Enabled.** Applications inside Windows Defender Application Guard are able to access the camera and microphone on the user's device.

    **Important**
    Be aware that enabling this policy with a potentially compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge.

    **Disabled or not configured.** Applications inside Windows Defender Application Guard are unable to access the camera and microphone on the user's device.| +|Allow Windows Defender Application Guard to use Root Certificate Authorities from a user's device|Windows 10 Enterprise, 1809 or higher

    Windows 10 Pro, 1809 or higher|Determines whether Root Certificates are shared with Windows Defender Application Guard.|**Enabled.** Certificates matching the specified thumbprint are transferred into the container. Use a comma to separate multiple certificates.

    **Disabled or not configured.** Certificates are not shared with Windows Defender Application Guard.| +|Allow users to trust files that open in Windows Defender Application Guard|Windows 10 Enterprise, 1809 or higher|Determines whether users are able to manually trust untrusted files to open them on the host.|**Enabled.** Users are able to manually trust files or trust files after an antivirus check.

    **Disabled or not configured.** Users are unable to manually trust files and files continue to open in Windows Defender Application Guard.|
diff --git a/windows/security/threat-protection/windows-defender-application-guard/images/appguard-gp-allow-camera-and-mic.png b/windows/security/threat-protection/windows-defender-application-guard/images/appguard-gp-allow-camera-and-mic.png
new file mode 100644
index 0000000000..3c1b046b93
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-guard/images/appguard-gp-allow-camera-and-mic.png differ
diff --git a/windows/security/threat-protection/windows-defender-application-guard/images/appguard-gp-allow-root-certificates.png b/windows/security/threat-protection/windows-defender-application-guard/images/appguard-gp-allow-root-certificates.png
new file mode 100644
index 0000000000..78552bf6db
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-guard/images/appguard-gp-allow-root-certificates.png differ
diff --git a/windows/security/threat-protection/windows-defender-application-guard/images/appguard-gp-allow-users-to-trust-files-that-open-in-appguard.png b/windows/security/threat-protection/windows-defender-application-guard/images/appguard-gp-allow-users-to-trust-files-that-open-in-appguard.png
new file mode 100644
index 0000000000..08cb4d5676
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-guard/images/appguard-gp-allow-users-to-trust-files-that-open-in-appguard.png differ
diff --git a/windows/security/threat-protection/windows-defender-application-guard/images/appguard-security-center-settings.png b/windows/security/threat-protection/windows-defender-application-guard/images/appguard-security-center-settings.png
new file mode 100644
index 0000000000..9e58d99ead
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-guard/images/appguard-security-center-settings.png differ
diff --git a/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md
index b05ad26647..e7f9fe2f97 100644
--- a/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md
+++ b/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md
@@ -8,7 +8,7 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: justinha
 ms.author: justinha
-ms.date: 10/19/2017
+ms.date: 10/16/2018
 ---
 # Application Guard testing scenarios
@@ -66,9 +66,9 @@ Before you can use Application Guard in enterprise mode, you must install Window
 ![Group Policy editor with Neutral resources setting](images/appguard-gp-network-isolation-neutral.png)
-4. Go to the **Administrative Templates\System\Windows Components\Windows Defender Application Guard\Turn on Windows Defender Application Guard in Enterprise Mode** setting.
+4. Go to the **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard\Turn on Windows Defender Application Guard in Enterprise Mode** setting.
-5. Click **Enabled**.
+5. Click **Enabled** and click **OK**.
 ![Group Policy editor with Turn On/Off setting](images/appguard-gp-turn-on.png)
@@ -104,10 +104,11 @@ You have the option to change each of these settings to work with your enterpris
 - Windows 10 Enterpise edition, version 1709 or higher
 - Windows 10 Professional edition, version 1803
-**To change the copy and paste options**
-1. Go to the **Administrative Templates\System\Windows Components\Windows Defender Application Guard\Configure Windows Defender Application Guard clipboard settings**.
+#### Copy and paste options
-2. Click **Enabled**.
+1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard\Configure Windows Defender Application Guard clipboard settings**.
+
+2. Click **Enabled** and click **OK**.
 ![Group Policy editor clipboard options](images/appguard-gp-clipboard.png)
@@ -129,10 +130,11 @@ You have the option to change each of these settings to work with your enterpris
 5. Click **OK**.
-**To change the print options**
-1. Go to the **Administrative Templates\System\Windows Components\Windows Defender Application Guard\Configure Windows Defender Application Guard print** settings.
+#### Print options
-2. Click **Enabled**.
+1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard\Configure Windows Defender Application Guard print** settings.
+
+2. Click **Enabled** and click **OK**.
 ![Group Policy editor Print options](images/appguard-gp-print.png)
@@ -140,10 +142,11 @@ You have the option to change each of these settings to work with your enterpris
 4. Click **OK**.
-**To change the data persistence options**
-1. Go to the **Administrative Templates\System\Windows Components\Windows Defender Application Guard\Allow data persistence for Windows Defender Application Guard** setting.
+#### Data persistence options
-2. Click **Enabled**.
+1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard\Allow data persistence for Windows Defender Application Guard** setting.
+
+2. Click **Enabled** and click **OK**.
 ![Group Policy editor Data Persistence options](images/appguard-gp-persistence.png)
@@ -164,10 +167,11 @@ You have the option to change each of these settings to work with your enterpris
 - Windows 10 Enterpise edition, version 1803
 - Windows 10 Professional edition, version 1803
-**To change the download options**
-1. Go to the **Administrative Templates\System\Windows Components\Windows Defender Application Guard\Allow files to download and save to the host operating system from Windows Defender Application Guard** setting.
+#### Download options
-2. Click **Enabled**.
+1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard\Allow files to download and save to the host operating system from Windows Defender Application Guard** setting.
+
+2. Click **Enabled** and click **OK**.
 ![Group Policy editor Download options](images/appguard-gp-download.png)
@@ -177,16 +181,57 @@ You have the option to change each of these settings to work with your enterpris
 5. Check to see the file has been downloaded into This PC > Downloads > Untrusted files.
-**To change hardware acceleration options**
-1. Go to the **Administrative Templates\System\Windows Components\Windows Defender Application Guard\Allow hardware-accelerated rendering for Windows Defender Application Guard** setting.
+#### Hardware acceleration options
-2. Click **Enabled**.
+1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard\Allow hardware-accelerated rendering for Windows Defender Application Guard** setting.
+
+2. Click **Enabled** and click **OK**.
 ![Group Policy editor hardware acceleration options](images/appguard-gp-vgpu.png)
-3. Contact Microsoft for further information to fully enable this setting.
+3. Once you have enabled this feature, open Microsoft Edge and browse to an untrusted, but safe URL with video, 3D, or other graphics-intensive content. The website opens in an isolated session.
-4. Once you have fully enabled this experimental feature, open Microsoft Edge and browse to an untrusted, but safe URL with video, 3D, or other graphics-intensive content. The website opens in an isolated session.
+4. Assess the visual experience and battery performance.
-5. Assess the visual experience and battery performance.
+**Applies to:**
+- Windows 10 Enterpise edition, version 1809
+- Windows 10 Professional edition, version 1809
+
+#### File trust options
+
+1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard\Allow users to trust files that open in Windows Defender Application Guard** setting.
+
+2. Click **Enabled**, set **Options** to 2, and click **OK**.
+
+ ![Group Policy editor Download options](images/appguard-gp-allow-users-to-trust-files-that-open-in-appguard.png)
+
+3. 
Log out and back on to your device, opening Microsoft Edge in Application Guard again.
+
+4. Open a file in Edge, such an Office 365 file.
+
+5. Check to see that an antivirus scan completed before the file was opened.
+
+#### Camera and microphone options
+
+1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard\Allow camera and microphone access in Windows Defender Application Guard** setting.
+
+2. Click **Enabled** and click **OK**.
+
+ ![Group Policy editor Download options](images/appguard-gp-allow-camera-and-mic.png)
+
+3. Log out and back on to your device, opening Microsoft Edge in Application Guard again.
+
+4. Open an application with video or audio capability in Edge.
+
+5. Check that the camera and microphone work as expected.
+
+#### Root certificate sharing options
+
+1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard\Allow Windows Defender Application Guard to use Root Certificate Authorities from the user's device** setting.
+
+2. Click **Enabled**, copy the thumbprint of each certificate to share, separated by a comma, and click **OK**.
+
+ ![Group Policy editor Download options](images/appguard-gp-allow-root-certificates.png)
+
+3. Log out and back on to your device, opening Microsoft Edge in Application Guard again.
diff --git a/windows/security/threat-protection/windows-defender-atp/TOC.md b/windows/security/threat-protection/windows-defender-atp/TOC.md
index deb8c0e185..f05f3f551f 100644
--- a/windows/security/threat-protection/windows-defender-atp/TOC.md
+++ b/windows/security/threat-protection/windows-defender-atp/TOC.md
@@ -16,6 +16,13 @@
 #### [Security operations dashboard](security-operations-dashboard-windows-defender-advanced-threat-protection.md)
+
+#### [Incidents queue](incidents-queue.md)
+##### [View and organize the Incidents queue](view-incidents-queue.md)
+##### [Manage incidents](manage-incidents-windows-defender-advanced-threat-protection.md)
+##### [Investigate incidents](investigate-incidents-windows-defender-advanced-threat-protection.md)
+
+
 #### Alerts queue
 ##### [View and organize the Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md)
 ##### [Manage alerts](manage-alerts-windows-defender-advanced-threat-protection.md)
@@ -89,11 +96,12 @@
 ###### [Get alert related file information](get-alert-related-files-info-windows-defender-advanced-threat-protection.md)
 ###### [Get alert related IP information](get-alert-related-ip-info-windows-defender-advanced-threat-protection.md)
 ###### [Get alert related machine information](get-alert-related-machine-info-windows-defender-advanced-threat-protection.md)
-######Domain
-####### [Get domain related alerts](get-domain-related-alerts-windows-defender-advanced-threat-protection.md)
-####### [Get domain related machines](get-domain-related-machines-windows-defender-advanced-threat-protection.md)
-####### [Get domain statistics](get-domain-statistics-windows-defender-advanced-threat-protection.md)
-####### [Is domain seen in organization](is-domain-seen-in-org-windows-defender-advanced-threat-protection.md)
+
+#####Domain
+###### [Get domain related alerts](get-domain-related-alerts-windows-defender-advanced-threat-protection.md)
+###### [Get domain related machines](get-domain-related-machines-windows-defender-advanced-threat-protection.md)
+###### [Get domain statistics](get-domain-statistics-windows-defender-advanced-threat-protection.md)
+###### [Is domain seen in organization](is-domain-seen-in-org-windows-defender-advanced-threat-protection.md)
 #####File
 ###### [Block file API](block-file-windows-defender-advanced-threat-protection.md)
@@ -129,18 +137,25 @@
 ###### [Restrict app execution API](restrict-code-execution-windows-defender-advanced-threat-protection.md)
 ###### [Run antivirus scan API](run-av-scan-windows-defender-advanced-threat-protection.md)
 ###### [Stop and quarantine file API](stop-quarantine-file-windows-defender-advanced-threat-protection.md)
-
+#####Machines Security States
+###### [Get MachineSecurityStates collection](get-machinesecuritystates-collection-windows-defender-advanced-threat-protection.md)
+#####Machine Groups
+###### [Get MachineGroups collection](get-machinegroups-collection-windows-defender-advanced-threat-protection.md)
 #####User
 ###### [Get alert related user information](get-alert-related-user-info-windows-defender-advanced-threat-protection.md)
 ###### [Get user information](get-user-information-windows-defender-advanced-threat-protection.md)
 ###### [Get user related alerts](get-user-related-alerts-windows-defender-advanced-threat-protection.md)
 ###### [Get user related machines](get-user-related-machines-windows-defender-advanced-threat-protection.md)
+#####Windows updates (KB) info
+###### [Get KbInfo collection](get-kbinfo-collection-windows-defender-advanced-threat-protection.md)
+#####Common Vulnerabilities and Exposures (CVE) to KB map
+###### [Get CVE-KB map](get-cvekbmap-collection-windows-defender-advanced-threat-protection.md)
 #### [Managed security service provider support](mssp-support-windows-defender-advanced-threat-protection.md)
-### [Microsoft threat protection](threat-protection-integration.md)
+### [Microsoft Threat Protection](threat-protection-integration.md)
 #### [Protect users, data, and devices with conditional access](conditional-access-windows-defender-advanced-threat-protection.md)
 #### [Microsoft Cloud App Security integration overview](microsoft-cloud-app-security-integration.md)
@@ -305,7 +320,7 @@ #### [Configure managed security service provider (MSSP) support](configure-mssp-support-windows-defender-advanced-threat-protection.md) -### Configure Microsoft threat protection integration +### Configure Microsoft Threat Protection integration #### [Configure conditional access](configure-conditional-access-windows-defender-advanced-threat-protection.md) #### [Configure Microsoft Cloud App Security integration](microsoft-cloud-app-security-config.md) diff --git a/windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md index e8f8e79356..0e82c47568 100644 --- a/windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Configure advanced features in Windows Defender ATP description: Turn on advanced features such as block file in Windows Defender Advanced Threat Protection. keywords: advanced features, settings, block file, automated investigation, auto-resolve, skype, azure atp, office 365, azure information protection, intune search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md index fd419d2f79..d215d46fec 100644 --- a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md 
+++ b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md
@@ -3,6 +3,7 @@ title: Advanced hunting best practices in Windows Defender ATP
 description: Learn about Advanced hunting best practices such as what filters and keywords to use to effectively query data.
 keywords: advanced hunting, best practices, keyword, filters, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics
 search.product: eADQiWindows 10XVcnh
+search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md
index b594ad69f0..8a99a90642 100644
--- a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md
@@ -3,6 +3,7 @@ title: Advanced hunting reference in Windows Defender ATP
 description: Learn about Advanced hunting table reference such as column name, data type, and description
 keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description
 search.product: eADQiWindows 10XVcnh
+search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md
index 3eb5787182..316fdb9dd1 100644
--- a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md
@@ -3,6 +3,7 @@ title: Query data using Advanced hunting in Windows Defender ATP
 description: Learn about Advanced hunting in Windows Defender ATP and how to query ATP data.
 keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics
 search.product: eADQiWindows 10XVcnh
+search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-atp/alerts-queue-endpoint-detection-response.md b/windows/security/threat-protection/windows-defender-atp/alerts-queue-endpoint-detection-response.md
index cce2d0c0a3..6ffa18b0b6 100644
--- a/windows/security/threat-protection/windows-defender-atp/alerts-queue-endpoint-detection-response.md
+++ b/windows/security/threat-protection/windows-defender-atp/alerts-queue-endpoint-detection-response.md
@@ -3,6 +3,7 @@ title: Alerts queue in Windows Defender Security Center
 description: View and manage the alerts surfaced in Windows Defender Security Center
 keywords:
 search.product: eADQiWindows 10XVcnh
+search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md
index 526668ad8c..cc70b589cc 100644
--- a/windows/security/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md
@@ -3,6 +3,7 @@ title: View and organize the Windows Defender ATP Alerts queue
 description: Learn about how the Windows Defender ATP alerts queues work, and how to sort and filter lists of alerts.
 keywords: alerts, queues, alerts queue, sort, order, filter, manage alerts, new, in progress, resolved, newest, time in queue, severity, time period
 search.product: eADQiWindows 10XVcnh
+search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md
index ee57104d76..385dfdea3a 100644
--- a/windows/security/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md
@@ -3,6 +3,7 @@ title: Windows Defender ATP alert API fields
 description: Understand how the alert API fields map to the values in Windows Defender Security Center
 keywords: alerts, alert fields, fields, api, fields, pull alerts, rest api, request, response
 search.product: eADQiWindows 10XVcnh
+search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md
index 68c07126d2..0bd1a15c11 100644
--- a/windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md
@@ -3,6 +3,7 @@ title: Assign user access to Windows Defender Security Center
 description: Assign read and write or read only access to the Windows Defender Advanced Threat Protection portal.
 keywords: assign user roles, assign read and write access, assign read only access, user, user roles, roles
 search.product: eADQiWindows 10XVcnh
+search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-atp/attack-simulations-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/attack-simulations-windows-defender-advanced-threat-protection.md
index 2dc0691f2a..ab1b1ae399 100644
--- a/windows/security/threat-protection/windows-defender-atp/attack-simulations-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/attack-simulations-windows-defender-advanced-threat-protection.md
@@ -3,6 +3,7 @@ title: Experience Windows Defender ATP through simulated attacks
 description: Run the provided attack scenario simulations to experience how Windows Defender ATP can detect, investigate, and respond to breaches.
 keywords: wdatp, test, scenario, attack, simulation, simulated, diy, windows defender advanced threat protection
 search.product: eADQiWindows 10XVcnh
+search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md
index a1c25550d8..e5750beb78 100644
--- a/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md
@@ -3,6 +3,7 @@ title: Use Automated investigations to investigate and remediate threats
 description: View the list of automated investigations, its status, detection source and other details.
 keywords: automated, investigation, detection, source, threat types, id, tags, machines, duration, filter export
 search.product: eADQiWindows 10XVcnh
+search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-atp/basic-permissions-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/basic-permissions-windows-defender-advanced-threat-protection.md
index 6c995b3429..9835695e87 100644
--- a/windows/security/threat-protection/windows-defender-atp/basic-permissions-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/basic-permissions-windows-defender-advanced-threat-protection.md
@@ -3,6 +3,7 @@ title: Use basic permissions to access Windows Defender Security Center
 description: Assign read and write or read only access to the Windows Defender Advanced Threat Protection portal.
 keywords: assign user roles, assign read and write access, assign read only access, user, user roles, roles
 search.product: eADQiWindows 10XVcnh
+search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md
index 933ac113b2..077304ed7f 100644
--- a/windows/security/threat-protection/windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md
@@ -3,6 +3,7 @@ title: Block file API
 description: Use this API to blocking files from being running in the organization.
 keywords: apis, graph api, supported apis, block file
 search.product: eADQiWindows 10XVcnh
+search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md
index 5841eedc07..c2b79d845d 100644
--- a/windows/security/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md
@@ -3,6 +3,7 @@ title: Check the health state of the sensor in Windows Defender ATP
 description: Check the sensor health on machines to identify which ones are misconfigured, inactive, or are not reporting sensor data.
 keywords: sensor, sensor health, misconfigured, inactive, no sensor data, sensor data, impaired communications, communication
 search.product: eADQiWindows 10XVcnh
+search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md
index 1d19deb5cb..278068d40a 100644
--- a/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md
@@ -3,6 +3,7 @@ title: Collect investigation package API
 description: Use this API to create calls related to the collecting an investigation package from a machine.
