deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-16 02:43:43 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'rs2' into bl-10743059

Browse Source
This commit is contained in:
Brian Lich
2017-03-28 10:02:31 -07:00
parent 34f3f29505 53ab1f9691
commit 60785c2202
16 changed files with 220 additions and 228 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
.openpublishing.redirection.json
View File

@ -1,6 +1,11 @@
{
"redirections": [
{
"source_path": "windows/keep-secure/configure-aad-windows-defender-advanced-threat-protection.md",
"redirect_url": "/itpro/windows/keep-secure/enable-siem-integration-windows-defender-advanced-threat-protection",
"redirect_document_id": true
},
{
"source_path": "windows/manage/cortana-at-work-scenario-7.md",
"redirect_url": "/itpro/windows/configure/cortana-at-work-scenario-7",
"redirect_document_id": true

72
devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md
View File

@ -65,22 +65,22 @@ For more information, see [SurfaceHub configuration service provider](https://ms
| Automatically turn on the screen using motion sensors | InBoxApps/Welcome/AutoWakeScreen | Yes | Yes | Yes |
| Require a pin for wireless projection | InBoxApps/WirelessProjection/PINRequired | Yes | Yes | Yes |
| Enable wireless projection | InBoxApps/WirelessProjection/Enabled | Yes | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
| Miracast channel to use for wireless projection | InBoxApps/WirelessProjection/Channel | Yes | Yes.<br> Use a custom setting. | Yes |
| Miracast channel to use for wireless projection | InBoxApps/WirelessProjection/Channel | Yes | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
| Connect to your Operations Management Suite workspace | MOMAgent/WorkspaceID <br> MOMAgent/WorkspaceKey | Yes | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
| Welcome screen background image | InBoxApps/Welcome/CurrentBackgroundPath | Yes | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
| Meeting information displayed on the welcome screen | InBoxApps/Welcome/MeetingInfoOption | Yes | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
| Friendly name for wireless projection | Properties/FriendlyName | Yes <br> [Use a custom policy.](#example-intune)) | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
| Friendly name for wireless projection | Properties/FriendlyName | Yes <br> [Use a custom policy.](#example-intune) | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
| Device account, including password rotation | DeviceAccount/*`<name_of_policy>`* <br> See [SurfaceHub CSP](https://msdn.microsoft.com/library/windows/hardware/mt608323.aspx). | No | No | Yes |
| Specify Skype domain | InBoxApps/SkypeForBusiness/DomainName | Yes </br> [Use a custom policy.](#example-intune)) | Yes<br> [Use a custom setting.] Yes |
| Auto launch Connect App when projection is initiated | InBoxApps/Connect/AutoLaunch | Yes </br> [Use a custom policy.](#example-intune)) | Yes<br> [Use a custom setting.] Yes |
| Set default volume | Properties/DefaultVolume | Yes </br> [Use a custom policy.](#example-intune)) | Yes<br> [Use a custom setting.] Yes |
| Set screen timeout | Properties/ScreenTimeout | Yes </br> [Use a custom policy.](#example-intune)) | Yes<br> [Use a custom setting.] Yes |
| Set session timeout | Properties/SessionTimeout | Yes </br> [Use a custom policy.](#example-intune)) | Yes<br> [Use a custom setting.] Yes |
| Set sleep timeout | Properties/SleepTimeout | Yes </br> [Use a custom policy.](#example-intune)) | Yes<br> [Use a custom setting.] Yes |
| Allow session to resume after screen is idle | Properties/AllowSessionResume | Yes </br> [Use a custom policy.](#example-intune)) | Yes<br> [Use a custom setting.] Yes |
| Allow device account to be used for proxy authentication | Properties/AllowAutoProxyAuth | Yes </br> [Use a custom policy.](#example-intune)) | Yes<br> [Use a custom setting.] Yes |
| Disable auto-populating the sign-in dialog with invitees from scheduled meetings | Properties/DisableSignInSuggestions | Yes </br> [Use a custom policy.](#example-intune)) | Yes<br> [Use a custom setting.] Yes |
| Disable "My meetings and files" feature in Start menu | Properties/DoNotShowMyMeetingsAndFiles | Yes </br> [Use a custom policy.](#example-intune)) | Yes<br> [Use a custom setting.] Yes |
| Specify Skype domain | InBoxApps/SkypeForBusiness/DomainName | Yes </br> | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
| Auto launch Connect App when projection is initiated | InBoxApps/Connect/AutoLaunch | Yes </br> | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
| Set default volume | Properties/DefaultVolume | Yes </br> | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
| Set screen timeout | Properties/ScreenTimeout | Yes </br> | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
| Set session timeout | Properties/SessionTimeout | Yes </br> | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
| Set sleep timeout | Properties/SleepTimeout | Yes </br> | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
| Allow session to resume after screen is idle | Properties/AllowSessionResume | Yes </br> | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
| Allow device account to be used for proxy authentication | Properties/AllowAutoProxyAuth | Yes </br> | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
| Disable auto-populating the sign-in dialog with invitees from scheduled meetings | Properties/DisableSignInSuggestions | Yes </br> | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
| Disable "My meetings and files" feature in Start menu | Properties/DoNotShowMyMeetingsAndFiles | Yes </br> | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package.
### Supported Windows 10 settings
@ -92,46 +92,46 @@ The following tables include info on Windows 10 settings that have been validate
#### Security settings
| Setting | Details | CSP reference | Supported with<br>Intune? | Supported with<br>Configuration Manager? | Supported with<br>SyncML\*? |
| -------- | -------- | ------------- |-------------------------- | ---------------------------------------- | ------------------------- |
| Allow Bluetooth | Keep this enabled to support Bluetooth peripherals. | [Connectivity/AllowBluetooth](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Connectivity_AllowBluetooth) | Yes. <br> Use a custom policy. | Yes.<br> Use a custom setting. | Yes |
| Bluetooth policies | Use to set the Bluetooth device name, and block advertising, discovery, and automatic pairing. | Bluetooth/*`<name of policy>`* <br> See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes. <br> Use a custom policy. | Yes.<br> Use a custom setting. | Yes |
| Allow camera | Keep this enabled for Skype for Business. | [Camera/AllowCamera](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Camera_AllowCamera) | Yes. <br> Use a custom policy. | Yes.<br> Use a custom setting. | Yes |
| Allow location | Keep this enabled to support apps such as Maps. | [System/AllowLocation](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#System_AllowLocation) | Yes. <br> Use a custom policy. | Yes.<br> Use a custom setting. | Yes |
| Allow telemetry | Keep this enabled to help Microsoft improve Surface Hub. | [System/AllowTelemetry](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#System_AllowTelemetry) | Yes. <br> Use a custom policy. | Yes.<br> Use a custom setting. | Yes |
| Allow Bluetooth | Keep this enabled to support Bluetooth peripherals. | [Connectivity/AllowBluetooth](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Connectivity_AllowBluetooth) | Yes. <br> | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
| Bluetooth policies | Use to set the Bluetooth device name, and block advertising, discovery, and automatic pairing. | Bluetooth/*`<name of policy>`* <br> See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes. <br> | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
| Allow camera | Keep this enabled for Skype for Business. | [Camera/AllowCamera](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Camera_AllowCamera) | Yes. <br> | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
| Allow location | Keep this enabled to support apps such as Maps. | [System/AllowLocation](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#System_AllowLocation) | Yes. <br> . | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
| Allow telemetry | Keep this enabled to help Microsoft improve Surface Hub. | [System/AllowTelemetry](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#System_AllowTelemetry) | Yes. <br> | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package.
#### Browser settings
| Setting | Details | CSP reference | Supported with<br>Intune? | Supported with<br>Configuration Manager? | Supported with<br>SyncML\*? |
| -------- | ---------------- | ------------- |-------------------------- | ---------------------------------------- | ------------------------- |
| Homepages | Use to configure the default homepages in Microsoft Edge. | [Browser/Homepages](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_Homepages) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
| Allow cookies | Surface Hub automatically deletes cookies at the end of a session. Use this to block cookies within a session. | [Browser/AllowCookies](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowCookies) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
| Allow developer tools | Use to stop users from using F12 Developer Tools. | [Browser/AllowDeveloperTools](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowDeveloperTools) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
| Allow Do Not Track | Use to enable Do Not Track headers. | [Browser/AllowDoNotTrack](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowDoNotTrack) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
| Allow pop-ups | Use to block pop-up browser windows. | [Browser/AllowPopups](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowPopups) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
| Allow search suggestions | Use to block search suggestions in the address bar. | [Browser/AllowSearchSuggestionsinAddressBar](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowSearchSuggestionsinAddressBar) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
| Allow SmartScreen | Keep this enabled to turn on SmartScreen. | [Browser/AllowSmartScreen](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowSmartScreen) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
