deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-27 20:57:23 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'master' of https://cpubwin.visualstudio.com/_git/it-client into wdac

Browse Source
This commit is contained in:
Justin Hall 2018-03-19 15:09:06 -07:00
commit 6467bda424
49 changed files with 1126 additions and 387 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
.openpublishing.publish.config.json
View File

@ -135,6 +135,22 @@
"moniker_groups": [],
"version": 0
},
{
"docset_name": "privacy",
"build_source_folder": "windows/privacy",
"build_output_subfolder": "privacy",
"locale": "en-us",
"monikers": [],
"moniker_ranges": [],
"open_to_public_contributors": false,
"type_mapping": {
"Conceptual": "Content",
"ManagedReference": "Content",
"RestApi": "Content"
},
"build_entry_point": "docs",
"template_folder": "_themes"
},
{
"docset_name": "security",
"build_source_folder": "windows/security",

6
devices/surface-hub/troubleshoot-surface-hub.md
View File

@ -9,7 +9,7 @@ ms.sitesec: library
ms.pagetype: surfacehub
author: jdeckerms
ms.author: jdecker
ms.date: 09/07/2017
ms.date: 03/16/2018
ms.localizationpriority: medium
---
@ -18,9 +18,13 @@ ms.localizationpriority: medium
Troubleshoot common problems, including setup issues, Exchange ActiveSync errors.
The [Surface Hub Hardware Diagnostic tool](https://www.microsoft.com/store/p/surface-hub-hardware-diagnostic/9nblggh51f2g?rtc=1&activetab=pivot%3aoverviewtab) contains interactive tests which allow you to confirm essential functionality of your Hub is working as expected. In addition to testing hardware, the diagnostic can test the resource account to verify that it is configured properly for your environment. If problems are encountered, results can be saved and shared with the Surface Hub Support Team. For usage information, see [Using the Surface Hub Hardware Diagnostic Tool to test a device account](https://support.microsoft.com/help/4077574/using-the-surface-hub-hardware-diagnostic-tool-to-test-a-device-accoun).
Common issues are listed in the following table, along with causes and possible fixes. The [Setup troubleshooting](#setup-troubleshooting) section contains a listing of on-device problems, along with several types of issues that may be encountered during the first-run experience. The [Exchange ActiveSync errors](#exchange-activesync-errors) section lists common errors the device may encounter when trying to synchronize with an Microsoft Exchange ActiveSync server.
## Setup troubleshooting

11
education/trial-in-a-box/educator-tib-get-started.md
View File

@ -11,7 +11,7 @@ ms.pagetype: edu
ROBOTS: noindex,nofollow
author: CelesteDG
ms.author: celested
ms.date: 01/12/2017
ms.date: 03/18/2018
---
# Educator Trial in a Box Guide
@ -186,6 +186,15 @@ Bring out the best in students by providing a platform for collaborating, explor
| <iframe width="420" height="236" src="https://www.youtube-nocookie.com/embed/hMmRud4B54o" frameborder="0" allowfullscreen></iframe></br>Watch teachers elevate the education of students using OneNote. | <iframe width="420" height="236" src="https://www.youtube.com/embed/hl9ZQiektJE" frameborder="0" allowfullscreen></iframe></br>Here what other teachers say about using Minecraft: Education Edition in their classrooms. |
| | |
## Update your apps
Microsoft Education works hard to bring you the most current Trial in a Box program experience. As a result, you may need to update your apps to get our latest innovations.
For more information about checking for updates, and how to optionally turn on automatic app updates, see the following articles:
- [Check updates for apps and games from Microsoft Store](https://support.microsoft.com/en-us/help/4026259/microsoft-store-check-updates-for-apps-and-games)
- [Turn on automatic app updates](https://support.microsoft.com/en-us/help/15081/windows-turn-on-automatic-app-updates)
## Get more info
* Learn more at <a href="https://www.microsoft.com/education" target="_blank">microsoft.com/education</a>