 keywords: apis, graph api, supported apis, collect investigation package
 search.product: eADQiWindows 10XVcnh
+search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-atp/community-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/community-windows-defender-advanced-threat-protection.md
index 295192756c..4221621c34 100644
--- a/windows/security/threat-protection/windows-defender-atp/community-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/community-windows-defender-advanced-threat-protection.md
@@ -3,6 +3,7 @@ title: Access the Windows Defender ATP Community Center
 description: Access the Windows Defender ATP Community Center to share experiences, engange, and learn about the product.
 keywords: community, community center, tech community, conversation, announcements
 search.product: eADQiWindows 10XVcnh
+search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection.md
index 3ff19840f0..72d6473f97 100644
--- a/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection.md
@@ -3,6 +3,7 @@ title: Enable conditional access to better protect users, devices, and data
 description: Enable conditional access to prevent applications from running if a device is considered at risk and an application is determined to be non-compliant.
 keywords: conditional access, block applications, security level, intune,
 search.product: eADQiWindows 10XVcnh
+search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md
index 922143b7f4..fabaf74f07 100644
--- a/windows/security/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md
@@ -3,6 +3,7 @@ title: Configure HP ArcSight to pull Windows Defender ATP alerts
 description: Configure HP ArcSight to receive and pull alerts from Windows Defender Security Center
 keywords: configure hp arcsight, security information and events management tools, arcsight
 search.product: eADQiWindows 10XVcnh
+search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-atp/configure-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-atp/configure-attack-surface-reduction.md
index f48dd12b3e..0c6419eb05 100644
--- a/windows/security/threat-protection/windows-defender-atp/configure-attack-surface-reduction.md
+++ b/windows/security/threat-protection/windows-defender-atp/configure-attack-surface-reduction.md
@@ -3,6 +3,7 @@ title:
 description:
 keywords:
 search.product: eADQiWindows 10XVcnh
+search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
@@ -33,6 +34,6 @@ Topic | Description [Exploit protection](../windows-defender-exploit-guard/enable-exploit-protection.md)|How to automatically apply exploit mitigation techniques on both operating system processes and on individual apps [Network protection](../windows-defender-exploit-guard/enable-network-protection.md)|How to prevent users from using any apps to acces dangerous domains [Controlled folder access](../windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md)|How to protect valuable data from malicious apps -[Attack surface reduction](../windows-defender-exploit-guard/enable-attack-surface-reduction.md)|How to prevent actions and aopps that are typically used for by exploit-seeking malware +[Attack surface reduction](../windows-defender-exploit-guard/enable-attack-surface-reduction.md)|How to prevent actions and apps that are typically used for by exploit-seeking malware [Network firewall](../windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md)|How to protect devices and data across a network diff --git a/windows/security/threat-protection/windows-defender-atp/configure-conditional-access-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-conditional-access-windows-defender-advanced-threat-protection.md index 7e52942346..a0cc6dab70 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-conditional-access-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-conditional-access-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Configure conditional access in Windows Defender ATP description: keywords: search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library 
diff --git a/windows/security/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md index 1d3703c9be..16d4c73d26 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Configure alert notifications in Windows Defender ATP description: Send email notifications to specified recipients to receive new alerts based on severity with Windows Defender ATP on Windows 10 Enterprise, Pro, and Education editions. keywords: email notifications, configure alert notifications, windows defender atp notifications, windows defender atp alerts, windows 10 enterprise, windows 10 education search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -10,14 +11,12 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 07/16/2018 +ms.date: 10/08/2018 --- # Configure alert notifications in Windows Defender ATP **Applies to:** - - - Windows Defender Advanced Threat Protection (Windows Defender ATP) diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md index ba9cdde442..3ca88add4f 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md 
+++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Onboard Windows 10 machines using Group Policy to Windows Defender ATP description: Use Group Policy to deploy the configuration package on Windows 10 machines so that they are onboarded to the service. keywords: configure machines using group policy, machine management, configure Windows ATP machines, onboard Windows Defender Advanced Threat Protection machines, group policy search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -86,30 +87,6 @@ You can use Group Policy (GP) to configure settings, such as settings for the sa >[!NOTE] > If you don't set a value, the default value is to enable sample collection. -### Configure reporting frequency settings -Windows Defender ATP reporting frequency was tested over a large number of machines and is optimized to provide a recommended balance between speed and performance. - -In cases where high-value assets or machines are at high risk, you can configure the reporting frequency to expedite mode, allowing the machine to report at a higher frequency. - -> [!NOTE] -> Using the Expedite mode might have an impact on the machine's battery usage and actual bandwidth used for sensor data. You should consider this when these measures are critical. - -For each machine, you can configure a registry key value that determines how frequent a machine reports sensor data to the portal. - -The configuration is set through the following registry key entry: - -``` -Path: “HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection” -Name: "latency" -Value: Normal or Expedite -``` -Where:
    -Key type is a string.
    -Possible values are: -- Normal - sets reporting frequency from the machine to Normal mode for the optimal speed and performance balance -- Expedite - sets reporting frequency from the machine to Expedite mode - -The default value in case the registry key doesn’t exist is Normal. ## Offboard machines using Group Policy For security reasons, the package used to Offboard machines will expire 30 days after the date it was downloaded. Expired offboarding packages sent to a machine will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name. diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md index c9a8e4b1b1..69c7fa6817 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Onboard Windows 10 machines using Mobile Device Management tools description: Use Mobile Device Management tools to deploy the configuration package on machines so that they are onboarded to the service. keywords: onboard machines using mdm, machine management, onboard Windows ATP machines, onboard Windows Defender Advanced Threat Protection machines, mdm search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library 
diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md index 71b333c546..e5fa2adf95 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md @@ -3,20 +3,21 @@ title: Onboard non-Windows machines to the Windows Defender ATP service description: Configure non-Winodws machines so that they can send sensor data to the Windows Defender ATP service. keywords: onboard non-Windows machines, macos, linux, machine management, configure Windows ATP machines, configure Windows Defender Advanced Threat Protection machines search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: mjcaparas ms.localizationpriority: medium -ms.date: 04/24/2018 +ms.date: 10/03/2018 --- # Onboard non-Windows machines **Applies to:** -- macOS X +- macOS - Linux - Windows Defender Advanced Threat Protection (Windows Defender ATP) 
@@ -26,7 +27,7 @@ ms.date: 04/24/2018 Windows Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in Windows Defender Security Center and better protect your organization's network. This experience leverages on a third-party security products’ sensor data. -You'll need to know the exact Linux distros and macOS X versions that are compatible with Windows Defender ATP for the integration to work. +You'll need to know the exact Linux distros and macOS versions that are compatible with Windows Defender ATP for the integration to work. You'll need to take the following steps to onboard non-Windows machines: 1. Turn on third-party integration diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md index d0bf0a6cbd..6758d81fd7 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Onboard Windows 10 machines using System Center Configuration Manager description: Use System Center Configuration Manager to deploy the configuration package on machines so that they are onboarded to the service. keywords: onboard machines using sccm, machine management, configure Windows ATP machines, configure Windows Defender Advanced Threat Protection machines, sccm search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library 
@@ -89,30 +90,6 @@ The default value in case the registry key doesn’t exist is 1. For more information about System Center Configuration Manager Compliance see [Compliance Settings in Configuration Manager](https://technet.microsoft.com/library/gg681958.aspx). -### Configure reporting frequency settings -Windows Defender ATP reporting frequency was tested over a large number of machines and is optimized to provide a recommended balance between speed and performance. - -In cases where high-value assets or machines are at high risk, you can configure the reporting frequency to expedite mode, allowing the machine to report at a higher frequency. - -> [!NOTE] -> Using the Expedite mode might have an impact on the machine's battery usage and actual bandwidth used for sensor data. You should consider this when these measures are critical. - -For each machine, you can configure a registry key value that determines how frequent a machine reports sensor data to the portal. - -The configuration is set through the following registry key entry: - -``` -Path: “HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection” -Name: "latency" -Value: Normal or Expedite -``` -Where:
    -Key type is a string.
    -Possible values are: -- Normal - sets reporting frequency from the machine to Normal mode for the optimal speed and performance balance -- Expedite - sets reporting frequency from the machine to Expedite mode - -The default value in case the registry key doesn’t exist is Normal. ## Offboard machines using System Center Configuration Manager diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md index ea54c42092..04ac622d7d 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Onboard Windows 10 machines using a local script description: Use a local script to deploy the configuration package on machines so that they are onboarded to the service. keywords: configure machines using a local script, machine management, configure Windows ATP machines, configure Windows Defender Advanced Threat Protection machines search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md index 7f15b0fc5c..caa1e6b2b4 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md 
@@ -3,6 +3,7 @@ title: Onboard non-persistent virtual desktop infrastructure (VDI) machines
 description: Deploy the configuration package on virtual desktop infrastructure (VDI) machine so that they are onboarded to Windows Defender ATP the service.
 keywords: configure virtual desktop infrastructure (VDI) machine, vdi, machine management, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints
 search.product: eADQiWindows 10XVcnh
+search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md
index 8b93f17477..8a41625b88 100644
--- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md
@@ -3,6 +3,7 @@ title: Onboard Windows 10 machines on Windows Defender ATP
 description: Onboard Windows 10 machines so that they can send sensor data to the Windows Defender ATP sensor
 keywords: Onboard Windows 10 machines, group policy, system center configuration manager, mobile device management, local script, gp, sccm, mdm, intune
 search.product: eADQiWindows 10XVcnh
+search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-atp/configure-mssp-support-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-mssp-support-windows-defender-advanced-threat-protection.md
index 82a78124e7..1dfed290f7 100644
--- a/windows/security/threat-protection/windows-defender-atp/configure-mssp-support-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/configure-mssp-support-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Configure managed security service provider support description: Take the necessary steps to configure the MSSP integration with Windows Defender ATP keywords: managed security service provider, mssp, configure, integration search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -20,7 +21,7 @@ ms.date: 09/03/2018 >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-mssp-support-abovefoldlink) -[!include[Prereleaseinformation](prerelease.md)] +[!include[Prerelease information](prerelease.md)] You'll need to take the following configuration steps to enable the managed security service provider (MSSP) integration. @@ -58,7 +59,7 @@ This action is taken by the MSSP. It allows MSSPs to fetch alerts using APIs. >[!NOTE] > These set of steps are directed towards the MSSP customer.
    -> Access to the portal can can only be done by the MSSP customer. +> Access to the portal can only be done by the MSSP customer. As a MSSP customer, you'll need to take the following configuration steps to grant the MSSP access to Windows Defender Security Center. @@ -269,7 +270,7 @@ You'll need to have **Manage portal system settings** permission to whitelist th You can now download the relevant configuration file for your SIEM and connect to the Windows Defender ATP API. For more information see, [Pull alerts to your SIEM tools](configure-siem-windows-defender-advanced-threat-protection.md). -- In the ArcSight configuration file / Splunk Authentication Properties file you will have to write your application key manually by settings the secret value. +- In the ArcSight configuration file / Splunk Authentication Properties file – you will have to write your application key manually by settings the secret value. - Instead of acquiring a refresh token in the portal, use the script from the previous step to acquire a refresh token (or acquire it by other means). ## Fetch alerts from MSSP customer's tenant using APIs diff --git a/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md index 4456ba11e8..4b2c89021e 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md 
@@ -3,6 +3,7 @@ title: Configure machine proxy and Internet connection settings description: Configure the Windows Defender ATP proxy and internet settings to enable communication with the cloud service. keywords: configure, proxy, internet, internet connectivity, settings, proxy settings, netsh, winhttp, proxy server search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md index d31a895006..736da12933 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md @@ -3,13 +3,14 @@ title: Onboard servers to the Windows Defender ATP service description: Onboard servers so that they can send sensor data to the Windows Defender ATP sensor. keywords: onboard server, server, 2012r2, 2016, 2019, server onboarding, machine management, configure Windows ATP servers, onboard Windows Defender Advanced Threat Protection servers search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: mjcaparas ms.localizationpriority: medium -ms.date: 09/06/2018 +ms.date: 10/09/2018 --- # Onboard servers to the Windows Defender ATP service 
@@ -35,6 +36,9 @@ The service supports the onboarding of the following servers: - Windows Server, version 1803 - Windows Server 2019 + +For a practical guidance on what needs to be in place for licensing and infrastructure, see [Protecting Windows Servers with Windows Defender ATP](https://techcommunity.microsoft.com/t5/What-s-New/Protecting-Windows-Server-with-Windows-Defender-ATP/m-p/267114#M128). + ## Windows Server 2012 R2 and Windows Server 2016 To onboard Windows Server 2012 R2 and Windows Server 2016 to Windows Defender ATP, you’ll need to: @@ -130,6 +134,9 @@ To onboard Windows Server, version 1803 or Windows Server 2019, use the same met ## Integration with Azure Security Center Windows Defender ATP integrates with Azure Security Center to provide a comprehensive server protection solution. With this integration Azure Security Center can leverage the power of Windows Defender ATP to provide improved threat detection for Windows Servers. +>[!NOTE] +>You'll need to have the appropriate license to enable this feature. + The following capabilities are included in this integration: - Automated onboarding - Windows Defender ATP sensor is automatically enabled on Windows Servers that are onboarded to Azure Security Center. For more information on Azure Security Center onboarding, see [Onboarding to Azure Security Center Standard for enhanced security](https://docs.microsoft.com/en-us/azure/security-center/security-center-onboarding). diff --git a/windows/security/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md index 5c36c805e4..84bdc39057 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md 
@@ -3,6 +3,7 @@ title: Pull alerts to your SIEM tools from Windows Defender Advanced Threat Prot
 description: Learn how to use REST API and configure supported security information and events management tools to receive and pull alerts.
 keywords: configure siem, security information and events management tools, splunk, arcsight, custom indicators, rest api, alert definitions, indicators of compromise
 search.product: eADQiWindows 10XVcnh
+search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md
index 03f3013863..b9cd80ca8b 100644
--- a/windows/security/threat-protection/windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md
@@ -3,6 +3,7 @@ title: Configure Splunk to pull Windows Defender ATP alerts
 description: Configure Splunk to receive and pull alerts from Windows Defender Security Center.
 keywords: configure splunk, security information and events management tools, splunk
 search.product: eADQiWindows 10XVcnh
+search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-atp/custom-detection-rules.md b/windows/security/threat-protection/windows-defender-atp/custom-detection-rules.md
index e9d21b6f95..2d717ef457 100644
--- a/windows/security/threat-protection/windows-defender-atp/custom-detection-rules.md
+++ b/windows/security/threat-protection/windows-defender-atp/custom-detection-rules.md
@@ -3,6 +3,7 @@ title: Create custom detection rules in Windows Defender ATP
 description: Learn how to create custom detections rules based on advanced hunting queries
 keywords: create custom detections, detections, advanced hunting, hunt, detect, query
 search.product: eADQiWindows 10XVcnh
+search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md
index 229300b01e..622309fb3f 100644
--- a/windows/security/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md
@@ -3,6 +3,7 @@ title: Create custom alerts using the threat intelligence API
 description: Create your custom alert definitions and indicators of compromise in Windows Defender ATP using the available APIs in Windows Enterprise, Education, and Pro editions.
 keywords: alert definitions, indicators of compromise, threat intelligence, custom threat intelligence, rest api, api
 search.product: eADQiWindows 10XVcnh
+search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-atp/data-retention-settings-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/data-retention-settings-windows-defender-advanced-threat-protection.md
index b98dc92230..44863a8a91 100644
--- a/windows/security/threat-protection/windows-defender-atp/data-retention-settings-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/data-retention-settings-windows-defender-advanced-threat-protection.md
@@ -3,6 +3,7 @@ title: Update data retention settings for Windows Defender Advanced Threat Prote
 description: Update data retention settings by selecting between 30 days to 180 days.
 keywords: data, storage, settings, retention, update
 search.product: eADQiWindows 10XVcnh
+search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md
index 1efa791236..ca3fa2ed76 100644
--- a/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md
@@ -3,6 +3,7 @@ title: Windows Defender ATP data storage and privacy
 description: Learn about how Windows Defender ATP handles privacy and data that it collects.
 keywords: Windows Defender ATP data storage and privacy, storage, privacy, licensing, geolocation, data retention, data
 search.product: eADQiWindows 10XVcnh
+search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md
index 80d84f08c0..ece3b28679 100644
--- a/windows/security/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md
@@ -3,6 +3,7 @@ title: Windows Defender Antivirus compatibility with Windows Defender ATP
 description: Learn about how Windows Defender works with Windows Defender ATP and how it functions when a third-party antimalware client is used.
 keywords: windows defender compatibility, defender, windows defender atp
 search.product: eADQiWindows 10XVcnh
+search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md
index 4896e983e7..1010fe1684 100644
--- a/windows/security/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md
@@ -3,6 +3,7 @@ title: Enable the custom threat intelligence API in Windows Defender ATP
 description: Learn how to setup the custom threat intelligence application in Windows Defender ATP to create custom threat intelligence (TI).
 keywords: enable custom threat intelligence application, custom ti application, application name, client id, authorization url, resource, client secret, access tokens
 search.product: eADQiWindows 10XVcnh
+search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-atp/enable-secure-score-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/enable-secure-score-windows-defender-advanced-threat-protection.md
index 1afddb33b9..1e416dcaa7 100644
--- a/windows/security/threat-protection/windows-defender-atp/enable-secure-score-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/enable-secure-score-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Enable Secure Score in Windows Defender ATP description: Set the baselines for calculating the score of Windows Defender security controls on the Secure Score dashboard. keywords: enable secure score, baseline, calculation, analytics, score, secure score dashboard, dashboard search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/security/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md index 123c537dc8..d160ae5c3a 100644 --- a/windows/security/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Enable SIEM integration in Windows Defender ATP description: Enable SIEM integration to receive alerts in your security information and event management (SIEM) solution. keywords: enable siem connector, siem, connector, security information and events search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -10,14 +11,12 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 04/24/2018 +ms.date: 10/08/2018 --- # Enable SIEM integration in Windows Defender ATP **Applies to:** - - - Windows Defender Advanced Threat Protection (Windows Defender ATP) 
@@ -54,7 +53,8 @@ Enable security information and event management (SIEM) integration so you can p You can now proceed with configuring your SIEM solution or connecting to the alerts REST API through programmatic access. You'll need to use the tokens when configuring your SIEM solution to allow it to receive alerts from Windows Defender Security Center. - +## Integrate Windows Defender ATP with IBM QRadar +You can configure IBM QRadar to collect alerts from Windows Defender ATP. For more information, see [IBM Knowledge Center](https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/c_dsm_guide_MS_Win_Defender_ATP_overview.html?cp=SS42VS_7.3.1). ## Related topics - [Configure Splunk to pull Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/windows-defender-atp/evaluate-atp.md b/windows/security/threat-protection/windows-defender-atp/evaluate-atp.md index 760908772b..439774a08a 100644 --- a/windows/security/threat-protection/windows-defender-atp/evaluate-atp.md +++ b/windows/security/threat-protection/windows-defender-atp/evaluate-atp.md @@ -3,6 +3,7 @@ title: Evaluate Windows Defender Advanced Threat Protection description: keywords: search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/security/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md index 03354b9f6a..4f2681cf36 100644 --- a/windows/security/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md 
@@ -3,6 +3,7 @@ title: Review events and errors using Event Viewer
 description: Get descriptions and further troubleshooting steps (if required) for all events reported by the Windows Defender ATP service.