| Prevent ignoring SmartScreen Filter warnings for websites | For extra security, use to stop users from ignoring SmartScreen Filter warnings and block them from accessing potentially malicious websites. | [Browser/PreventSmartScreenPromptOverride](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_PreventSmartScreenPromptOverride) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
| Prevent ignoring SmartScreen Filter warnings for files | For extra security, use to stop users from ignoring SmartScreen Filter warnings and block them from downloading unverified files from Microsoft Edge. | [Browser/PreventSmartScreenPromptOverrideForFiles](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_PreventSmartScreenPromptOverrideForFiles) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
| Homepages | Use to configure the default homepages in Microsoft Edge. | [Browser/Homepages](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_Homepages) | Yes <br> [Use a custom policy.](#example-intune) | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
| Allow cookies | Surface Hub automatically deletes cookies at the end of a session. Use this to block cookies within a session. | [Browser/AllowCookies](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowCookies) | Yes <br> [Use a custom policy.](#example-intune) | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
| Allow developer tools | Use to stop users from using F12 Developer Tools. | [Browser/AllowDeveloperTools](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowDeveloperTools) | Yes <br> [Use a custom policy.](#example-intune) | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
| Allow Do Not Track | Use to enable Do Not Track headers. | [Browser/AllowDoNotTrack](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowDoNotTrack) | Yes <br> [Use a custom policy.](#example-intune) | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
| Allow pop-ups | Use to block pop-up browser windows. | [Browser/AllowPopups](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowPopups) | Yes <br> [Use a custom policy.](#example-intune) | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
| Allow search suggestions | Use to block search suggestions in the address bar. | [Browser/AllowSearchSuggestionsinAddressBar](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowSearchSuggestionsinAddressBar) | Yes <br> [Use a custom policy.](#example-intune) | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
| Allow SmartScreen | Keep this enabled to turn on SmartScreen. | [Browser/AllowSmartScreen](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowSmartScreen) | Yes <br> [Use a custom policy.](#example-intune) | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
| Prevent ignoring SmartScreen Filter warnings for websites | For extra security, use to stop users from ignoring SmartScreen Filter warnings and block them from accessing potentially malicious websites. | [Browser/PreventSmartScreenPromptOverride](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_PreventSmartScreenPromptOverride) | Yes <br> [Use a custom policy.](#example-intune) | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
| Prevent ignoring SmartScreen Filter warnings for files | For extra security, use to stop users from ignoring SmartScreen Filter warnings and block them from downloading unverified files from Microsoft Edge. | [Browser/PreventSmartScreenPromptOverrideForFiles](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_PreventSmartScreenPromptOverrideForFiles) | Yes <br> [Use a custom policy.](#example-intune) | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package.
#### Windows Update settings
| Setting | Details | CSP reference | Supported with<br>Intune? | Supported with<br>Configuration Manager? | Supported with<br>SyncML*? |
| ----------- | ---------------- | ------------- |-------------------------- | ---------------------------------------- | ------------------------- |
| Use Current Branch or Current Branch for Business | Use to configure Windows Update for Business see [Windows updates](manage-windows-updates-for-surface-hub.md). | [Update/BranchReadinessLevel](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_BranchReadinessLevel) | Yes. Use a custom policy. | Yes. Use a custom setting. | Yes |
| Defer feature updates| See above. | [Update/ DeferFeatureUpdatesPeriodInDays](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_DeferFeatureUpdatesPeriodInDays) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
| Defer quality updates | See above. | [Update/DeferQualityUpdatesPeriodInDays](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_DeferQualityUpdatesPeriodInDays) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
| Pause feature updates | See above. | [Update/PauseFeatureUpdates](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_PauseFeatureUpdates) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
| Pause quality updates | See above. | [Update/PauseQualityUpdates](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_PauseQualityUpdates) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes|
| Configure device to use WSUS| Use to connect your Surface Hub to WSUS instead of Windows Update see [Windows updates](manage-windows-updates-for-surface-hub.md). | [Update/UpdateServiceUrl](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_UpdateServiceUrl) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
| Delivery optimization | Use peer-to-peer content sharing to reduce bandwidth issues during updates. See [Configure Delivery Optimization for Windows 10](https://technet.microsoft.com/itpro/windows/manage/waas-delivery-optimization) for details. | DeliveryOptimization/*`<name of policy>`* <br> See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
| Use Current Branch or Current Branch for Business | Use to configure Windows Update for Business see [Windows updates](manage-windows-updates-for-surface-hub.md). | [Update/BranchReadinessLevel](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_BranchReadinessLevel) | Yes <br> [Use a custom policy.](#example-intune) | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
| Defer feature updates| See above. | [Update/ DeferFeatureUpdatesPeriodInDays](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_DeferFeatureUpdatesPeriodInDays) | Yes <br> [Use a custom policy.](#example-intune) | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
| Defer quality updates | See above. | [Update/DeferQualityUpdatesPeriodInDays](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_DeferQualityUpdatesPeriodInDays) | Yes <br> [Use a custom policy.](#example-intune) | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
| Pause feature updates | See above. | [Update/PauseFeatureUpdates](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_PauseFeatureUpdates) | Yes <br> [Use a custom policy.](#example-intune) | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
| Pause quality updates | See above. | [Update/PauseQualityUpdates](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_PauseQualityUpdates) | Yes <br> [Use a custom policy.](#example-intune) | Yes.<br> [Use a custom setting.](#example-sccm) | Yes|
| Configure device to use WSUS| Use to connect your Surface Hub to WSUS instead of Windows Update see [Windows updates](manage-windows-updates-for-surface-hub.md). | [Update/UpdateServiceUrl](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_UpdateServiceUrl) | Yes <br> [Use a custom policy.](#example-intune) | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
| Delivery optimization | Use peer-to-peer content sharing to reduce bandwidth issues during updates. See [Configure Delivery Optimization for Windows 10](https://technet.microsoft.com/itpro/windows/manage/waas-delivery-optimization) for details. | DeliveryOptimization/*`<name of policy>`* <br> See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes <br> [Use a custom policy.](#example-intune) | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package.
#### Windows Defender settings
| Setting | Details | CSP reference | Supported with<br>Intune? | Supported with<br>Configuration Manager? | Supported with<br>SyncML\*? |
| ----------- | ---------------- | ------------- |-------------------------- | ---------------------------------------- | ------------------------- |
| Defender policies | Use to configure various Defender settings, including a scheduled scan time. | Defender/*`<name of policy>`* <br> See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
| Defender policies | Use to configure various Defender settings, including a scheduled scan time. | Defender/*`<name of policy>`* <br> See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes <br> [Use a custom policy.](#example-intune) | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
| Defender status | Use to initiate a Defender scan, force a signature update, query any threats detected. | [Defender CSP](https://msdn.microsoft.com/library/windows/hardware/mt187856.aspx) | No. | No. | Yes |
\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package.
@ -140,8 +140,8 @@ The following tables include info on Windows 10 settings that have been validate
| Setting | Details | CSP reference | Supported with<br>Intune? | Supported with<br>Configuration Manager? | Supported with<br>SyncML\*? |
| ----------- | ---------------- | ------------- |-------------------------- | ---------------------------------------- | ------------------------- |
| Reboot the device immediately | Use in conjunction with OMS to minimize support costs see [Monitor your Microsoft Surface Hub](monitor-surface-hub.md). | ./Vendor/MSFT/Reboot/RebootNow <br> See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | No | No | Yes |
| Reboot the device at a scheduled date and time | See above. | ./Vendor/MSFT/Reboot/Schedule/Single <br> See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
| Reboot the device daily at a scheduled date and time | See above. | ./Vendor/MSFT/Reboot/Schedule/DailyRecurrent <br> See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
| Reboot the device at a scheduled date and time | See above. | ./Vendor/MSFT/Reboot/Schedule/Single <br> See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | Yes <br> [Use a custom policy.](#example-intune) | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
| Reboot the device daily at a scheduled date and time | See above. | ./Vendor/MSFT/Reboot/Schedule/DailyRecurrent <br> See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | Yes <br> [Use a custom policy.](#example-intune) | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package.
#### Install certificates