12
education/trial-in-a-box/itadmin-tib-get-started.md
View File

@ -11,7 +11,7 @@ ms.pagetype: edu
ROBOTS: noindex,nofollow
author: CelesteDG
ms.author: celested
ms.date: 12/11/2017
ms.date: 03/18/2018
---
# IT Admin Trial in a Box Guide
@ -259,6 +259,16 @@ Follow these instructions to confirm if you configured your tenant correctly and
3. In the **Downloads and updates** page, click **Get updates**.
* [Try the BYOD scenario](https://docs.microsoft.com/en-us/education/get-started/finish-setup-and-other-tasks#connect-other-devices-to-your-cloud-infrastructure)
## Update your apps
Microsoft Education works hard to bring you the most current Trial in a Box program experience. As a result, you may need to update your apps to get our latest innovations.
For more information about checking for updates, and how to optionally turn on automatic app updates, see the following articles:
- [Check updates for apps and games from Microsoft Store](https://support.microsoft.com/en-us/help/4026259/microsoft-store-check-updates-for-apps-and-games)
- [Turn on automatic app updates](https://support.microsoft.com/en-us/help/15081/windows-turn-on-automatic-app-updates)
## Get more info
* Learn more at <a href="https://www.microsoft.com/education" target="_blank">microsoft.com/education</a>

16
education/trial-in-a-box/support-options.md
View File

@ -11,13 +11,23 @@ ms.pagetype: edu
ROBOTS: noindex,nofollow
author: CelesteDG
ms.author: celested
ms.date: 12/11/2017
ms.date: 03/18/2018
---
# Microsoft Education Trial in a Box Support
Need help or have a question about using Microsoft Education? Start here.
## 1. Confirm your admin contact information is current
## 1. Update your apps
Microsoft Education works hard to bring you the most current Trial in a Box program experience. As a result, you may need to update your apps to get our latest innovations.
For more information about checking for updates, and how to optionally turn on automatic app updates, see the following articles:
- [Check updates for apps and games from Microsoft Store](https://support.microsoft.com/en-us/help/4026259/microsoft-store-check-updates-for-apps-and-games)
- [Turn on automatic app updates](https://support.microsoft.com/en-us/help/15081/windows-turn-on-automatic-app-updates)
## 2. Confirm your admin contact information is current
1. Go to the <a href="https://portal.office.com/adminportal/home" target="_blank">Office 365 admin center</a> and sign in with your Office 365 admin credentials.
2. In the admin center dashboard, select your profile on the upper righthand corner and select **My account** from the options.
@ -30,7 +40,7 @@ Need help or have a question about using Microsoft Education? Start here.
4. Click **Save**.
## 2. Request a call back
## 3. Request a call back
1. Click the **Need help?** button in the lower right-hand corner of the Office 365 console.

2
mdop/mbam-v25/mbam-25-security-considerations.md
View File

@ -32,7 +32,7 @@ This topic contains the following information about how to secure Microsoft BitL
## <a href="" id="bkmk-tpm"></a>Configure MBAM to escrow the TPM and store OwnerAuth passwords
**Note** For Windows 10, version 1607 or later, only Windows can take ownership of the TPM. In addiiton, Windows will not retain the TPM owner password when provisioning the TPM. See [TPM owner password](http://technet.microsoft.com/en-us/itpro/windows/keep-secure/change-the-tpm-owner-password) for further details.
**Note** For Windows 10, version 1607 or later, only Windows can take ownership of the TPM. In addition, Windows will not retain the TPM owner password when provisioning the TPM. See [TPM owner password](http://technet.microsoft.com/en-us/itpro/windows/keep-secure/change-the-tpm-owner-password) for further details.
Depending on its configuration, the Trusted Platform Module (TPM) will lock itself in certain situations ─ such as when too many incorrect passwords are entered ─ and can remain locked for a period of time. During TPM lockout, BitLocker cannot access the encryption keys to perform unlock or decryption operations, requiring the user to enter their BitLocker recovery key to access the operating system drive. To reset TPM lockout, you must provide the TPM OwnerAuth password.