 keywords: troubleshoot, event viewer, log summary, failure code, failed, Windows Defender Advanced Threat Protection service, cannot start, broken, can't start
 search.product: eADQiWindows 10XVcnh
+search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md
index 68a5bbfdf5..e0399dc1d9 100644
--- a/windows/security/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md
@@ -3,6 +3,7 @@ title: Experiment with custom threat intelligence alerts
 description: Use this end-to-end guide to start using the Windows Defender ATP threat intelligence API.
 keywords: alert definitions, indicators of compromise, threat intelligence, custom threat intelligence, rest api, api
 search.product: eADQiWindows 10XVcnh
+search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md
index 860ff1eee2..2a7197649c 100644
--- a/windows/security/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md
@@ -3,6 +3,7 @@ title: Use the Windows Defender Advanced Threat Protection exposed APIs
 description: Use the exposed data and actions using a set of progammatic APIs that are part of the Microsoft Intelligence Security Graph.
 keywords: apis, graph api, supported apis, actor, alerts, machine, user, domain, ip, file
 search.product: eADQiWindows 10XVcnh
+search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection.md
index 94cb8338ce..0f32d44dd4 100644
--- a/windows/security/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection.md
@@ -3,6 +3,7 @@ title: Find machine information by internal IP API
 description: Use this API to create calls related to finding a machine entry around a specific timestamp by internal IP.
 keywords: ip, apis, graph api, supported apis, find machine, machine information
 search.product: eADQiWindows 10XVcnh
+search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md
index 1de9e6fc6b..dc57717e8d 100644
--- a/windows/security/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md
@@ -3,6 +3,7 @@ title: Fix unhealthy sensors in Windows Defender ATP
 description: Fix machine sensors that are reporting as misconfigured or inactive so that the service receives data from the machine.
 keywords: misconfigured, inactive, fix sensor, sensor health, no sensor data, sensor data, impaired communications, communication
 search.product: eADQiWindows 10XVcnh
+search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-atp/get-actor-information-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-actor-information-windows-defender-advanced-threat-protection.md
index 11933fc1f8..c7ad32d81d 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-actor-information-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-actor-information-windows-defender-advanced-threat-protection.md
@@ -3,6 +3,7 @@ title: Get actor information API
 description: Retrieves an actor information report.
 keywords: apis, graph api, supported apis, get, actor, information
 search.product: eADQiWindows 10XVcnh
+search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-atp/get-actor-related-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-actor-related-alerts-windows-defender-advanced-threat-protection.md
index 7d607f80b0..54c1dd45ee 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-actor-related-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-actor-related-alerts-windows-defender-advanced-threat-protection.md
@@ -3,6 +3,7 @@ title: Get actor related alerts API
 description: Retrieves all alerts related to a given actor.
 keywords: apis, graph api, supported apis, get, actor, related, alerts
 search.product: eADQiWindows 10XVcnh
+search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection.md
index 7bd281c1c2..b57243b615 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection.md
@@ -3,6 +3,7 @@ title: Get alert information by ID API
 description: Retrieves an alert by its ID.
 keywords: apis, graph api, supported apis, get, alert, information, id
 search.product: eADQiWindows 10XVcnh
+search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-actor-info-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-actor-info-windows-defender-advanced-threat-protection.md
index feb7c72977..e914d35ccb 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-actor-info-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-actor-info-windows-defender-advanced-threat-protection.md
@@ -3,6 +3,7 @@ title: Get alert related actor information API
 description: Retrieves the actor information related to the specific alert.
 keywords: apis, graph api, supported apis, get, alert, actor, information, related
 search.product: eADQiWindows 10XVcnh
+search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection.md
index 1dc2400622..bc89209fbe 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection.md
@@ -3,6 +3,7 @@ title: Get alert related domain information
 description: Retrieves all domains related to a specific alert.
 keywords: apis, graph api, supported apis, get alert information, alert information, related domain
 search.product: eADQiWindows 10XVcnh
+search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection.md
index 692038dece..3efd2de78e 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection.md
@@ -3,6 +3,7 @@ title: Get alert related files information
 description: Retrieves all files related to a specific alert.
 keywords: apis, graph api, supported apis, get alert information, alert information, related files
 search.product: eADQiWindows 10XVcnh
+search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection.md
index 13d6fa451e..3e296665a1 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection.md
@@ -3,6 +3,7 @@ title: Get alert related IP information
 description: Retrieves all IPs related to a specific alert.
 keywords: apis, graph api, supported apis, get alert information, alert information, related ip
 search.product: eADQiWindows 10XVcnh
+search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection.md
index c65563b583..c5d77400aa 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection.md
@@ -3,6 +3,7 @@ title: Get alert related machine information
 description: Retrieves all machines related to a specific alert.
 keywords: apis, graph api, supported apis, get alert information, alert information, related machine
 search.product: eADQiWindows 10XVcnh
+search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection.md
index 0ca328f129..6993fd471d 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection.md
@@ -3,6 +3,7 @@ title: Get alert related user information
 description: Retrieves the user associated to a specific alert.
 keywords: apis, graph api, supported apis, get, alert, information, related, user
 search.product: eADQiWindows 10XVcnh
+search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection.md
index 91370e6ab4..200e9bcb18 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection.md
@@ -3,6 +3,7 @@ title: Get alerts API
 description: Retrieves top recent alerts.
 keywords: apis, graph api, supported apis, get, alerts, recent
 search.product: eADQiWindows 10XVcnh
+search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-atp/get-cvekbmap-collection-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-cvekbmap-collection-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..8b5aa9abb1
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-cvekbmap-collection-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,78 @@
+---
+title: Get CVE-KB map API
+description: Retrieves a map of CVE's to KB's.
+keywords: apis, graph api, supported apis, get, cve, kb
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: leonidzh
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 10/07/2018
+---
+
+# Get CVE-KB map API
+
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+Retrieves a map of CVE's to KB's and CVE details.
+
+## Permissions
+User needs read permissions.
+
+## HTTP request
+```
+GET /testwdatppreview/cvekbmap
+```
+
+## Request headers
+
+Header | Value
+:---|:---
+Authorization | Bearer {token}. **Required**.
+Content type | application/json
+
+## Request body
+Empty
+
+## Response
+If successful and map exists - 200 OK.
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://graph.microsoft.com/testwdatppreview/CveKbMap
+Content-type: application/json
+```
+
+**Response**
+
+Here is an example of the response.
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context":"https://graph.microsoft.com/testwdatppreview/$metadata#CveKbMap",
+ "@odata.count": 4168,
+ "value": [
+ {
+ "cveKbId": "CVE-2015-2482-3097617",
+ "cveId": "CVE-2015-2482",
+ "kbId":"3097617",
+ "title": "Cumulative Security Update for Internet Explorer",
+ "severity": "Critical"
+ },
+ …
+}
+
+```
diff --git a/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md
index edf69b8cc2..9ead2dbb39 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md
@@ -3,6 +3,7 @@ title: Get domain related alerts API
 description: Retrieves a collection of alerts related to a given domain address.
 keywords: apis, graph api, supported apis, get, domain, related, alerts
 search.product: eADQiWindows 10XVcnh
+search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md
index 42274f276d..37f79cad7c 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md
@@ -3,6 +3,7 @@ title: Get domain related machines API
 description: Retrieves a collection of machines related to a given domain address.
 keywords: apis, graph api, supported apis, get, domain, related, machines
 search.product: eADQiWindows 10XVcnh
+search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md
index a8d16cda6c..a3c16e6ca8 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md
@@ -3,6 +3,7 @@ title: Get domain statistics API
 description: Retrieves the prevalence for the given domain.
 keywords: apis, graph api, supported apis, get, domain, domain related machines
 search.product: eADQiWindows 10XVcnh
+search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection.md
index 3a8aecdcdc..7584b147fb 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection.md
@@ -3,6 +3,7 @@ title: Get file information API
 description: Retrieves a file by identifier Sha1, Sha256, or MD5.
 keywords: apis, graph api, supported apis, get, file, information, sha1, sha256, md5
 search.product: eADQiWindows 10XVcnh
+search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection.md
index 3bc108f4c5..05c27cc3c8 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection.md
@@ -3,6 +3,7 @@ title: Get file related alerts API
 description: Retrieves a collection of alerts related to a given file hash.
 keywords: apis, graph api, supported apis, get, file, hash
 search.product: eADQiWindows 10XVcnh
+search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection.md
index 46a55266b9..1fbbc3a108 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection.md
@@ -3,6 +3,7 @@ title: Get file related machines API
 description: Retrieves a collection of machines related to a given file hash.
 keywords: apis, graph api, supported apis, get, machines, hash
 search.product: eADQiWindows 10XVcnh
+search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection.md
index 379a272b7f..097db254ff 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection.md
@@ -3,6 +3,7 @@ title: Get file statistics API
 description: Retrieves the prevalence for the given file.
 keywords: apis, graph api, supported apis, get, file, statistics
 search.product: eADQiWindows 10XVcnh
+search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-atp/get-fileactions-collection-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-fileactions-collection-windows-defender-advanced-threat-protection.md
index 58ec0179eb..6b46d49d1c 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-fileactions-collection-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-fileactions-collection-windows-defender-advanced-threat-protection.md
@@ -3,6 +3,7 @@ title: Get FileActions collection API
 description: Use this API to create calls related to get fileactions collection
 keywords: apis, graph api, supported apis, get, file, information, fileactions collection
 search.product: eADQiWindows 10XVcnh
+search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md
index e30ca834b1..129a601d95 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md
@@ -3,6 +3,7 @@ title: Get FileMachineAction object API
 description: Use this API to create calls related to get machineaction object
 keywords: apis, graph api, supported apis, filemachineaction object
 search.product: eADQiWindows 10XVcnh
+search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-atp/get-filemachineactions-collection-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-filemachineactions-collection-windows-defender-advanced-threat-protection.md
index 4f981ccd54..b22756a78b 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-filemachineactions-collection-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-filemachineactions-collection-windows-defender-advanced-threat-protection.md
@@ -3,6 +3,7 @@ title: Get FileMachineActions collection API
 description: Use this API to create calls related to get filemachineactions collection
 keywords: apis, graph api, supported apis, filemachineactions collection
 search.product: eADQiWindows 10XVcnh
+search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection.md
index b1ad30ecd5..fad5315c23 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection.md
@@ -3,6 +3,7 @@ title: Get IP related alerts API
 description: Retrieves a collection of alerts related to a given IP address.
 keywords: apis, graph api, supported apis, get, ip, related, alerts
 search.product: eADQiWindows 10XVcnh
+search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md
index 1796c563b1..acbfa51a4a 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md
@@ -3,6 +3,7 @@ title: Get IP related machines API
 description: Retrieves a collection of machines related to a given IP address.
 keywords: apis, graph api, supported apis, get, ip, related, machines
 search.product: eADQiWindows 10XVcnh
+search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection.md
index f04eee146e..5134bd1653 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection.md
@@ -3,6 +3,7 @@ title: Get IP statistics API
 description: Retrieves the prevalence for the given IP.
 keywords: apis, graph api, supported apis, get, ip, statistics, prevalence
 search.product: eADQiWindows 10XVcnh
+search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-atp/get-kbinfo-collection-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-kbinfo-collection-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..60756f6400
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-kbinfo-collection-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,77 @@
+---
+title: Get KB collection API
+description: Retrieves a collection of KB's.
+keywords: apis, graph api, supported apis, get, kb
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: leonidzh
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 10/07/2018
+---
+
+# Get KB collection API
+
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+Retrieves a collection of KB's and KB details.
+
+## Permissions
+User needs read permissions.
+
+## HTTP request
+```
+GET /testwdatppreview/kbinfo
+```
+
+## Request headers
+
+Header | Value
+:---|:---
+Authorization | Bearer {token}. **Required**.
+Content type | application/json
+
+## Request body
+Empty
+
+## Response
+If successful - 200 OK.
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://graph.microsoft.com/testwdatppreview/KbInfo
+Content-type: application/json
+```
+
+**Response**
+
+Here is an example of the response.
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#KbInfo",
+ "@odata.count": 271,
+ "value":[
+ {
+ "id": "KB3097617 (10240.16549) Amd64",
+ "release": "KB3097617 (10240.16549)",
+ "publishingDate": "2015-10-16T21:00:00Z",
+ "version": "10.0.10240.16549",
+ "architecture": "Amd64"
+ },
+ …
+}
+```
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection.md
index cdb7691d99..d61e334add 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection.md
@@ -3,6 +3,7 @@ title: Get machine by ID API
 description: Retrieves a machine entity by ID.
 keywords: apis, graph api, supported apis, get, machines, entity, id
 search.product: eADQiWindows 10XVcnh
+search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection.md
index f73f0600fd..4669b6ac62 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection.md
@@ -3,6 +3,7 @@ title: Get machine log on users API
 description: Retrieves a collection of logged on users.
 keywords: apis, graph api, supported apis, get, machine, log on, users
 search.product: eADQiWindows 10XVcnh
+search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection.md
index 2cbf47c5da..9a01fc1a18 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection.md
@@ -3,6 +3,7 @@ title: Get machine related alerts API
 description: Retrieves a collection of alerts related to a given machine ID.
 keywords: apis, graph api, supported apis, get, machines, related, alerts
 search.product: eADQiWindows 10XVcnh
+search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection.md
index 21214216c0..0628465533 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection.md
@@ -3,6 +3,7 @@ title: Get MachineAction object API
 description: Use this API to create calls related to get machineaction object
 keywords: apis, graph api, supported apis, machineaction object
 search.product: eADQiWindows 10XVcnh
+search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection.md
index 4f8250057a..889383cdab 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection.md
@@ -3,6 +3,7 @@ title: Get MachineActions collection API
 description: Use this API to create calls related to get machineactions collection
 keywords: apis, graph api, supported apis, machineaction collection
 search.product: eADQiWindows 10XVcnh
+search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-atp/get-machinegroups-collection-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-machinegroups-collection-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..1d2ab14e01
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-machinegroups-collection-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,77 @@
+---
+title: Get RBAC machine groups collection API
+description: Retrieves a collection of RBAC machine groups.
+keywords: apis, graph api, supported apis, get, RBAC, group
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: leonidzh
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 10/07/2018
+---
+
+# Get KB collection API
+
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+Retrieves a collection of RBAC machine groups.
+
+## Permissions
+User needs read permissions.
+
+## HTTP request
+```
+GET /testwdatppreview/machinegroups
+```
+
+## Request headers
+
+Header | Value
+:---|:---
+Authorization | Bearer {token}. **Required**.
+Content type | application/json
+
+## Request body
+Empty
+
+## Response
+If successful - 200 OK.
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://graph.microsoft.com/testwdatppreview/machinegroups
+Content-type: application/json
+```
+
+**Response**
+
+Here is an example of the response.
+Field id contains machine group **id** and equal to field **rbacGroupId** in machines info.
+Field **ungrouped** is true only for one group for all machines that have not been assigned to any group. This group as usual has name "UnassignedGroup".
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context":"https://graph.microsoft.com/testwdatppreview/$metadata#MachineGroups",
+ "@odata.count":7,
+ "value":[
+ {
+ "id":86,
+ "name":"UnassignedGroup",
+ "description":"",
+ "ungrouped":true},
+ …
+}
+```
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md
index 15f5915642..5fc127f082 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md
@@ -3,6 +3,7 @@ title: Get machines API
 description: Retrieves a collection of recently seen machines.
 keywords: apis, graph api, supported apis, get, machines
 search.product: eADQiWindows 10XVcnh
+search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-atp/get-machinesecuritystates-collection-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-machinesecuritystates-collection-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..1b3f4fe295
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-machinesecuritystates-collection-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,84 @@
+---
+title: Get machines security states collection API
+description: Retrieves a collection of machines security states.
+keywords: apis, graph api, supported apis, get, machine, security, state
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: leonidzh
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 10/07/2018
+---
+
+# Get Machines security states collection API
+
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+Retrieves a collection of machines security states.
+
+## Permissions
+User needs read permissions.
+
+## HTTP request
+```
+GET /testwdatppreview/machinesecuritystates
+```
+
+## Request headers
+
+Header | Value
+:---|:---
+Authorization | Bearer {token}. **Required**.
+Content type | application/json
+
+## Request body
+Empty
+
+## Response
+If successful - 200 OK.
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://graph.microsoft.com/testwdatppreview/machinesecuritystates
+Content-type: application/json
+```
+
+**Response**
+
+Here is an example of the response.
+Field *id* contains machine id and equal to the field *id** in machines info.
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context":"https://graph.microsoft.com/testwdatppreview/$metadata#MachineSecurityStates",
+ "@odata.count":444,
+ "@odata.nextLink":"https://graph.microsoft.com/testwdatppreview/machinesecuritystates?$skiptoken=[continuation token]",
+ "value":[
+ {
+ "id":"000050e1b4afeee3742489ede9ad7a3e16bbd9c4",
+ "build":14393,
+ "revision":2485,
+ "architecture":"Amd64",
+ "osVersion":"10.0.14393.2485.amd64fre.rs1_release.180827-1809",
+ "propertiesRequireAttention":[
+ "AntivirusNotReporting",
+ "EdrImpairedCommunications"
+ ]
+ },
+ …
+ ]
+}
+```
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection.md
index b000396208..b360312126 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection.md
@@ -3,6 +3,7 @@ title: Get package SAS URI API
 description: Use this API to get a URI that allows downloading an investigation package.
 keywords: apis, graph api, supported apis, get package, sas, uri
 search.product: eADQiWindows 10XVcnh
+search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-atp/get-started.md b/windows/security/threat-protection/windows-defender-atp/get-started.md
index ea37ae0629..0d0972f0bd 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-started.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-started.md
@@ -3,6 +3,7 @@ title: Get started with Windows Defender Advanced Threat Protection
 description: Learn about the minimum requirements and initial steps you need to take to get started with Windows Defender ATP.
 keywords: get started, minimum requirements, setup, subscription, features, data storage, privacy, user access
 search.product: eADQiWindows 10XVcnh
+search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
@@ -14,6 +15,10 @@ ms.date: 09/03/2018 --- # Get started with Windows Defender Advanced Threat Protection +**Applies to:** + +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + Learn about the minimum requirements and initial steps you need to take to get started with Windows Defender ATP. The following capabilities are available across multiple products that make up the Windows Defender ATP platform. @@ -40,7 +45,7 @@ Advanced hunting allows you to hunt for possible threats across your organizatio Integrate Windows Defender Advanced Threat Protection into your existing workflows. **Microsoft threat protection**
    -Bring the power of Microsoft threat protection to your organization. +Bring the power of Microsoft Threat Protection to your organization. ## In this section Topic | Description diff --git a/windows/security/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection.md index 44a41412fe..ac38166ec1 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Get user information API description: Retrieve a User entity by key such as user name or domain. keywords: apis, graph api, supported apis, get, user, user information search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md index 12c741d3fe..4283b6db69 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Get user related alerts API description: Retrieves a collection of alerts related to a given user ID. keywords: apis, graph api, supported apis, get, user, related, alerts search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library 
diff --git a/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md
index 80a2b92234..4be3026444 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md
@@ -3,6 +3,7 @@ title: Get user related machines API
 description: Retrieves a collection of machines related to a given user ID.
 keywords: apis, graph api, supported apis, get, user, user related alerts
 search.product: eADQiWindows 10XVcnh
+search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-atp/how-hardware-based-containers-help-protect-windows.md b/windows/security/threat-protection/windows-defender-atp/how-hardware-based-containers-help-protect-windows.md
index 199ece9336..0f25416ca8 100644
--- a/windows/security/threat-protection/windows-defender-atp/how-hardware-based-containers-help-protect-windows.md
+++ b/windows/security/threat-protection/windows-defender-atp/how-hardware-based-containers-help-protect-windows.md
@@ -2,6 +2,7 @@
 title: How hardware-based containers help protect Windows 10 (Windows 10)
 description: Windows 10 uses containers to isolate sensitive system services and data, enabling them to remain secure even when the operating system has been compromised.
 ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
+search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-example-email-notification.png b/windows/security/threat-protection/windows-defender-atp/images/atp-example-email-notification.png
index c46cc214d7..78290030a9 100644
Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-example-email-notification.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-example-email-notification.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-incident-details.png b/windows/security/threat-protection/windows-defender-atp/images/atp-incident-details.png
index 0135cd0a3f..bb11c88b62 100644
Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-incident-details.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-incident-details.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-incidents-alerts-incidentlinkedbyreason.png b/windows/security/threat-protection/windows-defender-atp/images/atp-incidents-alerts-incidentlinkedbyreason.png
new file mode 100644
index 0000000000..7fcdfcc834
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-incidents-alerts-incidentlinkedbyreason.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-incidents-alerts-linkedbytooltip.png b/windows/security/threat-protection/windows-defender-atp/images/atp-incidents-alerts-linkedbytooltip.png
new file mode 100644
index 0000000000..d103afdb87
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-incidents-alerts-linkedbytooltip.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-incidents-alerts-reason.png b/windows/security/threat-protection/windows-defender-atp/images/atp-incidents-alerts-reason.png
new file mode 100644
index 0000000000..7fcdfcc834
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-incidents-alerts-reason.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-incidents-alerts-tooltip.png b/windows/security/threat-protection/windows-defender-atp/images/atp-incidents-alerts-tooltip.png
new file mode 100644
index 0000000000..d103afdb87
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-incidents-alerts-tooltip.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-settings-powerbi.png b/windows/security/threat-protection/windows-defender-atp/images/atp-settings-powerbi.png
new file mode 100644
index 0000000000..68d57863d9
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-settings-powerbi.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/incidents-queue.md b/windows/security/threat-protection/windows-defender-atp/incidents-queue.md
new file mode 100644
index 0000000000..fa6a121754
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/incidents-queue.md
@@ -0,0 +1,36 @@
+---
+title: Incidents queue in Windows Defender ATP
+description:
+keywords: incidents, aggregate, investigations, queue, ttp
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 10/08/2018
+---
+
+# Incidents queue in Windows Defender ATP
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+When a cybersecurity threat is emerging, or a potential attacker is deploying its tactics, techniques/tools, and procedures (TTPs) on the network, Windows Defender ATP will quickly trigger alerts and launch matching automatic investigations.
+
+Windows Defender ATP applies correlation analytics and aggregates all related alerts and investigations into an incident. Doing so helps narrate a broader story of an attack, thus providing you with the right visuals (upgraded incident graph) and data representations to understand and deal with complex cross-entity threats to your organization's network.
+
+
+## In this section
+
+Topic | Description
+:---|:---
+[View and organize the Incidents queue](view-incidents-queue.md)| See the list of incidents and learn how to apply filters to limit the list and get a more focused view.
+[Manage incidents](manage-incidents-windows-defender-advanced-threat-protection.md) | Learn how to manage incidents by assigning it, updating its status, or setting its classification and other actions.
+[Investigate incidents](investigate-incidents-windows-defender-advanced-threat-protection.md)| See associated alerts, manage the incident, see alert metadata, and visualizations to help you investigate an incident.
+
+
diff --git a/windows/security/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md
index 3842b1c129..56ea8cdf4a 100644
--- a/windows/security/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md
@@ -3,6 +3,7 @@ title: Investigate Windows Defender Advanced Threat Protection alerts
 description: Use the investigation options to get details on alerts are affecting your network, what they mean, and how to resolve them.
 keywords: investigate, investigation, machines, machine, alerts queue, dashboard, IP address, file, submit, submissions, deep analysis, timeline, search, domain, URL, IP
 search.product: eADQiWindows 10XVcnh
+search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md
index 6e47b6ddea..65acd1c33c 100644
--- a/windows/security/threat-protection/windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md
@@ -3,6 +3,7 @@ title: Investigate Windows Defender Advanced Threat Protection domains
 description: Use the investigation options to see if machines and servers have been communicating with malicious domains.
 keywords: investigate domain, domain, malicious domain, windows defender atp, alert, URL
 search.product: eADQiWindows 10XVcnh
+search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md
index 6640bb6e9f..d680bef4c2 100644
--- a/windows/security/threat-protection/windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md
@@ -3,6 +3,7 @@ title: Investigate Windows Defender Advanced Threat Protection files
 description: Use the investigation options to get details on files associated with alerts, behaviours, or events.
 keywords: investigate, investigation, file, malicious activity, attack motivation, deep analysis, deep analysis report
 search.product: eADQiWindows 10XVcnh
+search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-atp/investigate-incidents-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/investigate-incidents-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..bac3bc4093
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/investigate-incidents-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,79 @@
+---
+title: Investigate incidents in Windows Defender ATP
+description: See associated alerts, manage the incident, and see alert metadata to help you investigate an incident
+keywords: investigate, incident, alerts, metadata, risk, detection source, affected machines, patterns, correlation
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 10/08/2018
+---
+
+# Investigate incidents in Windows Defender ATP
+
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+Investigate incidents that affect your network, understand what they mean, and collate evidence to resolve them.
+
+## Analyze incident details
+Click an incident to see the **Incident pane**. Select **Open incident page** to see the incident details and related information (alerts, machines, investigations, evidence, graph).
+
+![Image of incident details](images/atp-incident-details.png)
+
+### Alerts
+You can investigate the alerts and see how they were linked together in an incident.
+Alerts are grouped into incidents based on the following reasons:
+- Automated investigation - The automated investigation triggered the linked alert while investigating the original alert
+- File characteristics - The files associated with the alert have similar characteristics
+- Manual association - A user manually linked the alerts
+- Proximate time - The alerts were triggered on the same machine within a certain timeframe
+- Same file - The files associated with the alert are exactly the same
+
+![Image of alerts tab in incident page showing the Linked by tool tip](images/atp-incidents-alerts-tooltip.png)
+
+![Image of alerts tab with incident details page showing the reasons the alerts were linked together in that incident](images/atp-incidents-alerts-reason.png)
+
+You can also manage an alert and see alert metadata along with other information. For more information, see [Investigate alerts](investigate-alerts-windows-defender-advanced-threat-protection.md).
+
+### Machines
+You can also investigate the machines that are part of, or related to, a given incident. For more information, see [Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md).
+
+![Image of machines tab in incident details page](images/atp-incident-machine-tab.png)
+
+### Investigations
+Select **Investigations** to see all the automatic investigations launched by the system in response to the incident alerts.
+
+![Image of investigations tab in incident details page](images/atp-incident-investigations-tab.png)
+
+## Going through the evidence
+Windows Defender Advanced Threat Protection automatically investigates all the incidents' supported events and suspicious entities in the alerts, providing you with auto-response and information about the important files, processes, services, and more. This helps quickly detect and block potential threats in the incident.
+Each of the analyzed entities will be marked as infected, remediated, or suspicious.
+
+![Image of evidence tab in incident details page](images/atp-incident-evidence-tab.png)
+
+## Visualizing associated cybersecurity threats
+Windows Defender Advanced Threat Protection aggregates the threat information into an incident so you can see the patterns and correlations coming in from various data points. You can view such correlation through the incident graph.
+
+### Incident graph
+The **Graph** tells the story of the cybersecurity attack. For example, it shows you what was the entry point, which indicator of compromise or activity was observed on which machine. etc.
+
+![Image of the incident graph](images/atp-incident-graph-tab.png)
+
+You can click the circles on the incident graph to view the details of the malicious files, associated file detections, how many instances has there been worldwide, whether it’s been observed in your organization, if so, how many instances.
+
+![Image of indcident details](images/atp-incident-graph-details.png)
+
+## Related topics
+- [Incidents queue](incidents-queue.md)
+- [View and organize the Incidents queue](view-incidents-queue.md)
+- [Manage incidents](manage-incidents-windows-defender-advanced-threat-protection.md)
+
+
diff --git a/windows/security/threat-protection/windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md
index 29592bd0f8..44daae5c16 100644
--- a/windows/security/threat-protection/windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md
@@ -3,6 +3,7 @@ title: Investigate an IP address associated with an alert
 description: Use the investigation options to examine possible communication between machines and external IP addresses.
 keywords: investigate, investigation, IP address, alert, windows defender atp, external IP
 search.product: eADQiWindows 10XVcnh
+search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md
index 607b3d55e1..cc74d3e88b 100644
--- a/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md
@@ -3,6 +3,7 @@ title: Investigate machines in the Windows Defender ATP Machines list
 description: Investigate affected machines by reviewing alerts, network connection information, adding machine tags and groups, and checking the service health.
 keywords: machines, tags, groups, endpoint, alerts queue, alerts, machine name, domain, last seen, internal IP, active alerts, threat category, filter, sort, review alerts, network, connection, type, password stealer, ransomware, exploit, threat, low severity, service heatlh
 search.product: eADQiWindows 10XVcnh
+search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
@@ -113,6 +114,17 @@ Use the search bar to look for specific timeline events. Harness the power of us Filtering by event type allows you to define precise queries so that you see events with a specific focus. For example, you can search for a file name, then filter the results to only see Process events matching the search criteria or to only view file events, or even better: to view only network events over a period of time to make sure no suspicious outbound communications go unnoticed. + +>[!NOTE] +> For firewall events to be displayed, you'll need to enable the audit policy, see [Audit Filtering Platform connection](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-connection). +>Firewall covers the following events: +>- [5025](https://docs.microsoft.com/windows/security/threat-protection/auditing/event-5025) - firewall service stopped +>- [5031](https://docs.microsoft.com/windows/security/threat-protection/auditing/event-5031) - application blocked from accepting incoming connections on the network +>- [5157](https://docs.microsoft.com/windows/security/threat-protection/auditing/event-5157) - blocked connection + + + + - **User account** – Click the drop-down button to filter the machine timeline by the following user associated events: - Logon users - System diff --git a/windows/security/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md index c7a8ba2be1..dcbc200193 100644 --- a/windows/security/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md 
@@ -3,6 +3,7 @@ title: Investigate a user account in Windows Defender ATP
 description: Investigate a user account for potential compromised credentials or pivot on the associated user account during an investigation.
 keywords: investigate, account, user, user entity, alert, windows defender atp
 search.product: eADQiWindows 10XVcnh
+search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md
index 3bda2052aa..892fc60bd3 100644
--- a/windows/security/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md
@@ -3,6 +3,7 @@ title: Is domain seen in org API
 description: Use this API to create calls related to checking whether a domain was seen in the organization.
 keywords: apis, graph api, supported apis, domain, domain seen
 search.product: eADQiWindows 10XVcnh
+search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection.md
index 0e5cdd372b..7b493211a5 100644
--- a/windows/security/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection.md
@@ -3,6 +3,7 @@ title: Is IP seen in org API
 description: Answers whether an IP was seen in the organization.
 keywords: apis, graph api, supported apis, is, ip, seen, org, organization
 search.product: eADQiWindows 10XVcnh
+search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection.md
index 8a1af5560e..3ab7ab04d5 100644
--- a/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection.md
@@ -3,6 +3,7 @@ title: Isolate machine API
 description: Use this API to create calls related isolating a machine.
 keywords: apis, graph api, supported apis, isolate machine
 search.product: eADQiWindows 10XVcnh
+search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-atp/licensing-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/licensing-windows-defender-advanced-threat-protection.md
index c2460df138..002cb3f3e8 100644
--- a/windows/security/threat-protection/windows-defender-atp/licensing-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/licensing-windows-defender-advanced-threat-protection.md
@@ -3,6 +3,7 @@ title: Validate licensing provisioning and complete Windows Defender ATP set up description: Validating licensing provisioning, setting up initial preferences, and completing the user set up for Windows Defender Advanced Threat Protection portal. keywords: license, licensing, account, set up, validating licensing, windows defender atp search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/security/threat-protection/windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md index 2969a1b1a1..2210ccbf19 100644 --- a/windows/security/threat-protection/windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Create and manage machine groups in Windows Defender ATP description: Create machine groups and set automated remediation levels on them by confiring the rules that apply on the group keywords: machine groups, groups, remediation, level, rules, aad group, role, assign, rank search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -88,4 +89,5 @@ Machines that are not matched to any groups are added to Ungrouped machines (def ## Related topic -- [Manage portal access using role-based based access control](rbac-windows-defender-advanced-threat-protection.md) \ No newline at end of file +- [Manage portal access using role-based based access control](rbac-windows-defender-advanced-threat-protection.md) +- [Get list of tenant machine groups using Graph API](get-machinegroups-collection-windows-defender-advanced-threat-protection.md) \ No newline at end of file 
diff --git a/windows/security/threat-protection/windows-defender-atp/machine-tags-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/machine-tags-windows-defender-advanced-threat-protection.md
index 09ba1f5325..b6fc180e59 100644
--- a/windows/security/threat-protection/windows-defender-atp/machine-tags-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/machine-tags-windows-defender-advanced-threat-protection.md
@@ -3,6 +3,7 @@ title: Create and manage machine tags
 description: Use machine tags to group machines to capture context and enable dynamic list creation as part of an incident
 keywords: tags, machine tags, machine groups, groups, remediation, level, rules, aad group, role, assign, rank
 search.product: eADQiWindows 10XVcnh
+search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md
index d75eefe80b..830fa8ab3c 100644
--- a/windows/security/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md
@@ -3,6 +3,7 @@ title: View and organize the Windows Defender ATP machines list
 description: Learn about the available features that you can use from the Machines list such as sorting, filtering, and exporting the list to enhance investigations.
 keywords: sort, filter, export, csv, machine name, domain, last seen, internal IP, health state, active alerts, active malware detections, threat category, review alerts, network, connection, malware, type, password stealer, ransomware, exploit, threat, general malware, unwanted software
 search.product: eADQiWindows 10XVcnh
+search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md
index 00142f3502..76a5039107 100644
--- a/windows/security/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md
@@ -3,6 +3,7 @@ title: Manage Windows Defender Advanced Threat Protection alerts
 description: Change the status of alerts, create suppression rules to hide alerts, submit comments, and review change history for individual alerts with the Manage Alert menu.
 keywords: manage alerts, manage, alerts, status, new, in progress, resolved, resolve alerts, suppress, supression, rules, context, history, comments, changes
 search.product: eADQiWindows 10XVcnh
+search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-atp/manage-auto-investigation-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/manage-auto-investigation-windows-defender-advanced-threat-protection.md
index a5df326a4d..357ef56c3f 100644
--- a/windows/security/threat-protection/windows-defender-atp/manage-auto-investigation-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/manage-auto-investigation-windows-defender-advanced-threat-protection.md
@@ -3,6 +3,7 @@ title: Learn about the automated investigations dashboard in Windows Defender Se
 description: View the list of automated investigations, its status, detection source and other details.
 keywords: autoir, automated, investigation, detection, dashboard, source, threat types, id, tags, machines, duration, filter export
 search.product: eADQiWindows 10XVcnh
+search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md
index 46adcfac19..bdecb21ec0 100644
--- a/windows/security/threat-protection/windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md
@@ -3,6 +3,7 @@ title: Manage automation allowed/blocked lists
 description: Create lists that control what items are automatically blocked or allowed during an automatic investigation.
 keywords: manage, automation, whitelist, blacklist, block, clean, malicious
 search.product: eADQiWindows 10XVcnh
+search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-atp/manage-automation-file-uploads-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/manage-automation-file-uploads-windows-defender-advanced-threat-protection.md
index 9a359aaabc..c29f83b9b6 100644
--- a/windows/security/threat-protection/windows-defender-atp/manage-automation-file-uploads-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/manage-automation-file-uploads-windows-defender-advanced-threat-protection.md
@@ -3,6 +3,7 @@ title: Manage automation file uploads
 description: Enable content analysis and configure the file extension and email attachment extensions that will be sumitted for analysis
 keywords: automation, file, uploads, content, analysis, file, extension, email, attachment
 search.product: eADQiWindows 10XVcnh
+search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-atp/manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md
index d3ed61a295..7fa091f70d 100644
--- a/windows/security/threat-protection/windows-defender-atp/manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md
@@ -3,6 +3,7 @@ title: Manage automation folder exclusions
 description: Add automation folder exclusions to control the files that are excluded from an automated investigation.
 keywords: manage, automation, exclusion, whitelist, blacklist, block, clean, malicious
 search.product: eADQiWindows 10XVcnh
+search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-atp/manage-edr.md b/windows/security/threat-protection/windows-defender-atp/manage-edr.md
index 97ff8bd046..5252fa2868 100644
--- a/windows/security/threat-protection/windows-defender-atp/manage-edr.md
+++ b/windows/security/threat-protection/windows-defender-atp/manage-edr.md
@@ -3,6 +3,7 @@ title: Manage endpoint detection and response capabilities
 description:
 keywords:
 search.product: eADQiWindows 10XVcnh
+search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-atp/manage-incidents-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/manage-incidents-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..6f9871b74e
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/manage-incidents-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,62 @@
+---
+title: Manage Windows Defender ATP incidents
+description: Manage incidents by assigning it, updating its status, or setting its classification.