BIN
windows/configure/images/show-more-tiles.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 66 KiB

BIN
windows/configure/images/start-screen-size.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 42 KiB

BIN
windows/configure/images/wcd-app-commands.PNG Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 70 KiB

BIN
windows/configure/images/wcd-app-name.PNG Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 64 KiB

7
windows/configure/mobile-lockdown-designer.md
View File

@ -47,6 +47,11 @@ Perform these steps on the device running Windows 10 Mobile that you will use to
4. Enable **Device discovery**, and then turn on **Device Portal**.
>[!IMPORTANT]
>Check **Settings > Personalization > Start > Show more tiles** on the test mobile device. If **Show more tiles** is **On**, you must select **Large** on the [**Start screen** page](#start) in Lockdown Designer. If you want to apply a **Small** layout, set **Show more tiles** on the test mobile device to **Off**.
>
>![turn off show more tiles for small start screen size](images/show-more-tiles.png)
## Prepare the PC
[Install Lockdown Designer](https://www.microsoft.com/store/r/9nblggh40753) on the PC.
@ -130,7 +135,7 @@ The apps and settings available in the pages of Lockdown Designer should now be
| ![Quick actions](images/ld-quick.png) | On this page, you select the settings that you want visible to users. |
| ![Buttons](images/ld-buttons.png) | Each hardware button on a mobile device has different actions that can be disabled. In addition, the behavior for **Search** button can be changed to open an app other than **Search**.</br></br>Some devices may have additional hardware buttons provided by the OEM. These are listed as Custom1, Custom2, and Custom3. If your device has custom hardware buttons, contact your equipment provider to identify how their custom buttons are defined. |
| ![Other settings](images/ld-other.png) | This page contains several settings that you can configure:</br></br>- The context menu is displayed when a user presses and holds an application in the All Apps list. You can enable or disable the context menu.</br></br>- Tile manipulation allows users to pin, unpin, move, and resize tiles on the Start screen. You can enable or disable tile manipulation.</br></br>- The Action Center setting controls whether the user can open the Action Center on the device. When the Action Center is disabled, notifications on the lockscreen and toasts are also disabled. You can use optional attributes with the Action Center element to change that behavior for either notifications, toasts, or both. |
| ![Start screen](images/ld-start.png) | On this page, you can start a remote simulation session with the test mobile device. Click **Start remote simulation**. You will see a **Start screen remote simulation in progress** message on the PC. (If the **Start remote simulation** button is not active, [pair the mobile device with the PC again](#pair).)</br></br>On the test mobile device, tiles for the apps that you allowed on the **Applications** page are displayed on the screen. You can move, resize, or unpin these tiles to achieve the desired layout.</br></br>When you are done changing the layout on the test mobile device, click **Accept** on the PC. |
| <span id="start" />![Start screen](images/ld-start.png) | On this page, you can start a remote simulation session with the test mobile device. Click **Start remote simulation**. You will see a **Start screen remote simulation in progress** message on the PC. (If the **Start remote simulation** button is not active, [pair the mobile device with the PC again](#pair).)</br></br>On the test mobile device, tiles for the apps that you allowed on the **Applications** page are displayed on the screen. You can move, resize, or unpin these tiles to achieve the desired layout.</br></br>When you are done changing the layout on the test mobile device, click **Accept** on the PC. |
## Validate and export