5
store-for-business/microsoft-store-for-business-overview.md
View File

@ -282,7 +282,6 @@ Store for Business and Education is currently available in these markets.
<li>Philippines</li>
<li>Poland</li>
<li>Portugal</li>
<li>Puerto Rico</li>
<li>Qatar</li>
<li>Republic of Cabo Verde</li>
<li>Reunion</li>
@ -358,6 +357,10 @@ Customers in these markets can use Microsoft Store for Business and Education to
- Tajikistan
- Ukraine
### Support to only manage products
Customers in these markets can use Microsoft Store for Business and Education only to manage products that they've purchased from other channels. For example, they might have purchased products through Volume Licensing Service Center. However, they can't purhcase apps directly from Microsoft Store for Business and Education.
- Puerto Rico
This table summarize what customers can purchase, depending on which Microsoft Store they are using.
| Store | Free apps | Minecraft: Education Edition |

1
windows/client-management/mdm/TOC.md
View File

@ -217,6 +217,7 @@
#### [InternetExplorer](policy-csp-internetexplorer.md)
#### [Kerberos](policy-csp-kerberos.md)
#### [KioskBrowser](policy-csp-kioskbrowser.md)
#### [LanmanWorkstation](policy-csp-lanmanworkstation.md)
#### [Licensing](policy-csp-licensing.md)
#### [LocalPoliciesSecurityOptions](policy-csp-localpoliciessecurityoptions.md)
#### [Location](policy-csp-location.md)

1
windows/client-management/mdm/configuration-service-provider-reference.md
View File

@ -2535,7 +2535,6 @@ The following list shows the configuration service providers supported in Window
| [DeveloperSetup CSP](developersetup-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png)2 (Provisioning only)|
| [DeviceStatus CSP](devicestatus-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) |
| [DevInfo CSP](devinfo-csp.md) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) |
| [DiagnosticLog CSP](diagnosticlog-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) |
| [DMAcc CSP](dmacc-csp.md) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) |
| [DMClient CSP](dmclient-csp.md) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) |
| [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) |