+keywords: incidents, manage, assign, status, classification, true alert, false alert
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 010/08/2018
+---
+
+# Manage Windows Defender ATP incidents
+
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+
+Managing incidents is an important part of every cybersecurity operation. You can manage incidents by selecting an incident from the **Incidents queue** or the **Incidents management pane**. You can assign incidents to yourself, change the status, classify, rename, or comment on them to keep track of their progress.
+
+![Image of the incidents management pane](images/atp-incidents-mgt-pane.png)
+
+Selecting an incident from the **Incidents queue** brings up the **Incident management pane** where you can open the incident page for details.
+
+![Image of incident detail page](images/atp-incident-details-page.png)
+
+
+## Assign incidents
+If an incident has not been assigned yet, you can select **Assign to me** to assign the incident to yourself. Doing so assumes ownership of not just the incident, but also all the alerts associated with it.
+
+## Change the incident status
+You can categorize incidents (as **Active**, or **Resolved**) by changing their status as your investigation progresses. This helps you organize and manage how your team can respond to incidents.
+
+For example, your SoC analyst can review the urgent **Active** incidents for the day, and decide to assign them to himself for investigation.
+
+Alternatively, your SoC analyst might set the incident as **Resolved** if the incident has been remediated.
+
+## Classify the incident
+You can choose not to set a classification, or decide to specify whether an incident is true or false. Doing so helps the team see patterns and learn from them.
+
+## Rename incident
+By default, incidents are assigned with numbers. You can rename the incident if your organization uses a naming convention for easier cybersecurity threat identification.
+
+![Image of incident renaming](images/atp-rename-incident.png)
+
+## Add comments and view the history of an incident
+You can add comments and view historical events about an incident to see previous changes made to it.
+
+Whenever a change or comment is made to an alert, it is recorded in the Comments and history section.
+
+Added comments instantly appear on the pane.
+
+## Related topics
+- [Incidents queue](incidents-queue.md)
+- [View and organize the Incidents queue](view-incidents-queue.md)
+- [Investigate incidents](investigate-incidents-windows-defender-advanced-threat-protection.md)
diff --git a/windows/security/threat-protection/windows-defender-atp/manage-suppression-rules-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/manage-suppression-rules-windows-defender-advanced-threat-protection.md
index 1fa0357ade..15632e8fdf 100644
--- a/windows/security/threat-protection/windows-defender-atp/manage-suppression-rules-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/manage-suppression-rules-windows-defender-advanced-threat-protection.md
@@ -3,6 +3,7 @@ title: Manage Windows Defender Advanced Threat Protection suppression rules
 description: Manage suppression rules
 keywords: manage suppression, rules, rule name, scope, action, alerts, turn on, turn off
 search.product: eADQiWindows 10XVcnh
+search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-atp/management-apis.md b/windows/security/threat-protection/windows-defender-atp/management-apis.md
index 2e0966140c..ca0c7f20f7 100644
--- a/windows/security/threat-protection/windows-defender-atp/management-apis.md
+++ b/windows/security/threat-protection/windows-defender-atp/management-apis.md
@@ -3,6 +3,7 @@ title: Overview of management and APIs
 description:
 keywords:
 search.product: eADQiWindows 10XVcnh
+search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
@@ -42,6 +43,17 @@ An important aspect of machine management is the ability to analyze the environm - The Secure score dashboard provides metrics based method of prioritizing the most important proactive security measures. - Windows Defender ATP includes a built-in PowerBI based reporting solution to quickly review trends and details related to Windows Defender ATP alerts and secure score of machines. The platform also supports full customization of the reports, including mashing of Windows Defender ATP data with your own data stream to produce business specific reports. + +## In this section +Topic | Description +:---|:--- +Understand threat intelligence concepts | Learn about alert definitions, indicators of compromise, and other threat intelligence concepts. +Supported Windows Defender ATP APIs | Learn more about the individual supported entities where you can run API calls to and details such as HTTP request values, request headers and expected responses. +Managed security service provider | Get a quick overview on managed security service provider support. + + + + ## Related topics - [Onboard machines](onboard-configure-windows-defender-advanced-threat-protection.md) - [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-config.md b/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-config.md index b37cd582c8..01da764410 100644 --- a/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-config.md +++ b/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-config.md 
@@ -3,6 +3,7 @@ title: Configure Microsoft Cloud App Security integration
 description: Learn how to turn on the settings to enable the Windows Defender ATP integration with Microsoft Cloud App Security.
 keywords: cloud, app, security, settings, integration, discovery, report
 search.product: eADQiWindows 10XVcnh
+search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration.md b/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration.md
index 51dfb9bf97..b47abbd464 100644
--- a/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration.md
+++ b/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration.md
@@ -3,6 +3,7 @@ title: Microsoft Cloud App Security integration overview
 description:
 keywords:
 search.product: eADQiWindows 10XVcnh
+search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md
index 84f62905aa..db250caeda 100644
--- a/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md
@@ -3,6 +3,7 @@ title: Minimum requirements for Windows Defender ATP
 description: Minimum network and data storage configuration, machine hardware and software requirements, and deployment channel requirements for Windows Defender ATP.
 keywords: minimum requirements, Windows Defender Advanced Threat Protection minimum requirements, network and data storage, machine configuration, deployment channel
 search.product: eADQiWindows 10XVcnh
+search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection.md
index 0ec05caa9c..55ddba1528 100644
--- a/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection.md
@@ -3,6 +3,7 @@ title: Managed security service provider (MSSP) support
 description: Understand how Windows Defender ATP integrates with managed security service providers (MSSP)
 keywords: mssp, integration, managed, security, service, provider
 search.product: eADQiWindows 10XVcnh
+search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-atp/offboard-machines-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/offboard-machines-windows-defender-advanced-threat-protection.md
index af9a42584f..c5dbddb3a0 100644
--- a/windows/security/threat-protection/windows-defender-atp/offboard-machines-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/offboard-machines-windows-defender-advanced-threat-protection.md
@@ -3,6 +3,7 @@ title: Offboard machines from the Windows Defender ATP service description: Onboard Windows 10 machines, servers, non-Windows machines from the Windows Defender ATP service keywords: offboarding, windows defender advanced threat protection offboarding, windows atp offboarding search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/security/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md index 34c07f0734..33b5461d23 100644 --- a/windows/security/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Onboard machines to the Windows Defender ATP service description: Onboard Windows 10 machines, servers, non-Windows machines and learn how to run a detection test. keywords: onboarding, windows defender advanced threat protection onboarding, windows atp onboarding, sccm, group policy, mdm, local script, detection test search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -64,7 +65,7 @@ The hardware requirements for Windows Defender ATP on machines is the same as th - Linux >[!NOTE] ->You'll need to know the exact Linux distros and macOS X versions that are compatible with Windows Defender ATP for the integration to work. +>You'll need to know the exact Linux distros and macOS versions that are compatible with Windows Defender ATP for the integration to work. ### Network and data storage and configuration requirements 
diff --git a/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md index 1428a1b310..4d48b928bd 100644 --- a/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Onboard previous versions of Windows on Windows Defender ATP description: Onboard supported previous versions of Windows machines so that they can send sensor data to the Windows Defender ATP sensor keywords: onboard, windows, 7, 81, oms, sp1, enterprise, pro, down level search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -10,7 +11,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 06/18/2018 +ms.date: 10/10/2018 --- # Onboard previous versions of Windows @@ -50,7 +51,7 @@ The following steps are required to enable this integration: ### Before you begin Review the following details to verify minimum system requirements: -- Install the [February monthly update rollout](https://support.microsoft.com/help/4074598/windows-7-update-kb4074598) +- Install the [February monthly update rollup](https://support.microsoft.com/help/4074598/windows-7-update-kb4074598) or a later monthly update rollup. >[!NOTE] >Only applicable for Windows 7 SP1 Enterprise and Windows 7 SP1 Pro. 
@@ -60,6 +61,14 @@ Review the following details to verify minimum system requirements: >[!NOTE] >Only applicable for Windows 7 SP1 Enterprise and Windows 7 SP1 Pro. +- Install either [.NET framework 4.5](https://www.microsoft.com/en-us/download/details.aspx?id=30653) (or later) or [KB3154518](https://support.microsoft.com/en-us/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework) + + >[NOTE] + >Only applicable for Windows 7 SP1 Enterprise and Windows 7 SP1 Pro. + >Don't install .NET framework 4.0.x, since it will negate the above installation. + + + - Meet the Azure Log Analytics agent minimum system requirements. For more information, see [Collect data from computers in your environment with Log Analytics](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-concept-hybrid#prerequisites) 1. Download the agent setup file: [Windows 64-bit agent](https://go.microsoft.com/fwlink/?LinkId=828603) or [Windows 32-bit agent](https://go.microsoft.com/fwlink/?LinkId=828604). diff --git a/windows/security/threat-protection/windows-defender-atp/onboard.md b/windows/security/threat-protection/windows-defender-atp/onboard.md index 39ee66db3c..461847ca9e 100644 --- a/windows/security/threat-protection/windows-defender-atp/onboard.md +++ b/windows/security/threat-protection/windows-defender-atp/onboard.md @@ -3,6 +3,7 @@ title: Configure and manage Windows Defender ATP capabilities description: Configure and manage Windows Defender ATP capabilities such as attack surface reduction, next generation protection, and security controls keywords: configure, manage, capabilities, attack surface reduction, next generation protection, security controls, endpoint detection and response, auto investigation and remediation, security controls, controls search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library 
@@ -14,6 +15,9 @@ ms.date: 09/03/2018 --- # Configure and manage Windows Defender ATP capabilities +**Applies to:** + +- Windows Defender Advanced Threat Protection (Windows Defender ATP) Configure and manage all the Windows Defender ATP capabilities to get the best security protection for your organization. @@ -24,7 +28,7 @@ Topic | Description [Configure attack surface reduction capabilities](configure-attack-surface-reduction.md) | By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitations. [Configure next generation protection](../windows-defender-antivirus/configure-windows-defender-antivirus-features.md) | Configure next generation protection to catch all types of emerging threats. [Configure Secure score dashboard security controls](secure-score-dashboard-windows-defender-advanced-threat-protection.md) | Configure the security controls in Secure score to increase the security posture of your organization. -Configure Microsoft threat protection integration| Configure other solutions that integrate with Windows Defender ATP. +Configure Microsoft Threat Protection integration| Configure other solutions that integrate with Windows Defender ATP. Management and API support| Pull alerts to your SIEM or use APIs to create custom alerts. Create and build Power BI reports. [Configure Windows Defender Security Center settings](preferences-setup-windows-defender-advanced-threat-protection.md) | Configure portal related settings such as general settings, advanced features, enable the preview experience and others. diff --git a/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction.md index 98d08c46d6..5d7e92ddb8 100644 --- a/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction.md 
+++ b/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction.md
@@ -3,6 +3,7 @@ title: Overview of attack surface reduction
 description: Learn about the attack surface reduction capability in Windows Defender ATP
 keywords:
 search.product: eADQiWindows 10XVcnh
+search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-atp/overview-custom-detections.md b/windows/security/threat-protection/windows-defender-atp/overview-custom-detections.md
index 9b2912076d..64bf36aac0 100644
--- a/windows/security/threat-protection/windows-defender-atp/overview-custom-detections.md
+++ b/windows/security/threat-protection/windows-defender-atp/overview-custom-detections.md
@@ -3,6 +3,7 @@ title: Custom detections overview
 description: Understand how how you can leverage the power of advanced hunting to create custom detections
 keywords: custom detections, detections, advanced hunting, hunt, detect, query
 search.product: eADQiWindows 10XVcnh
+search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-atp/overview-endpoint-detection-response.md b/windows/security/threat-protection/windows-defender-atp/overview-endpoint-detection-response.md
index 31b65ba716..ccc6ab2c87 100644
--- a/windows/security/threat-protection/windows-defender-atp/overview-endpoint-detection-response.md
+++ b/windows/security/threat-protection/windows-defender-atp/overview-endpoint-detection-response.md
@@ -3,6 +3,7 @@ title: Overview of endpoint detection and response capabilities
 description: Learn about the endpoint detection and response capabilities in Windows Defender ATP
 keywords:
 search.product: eADQiWindows 10XVcnh
+search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
@@ -19,7 +20,7 @@ ms.date: 09/03/2018 - Windows Defender Advanced Threat Protection (Windows Defender ATP) -The Widows Defender ATP endpoint detection and response capabilities provides near real-time actionable advance attacks detections, enables security analysts to effectively prioritize alerts, unfold the full scope of a breach and take response actions to remediate the threat. +The Windows Defender ATP endpoint detection and response capabilities provides near real-time actionable advance attacks detections, enables security analysts to effectively prioritize alerts, unfold the full scope of a breach and take response actions to remediate the threat. When a threat is detected, alerts are be created in the system for an analyst to investigate. Alerts with the same attack techniques or attributed to the same attacker are aggregated into an entity called _incident_. Aggregating alerts in this manner makes it easy for analysts to collectively investigate and respond to threats. diff --git a/windows/security/threat-protection/windows-defender-atp/overview-hardware-based-isolation.md b/windows/security/threat-protection/windows-defender-atp/overview-hardware-based-isolation.md index 9d8cdabaae..88596a6cef 100644 --- a/windows/security/threat-protection/windows-defender-atp/overview-hardware-based-isolation.md +++ b/windows/security/threat-protection/windows-defender-atp/overview-hardware-based-isolation.md @@ -1,6 +1,7 @@ --- title: Hardware-based isolation (Windows 10) description: Learn about how hardware-based isolation in Windows 10 helps to combat malware. +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library diff --git a/windows/security/threat-protection/windows-defender-atp/overview-hunting-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/overview-hunting-windows-defender-advanced-threat-protection.md index 598138a8ef..76ba54657b 100644 
--- a/windows/security/threat-protection/windows-defender-atp/overview-hunting-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/overview-hunting-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Overview of advanced hunting capabilities description: Hunt for possible threats accross your organization using a powerful search and query tool keywords: advanced hunting, hunting, search, query, tool, intellisense, telemetry search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -30,6 +31,7 @@ With advanced hunting, you can take advantage of the following capabilities: Topic | Description :---|:--- [Query data using Advanced hunting](advanced-hunting-windows-defender-advanced-threat-protection.md) | Learn how to use the basic or advanced query examples to search for possible emerging threats in your organization. +[Custom detections](overview-custom-detections.md)| With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats. diff --git a/windows/security/threat-protection/windows-defender-atp/overview-secure-score-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/overview-secure-score-windows-defender-advanced-threat-protection.md index 222e5cfffa..5cd11935ed 100644 --- a/windows/security/threat-protection/windows-defender-atp/overview-secure-score-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/overview-secure-score-windows-defender-advanced-threat-protection.md 
@@ -3,6 +3,7 @@ title: Overview of Secure score in Windows Defender Security Center description: Expand your visibility into the overall security posture of your organization keywords: secure score, security controls, improvement opportunities, security score over time, score, posture, baseline search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -74,3 +75,4 @@ Clicking the link under the Misconfigured machines column opens up the **Machine ## Related topic - [Threat analytics](threat-analytics-dashboard-windows-defender-advanced-threat-protection.md) +- [Threat analytics for Spectre and Meltdown](threat-analytics-dashboard-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/windows-defender-atp/overview.md b/windows/security/threat-protection/windows-defender-atp/overview.md index b40bd3d25d..df560a652f 100644 --- a/windows/security/threat-protection/windows-defender-atp/overview.md +++ b/windows/security/threat-protection/windows-defender-atp/overview.md @@ -3,6 +3,7 @@ title: Overview of Windows Defender ATP description: keywords: search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -14,6 +15,9 @@ ms.date: 09/03/2018 --- # Overview of Windows Defender ATP capabilities +**Applies to:** + +- Windows Defender Advanced Threat Protection (Windows Defender ATP) Understand the concepts behind the capabilities in Windows Defender ATP so you take full advantage of the complete threat protection platform. 
@@ -28,7 +32,7 @@ Topic | Description [Secure score](overview-secure-score-windows-defender-advanced-threat-protection.md) | Quickly assess the security posture of your organization, see machines that require attention, as well as recommendations for actions to better protect your organization - all in one place. [Advanced hunting](overview-hunting-windows-defender-advanced-threat-protection.md) | Use a powerful search and query language to create custom queries and detection rules. [Management and APIs](management-apis.md) | Windows Defender ATP supports a wide variety of tools to help you manage and interact with the platform so that you can integrate the service into your existing workflows. -[Microsoft threat protection](threat-protection-integration.md) | Microsoft security products work better together. Learn about other security capabilities in the Microsoft threat protection stack. +[Microsoft Threat Protection](threat-protection-integration.md) | Microsoft security products work better together. Learn about other security capabilities in the Microsoft threat protection stack. [Portal overview](portal-overview-windows-defender-advanced-threat-protection.md) |Learn to navigate your way around Windows Defender Security Center. diff --git a/windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md index aa1c10660e..1457a0d7dd 100644 --- a/windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md 
@@ -3,6 +3,7 @@ title: Windows Defender Advanced Threat Protection portal overview description: Use Windows Defender Security Center to monitor your enterprise network and assist in responding to alerts to potential advanced persistent threat (APT) activity or data breaches. keywords: Windows Defender Security Center, portal, cybersecurity threat intelligence, dashboard, alerts queue, machines list, settings, machine management, advanced attacks search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md index 269e894610..9cac40a33b 100644 --- a/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md @@ -3,14 +3,17 @@ title: Create and build Power BI reports using Windows Defender ATP data description: Get security insights by creating and building Power BI dashboards using data from Windows Defender ATP and other data sources. keywords: settings, power bi, power bi service, power bi desktop, reports, dashboards, connectors , security insights, mashup search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: mjcaparas ms.localizationpriority: medium -ms.date: 04/24/2018 +ms.date: 10/19/2018 --- + + # Create and build Power BI reports using Windows Defender ATP data **Applies to:** 
@@ -122,7 +125,9 @@ You can create a custom dashboard in Power BI Desktop to create visualizations t ### Before you begin 1. Make sure you use Power BI Desktop June 2017 and above. [Download the latest version](https://powerbi.microsoft.com/en-us/desktop/). -2. In the navigation pane, select **Settings** > **Power BI reports**. +2. In the Windows Defender Security Center navigation pane, select **Settings** > **Power BI reports**. + + ![Image of settings Power BI reports](images/atp-settings-powerbi.png) 3. Click **Download connector** to download the WDATPPowerBI.zip file and extract it. diff --git a/windows/security/threat-protection/windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md index 538450ea18..b61ff7d784 100644 --- a/windows/security/threat-protection/windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: PowerShell code examples for the custom threat intelligence API description: Use PowerShell code to create custom threat intelligence using REST API. keywords: powershell, code examples, threat intelligence, custom threat intelligence, rest api, api search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/security/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md index 76c28f6e1f..828c4d45ac 100644 --- a/windows/security/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md 
+++ b/windows/security/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md
@@ -3,6 +3,7 @@ title: Configure Windows Defender Security Center settings
 description: Use the settings page to configure general settings, permissions, apis, and rules.