18
windows/configure/provision-pcs-with-apps.md
View File

@ -40,7 +40,7 @@ When you add an app in a Windows Configuration Designer wizard, the appropriate
- **Restart required**: Optionally, specify if you want to initiate a reboot after a successful install of this app
- **Required win32 app dependencies**: Optionally, specify additional files that are required for the installation of the app.
- **Required win32 app dependencies**: Optionally, specify additional files that are required for the installation of the app. For installers that have multiple file dependencies or have directory structures, [create a cab file of the assets](provisioning-script-to-install-app.md#cab). The installation script should [include expansion of the .cab file](provisioning-script-to-install-app.md#cab-extract).
### Exe or other installer
@ -52,22 +52,22 @@ When you add an app in a Windows Configuration Designer wizard, the appropriate
- **Restart required**: Optionally, specify if you want to initiate a reboot after a successful install of this app
- **Required win32 app dependencies**: Optionally, specify additional files that are required for the installation of the app.
- **Required win32 app dependencies**: Optionally, specify additional files that are required for the installation of the app. For installers that have multiple file dependencies or have directory structures, [create a cab file of the assets](provisioning-script-to-install-app.md#cab). The installation script should [include expansion of the .cab file](provisioning-script-to-install-app.md#cab-extract).
<span id="adv" />
## Add an app using advanced editor in Windows Configuration Designer
## Add a Classic Windows app using advanced editor in Windows Configuration Designer
1. In the **Available customizations** pane, go to **Runtime settings** > **ProvisioningCommands** > **DeviceContext** > **CommandFiles**.
1. In the **Available customizations** pane, go to **Runtime settings** > **ProvisioningCommands** > **PrimaryContext** > **Command**.
2. Add all the files required for the app install, including the data files and the installer.
2. Enter a name for the first app, and then click **Add**.
3. Go to **Runtime settings** > **ProvisioningCommands** > **DeviceContext** > **CommandLine** and specify the command line that needs to be executed to install the app. This is a single command line (such as a script, executable, or msi) that triggers a silent install of your CommandFiles. Note that the install must execute silently (without displaying any UI). For MSI installers use, the `msiexec /quiet` option.
![enter name for first app](images/wcd-app-name.png)
> [!NOTE]
> If you are installing more than one app, then use `CommandLine` to invoke the script or batch file that orchestrates installation of the files. For more information, see [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md).
3. [Configure the settings for the appropriate installer type.](#settings-for-classic-windows-apps)
![enter settings for first app](images/wcd-app-commands.png)
### Add a universal app to your package
@ -87,7 +87,7 @@ Universal apps that you can distribute in the provisioning package can be line-o
5. For **DeviceContextAppLicense**, enter the **LicenseProductID**.
- In Windows Store for Business, generate the unencoded license for the app on the app's download page, and change the extension of the license file from **.xml** to **.ms-windows-store-license**.
- In Windows Store for Business, generate the unencoded license for the app on the app's download page.
![generate license for offline app](images/uwp-license.png)