240
windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
View File

@ -10,7 +10,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 03/03/2018
ms.date: 03/15/2018
---
# What's new in MDM enrollment and management
@ -30,6 +30,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
- [What's new in Windows 10, version 1607](#whatsnew1607)
- [What's new in Windows 10, version 1703](#whatsnew10)
- [What's new in Windows 10, version 1709](#whatsnew1709)
- [What's new in Windows 10, version 1803](#whatsnew1803)
- [Change history in MDM documentation](#change-history-in-mdm-documentation)
- [Breaking changes and known issues](#breaking-changes-and-known-issues)
- [Get command inside an atomic command is not supported](#getcommand)
@ -1124,6 +1125,230 @@ For details about Microsoft mobile device management protocols for Windows 10 s
</tbody>
</table>
## <a href="" id="whatsnew1803"></a>What's new in Windows 10, version 1803
<table class="mx-tdBreakAll">
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<thead>
<tr class="header">
<th>New or updated topic</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td style="vertical-align:top">[Policy CSP](policy-configuration-service-provider.md)</td>
<td style="vertical-align:top"><p>Added the following new policies for Windows 10, version 1803:</p>
<ul>
<li>AccountPoliciesAccountLockoutPolicy/AccountLockoutDuration</li>
<li>AccountPoliciesAccountLockoutPolicy/AccountLockoutThreshold</li>
<li>AccountPoliciesAccountLockoutPolicy/ResetAccountLockoutCounterAfter</li>
<li>ApplicationDefaults/EnableAppUriHandlers</li>
<li>Browser/AllowConfigurationUpdateForBooksLibrary</li>
<li>Browser/AlwaysEnableBooksLibrary</li>
<li>Browser/EnableExtendedBooksTelemetry</li>
<li>Browser/UseSharedFolderForBooks</li>
<li>Connectivity/AllowPhonePCLinking</li>
<li>DeliveryOptimization/DODelayBackgroundDownloadFromHttp</li>
<li>DeliveryOptimization/DODelayForegroundDownloadFromHttp</li>
<li>DeliveryOptimization/DOGroupIdSource</li>
<li>DeliveryOptimization/DOPercentageMaxBackDownloadBandwidth</li>
<li>DeliveryOptimization/DOPercentageMaxForeDownloadBandwidth</li>
<li>DeliveryOptimization/DORestrictPeerSelectionBy</li>
<li>DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth</li>
<li>DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth</li>
<li>Display/DisablePerProcessDpiForApps</li>
<li>Display/EnablePerProcessDpi</li>
<li>Display/EnablePerProcessDpiForApps</li>
<li>Experience/AllowWindowsSpotlightOnSettings</li>
<li>KioskBrowser/BlockedUrlExceptions</li>
<li>KioskBrowser/BlockedUrls</li>
<li>KioskBrowser/DefaultURL</li>
<li>KioskBrowser/EnableHomeButton</li>
<li>KioskBrowser/EnableNavigationButtons</li>
<li>KioskBrowser/RestartOnIdleTime</li>
<li>LanmanWorkstation/EnableInsecureGuestLogons</li>
<li>LocalPoliciesSecurityOptions/Devices_AllowUndockWithoutHavingToLogon</li>
<li>LocalPoliciesSecurityOptions/Devices_AllowedToFormatAndEjectRemovableMedia</li>
<li>LocalPoliciesSecurityOptions/Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters</li>
<li>LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly</li>
<li>LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways</li>
<li>LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptSecureChannelDataWhenPossible</li>
<li>LocalPoliciesSecurityOptions/DomainMember_DigitallySignSecureChannelDataWhenPossible</li>
<li>LocalPoliciesSecurityOptions/DomainMember_DisableMachineAccountPasswordChanges</li>
<li>LocalPoliciesSecurityOptions/DomainMember_MaximumMachineAccountPasswordAge</li>
<li>LocalPoliciesSecurityOptions/DomainMember_RequireStrongSessionKey</li>
<li>LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior</li>
<li>LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsAlways</li>
<li>LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees</li>
<li>LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers</li>
<li>LocalPoliciesSecurityOptions/MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession</li>
<li>LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways</li>
<li>LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees</li>
<li>LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts</li>
<li>LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares</li>
<li>LocalPoliciesSecurityOptions/NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers</li>
<li>LocalPoliciesSecurityOptions/NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares</li>
<li>LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM</li>