 keywords: settings, general settings, permissions, apis, rules
 search.product: eADQiWindows 10XVcnh
+search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md
index a295925903..2e309e3b2e 100644
--- a/windows/security/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md
@@ -3,6 +3,7 @@ title: Turn on the preview experience in Windows Defender ATP
 description: Turn on the preview experience in Windows Defender Advanced Threat Protection to try upcoming features.
 keywords: advanced features, settings, block file
 search.product: eADQiWindows 10XVcnh
+search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md
index 3eab3eda81..33048913ee 100644
--- a/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md
@@ -3,6 +3,7 @@ title: Windows Defender ATP preview features description: Learn how to access Windows Defender Advanced Threat Protection preview features. keywords: preview, preview experience, Windows Defender Advanced Threat Protection, features, updates search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -41,6 +42,10 @@ The following features are included in the preview release: - [Threat analytics](threat-analytics.md)
    Threat Analytics is a set of interactive reports published by the Windows Defender ATP research team as soon as emerging threats and outbreaks are identified. The reports help security operations teams assess impact on their environment and provides recommended actions to contain, increase organizational resilience, and prevent specific threats. +- [Incidents](incidents-queue.md)
    +Windows Defender ATP applies correlation analytics and aggregates all related alerts and investigations into an incident. Doing so helps narrate a broader story of an attack, thus providing you with the right visuals (upgraded incident graph) and data representations to understand and deal with complex cross-entity threats to your organization's network. + + - [Custom detection](overview-custom-detections.md)
    With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats. This can be done by leveraging the power of Advanced hunting through the creation of custom detection rules. diff --git a/windows/security/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md index 58f784e646..34c1292d77 100644 --- a/windows/security/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Pull Windows Defender ATP alerts using REST API description: Pull alerts from Windows Defender ATP REST API. keywords: alerts, pull alerts, rest api, request, response search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/security/threat-protection/windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md index f84794a823..46742baa03 100644 --- a/windows/security/threat-protection/windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md 
@@ -3,6 +3,7 @@ title: Python code examples for the custom threat intelligence API
 description: Use Python code to create custom threat intelligence using REST API.
 keywords: python, code examples, threat intelligence, custom threat intelligence, rest api, api
 search.product: eADQiWindows 10XVcnh
+search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-atp/rbac-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/rbac-windows-defender-advanced-threat-protection.md
index 20e2299d14..5503cf2607 100644
--- a/windows/security/threat-protection/windows-defender-atp/rbac-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/rbac-windows-defender-advanced-threat-protection.md
@@ -3,6 +3,7 @@ title: Use role-based access control to grant fine-grained access to Windows Def
 description: Create roles and groups within your security operations to grant access to the portal.
 keywords: rbac, role, based, access, control, groups, control, tier, aad
 search.product: eADQiWindows 10XVcnh
+search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-atp/request-sample-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/request-sample-windows-defender-advanced-threat-protection.md
index 5e12dabe3d..d9baf6c10d 100644
--- a/windows/security/threat-protection/windows-defender-atp/request-sample-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/request-sample-windows-defender-advanced-threat-protection.md
@@ -3,6 +3,7 @@ title: Request sample API
 description: Use this API to create calls related to requesting a sample from a machine.
 keywords: apis, graph api, supported apis, request sample
 search.product: eADQiWindows 10XVcnh
+search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md
index 148d0a9793..37af693216 100644
--- a/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md
@@ -3,6 +3,7 @@ title: Take response actions on a file in Windows Defender ATP
 description: Take response actions on file related alerts by stopping and quarantining a file or blocking a file and checking activity details.
 keywords: respond, stop and quarantine, block file, deep analysis
 search.product: eADQiWindows 10XVcnh
+search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md
index 064fb37360..06a49fb0f5 100644
--- a/windows/security/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md
@@ -3,6 +3,7 @@ title: Take response actions on a machine in Windows Defender ATP description: Take response actions on a machine such as isolating machines, collecting an investigation package, managing tags, running av scan, and restricting app execution. keywords: respond, isolate, isolate machine, collect investigation package, action center, restrict, manage tags, av scan, restrict app search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/security/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md index 5feacd51aa..565ee7cc61 100644 --- a/windows/security/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Take response actions on files and machines in Windows Defender ATP description: Take response actions on files and machines by stopping and quarantining files, blocking a file, isolating machines, or collecting an investigation package. keywords: respond, stop and quarantine, block file, deep analysis, isolate machine, collect investigation package, action center search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md index 985a82d123..c3845d021a 100644 --- a/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md 
+++ b/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Restrict app execution API description: Use this API to create calls related to restricting an application from executing. keywords: apis, graph api, supported apis, collect investigation package search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md index 9132144898..52cab18906 100644 --- a/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Run antivirus scan API description: Use this API to create calls related to running an antivirus scan on a machine. keywords: apis, graph api, supported apis, remove machine from isolation search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/security/threat-protection/windows-defender-atp/run-detection-test-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/run-detection-test-windows-defender-advanced-threat-protection.md index ad774f962c..ad6fbc2bec 100644 --- a/windows/security/threat-protection/windows-defender-atp/run-detection-test-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/run-detection-test-windows-defender-advanced-threat-protection.md 
@@ -3,6 +3,7 @@ title: Run a detection test on a newly onboarded Windows Defender ATP machine description: Run the detection script on a newly onboarded machine to verify that it is properly onboarded to the Windows Defender ATP service. keywords: detection test, detection, powershell, script, verify, onboarding, windows defender advanced threat protection onboarding, clients, servers, test search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection.md index 48a0fcb12c..0cbf13fef4 100644 --- a/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Configure the security controls in Secure score description: Configure the security controls in Secure score keywords: secure score, dashboard, security recommendations, security control state, security score, score improvement, microsoft secure score, security controls, security control, improvement opportunities, edr, antivirus, av, os security updates search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/security/threat-protection/windows-defender-atp/security-operations-dashboard-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/security-operations-dashboard-windows-defender-advanced-threat-protection.md index 0fdb2ab3d7..907d6c7b27 100644 
--- a/windows/security/threat-protection/windows-defender-atp/security-operations-dashboard-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/security-operations-dashboard-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Windows Defender Security Center Security operations dashboard description: Use the dashboard to identify machines at risk, keep track of the status of the service, and see statistics and information about machines and alerts. keywords: dashboard, alerts, new, in progress, resolved, risk, machines at risk, infections, reporting, statistics, charts, graphs, health, active malware detections, threat category, categories, password stealer, ransomware, exploit, threat, low severity, active malware search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/security/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md index 20028f9555..65de179e29 100644 --- a/windows/security/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Check the Windows Defender ATP service health description: Check Windows Defender ATP service health, see if the service is experiencing issues and review previous issues that have been resolved. keywords: dashboard, service, issues, service health, current status, status history, summary of impact, preliminary root cause, resolution, resolution time, expected resolution time search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library 
diff --git a/windows/security/threat-protection/windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md index 2e4f1e0fd1..837e642aa1 100644 --- a/windows/security/threat-protection/windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Stop and quarantine file API description: Use this API to create calls related to stopping and quarantining a file. keywords: apis, graph api, supported apis, stop, quarantine, file search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/security/threat-protection/windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md index a6c64df7ff..83fbe686fb 100644 --- a/windows/security/threat-protection/windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Supported Windows Defender Advanced Threat Protection query APIs description: Learn about the specific supported Windows Defender Advanced Threat Protection entities where you can create API calls to. keywords: apis, graph api, supported apis, actor, alerts, machine, user, domain, ip, file search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library 
@@ -34,4 +35,8 @@ File | Run API calls such as get file information, file related alerts, file rel IP | Run API calls such as get IP related alerts, IP related machines, IP statistics, and check if and IP is seen in your organization. Machines | Run API calls such as find machine information by IP, get machines, get machines by ID, information about logged on users, and alerts related to a given machine ID. User | Run API calls such as get alert related user information, user information, user related alerts, and user related machines. +KbInfo | Run API call that gets list of Windows KB's information +CveKbMap | Run API call that gets mapping of CVE's to corresponding KB's +MachineSecurityStates | Run API call that gets list of machines with their security properties and versions +MachineGroups | Run API call that gets list of machine group definitions diff --git a/windows/security/threat-protection/windows-defender-atp/supported-response-apis-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/supported-response-apis-windows-defender-advanced-threat-protection.md index 2ee0df491f..fe228f3acc 100644 --- a/windows/security/threat-protection/windows-defender-atp/supported-response-apis-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/supported-response-apis-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Supported Windows Defender Advanced Threat Protection response APIs description: Learn about the specific response related Windows Defender Advanced Threat Protection API calls. keywords: response apis, graph api, supported apis, actor, alerts, machine, user, domain, ip, file search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library 
diff --git a/windows/security/threat-protection/windows-defender-atp/threat-analytics-dashboard-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/threat-analytics-dashboard-windows-defender-advanced-threat-protection.md index affe0ea030..321085bc62 100644 --- a/windows/security/threat-protection/windows-defender-atp/threat-analytics-dashboard-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/threat-analytics-dashboard-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Threat analytics for Spectre and Meltdown description: Get a tailored organizational risk evaluation and actionable steps you can take to minimize risks in your organization. keywords: threat analytics, risk evaluation, OS mitigation, microcode mitigation, mitigation status search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -45,7 +46,7 @@ To access Threat analytics, from the navigation pane select **Dashboards** > **T Click a section of each chart to get a list of the machines in the corresponding mitigation status. ## Related topics -- [Threat analtyics](threat-analytics-windows-defender-advanced-threat-protection.md) +- [Threat analytics](threat-analytics.md) - [Overview of Secure Score in Windows Defender Security Center](overview-secure-score-windows-defender-advanced-threat-protection.md) - [Configure the security controls in Secure score](secure-score-dashboard-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/windows-defender-atp/threat-analytics.md b/windows/security/threat-protection/windows-defender-atp/threat-analytics.md index cb47452b3c..3bde0d0f86 100644 --- a/windows/security/threat-protection/windows-defender-atp/threat-analytics.md +++ b/windows/security/threat-protection/windows-defender-atp/threat-analytics.md 
@@ -3,6 +3,7 @@ title: Windows Defender Advanced Threat Protection Threat analytics description: Get a tailored organizational risk evaluation and actionable steps you can take to minimize risks in your organization. keywords: threat analytics, risk evaluation, OS mitigation, microcode mitigation, mitigation status search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/security/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md index c189fa2336..3f5a0597bd 100644 --- a/windows/security/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Understand threat intelligence concepts in Windows Defender ATP description: Create custom threat alerts for your organization and learn the concepts around threat intelligence in Windows Defender Advanced Threat Protection. keywords: threat intelligence, alert definitions, indicators of compromise, ioc search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/security/threat-protection/windows-defender-atp/threat-protection-integration.md b/windows/security/threat-protection/windows-defender-atp/threat-protection-integration.md index b491a5a109..4c9c126a2d 100644 --- a/windows/security/threat-protection/windows-defender-atp/threat-protection-integration.md +++ b/windows/security/threat-protection/windows-defender-atp/threat-protection-integration.md 
@@ -1,8 +1,9 @@ --- -title: Microsoft threat protection -description: -keywords: +title: Windows Defender ATP in Microsoft Threat Protection +description: Learn about the capabilities within the Microsoft Threat Protection +keywords: microsoft threat protection, conditional access, office, advanced threat protection, azure atp, azure security center, microsoft cloud app security search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -10,10 +11,18 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 09/12/2018 +ms.date: 10/12/2018 --- -# Microsoft threat protection +# Microsoft Threat Protection + +**Applies to:** + +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +Windows Defender ATP is part of the Microsoft Threat Protection solution that helps implement end-to-end security across possible attack surfaces in the modern workplace. + +For more information on Microsoft Threat Protection, see [Announcing Microsoft Threat Protection](https://techcommunity.microsoft.com/t5/Security-Privacy-and-Compliance/Announcing-Microsoft-Threat-Protection/ba-p/262783). Microsoft's multiple layers of threat protection across data, applications, devices, and identities can help protect your organization from advanced cyber threats. 
@@ -23,7 +32,7 @@ Each layer in the threat protection stack plays a critical role in protecting cu Windows Defender ATP's dynamic machine risk score is integrated into the conditional access evaluation, ensuring that only secure devices have access to resources. ## Office 365 Advanced Threat Protection (Office 365 ATP) -The integration between Office 365 ATP and Windows Defender ATP enables security analysts to go upstream to investigate the entry point of an attack. Through threat intelligence sharing, attacks can be contained and blocked. +[Office 365 ATP](https://docs.microsoft.com/office365/securitycompliance/office-365-atp) helps protect your organization from malware in email messages or files through ATP Safe Links, ATP Safe Attachments, advanced Anti-Phishing, and spoof intelligence capabilities. The integration between Office 365 ATP and Windows Defender ATP enables security analysts to go upstream to investigate the entry point of an attack. Through threat intelligence sharing, attacks can be contained and blocked. ## Azure Advanced Threat Protection (Azure ATP) Suspicious activities are processes running under a user context. The integration between Windows Defender ATP and Azure ATP provides the flexibility of conducting cyber security investigation across activities and identities. diff --git a/windows/security/threat-protection/windows-defender-atp/time-settings-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/time-settings-windows-defender-advanced-threat-protection.md index 505296a18a..4dd9223f2d 100644 --- a/windows/security/threat-protection/windows-defender-atp/time-settings-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/time-settings-windows-defender-advanced-threat-protection.md 
@@ -3,6 +3,7 @@ title: Windows Defender Security Center time zone settings description: Use the menu to configure the time zone and view license information. keywords: settings, Windows Defender, cybersecurity threat intelligence, advanced threat protection, time zone, utc, local time, license search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/security/threat-protection/windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md index d86deb3f28..813babce81 100644 --- a/windows/security/threat-protection/windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Troubleshoot custom threat intelligence issues in Windows Defender ATP description: Troubleshoot issues that might arise when using the custom threat intelligence feature in Windows Defender ATP. keywords: troubleshoot, custom threat intelligence, custom ti, rest api, api, alert definitions, indicators of compromise search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md index 3310063e5a..bb2326d2d8 100644 --- a/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md 
+++ b/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Troubleshoot onboarding issues and error messages description: Troubleshoot onboarding issues and error message while completing setup of Windows Defender Advanced Threat Protection. keywords: troubleshoot, troubleshooting, Azure Active Directory, onboarding, error message, error messages, windows defender atp search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md index 87d878f234..7f38e2545a 100644 --- a/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Troubleshoot Windows Defender ATP onboarding issues description: Troubleshoot issues that might arise during the onboarding of machines or to the Windows Defender ATP service. keywords: troubleshoot onboarding, onboarding issues, event viewer, data collection and preview builds, sensor data and diagnostics search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/security/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md index cd9048386c..2d4fc88758 100644 
--- a/windows/security/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Troubleshoot SIEM tool integration issues in Windows Defender ATP description: Troubleshoot issues that might arise when using SIEM tools with Windows Defender ATP. keywords: troubleshoot, siem, client secret, secret search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/security/threat-protection/windows-defender-atp/troubleshoot-wdatp.md b/windows/security/threat-protection/windows-defender-atp/troubleshoot-wdatp.md index 12f36df3a9..272709e22a 100644 --- a/windows/security/threat-protection/windows-defender-atp/troubleshoot-wdatp.md +++ b/windows/security/threat-protection/windows-defender-atp/troubleshoot-wdatp.md @@ -3,6 +3,7 @@ title: Troubleshoot Windows Defender Advanced Threat Protection capabilities description: Find solutions to issues on sensor state, service issues, or other Windows Defender ATP capabilities keywords: troubleshoot, sensor, state, service, issues, attack surface reduction, next generation protection search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/security/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md index fc9f502186..2f5332e094 100644 --- a/windows/security/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md 
@@ -3,6 +3,7 @@ title: Troubleshoot Windows Defender Advanced Threat Protection service issues description: Find solutions and work arounds to known issues such as server errors when trying to access the service. keywords: troubleshoot Windows Defender Advanced Threat Protection, troubleshoot Windows ATP, server error, access denied, invalid credentials, no data, dashboard portal, whitelist, event viewer search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/security/threat-protection/windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md index 7ea3ec1258..c0abbe6cdd 100644 --- a/windows/security/threat-protection/windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Unblock file API description: Use this API to create calls related to allowing a file to be executed in the organization keywords: apis, graph api, supported apis, unblock file search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection.md index c0ef9d02f6..f7b0fe34b5 100644 --- a/windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection.md 
@@ -3,6 +3,7 @@ title: Release machine from isolation API description: Use this API to create calls related to release a machine from isolation. keywords: apis, graph api, supported apis, remove machine from isolation search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection.md index 4c8788c337..393d41412f 100644 --- a/windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Remove app restriction API description: Use this API to create calls related to removing a restriction from applications from executing. keywords: apis, graph api, supported apis, remove machine from isolation search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/security/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md index c45ead9ecd..9a12d912f6 100644 --- a/windows/security/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md 
@@ -3,6 +3,7 @@ title: Use the custom threat intelligence API to create custom alerts description: Use the threat intelligence API in Windows Defender Advanced Threat Protection to create custom alerts keywords: threat intelligence, alert definitions, indicators of compromise search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/security/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md index 42e5a71b83..f41440d094 100644 --- a/windows/security/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Overview of Windows Defender Security Center description: Learn about the features on Windows Defender Security Center, including how alerts work, and suggestions on how to investigate possible breaches and attacks. keywords: dashboard, alerts queue, manage alerts, investigation, investigate alerts, investigate machines, submit files, deep analysis, high, medium, low, severity, ioc, ioa search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -15,6 +16,10 @@ ms.date: 03/12/2018 # Overview of Windows Defender Security Center +**Applies to:** + +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-usewdatp-abovefoldlink) Windows Defender Security Center is the portal where you can access Windows Defender Advanced Threat Protection capabilities. 
diff --git a/windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md index 122fd23da5..829e256921 100644 --- a/windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Create and manage roles for role-based access control description: Create roles and define the permissions assigned to the role as part of the role-based access control implimentation keywords: user roles, roles, access rbac search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/security/threat-protection/windows-defender-atp/view-incidents-queue.md b/windows/security/threat-protection/windows-defender-atp/view-incidents-queue.md new file mode 100644 index 0000000000..d905eb0d2b --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/view-incidents-queue.md 
@@ -0,0 +1,75 @@
+---
+title: View and organize the Incidents queue
+description: See the list of incidents and learn how to apply filters to limit the list and get a more focused view.
+keywords: view, organize, incidents, aggregate, investigations, queue, ttp
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 10/08/2018
+---
+
+# View and organize the Windows Defender Advanced Threat Protection Incidents queue
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+The **Incidents queue** shows a collection of incidents that were flagged from machines in your network. It helps you sort through incidents to prioritize and create an informed cybersecurity response decision.