19
windows/configure/provisioning-script-to-install-app.md
View File

@ -29,6 +29,7 @@ This walkthrough describes how to leverage the ability to include scripts in a W
2. If you need to include a directory structure of files, you will need to cab the assets for easy inclusion in the provisioning packages.
<span id="cab" />
## Cab the application assets
1. Create a .DDF file as below, replacing *file1* and *file2* with the files you want to package, and adding the name of file/directory.
@ -89,7 +90,9 @@ This walkthrough describes how to leverage the ability to include scripts in a W
## Create the script to install the application
Create a script to perform whatever work is needed to install the application(s). The following examples are provided to help get started authoring the orchestrator script that will execute the required installers. In practice, the orchestrator script may reference many more assets than those in these examples.
In Windows 10, version 1607 and earlier, create a script to perform whatever work is needed to install the application(s). The following examples are provided to help get started authoring the orchestrator script that will execute the required installers. In practice, the orchestrator script may reference many more assets than those in these examples.
In Windows 10, version 1703, you dont need to create an orchestrator script. You can have one command line per app. If necessary, you can create a script that logs the output per app, as mentioned below (rather than one orchestrator script for the entire provisioning package).
>[!NOTE]
>All actions performed by the script must happen silently, showing no UI and requiring no user interaction.
@ -138,6 +141,7 @@ PsExec.exe -accepteula -i -s cmd.exe /c powershell.exe my_powershell_script.ps1'
echo result: %ERRORLEVEL% >> %LOGFILE%
```
<span id="cab-extract" />
### Extract from a .CAB example
This example script shows expansion of a .cab from the provisioning commands script, as well as installation of the expanded setup.exe
@ -154,7 +158,9 @@ echo result: %ERRORLEVEL% >> %LOGFILE%
### Calling multiple scripts in the package
You are currently allowed one CommandLine per PPKG. The batch files shown above are orchestrator scripts that manage the installation and calls any other scripts included in the PPKG. The orchestrator script is what should be invoked from the CommandLine specified in the package.
In Windows 10, version 1703, your provisioning package can include multiple CommandLines.
In Windows 10, version 1607 and earlier, you are allowed one CommandLine per provisioning package. The batch files shown above are orchestrator scripts that manage the installation and call any other scripts included in the provisioning package. The orchestrator script is what should be invoked from the CommandLine specified in the package.
Heres a table describing this relationship, using the PowerShell example from above:
@ -166,7 +172,7 @@ Heres a table describing this relationship, using the PowerShell example from
| ProvisioningCommands/DeviceContext/CommandFiles | my_powershell_script.ps1 | Other assets referenced by the orchestrator script. In this example there is only one, but there could be many assets referenced here. One common use case is using the orchestrator to call a series of install.exe or setup.exe installers to install several applications. Each of those installers must be included as an asset here. |
### Add script to provisioning package
### Add script to provisioning package (Windows 10, version 1607)
When you have the batch file written and the referenced assets ready to include, you can add them to a provisioning package in the Window Configuration Designer.
@ -197,10 +203,15 @@ When you are done, [build the package](provisioning-create-package.md#build-pack
2. When applied at first boot, provisioning runs early in the boot sequence and before a user context has been established; care must be taken to only include installers that can run at this time. Other installers can be provisioned via a management tool.
3. If the device is put into an unrecoverable state because of a bad script, you can reset it using [recovery options in Windows 10](https://support.microsoft.com/help/12415/windows-10-recovery-options).
4. The CommandFile assets are deployed on the device to a temporary folder unique to each package.
- For Windows 10, version 1607 and earlier:
a. For packages added during the out of box experience, this is usually in `%WINDIR%\system32\config\systemprofile\appdata\local\Temp\ProvisioningPkgTmp\<{PackageIdGuid}>\Commands`
b. For packages added by double-clicking on an already deployed device, this will be in the temp folder for the user executing the PPKG: `%TMP%\ProvisioningPkgTmp\<{PackageIdGuid}>\Commands`
- For Windows 10, version 1703:
a. For packages added during the out of box experience, this is usually in `%WINDIR%\system32\config\systemprofile\appdata\local\Temp\ProvisioningPkgTmp\<{PackageIdGuid}>\Commands\0`
The `0` after `Commands\` refers to the installation order and indicates the first app to be installed. The number will increment for each app in the package.
b. For packages added by double-clicking on an already deployed device, this will be in the temp folder for the user executing the provisioning package: `%TMP%\ProvisioningPkgTmp\<{PackageIdGuid}>\Commands\0`
5. The command line will be executed with the directory the CommandFiles were deployed to as the working directory. This means you do not need to specific the full path to assets in the command line or from within any script.
6. The runtime provisioning component will attempt to run the scripts from the PPKG at the earliest point possible, depending on the stage when the PPKG was added. For example, if the package was added during the Out-of-Box Experience, it will be run immediately after the package is applied, while the Out-of-Box Experience is still happening. This is before the user account configuration options are presented to the user. A spinning progress dialog will appear and “please wait” will be displayed on the screen.
6. The runtime provisioning component will attempt to run the scripts from the provisioning package at the earliest point possible, depending on the stage when the PPKG was added. For example, if the package was added during the Out-of-Box Experience, it will be run immediately after the package is applied, while the out of box experience is still happening. This is before the user account configuration options are presented to the user. A spinning progress dialog will appear and “please wait” will be displayed on the screen.
>[!NOTE]
>There is a timeout of 30 minutes for the provisioning process at this point. All scripts and installs need to complete within this time.

5
windows/keep-secure/choose-the-right-bitlocker-countermeasure.md
View File

@ -117,8 +117,9 @@ Tables 1 and 2 summarize the recommended mitigations for different types of atta
**Table 2.**&nbsp;&nbsp;How to choose the best countermeasures for Windows 10
The latest InstantGo devices, primarily tablets, are designed to be secure by default against all attacks that might compromise the BitLocker encryption key. Other Windows devices can be, too. DMA portbased attacks, which represent the attack vector of choice, are not possible on InstantGo devices, because these port types are prohibited. The inclusion of DMA ports on even non-InstantGo devices is extremely rare on recent devices, particularly on mobile ones. This could change if Thunderbolt is broadly adopted, so IT should consider this when purchasing new devices. In any case DMA ports can be disabled entirely, which is an increasingly popular option because the use of
DMA ports is infrequent in the non-developer space.
The latest InstantGo devices, primarily tablets, are designed to be secure by default against all attacks that might compromise the BitLocker encryption key. Other Windows devices can be secure by default too. DMA portbased attacks, which represent the attack vector of choice, are not possible on InstantGo devices because these port types are prohibited. The inclusion of DMA ports on even non-InstantGo devices is extremely rare on recent devices, particularly on mobile ones. This could change if Thunderbolt is broadly adopted, so IT should consider this when purchasing new devices. In any case, DMA ports can be disabled entirely, which is an increasingly popular option because the use of DMA ports is infrequent in the non-developer space. To prevent DMA port usage unless an authorized user is signed in, you can set the DataProtection/AllowDirectMemoryAccess policy by using Mobile Device Management (MDM) or the Group Policy setting **Disable new DMA devices when this computer is locked** (beginning with Windows 10, version 1703). This setting is **Not configured** by default. The path to the Group Policy setting is:
**Computer Configuration|Administrative Templates|Windows Components|BitLocker Drive Encryption**
Memory remanence attacks can be mitigated with proper configuration; in cases where the system memory is fixed and non-removable, they are not possible using published techniques. Even in cases where system memory can be removed and loaded into another device, attackers will find the attack vector extremely unreliable, as has been shown in the DRDC Valcartier groups analysis (see [An In-depth Analysis of the Cold Boot Attack](http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA545078)).

116
windows/keep-secure/configure-aad-windows-defender-advanced-threat-protection.md
View File

@ -1,116 +0,0 @@
---
title: Configure an Azure Active Directory application for SIEM integration
description: Configure an Azure Active Directory application so that it can communicate with supported SIEM tools.
keywords: configure aad for siem integration, siem integration, application, oauth 2
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: mjcaparas
localizationpriority: high
---
# Configure an Azure Active Directory application for SIEM integration
**Applies to:**
- Azure Active Directory
- Windows 10 Enterprise
- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
You need to add an application in your Azure Active Directory (AAD) tenant then authorize the Windows Defender ATP Alerts Export application to communicate with it so that your security information and events management (SIEM) tool can pull alerts from Windows Defender ATP portal.
1. Login to the [Azure management portal](https://ms.portal.azure.com).
2. Select **Active Directory**.
3. Select your tenant.
4. Click **Applications**, then select **Add** to create a new application.
5. Click **Add an application my organization is developing**.
6. Choose a client name for the application, for example, *Alert Export Client*.
7. Select **WEB APPLICATION AND/OR WEB API** in the Type section.
8. Assign a sign-on URL and app ID URI to the application, for example, `https://alertexportclient`.
9. Confirm the request details and verify that you have successfully added the app.
10. Select the application you've just created from the directory application list and click the **Configure** tab.
11. Scroll down to the **keys** section and select a duration for the application key.
12. Type the following URLs in the **Reply URL** field:
- `https://DataAccess-PRD.trafficmanager.net:444/api/FetchAccessTokenFromAuthCode`
- `https://localhost:44300/WDATPconnector`
13. Click **Save** and copy the key in a safe place. You'll need this key to authenticate the client application on Azure Active Directory.
14. Open a web browser and connect to the following URL: `https://DataAccess-PRD.trafficmanager.net:444/api/FetchToken?clientId=f7c1acd8-0458-48a0-a662-dba6de049d1c&tenantId=<tenant ID>&clientSecret=1234`<br>
An Azure login page appears.
> [!NOTE]
> - Replace *tenant ID* with your actual tenant ID.
> - Keep the *clientSecret* as is. This is a dummy value, but the parameter must appear.
15. Sign in with the credentials of a user from your tenant.
16. Click **Accept** to provide consent. Ignore the error.
17. Click **Application configuration** under your tenant.
18. Click **Permissions to other applications**, then select **Add application**.
19. Click **All apps** from the **SHOW** field and submit.
20. Click **WDATPAlertExport**, then select **+** to add the application. You should see it on the **SELECTED** panel.
21. Submit your changes.
22. On the **WDATPAlertExport** record, in the **Delegated Permissions** field, select **Access WDATPAlertExport**.
23. Save the application changes.
After configuring the application in AAD, you'll need to obtain a refresh token. You'll need to use the token when you configure the connector for your SIEM tool in the next steps. The token lets the connector access Windows Defender ATP events to be pulled by your SIEM.
## Obtain a refresh token using an events URL
Obtain a refresh token used to retrieve the Windows Defender Advanced Threat Protection events to your SIEM. This section provides information on how you can use an events URL to obtain the required refresh token.
>[!NOTE]
>For HP ArcSight, you can obtain a refresh token using the restutil tool. For more information, see [Configure HP ArcSight to pull alerts](configure-arcsight-windows-defender-advanced-threat-protection.md).
### Before you begin
Get the following information from your Azure Active Directory (AAD) application by selecting the **View Endpoint** on the application configuration page:
- OAuth 2 Client ID
- OAuth 2 Client secret
You'll use these values to obtain a refresh token.
>[!IMPORTANT]
>Before using the OAuth 2 Client secret described in the next steps, you **must** encode it. Use a URL encoder to transform the OAuth 2 client secret.
### Obtain a refresh token
1. Open a web browser and connect to the following URL: `https://DataAccess-PRD.trafficmanager.net:444/api/FetchToken?clientId=<client ID>&tenantId=<tenant ID>&clientSecret=<client secret>`
>[!NOTE]
>- Replace the *client ID* value with the one you got from your AAD application.
>- Replace *tenant ID* with your actual tenant ID.
>- Replace *client secret* with your encoded client secret. The client secret **must** be pasted encoded.
2. Click **Accept**. When you authenticate, a web page opens with your refresh token.
3. Save the refresh token which you'll find it the `<RefreshToken></RefreshToken>`value. You'll need this value when configuring your SIEM tool.
After configuring your AAD application and generating a refresh token, you can proceed to configure your SIEM tool.
## Related topics
- [Configure security information and events management (SIEM) tools to pull alerts](configure-siem-windows-defender-advanced-threat-protection.md)
- [Configure Splunk to pull alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
- [Configure HP ArcSight to pull alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)

186
windows/keep-secure/configure-exclusions-windows-defender-antivirus.md
View File

@ -1,6 +1,6 @@
---
title: Set up exclusions for Windows Defender AV scans
description: You can exclude files (including files modified by specified processes) and folders from being scanned by Windows Defender AV
description: You can exclude files (including files modified by specified processes) and folders from being scanned by Windows Defender AV. Validate your exclusions with PowerShell.
keywords:
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
@ -12,7 +12,7 @@ localizationpriority: medium
author: iaanw
---
# Exclude files and processes from Windows Defender AV scans
# Configure and validate file and folder exclusions in Windows Defender AV scans
**Applies to:**
@ -27,22 +27,25 @@ author: iaanw
**Manageability available with**
- Group Policy
- System Center Configuration Manager
- PowerShell
- Windows Management Instrumentation (WMI)
- System Center Configuration Manager
- Microsoft Intune
- Windows Defender Security Center