+
+By default, the queue displays incidents seen in the last 30 days, with the most recent incident showing at the top of the list, helping you see the most recent incidents first.
+
+There are several options you can choose from to customize the Incidents queue view.
+
+On the top navigation you can:
+- Customize columns to add or remove columns
+- Modify the number of items to view per page
+- Select the items to show per page
+- Batch-select the incidents to assign
+- Navigate between pages
+- Apply filters
+
+![Image of incidents queue](images/atp-incident-queue.png)
+
+## Sort and filter the incidents queue
+You can apply the following filters to limit the list of incidents and get a more focused view.
+
+Incident severity | Description
+:---|:---
+High
    (Red) | Threats often associated with advanced persistent threats (APT). These incidents indicate a high risk due to the severity of damage they can inflict on machines.
+Medium
    (Orange) | Threats rarely observed in the organization, such as anomalous registry change, execution of suspicious files, and observed behaviors typical of attack stages.
+Low
    (Yellow) | Threats associated with prevalent malware and hack-tools that do not necessarily indicate an advanced threat targeting the organization.
+Informational
    (Grey) | Informational incidents are those that might not be considered harmful to the network but might be good to keep track of.
+
+### Category
+Incidents are categorized based on the description of the stage by which the cybersecurity kill chain is in. This view helps the threat analyst to determine priority, urgency, and corresponding response strategy to deploy based on context.
+
+### Alerts
+Indicates the number of alerts associated with or part of the incidents.
+
+
+### Machines
+You can limit to show only the machines at risk which are associated with incidents.
+
+### Users
+You can limit to show only the users of the machines at risk which are associated with incidents.
+
+### Assigned to
+You can choose to show between unassigned incidents or those which are assigned to you.
+
+### Status
+You can choose to limit the list of incidents shown based on their status to see which ones are active or resolved
+
+### Classification
+Use this filter to choose between focusing on incidents flagged as true or false incidents.
+
+## Related topics
+- [Incidents queue](incidents-queue.md)
+- [Manage incidents](manage-incidents-windows-defender-advanced-threat-protection.md)
+- [Investigate incidents](investigate-incidents-windows-defender-advanced-threat-protection.md)
+
diff --git a/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md
index a67e865ccb..b4a4da13ba 100644
--- a/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md
@@ -3,6 +3,7 @@ title: Windows Defender Advanced Threat Protection
 description: Windows Defender Advanced Threat Protection is an enterprise security platform that helps secops to prevent, detect, investigate, and respond to possible cybersecurity threats related to advanced persistent threats.
 keywords: introduction to Windows Defender Advanced Threat Protection, introduction to Windows Defender ATP, cybersecurity, advanced persistent threat, enterprise security, machine behavioral sensor, cloud security, analytics, threat intelligence
 search.product: eADQiWindows 10XVcnh
+search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
@@ -31,7 +32,7 @@ Topic | Description
 :---|:---
 [Overview](overview.md) | Understand the concepts behind the capabilities in Windows Defender ATP so you take full advantage of the complete threat protection platform.
 [Get started](get-started.md) | Learn about the requirements of the platform and the initial steps you need to take to get started with Windows Defender ATP.
-[Cconfigure and manage capabilities](onboard.md)| Configure and manage the individual capabilities in Windows Defender ATP.
+[Configure and manage capabilities](onboard.md)| Configure and manage the individual capabilities in Windows Defender ATP.
 [Troubleshoot Windows Defender ATP](troubleshoot-wdatp.md) | Learn how to address issues that you might encounter while using the platform.
 ## Related topic
diff --git a/windows/security/threat-protection/windows-defender-atp/windows-defender-security-center-atp.md b/windows/security/threat-protection/windows-defender-atp/windows-defender-security-center-atp.md
index ea7e9fd67b..9791947810 100644
--- a/windows/security/threat-protection/windows-defender-atp/windows-defender-security-center-atp.md
+++ b/windows/security/threat-protection/windows-defender-atp/windows-defender-security-center-atp.md
@@ -3,6 +3,7 @@ title: Windows Defender Security Center
 description: Windows Defender Security Center is the portal where you can access Windows Defender Advanced Threat Protection.
 keywords: windows, defender, security, center, defender, advanced, threat, protection
 search.product: eADQiWindows 10XVcnh
+search.appverid: met150
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
index 18134f19d0..c66852c277 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
@@ -11,7 +11,7 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: andreabichsel
 ms.author: v-anbic
-ms.date: 10/02/2018
+ms.date: 10/17/2018
 ---
 # Reduce attack surfaces with attack surface reduction rules
@@ -56,7 +56,7 @@ Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d3
 Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
 Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c
 Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
-Block only Office communication applications from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869
+Block Office communication applications from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869
 Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
 The rules apply to the following Office apps:
@@ -120,8 +120,6 @@ Malware and other threats can attempt to obfuscate or hide their malicious code
 This rule prevents scripts that appear to be obfuscated from running.
-It uses the [AntiMalwareScanInterface (AMSI)](https://msdn.microsoft.com/en-us/library/windows/desktop/dn889587(v=vs.85).aspx) to determine if a script is potentially obfuscated, and then blocks such a script, or blocks scripts when an attempt is made to access them.
-
 ### Rule: Block Win32 API calls from Office macro
 Malware can use macro code in Office files to import and load Win32 DLLs, which can then be used to make API calls to allow further infection throughout the system.
@@ -168,7 +166,7 @@ With this rule, admins can prevent unsigned or untrusted executable files from r
 - Executable files (such as .exe, .dll, or .scr)
 - Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
-### Rule: Block only Office communication applications from creating child processes
+### Rule: Block Office communication applications from creating child processes
 Office communication apps will not be allowed to create child processes. This includes Outlook.
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md
index 2ed1ca2fa0..75725299ff 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md
@@ -11,7 +11,7 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: andreabichsel
 ms.author: v-anbic
-ms.date: 10/02/2018
+ms.date: 10/17/2018
 ---
 # Customize attack surface reduction rules
@@ -61,7 +61,7 @@ Use advanced protection against ransomware | [!include[Check mark yes](images/sv
 Block credential stealing from the Windows local security authority subsystem (lsass.exe) | [!include[Check mark no](images/svg/check-no.svg)] | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
 Block process creations originating from PSExec and WMI commands | [!include[Check mark yes](images/svg/check-yes.svg)] | d1e49aac-8f56-4280-b9ba-993a6d77406c
 Block untrusted and unsigned processes that run from USB | [!include[Check mark yes](images/svg/check-yes.svg)] | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
-Block only Office communication applications from creating child processes | [!include[Check mark yes](images/svg/check-yes.svg)] | 26190899-1602-49e8-8b27-eb1d0a1ce869
+Block Office communication applications from creating child processes | [!include[Check mark yes](images/svg/check-yes.svg)] | 26190899-1602-49e8-8b27-eb1d0a1ce869
 Block Adobe Reader from creating child processes | [!include[Check mark yes](images/svg/check-yes.svg)] | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
 See the [attack surface reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule.
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md
index dd2ed4fda3..2ba64377c3 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md
@@ -11,7 +11,7 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: andreabichsel
 ms.author: v-anbic
-ms.date: 10/02/2018
+ms.date: 10/17/2018
 ---
 # Enable attack surface reduction rules
@@ -46,7 +46,7 @@ Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d3
 Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
 Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c
 Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
-Block only Office communication applications from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869
+Block Office communication applications from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869
 Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
 See the [Attack surface reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule.
diff --git a/windows/security/threat-protection/windows-platform-common-criteria.md b/windows/security/threat-protection/windows-platform-common-criteria.md
new file mode 100644
index 0000000000..1be7c7a0fb
--- /dev/null
+++ b/windows/security/threat-protection/windows-platform-common-criteria.md
@@ -0,0 +1,169 @@
+---
+title: Common Criteria Certifications
+description: This topic details how Microsoft supports the Common Criteria certification program.
+ms.prod: w10
+ms.localizationpriority: medium
+ms.author: daniha
+author: danihalfin
+ms.date: 10/8/2018
+---
+
+# Common Criteria Certifications
+
+Microsoft is committed to optimizing the security of its products and services. As part of that commitment, Microsoft supports the Common Criteria certification program, continues to ensure that products incorporate the features and functions required by relevant Common Criteria protection profiles, and completes Common Criteria certifications of Microsoft Windows products.
+
+## Common Criteria Security Targets
+
+### Information for Systems Integrators and Accreditors
+
+The Security Target describes security functionality and assurance measures used to evaluate Windows.
+
+ - [Microsoft Windows 10 (Fall Creators Update)](http://download.microsoft.com/download/B/6/A/B6A5EC2C-6351-4FB9-8FF1-643D4BD5BE6E/Windows%2010%201709%20GP%20OS%20Security%20Target.pdf)
+ - [Microsoft Windows 10 (Creators Update)](http://download.microsoft.com/download/e/8/b/e8b8c42a-a0b6-4ba1-9bdc-e704e8289697/windows%2010%20version%201703%20gp%20os%20security%20target%20-%20public%20\(january%2016,%202018\)\(final\)\(clean\).pdf)
+ - [Microsoft Windows Server 2016, Microsoft Windows Server 2012 R2, and Microsoft Windows 10 Hyper-V](http://download.microsoft.com/download/1/c/3/1c3b5ab0-e064-4350-a31f-48312180d9b5/st_vid10823-st.pdf)
+ - [Microsoft Windows 10 (Anniversary Update) and Windows 10 Mobile (Anniversary Update)](http://download.microsoft.com/download/1/5/e/15eee6d3-f2a8-4441-8cb1-ce8c2ab91c24/windows%2010%20anniversary%20update%20mdf%20security%20target%20-%20public%20\(april%203%202017\).docx)
+ - [Microsoft Windows 10 (Anniversary Update) and Windows Server 
2016](http://download.microsoft.com/download/f/8/c/f8c1c2a4-719c-48ae-942f-9fd3ce5b238f/windows%2010%20au%20and%20server%202016%20gp%20os%20security%20target%20-%20public%20\(december%202%202016\)%20\(clean\).docx)
+ - [Windows 10 (Anniversary Update) and Windows Server 2016 IPsec VPN Client](http://download.microsoft.com/download/b/f/5/bf59e430-e57b-462d-8dca-8ac3c93cfcff/windows%2010%20anniversary%20update%20ipsec%20vpn%20client%20security%20target%20-%20public%20\(december%2029%202016\)%20\(clean\).docx)
+ - [Microsoft Windows 10 IPsec VPN Client](http://download.microsoft.com/download/3/7/2/372beb03-b1ed-4bb6-9b9b-b8f43afc570d/st_vid10746-st.pdf)
+ - [Microsoft Windows 10 November 2015 Update with Surface Book](http://download.microsoft.com/download/a/c/2/ac2a6ed8-4d2f-4f48-a9bf-f059d6c9af38/windows%2010%20mdf3%20security%20target%20-%20public%20\(june%2022%202016\)\(final\).docx)
+ - [Microsoft Windows 10 Mobile with Lumia 950, 950 XL, 550, 635, and Windows 10 with Surface Pro 4](https://www.niap-ccevs.org/st/st_vid10677-st.pdf)
+ - [Windows 10 and Windows Server 2012 R2](http://www.commoncriteriaportal.org/files/epfiles/st_windows10.pdf)
+ - [Windows 10](https://www.niap-ccevs.org/st/st_vid10677-st.pdf)
+ - [Windows 8.1 with Surface 3 and Windows Phone 8.1 with Lumia 635 and Lumia 830](https://www.niap-ccevs.org/st/st_vid10635-st.pdf)
+ - [Microsoft Surface Pro 3 and Windows 8.1](https://www.niap-ccevs.org/st/st_vid10632-st.pdf)
+ - [Windows 8.1 and Windows Phone 8.1](https://www.niap-ccevs.org/st/st_vid10592-st.pdf)
+ - [Windows 8 and Windows Server 2012](https://www.niap-ccevs.org/st/st_vid10520-st.pdf)
+ - [Windows 8 and Windows RT](https://www.niap-ccevs.org/st/st_vid10620-st.pdf)
+ - [Windows 8 and Windows Server 2012 BitLocker](http://www.commoncriteriaportal.org/files/epfiles/st_vid10540-st.pdf)
+ - [Windows 8, Windows RT, and Windows Server 2012 IPsec VPN Client](http://www.commoncriteriaportal.org/files/epfiles/st_vid10529-st.pdf)
+ - [Windows 7 and 
Windows Server 2008 R2](http://www.commoncriteriaportal.org/files/epfiles/st_vid10390-st.pdf)
+ - [Microsoft Windows Server 2008 R2 Hyper-V Role](http://www.microsoft.com/download/en/details.aspx?id=29305)
+ - [Windows Vista and Windows Server 2008 at EAL4+](http://www.commoncriteriaportal.org/files/epfiles/st_vid10291-st.pdf)
+ - [Microsoft Windows Server 2008 Hyper-V Role](http://www.commoncriteriaportal.org/files/epfiles/0570b_pdf.pdf)
+ - [Windows Vista and Windows Server 2008 at EAL1](http://www.commoncriteriaportal.org/files/epfiles/efs-t005_msvista_msserver2008_eal1_st_v1.0.pdf)
+ - [Windows Server 2003 SP2 including R2, x64, and IA64; Windows XP Professional SP2 and x64 SP2; and Windows XP Embedded SP2](http://www.commoncriteriaportal.org/files/epfiles/st_vid10184-st.pdf)
+ - [Windows Server 2003 Certificate Server](http://www.commoncriteriaportal.org/files/epfiles/st_vid9507-st.pdf)
+ - [Windows Rights Management Services (RMS) 1.0 SP2](http://www.commoncriteriaportal.org/files/epfiles/st_vid10224-st.pdf)
+
+## Common Criteria Deployment and Administration
+
+### Information for IT Administrators
+
+These documents describe how to configure Windows to replicate the configuration used during the Common Criteria evaluation.
+
+**Windows 10, Windows 10 Mobile, Windows Server 2016, Windows Server 2012 R2**
+
+
+ - [Microsoft Windows 10 (Fall Creators Update)](http://download.microsoft.com/download/5/D/2/5D26F473-0FCE-4AC4-9065-6AEC0FE5B693/Windows%2010%201709%20GP%20OS%20Administrative%20Guide.pdf)
+ - [Microsoft Windows 10 (Creators Update)](http://download.microsoft.com/download/e/9/7/e97f0c7f-e741-4657-8f79-2c0a7ca928e3/windows%2010%20cu%20gp%20os%20operational%20guidance%20\(jan%208%202017%20-%20public\).pdf)
+ - [Microsoft Windows Server 2016, Microsoft Windows Server 2012 R2, and Microsoft Windows 10 Hyper-V](http://download.microsoft.com/download/d/c/4/dc40b5c8-49c2-4587-8a04-ab3b81eb6fc4/st_vid10823-agd.pdf)
+ - [Microsoft Windows 10 (Anniversary Update) and Windows 10 Mobile (Anniversary Update)](http://download.microsoft.com/download/4/c/1/4c1f4ea4-2d66-4232-a0f5-925b2bc763bc/windows%2010%20au%20operational%20guidance%20\(16%20mar%202017\)\(clean\).docx)
+ - [Microsoft Windows 10 (Anniversary Update) and Windows Server 2016](http://download.microsoft.com/download/b/5/2/b52e9081-05c6-4895-91a3-732bfa0eb4da/windows%2010%20au%20and%20server%202016%20gp%20os%20operational%20guidance%20\(final\).docx)
+ - [Windows 10 (Anniversary Update) and Windows Server 2016 IPsec VPN Client Operational Guidance](http://download.microsoft.com/download/2/c/c/2cc8f929-233e-4a40-b673-57b449680984/windows%2010%20au%20and%20server%202016%20ipsec%20vpn%20client%20operational%20guidance%20\(21%20dec%202016\)%20\(public\).docx)
+ - [Microsoft Windows 10 IPsec VPN Client](http://download.microsoft.com/download/3/3/f/33fa01dd-b380-46e1-833f-fd85854b4022/st_vid10746-agd.pdf)
+ - [Microsoft Windows 10 November 2015 Update with Surface Book Administrative Guide](http://download.microsoft.com/download/3/2/c/32c6fa02-b194-478f-a0f6-0215b47d0f40/windows%2010%20mdf3%20mobile%20device%20pp%20operational%20guidance%20\(may%2027,%202016\)\(public\).docx)
+ - [Microsoft Windows 10 Mobile and Windows 10 
Administrative Guide](http://download.microsoft.com/download/2/d/c/2dce3435-9328-48e2-9813-c2559a8d39fa/microsoft%20windows%2010%20and%20windows%2010%20mobile%20guidance.pdf)
+ - [Windows 10 and Windows Server 2012 R2 Administrative Guide](http://download.microsoft.com/download/0/f/d/0fd33c9a-98ac-499e-882f-274f80f3d4f0/microsoft%20windows%2010%20and%20server%202012%20r2%20gp%20os%20guidance.pdf)
+ - [Windows 10 Common Criteria Operational Guidance](http://download.microsoft.com/download/d/6/f/d6fb4cec-f0f2-4d00-ab2e-63bde3713f44/windows%2010%20mobile%20device%20operational%20guidance.pdf)
+
+**Windows 8.1 and Windows Phone 8.1**
+
+ - [Microsoft Surface Pro 3 Common Criteria Mobile Operational Guidance](http://download.microsoft.com/download/b/e/3/be365594-daa5-4af3-a6b5-9533d61eae32/surface%20pro%203%20mobile%20operational%20guidance.docx)
+ - [Windows 8.1 and Windows Phone 8.1 CC Supplemental Admin Guide](http://download.microsoft.com/download/b/0/e/b0e30225-5017-4241-ac0a-6c40bc8e6714/mobile%20operational%20guidance.docx)
+
+**Windows 8, Windows RT, and Windows Server 2012**
+
+ - [Windows 8 and Windows Server 2012](http://download.microsoft.com/download/6/0/b/60b27ded-705a-4751-8e9f-642e635c3cf3/microsoft%20windows%208%20windows%20server%202012%20common%20criteria%20supplemental%20admin%20guidance.docx)
+ - [Windows 8 and Windows RT](http://download.microsoft.com/download/8/6/e/86e8c001-8556-4949-90cf-f5beac918026/microsoft%20windows%208%20microsoft%20windows%20rt%20common%20criteria%20supplemental%20admin.docx)
+ - [Windows 8 and Windows Server 2012 BitLocker](http://download.microsoft.com/download/0/8/4/08468080-540b-4326-91bf-f2a33b7e1764/administrative%20guidance%20for%20software%20full%20disk%20encryption%20clients.pdf)
+ - [Windows 8, Windows RT, and Windows Server 2012 IPsec VPN 
Client](http://download.microsoft.com/download/a/9/f/a9fd7e2d-023b-4925-a62f-58a7f1a6bd47/microsoft%20windows%208%20windows%20server%202012%20supplemental%20admin%20guidance%20ipsec%20vpn%20client.docx)
+
+**Windows 7 and Windows Server 2008 R2**
+
+ - [Windows 7 and Windows Server 2008 R2 Supplemental CC Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=ee05b6d0-9939-4765-9217-63083bb94a00)
+ - [Windows Server 2008 R2 Hyper-V Common Criteria Configuration Guide](http://www.microsoft.com/download/en/details.aspx?id=29308)
+
+**Windows Vista and Windows Server 2008**
+
+ - [Windows Vista and Windows Server 2008 Supplemental CC Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=06166288-24c4-4c42-9daa-2b2473ddf567)
+ - [Windows Server 2008 Hyper-V Role Common Criteria Administrator Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=cb19538d-9e13-4ab6-af38-8f48abfdad08)
+
+**Windows Server 2003 SP2 including R2, x64, and Itanium**
+
+ - [Windows Server 2003 SP2 R2 Common Criteria Administrator Guide 3.0](http://www.microsoft.com/downloads/details.aspx?familyid=39598841-e693-4891-9234-cfd1550f3949)
+ - [Windows Server 2003 SP2 R2 Common Criteria Configuration Guide 3.0](http://www.microsoft.com/downloads/details.aspx?familyid=4f7b6a93-0307-480f-a5af-a20268cbd7cc)
+
+**Windows Server 2003 SP1(x86), x64, and IA64**
+
+ - [Windows Server 2003 with x64 Hardware Administrator's Guide](http://www.microsoft.com/downloads/details.aspx?familyid=8a26829f-c177-4b79-913a-4135fb7b96ef)
+ - [Windows Server 2003 with x64 Hardware Configuration Guide](http://www.microsoft.com/downloads/details.aspx?familyid=3f9ecd0a-74dd-4d23-a4e5-d7b63fed70e8)
+
+**Windows Server 2003 SP1**
+
+ - [Windows Server 2003 Administrator's Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=75736009-59e9-4a71-879e-cf581817b8cc)
+ - [Windows Server 2003 Configuration 
Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=a0ad1856-beb7-4285-b47c-381e8a210c38)
+
+**Windows XP Professional SP2 (x86) and x64 Edition**
+
+ - [Windows XP Common Criteria Administrator Guide 3.0](http://www.microsoft.com/downloads/details.aspx?familyid=9a7f0b16-72ce-4675-aec8-58785c4e37ee)
+ - [Windows XP Common Criteria Configuration Guide 3.0](http://www.microsoft.com/downloads/details.aspx?familyid=165da57d-f066-4ddf-9462-cbecfcd68694)
+ - [Windows XP Common Criteria User Guide 3.0](http://www.microsoft.com/downloads/details.aspx?familyid=7c1a4761-9b9e-429c-84eb-cd7b034c5779)
+ - [Windows XP Professional with x64 Hardware Administrator's Guide](http://www.microsoft.com/downloads/details.aspx?familyid=346f041e-d641-4af7-bdea-c5a3246d0431)
+ - [Windows XP Professional with x64 Hardware Configuration Guide](http://www.microsoft.com/downloads/details.aspx?familyid=a7075319-cc3d-4420-a00b-8c9a7068ad54)
+ - [Windows XP Professional with x64 Hardware User’s Guide](http://www.microsoft.com/downloads/details.aspx?familyid=26c49cf5-6159-4197-97ce-bf1fdfc54569)
+
+**Windows XP Professional SP2, and XP Embedded SP2**
+
+ - [Windows XP Professional Administrator's Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=9bcac470-a0b3-4d34-a561-fa8308c0ff60)
+ - [Windows XP Professional Configuration Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=9f04915e-571a-422d-8ffa-5797051e81de)
+ - [Windows XP Professional User's Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=d39d0028-7093-495c-80da-2b5b29a54bd8)
+
+**Windows Server 2003 Certificate Server**
+
+ - [Windows Server 2003 Certificate Server Administrator's Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=445093d8-45e2-4cf6-884c-8802c1e6cb2d)
+ - [Windows Server 2003 Certificate Server Configuration Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=46abc8b5-11be-4e3d-85c2-63226c3688d2)
+ - [Windows Server 2003 
Certificate Server User's Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=74f66d84-2654-48d0-b9b5-b383d383425e)
+
+## Common Criteria Evaluation Technical Reports and Certification / Validation Reports
+
+### Information for Systems Integrators and Accreditors
+
+An Evaluation Technical Report (ETR) is a report submitted to the Common Criteria certification authority for how Windows complies with the claims made in the Security Target. A Certification / Validation Report provides the results of the evaluation by the validation team.