You can exclude certain files, folders, processes, and process-modified files from being scanned by Windows Defender AV. The exclusions apply to [scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md), [on-demand scans](run-scan-windows-defender-antivirus.md), and [always-on real-time protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md).
Changes made via Group Policy to the exclusion lists will show in the lists in the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions).
Changes made via Group Policy to the exclusion lists **will show** in the lists in the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions). However, changes made in the Windows Defender Security Center app **will not show** in the Group Policy lists.
However, changes made in the Windows Defender Security Center app will not show in the lists in the Group Policy settings.
You can add, remove, and review the lists for exclusions in [Group Policy](#gp), [System Center Configuration Manager, Microsoft Intune, and with the Windows Defender Security Center app](#man-tools).
You can add, remove, and review the lists for exclusions in Group Policy, System Center Configuration Manager, Microsoft Intune, and with the Windows Defender Security Center app.
You can also [use PowerShell cmdlets and WMI to configure the exclusion lists](#ps), although you will need to use several different cmdlets.
You can also use PowerShell cmdlets and WMI to configure the exclusion lists, although you will need to use several different cmdlets.
By default, local changes made to the lists (by users with administrator privileges) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, Intune, PowerShell, or WMI. The Group Policy lists will take precedence in the case of conflicts. You can [configure how locally and globally defined exclusions lists are merged](configure-local-policy-overrides-windows-defender-antivirus.md#merge-lists) to disable this setting.
PowerShell can be used to [validate that your exclusion lists are working as expected](#validate).
<a id="gp"></a>
## Use Group Policy to configure exclusion lists
**Use Group Policy to configure file extension exclusions:**
@ -66,7 +69,10 @@ You can also use PowerShell cmdlets and WMI to configure the exclusion lists, al
![The Group Policy setting for file exclusions](images/defender/wdav-extension-exclusions.png)
<a id="exclude-paths-files"></a>
**Use Group Policy to exclude specified paths or folders from scans:**
**Use Group Policy to exclude specified files or folders from scans:**
>[!NOTE]
>The exclusion will apply to any file with the defined file name - regardless of its location. If a folder is defined in the exclusion, then all files and subdirectories under that folder will be excluded.
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
@ -81,7 +87,7 @@ You can also use PowerShell cmdlets and WMI to configure the exclusion lists, al
1. Set the option to **Enabled**.
2. Under the **Options** section, click **Show...**
3. Enter each path or file on its own line under the **Value name** column. If you are entering a file, ensure you enter a fully qualified path to the file, including the drive letter, folder path, filename, and extesnsion. Enter **0** in the **Value** column for all processes.
3. Enter each path or file on its own line under the **Value name** column. If you are entering a file, ensure you enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column for all processes.
7. Click **OK**.
@ -89,9 +95,11 @@ You can also use PowerShell cmdlets and WMI to configure the exclusion lists, al
**Use Group Policy to exclude files that have been used or modified by specified processes from scans:**
>[!NOTE] You can exclude files that are opened by specified processes from being scanned. The specified process won't be excluded - but any files that are opened by that process will be. If you need to exclude the process itself, [exclude it as a file](#exclude-paths-files).
>[!NOTE]
>You can exclude files that are opened by specified processes from being scanned. The specified process won't be excluded - but any files that are opened by that process (regardless of where they are or what they are named) will be excluded. If you need to exclude the process itself, [exclude it as a file](#exclude-paths-files).
>You can only exclude files modified by processes if the process is an executable.
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration**.
@ -105,16 +113,16 @@ You can also use PowerShell cmdlets and WMI to configure the exclusion lists, al
1. Set the option to **Enabled**.
2. Under the **Options** section, click **Show...**
3. Enter each process on its own line under the **Value name** column. Ensure you enter a fully qualified path to the process, including the drive letter, folder path, filename, and extesnsion. The process must be an executable. Enter **0** in the **Value** column for all processes.
3. Enter each process on its own line under the **Value name** column. Ensure you enter a fully qualified path to the process, including the drive letter, folder path, filename, and extension. The process must be an executable. Enter **0** in the **Value** column for all processes.
7. Click **OK**.
![The Group Policy setting for specifying process exclusions](images/defender/wdav-process-exclusions.png)
<a id="ps"></a>
## Use PowerShell cmdlets and WMI to configure exclusion lists
Excluding and reviewing file extensions, paths and files (including processes), and files opened by processes with PowerShell requires using a combination of four cmdlets and the appropriate exclusion list parameter. The cmdlets are all in the Defender module.
Excluding and reviewing file extensions, paths and files (including processes), and files opened by processes with PowerShell requires using a combination of four cmdlets and the appropriate exclusion list parameter. The cmdlets are all in the [Defender module](https://technet.microsoft.com/en-us/itpro/powershell/windows/defender/defender).
There are three exclusion lists:
- ExclusionExtension
@ -127,48 +135,111 @@ You can modify each of the lists with the following cmdlets:
- Remove-MpPreference to remove or delete items from the defined list
- Get-MpPreference to review the items in the list, either all at once with all other Windows Defender AV settings, or individually for each of the lists
>[!IMPORTANT]
>If you have created a list, either with `Set-MpPreference` or `Add-MpPreference`, using the `Set-MpPreference` cmdlet again will overwrite the existing list.
The format for the command is:
The following matrix provides sample commands based on what you want to exclude, and whether you want to create a list, add to the list, or remove items from the list.
<table>
<tr><th>Configuration action</th><th>Type of exclusion</th><th>PowerShell command</th></tr>
<tr><td rowspan="3">Create or overwrite a list</td><td>File extensions that should be excluded from scans</td><td>
Set-MpPreference -ExclusionExtension ".extension1, .extension2, .extension3"</td></tr>
<tr><td>Files (including processes) and paths that should be excluded from scans</td><td>
Set-MpPreference -ExclusionPath "c:\example, d:\test\process.exe, c:\test\file.bat"</td></tr>
<tr><td>Files opened by the specified processes (executables)</td><td>
Set-MpPreference -ExclusionProcess "c:\example\test.exe"</td></tr>
<tr><td rowspan="3">Add to a list</td><td>File extensions that should be excluded from scans</td><td>
Add-MpPreference -ExclusionExtension ".extension4, .extension5"</td></tr>
<tr><td>Files (including processes) and paths that should be excluded from scans</td><td>
Add-MpPreference -ExclusionPath "d:\test, d:\example\file.png"</td></tr>
<tr><td>Files opened by specified processes (executables)</td><td>
Add-MpPreference -ExclusionProcess "f:\test\sample.exe"</td></tr>
<tr><td rowspan="3">Remove items from a list</td><td>File extensions that should be excluded from scans</td><td>