+
+ - [Microsoft Windows 10 (Fall Creators Update)](http://download.microsoft.com/download/2/C/2/2C20D013-0610-4047-B2FA-516819DFAE0A/Windows%2010%201709%20GP%20OS%20Certification%20Report.pdf)
+ - [Microsoft Windows 10 (Creators Update)](http://download.microsoft.com/download/3/2/c/32cdf627-dd23-4266-90ff-2f9685fd15c0/2017-49%20inf-2218%20cr.pdf)
+ - [Microsoft Windows Server 2016, Microsoft Windows Server 2012 R2, and Microsoft Windows 10 Hyper-V](http://download.microsoft.com/download/a/3/3/a336f881-4ac9-4c79-8202-95289f86bb7a/st_vid10823-vr.pdf)
+ - [Microsoft Windows 10 (Anniversary Update) and Windows 10 Mobile (Anniversary Update)](http://download.microsoft.com/download/f/2/f/f2f7176e-34f4-4ab0-993c-6606d207bb3c/st_vid10752-vr.pdf)
+ - [Microsoft Windows 10 (Anniversary Update) and Windows Server 2016](http://download.microsoft.com/download/5/4/8/548cc06e-c671-4502-bebf-20d38e49b731/2016-36-inf-1779.pdf)
+ - [Windows 10 (Anniversary Update) and Windows Server 2016 IPsec VPN Client](http://download.microsoft.com/download/2/0/a/20a8e686-3cd9-43c4-a22a-54b552a9788a/st_vid10753-vr.pdf)
+ - [Microsoft Windows 10 IPsec VPN Client](http://download.microsoft.com/download/9/b/6/9b633763-6078-48aa-b9ba-960da2172a11/st_vid10746-vr.pdf)
+ - [Microsoft Windows 10 November 2015 Update with Surface Book](http://download.microsoft.com/download/d/c/b/dcb7097d-1b9f-4786-bb07-3c169fefb579/st_vid10715-vr.pdf)
+ - [Microsoft 
Windows 10 Mobile with Lumia 950, 950 XL, 550, 635, and Windows 10 with Surface Pro 4](https://www.niap-ccevs.org/st/st_vid10694-vr.pdf)
+ - [Windows 10 and Windows Server 2012 R2](https://www.commoncriteriaportal.org/files/epfiles/cr_windows10.pdf)
+ - [Windows 10](https://www.niap-ccevs.org/st/st_vid10677-vr.pdf)
+ - [Windows 8.1 with Surface 3 and Windows Phone 8.1 with Lumia 635 and Lumia 830](https://www.niap-ccevs.org/st/st_vid10635-vr.pdf)
+ - [Microsoft Surface Pro 3 and Windows 8.1](https://www.niap-ccevs.org/st/st_vid10632-vr.pdf)
+ - [Windows 8.1 and Windows Phone 8.1](https://www.niap-ccevs.org/st/st_vid10592-vr.pdf)
+ - [Windows 8 and Windows Server 2012](https://www.niap-ccevs.org/st/st_vid10520-vr.pdf)
+ - [Windows 8 and Windows RT](https://www.niap-ccevs.org/st/st_vid10620-vr.pdf)
+ - [Windows 8 and Windows Server 2012 BitLocker](http://www.commoncriteriaportal.org/files/epfiles/st_vid10540-vr.pdf)
+ - [Windows 8, Windows RT, and Windows Server 2012 IPsec VPN Client](http://www.commoncriteriaportal.org/files/epfiles/st_vid10529-vr.pdf)
+ - [Windows 7 and Windows Server 2008 R2 Validation Report](http://www.commoncriteriaportal.org/files/epfiles/st_vid10390-vr.pdf)
+ - [Windows Vista and Windows Server 2008 Validation Report at EAL4+](http://www.commoncriteriaportal.org/files/epfiles/st_vid10291-vr.pdf)
+ - [Windows Server 2008 Hyper-V Role Certification Report](http://www.commoncriteriaportal.org/files/epfiles/0570a_pdf.pdf)
+ - [Windows Vista and Windows Server 2008 Certification Report at EAL1](http://www.commoncriteriaportal.org/files/epfiles/efs-t005_msvista_msserver2008_eal1_cr_v1.0.pdf)
+ - [Windows XP / Windows Server 2003 with x64 Hardware ETR](http://www.microsoft.com/downloads/details.aspx?familyid=6e8d98f9-25b9-4c85-9bd9-24d91ea3c9ef)
+ - [Windows XP / Windows Server 2003 with x64 Hardware ETR, Part II](http://www.microsoft.com/downloads/details.aspx?familyid=0c35e7d8-9c56-4686-b902-d5ffb9915658)
+ - [Windows Server 2003 SP2 including R2, 
Standard, Enterprise, Datacenter, x64, and Itanium Editions Validation Report](http://www.commoncriteriaportal.org/files/epfiles/20080303_st_vid10184-vr.pdf)
+ - [Windows XP Professional SP2 and x64 SP2 Validation Report](http://www.commoncriteriaportal.org/files/epfiles/20080303_st_vid10184-vr.pdf)
+ - [Windows XP Embedded SP2 Validation Report](http://www.commoncriteriaportal.org/files/epfiles/20080303_st_vid10184-vr.pdf)
+ - [Windows XP and Windows Server 2003 ETR](http://www.microsoft.com/downloads/details.aspx?familyid=63cf2a1e-f578-4bb5-9245-d411f0f64265)
+ - [Windows XP and Windows Server 2003 Validation Report](http://www.commoncriteriaportal.org/files/epfiles/st_vid9506-vr.pdf)
+ - [Windows Server 2003 Certificate Server ETR](http://www.microsoft.com/downloads/details.aspx?familyid=a594e77f-dcbb-4787-9d68-e4689e60a314)
+ - [Windows Server 2003 Certificate Server Validation Report](http://www.commoncriteriaportal.org/files/epfiles/st_vid9507-vr.pdf)
+ - [Microsoft Windows Rights Management Services (RMS) 1.0 SP2 Validation Report](http://www.commoncriteriaportal.org/files/epfiles/st_vid10224-vr.pdf)
+
+## Other Common Criteria Related Documents
+
+ - [Identifying Windows XP and Windows Server 2003 Common Criteria Certified Requirements for the NIST Special Publication 800-53](http://download.microsoft.com/download/a/9/6/a96d1dfc-2bd4-408d-8d93-e0ede7529691/xpws03_ccto800-53.doc)
+
diff --git a/windows/whats-new/whats-new-windows-10-version-1607.md b/windows/whats-new/whats-new-windows-10-version-1607.md
index b296cc0cdf..287a4e1617 100644
--- a/windows/whats-new/whats-new-windows-10-version-1607.md
+++ b/windows/whats-new/whats-new-windows-10-version-1607.md
@@ -103,7 +103,7 @@ Several new features and management options have been added to Windows Defender
 - [Windows Defender Offline in Windows 10](/windows/threat-protection/windows-defender-antivirus/windows-defender-offline) can be run directly from within Windows, without having to create bootable media.
 - [Use PowerShell cmdlets for Windows Defender](/windows/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus) to configure options and run scans.
 - [Enable the Block at First Sight feature in Windows 10](/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus) to leverage the Windows Defender cloud for near-instant protection against new malware.
-- [Configure enhanced notifications for Windows Defender in Windows 10](/windows/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus) to see more informaiton about threat detections and removal.
+- [Configure enhanced notifications for Windows Defender in Windows 10](/windows/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus) to see more information about threat detections and removal.
 - [Run a Windows Defender scan from the command line](/windows/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus).
 - [Detect and block Potentially Unwanted Applications with Windows Defender](/windows/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus) during download and install times.
diff --git a/windows/whats-new/whats-new-windows-10-version-1809.md b/windows/whats-new/whats-new-windows-10-version-1809.md
index 62ee95e835..1a8be89a59 100644
--- a/windows/whats-new/whats-new-windows-10-version-1809.md
+++ b/windows/whats-new/whats-new-windows-10-version-1809.md
@@ -51,7 +51,7 @@ Windows Autopilot self-deploying mode enables a zero touch device provisioning e
 This self-deploying capability removes the current need to have an end user interact by pressing the “Next” button during the deployment process.
-You can utilize Windows Autopilot self-deploying mode to register the device to an AAD tenant, enroll in your organization’s MDM provider,and provision policies and applications, all with no user authentication or user interaction required.
+You can utilize Windows Autopilot self-deploying mode to register the device to an AAD tenant, enroll in your organization’s MDM provider, and provision policies and applications, all with no user authentication or user interaction required.
 To learn more about Autopilot self-deploying mode and to see step-by-step instructions to perform such a deployment, [Windows Autopilot self-deploying mode](https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/self-deploying).
@@ -60,6 +60,7 @@ To learn more about Autopilot self-deploying mode and to see step-by-step instru
 We introduced a simplified assigned access configuration experience in **Settings** that allows device administrators to easily set up a PC as a kiosk or digital sign. A wizard experience walks you through kiosk setup including creating a kiosk account that will automatically sign in when a device starts.
 To use this feature, go to **Settings**, search for **assigned access**, and open the **Set up a kiosk** page.
+
 ![set up a kiosk](images/kiosk-mode.png "set up a kiosk")
 Microsoft Edge kiosk mode running in single-app assigned access has two kiosk types.
@@ -111,9 +112,6 @@ We’ve continued to work on the **Current threats** area in  [Virus & threat pr
 ![Virus & threat protection settings](images/virus-and-threat-protection.png "Virus & threat protection settings")
-You can enable a new protection setting, **Block suspicious behaviors**, which brings [Windows Defender Exploit Guard attack surface reduction technology](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard) to all users. To enable this setting, go to the **Virus & threat protection** section and click **Manage settings**, as shown in the following screenshot:
-
-![Block suspicious behaviors](images/block-suspicious-behaviors.png "Block suspicious behaviors")
 With controlled folder access you can help prevent ransomware and other destructive malware from changing your personal files. In some cases, apps that you normally use might be blocked from making changes to common folders like **Documents** and **Pictures**. We’ve made it easier for you to add apps that were recently blocked so you can keep using your device without turning off the feature altogether.
@@ -123,7 +121,7 @@ We added a new assessment for the Windows time service to the **Device performan
 We’re continuing to work on how other security apps you’ve installed show up in the **Windows Security** app. There’s a new page called **Security providers** that you can find in the **Settings** section of the app. Click **Manage providers** to see a list of all the other security providers (including antivirus, firewall, and web protection) that are running on your device. Here you can easily open the providers’ apps or get more information on how to resolve issues reported to you through **Windows Security**.
-This also means you’ll see more links to other security apps within **Windows Security**. For example, if you open the **Firewall & network protection** section, you’ll see the firewall apps that are running on your device under each firewall type, which inclueds domain, private, and public networks).
+This also means you’ll see more links to other security apps within **Windows Security**. For example, if you open the **Firewall & network protection** section, you’ll see the firewall apps that are running on your device under each firewall type, which includes domain, private, and public networks).
    HKLM\SOFTWARE\Microsoft\Security Center\Feature DisableAvCheck (DWORD) = 1 
@@ -131,7 +129,7 @@ This also means you’ll see more links to other security apps within **Windows
 #### Silent enforcement on fixed drives
-Through a Modern Decice Management (MDM) policy, BitLocker can be enabled silently for standard Azure Active Directory (AAD) joined users. In Windows 10, version 1803 automatic BitLocker encryption was enabled for standard AAD users, but this still required modern hardware that passed the Hardware Security Test Interface (HSTI). This new functionality enables BitLocker via policy even on devices that don’t pass the HSTI.
+Through a Modern Device Management (MDM) policy, BitLocker can be enabled silently for standard Azure Active Directory (AAD) joined users. In Windows 10, version 1803 automatic BitLocker encryption was enabled for standard AAD users, but this still required modern hardware that passed the Hardware Security Test Interface (HSTI). This new functionality enables BitLocker via policy even on devices that don’t pass the HSTI.
 This is an update to the [BitLocker CSP](https://docs.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp), which was introduced in Windows 10, version 1703, and leveraged by Intune and others.
@@ -147,7 +145,7 @@ For example, you can choose the XTS-AES 256 encryption algorithm, and have it ap
 Windows Defender Application Guard (WDAG) introduced a new user interface inside **Windows Security** in this release. Standalone users can now install and configure their Windows Defender Application Guard settings in Windows Security without needing to change registry key settings.
-Additionally, users who are managed by enterprise policies will be able to check their settings to see what their administrators have configured for their machines to better understand the behavior of Windows Defender Application Guard. This new UI improves the overall experience for users while managing and checking their Windows Defender Application Guard settings. As long as devices meet the minimum requirements, these settings will appear in Windows Security.For detailed information, click [here](https://techcommunity.microsoft.com/t5/Windows-Insider-Program/test/m-p/214102#M1709).
+Additionally, users who are managed by enterprise policies will be able to check their settings to see what their administrators have configured for their machines to better understand the behavior of Windows Defender Application Guard. This new UI improves the overall experience for users while managing and checking their Windows Defender Application Guard settings. As long as devices meet the minimum requirements, these settings will appear in Windows Security. For detailed information, click [here](https://techcommunity.microsoft.com/t5/Windows-Insider-Program/test/m-p/214102#M1709).
 To try this,
 1. Go to**Windows Security** and select **App & browser control**.
@@ -203,7 +201,7 @@ Threat Analytics is a set of interactive reports published by the Windows Defend
 - [Managed security service provider (MSSP) support](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection)
    Windows Defender ATP adds support for this scenario by providing MSSP integration. The integration will allow MSSPs to take the following actions:
-Get access to MSSP customer's Windows Defender Security Center portal, fet email notifications, and fetch alerts through security information and event management (SIEM) tools.
+Get access to MSSP customer's Windows Defender Security Center portal, fetch email notifications, and fetch alerts through security information and event management (SIEM) tools.
 - [Integration with Azure Security Center](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#integration-with-azure-security-center)
    Windows Defender ATP integrates with Azure Security Center to provide a comprehensive server protection solution. With this integration Azure Security Center can leverage the power of Windows Defender ATP to provide improved threat detection for Windows Servers.
@@ -239,4 +237,4 @@ Until now, Windows logon only supported the use of identities federated to ADFS
 3. On the lock screen, select web sign-in under sign-in options.
 4. Click the “Sign in” button to continue.
-![Web sign-in](images/websignin.png "web sign-in")
\ No newline at end of file
+![Web sign-in](images/websignin.png "web sign-in")