Remove-MpPreference -ExclusionExtension ".extension1, .extension4, .extension5"</td></tr>
<tr><td>Files (including processes) and paths that should be excluded from scans</td><td>
Remove-MpPreference -ExclusionPath "c:\example, d:\example\file.png"</td></tr>
<tr><td>Files opened by specified processes (executables)</td><td>
Remove-MpPreference -ExclusionProcess "c:\example\test.exe"</td></tr>
</table>
### Review the exclusion lists with PowerShell
You can retrieve the items in any of the lists in two ways:
- Retrieve the status of all Windows Defender AV preferences. Each of the three lists will be displayed on separate lines, but the items within the list will be combined into the same line.
- Write the status of all preferences to a variable, and only call the specific list you are interested in. Each use of `Add-MpPreference` is written to a new line.
In both instances the items are sorted alphabetically.
The following sequence of code examples helps to show how this works.
1. Create an example list of extensions that should be excluded from scans:
```PowerShell
**Use PowerShell cmdlets to create a new list of file extension exclusions:**
1. Review the current list of exclusions:
```PowerShell
Get-MpPreference
Set-MpPreference -ExclusionExtension
Add-MpPreference -ExclusionExtension
Remove-MpPreference -ExclusionExtension
PS C:\> Set-MpPreference -ExclusionExtension ".test1, .test2"
```
>[!IMPORTANT]
>Use the `Set-MpPreference` cmdlet to create a list. This will overwrite the existing list.
>Use `Add-MpPreference` to add items to the list, and `Remove-MpPreference` to remove or delete items from the list.
>Assigning `Get-MpPreference` to a variable and then querying `ExclusionExtension` will place the items from each instance of `Add-MpPreference` on its own line. Using `Get-MpPreference` on its own will place all items together.
2. Add some additional extensions:
```PowerShell
PS C:\> Add-MpPreference -ExclusionExtension ".test40, test50"
```
3. Add another set of extensions:
```PowerShell
PS C:\> Add-MpPreference -ExclusionExtension ".secondadd1, .secondadd2"
```
4. Review the list as a combined list:
```PowerShell
PS C:\> Get-MpPreference
```
![PowerShell output for Get-MpPreference showing the exclusion list alongside other preferences](images/defender/wdav-powershell-get-exclusions-all.png)
5. Use a variable to store and retrieve only the exclusions list:
```PowerShell
PS C:\> $WDAVprefs = Get-MpPreference
PS C:\> $WDAVprefs.ExclusionExtension
```
![PowerShell output showing only the entries in the exclusion list](images/defender/wdav-powershell-get-exclusions-variable.png)
See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
**Use Windows Management Instruction (WMI) to configure file extension exclusions:**
### Use Windows Management Instruction (WMI) to configure file extension exclusions
Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/en-us/library/dn455323(v=vs.85).aspx) class for the following properties:
Use the [ **Set**, **Add**, and **Remove** methods of the **MSFT_MpPreference**](https://msdn.microsoft.com/en-us/library/dn455323(v=vs.85).aspx) class for the following properties:
```WMI
DisableAutoExclusions
ExclusionExtension
ExclusionPath
ExclusionProcess
```
The use of **Set**, **Add**, and **Remove** are analogous to their counterparts in PowerShell: `Set-MpPreference`, `Add-MpPreference`, and `Remove-MpPreference`.
See the following for more information and allowed parameters:
- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx)
<a id="man-tools"></a>
## Use System Center Configuration Manager, Intune, or the Windows Defender Security Center app to configure exclusion lists
@ -232,28 +303,41 @@ DisableAutoExclusions
See the following for more information and allowed parameters:
- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx)
## Use wildcards in exclusion lists
You can use the asterisk **\***, question mark **?**, or environment variables (such as %APPDATA%) as wildcards when defining items in the exclusion lists.
You cannot use a wildcard in place of a drive letter.
The following table describes how the wildcards can be used and provides some examples.
Wildcard | Use | Example use | Example matches
---|---|---|---
**\*** (asterisk) | Replaces any number of chararacters | <ul><li>C:\MyData\my\*.zip</li><li>C:\somepath\\\*\Data</li><li>.t\*t</li></ul> | <ul><li>C:\MyData\my-archived-files-43.zip</li><li>C:\somepath\folder1\folder2\Data</li><li>.test</li></ul>
**?** (question mark) | Replaces a single character | <ul><li>C:\MyData\my\*.zip</li><li>C:\somepath\\\*\Data</li><li>.t\*t</li></ul> | <ul><li>C:\MyData\my1.zip</li><li>C:\somepath\P\Data</li><li>.txt </li></ul>
Environment variables | The defined variable will be populated as a path when the exclusion is evaluated | <ul><li>%ALLUSERSPROFILE%\CustomLogFiles</li><li>%APPDATA%\Data\file.png</li></ul> | <ul><li>C:\ProgramData\CustomLogFiles\Folder1\file1.txt</li><li>C:\Users\username\AppData\Roaming\Data\file.png</li></ul>
<a id="validate"></a>
## Validate exclusions lists with the EICAR test file
You can validate that your exclusion lists are working by using PowerShell with either the `Invoke-WebRequest` cmdlet or the .NET WebClient class to download a test file.
In the following PowerShell snippet, replace *test.txt* with a file that conforms to your exclusion rules. For example, if you have excluded the .testing extension, replace *test.txt* with *test.testing*. If you are testing a path, ensure you run the cmdlet within that path.
```PowerShell
Invoke-WebRequest "http://www.eicar.org/download/eicar.com.txt" -OutFile "test.txt"
```
If Windows Defender AV reports malware, then the rule is not working. If there is no report of malware, and the downloaded file exists, then the exclusion is working. You can open the file to confirm the contents are the same as what is described on the [EICAR testfile website](http://www.eicar.org/86-0-Intended-use.html).
You can also use the following PowerShell code, which calls the .NET WebClient class to download the testfile - as with the `Invoke-WebRequest` cmdlet, replace *c:\test.txt* with a file that conforms to the rule you are validating:
```PowerShell
$client = new-object System.Net.WebClient
$client.DownloadFile("http://www.eicar.org/download/eicar.com.txt","c:\test.txt")
```
## Related topics

2
windows/keep-secure/configure-local-policy-overrides-windows-defender-antivirus.md
View File

@ -73,7 +73,7 @@ Scan | Configure local setting override for the scan type to use for a scheduled
<a id="merge-lists"></a>
## Configure how locally and globally defined threat remediation and exclusions lists are merged
You can also configure how locally defined lists are combined or merged with globally defined lists. This setting applies to [exclusion lists](configure-exclusions-windows-defender-antivirus.md) and [specified remediation lists](configure-remediation-windows-defender-antivirus.md).

BIN
windows/keep-secure/images/defender/wdav-powershell-get-exclusions-all.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 38 KiB

BIN
windows/keep-secure/images/defender/wdav-powershell-get-exclusions-variable.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 9.5 KiB

4
windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md
View File

@ -62,7 +62,9 @@ The following tables provide more information about the hardware, firmware, and
The following tables describes additional hardware and firmware requirements, and the improved security that is available when those requirements are met.
### Additional Qualification Requirements starting with Windows 10, version 1507, and Windows Server 2016, Technical Preview 4
### Additional security qualifications starting with Windows 10, version 1507, and Windows Server 2016, Technical Preview 4
| Protections for Improved Security - requirement | Description |
|---------------------------------------------|----------------------------------------------------|