<li>LocalPoliciesSecurityOptions/NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM</li>
<li>LocalPoliciesSecurityOptions/NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange</li>
<li>LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel</li>
<li>LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients</li>
<li>LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers</li>
<li>LocalPoliciesSecurityOptions/Shutdown_ClearVirtualMemoryPageFile</li>
<li>LocalPoliciesSecurityOptions/SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems</li>
<li>LocalPoliciesSecurityOptions/UserAccountControl_DetectApplicationInstallationsAndPromptForElevation</li>
<li>LocalPoliciesSecurityOptions/UserAccountControl_UseAdminApprovalMode</li>
<li>RestrictedGroups/ConfigureGroupMembership</li>
<li>Search/AllowCortanaInAAD</li>
<li>Search/DoNotUseWebResults</li>
<li>Security/ConfigureWindowsPasswords</li>
<li>System/FeedbackHubAlwaysSaveDiagnosticsLocally</li>
<li>SystemServices/ConfigureHomeGroupListenerServiceStartupMode</li>
<li>SystemServices/ConfigureHomeGroupProviderServiceStartupMode</li>
<li>SystemServices/ConfigureXboxAccessoryManagementServiceStartupMode</li>
<li>SystemServices/ConfigureXboxLiveAuthManagerServiceStartupMode</li>
<li>SystemServices/ConfigureXboxLiveGameSaveServiceStartupMode</li>
<li>SystemServices/ConfigureXboxLiveNetworkingServiceStartupMode</li>
<li>TaskScheduler/EnableXboxGameSaveTask</li>
<li>TextInput/AllowHardwareKeyboardTextSuggestions</li>
<li>TextInput/EnableTouchKeyboardAutoInvokeInDesktopMode</li>
<li>TextInput/ForceTouchKeyboardDockedState</li>
<li>TextInput/TouchKeyboardDictationButtonAvailability</li>
<li>TextInput/TouchKeyboardEmojiButtonAvailability</li>
<li>TextInput/TouchKeyboardFullModeAvailability</li>
<li>TextInput/TouchKeyboardHandwritingModeAvailability</li>
<li>TextInput/TouchKeyboardNarrowModeAvailability</li>
<li>TextInput/TouchKeyboardSplitModeAvailability</li>
<li>TextInput/TouchKeyboardWideModeAvailability</li>
<li>Update/ConfigureFeatureUpdateUninstallPeriod</li>
<li>UserRights/AccessCredentialManagerAsTrustedCaller</li>
<li>UserRights/AccessFromNetwork</li>
<li>UserRights/ActAsPartOfTheOperatingSystem</li>
<li>UserRights/AllowLocalLogOn</li>
<li>UserRights/BackupFilesAndDirectories</li>
<li>UserRights/ChangeSystemTime</li>
<li>UserRights/CreateGlobalObjects</li>
<li>UserRights/CreatePageFile</li>
<li>UserRights/CreatePermanentSharedObjects</li>
<li>UserRights/CreateSymbolicLinks</li>
<li>UserRights/CreateToken</li>
<li>UserRights/DebugPrograms</li>
<li>UserRights/DenyAccessFromNetwork</li>
<li>UserRights/DenyLocalLogOn</li>
<li>UserRights/DenyRemoteDesktopServicesLogOn</li>
<li>UserRights/EnableDelegation</li>
<li>UserRights/GenerateSecurityAudits</li>
<li>UserRights/ImpersonateClient</li>
<li>UserRights/IncreaseSchedulingPriority</li>
<li>UserRights/LoadUnloadDeviceDrivers</li>
<li>UserRights/LockMemory</li>
<li>UserRights/ManageAuditingAndSecurityLog</li>
<li>UserRights/ManageVolume</li>
<li>UserRights/ModifyFirmwareEnvironment</li>
<li>UserRights/ModifyObjectLabel</li>
<li>UserRights/ProfileSingleProcess</li>
<li>UserRights/RemoteShutdown</li>
<li>UserRights/RestoreFilesAndDirectories</li>
<li>UserRights/TakeOwnership</li>
<li>WindowsDefenderSecurityCenter/DisableAccountProtectionUI</li>
<li>WindowsDefenderSecurityCenter/DisableDeviceSecurityUI</li>
<li>WindowsDefenderSecurityCenter/HideRansomwareDataRecovery</li>
<li>WindowsDefenderSecurityCenter/HideSecureBoot</li>
<li>WindowsDefenderSecurityCenter/HideTPMTroubleshooting</li>
</ul>
<p>Security/RequireDeviceEncrption - updated to show it is supported in desktop.</p>
</tr>
<tr class="odd">
<td style="vertical-align:top">[BitLocker CSP](bitlocker-csp.md)</td>
<td style="vertical-align:top"><p>Updated the description for AllowWarningForOtherDiskEncryption to describe changes added in Windows 10, version 1803.</p>
</td></tr>
<tr class="odd">
<td style="vertical-align:top">[EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md)</td>
<td style="vertical-align:top"><p>Added new node MaintainProcessorArchitectureOnUpdate in Windows 10, version 1803.</p>
</td></tr>
<tr class="odd">
<td style="vertical-align:top">[DMClient CSP](dmclient-csp.md)</td>
<td style="vertical-align:top"><p>Added ./User/Vendor/MSFT/DMClient/Provider/[ProviderID]/FirstSyncStatus node. Also added the following nodes in Windows 10, version 1803:</p>
<ul>
<li>AADSendDeviceToken</li>
<li>BlockInStatusPage</li>
<li>AllowCollectLogsButton</li>
<li>CustomErrorText</li>
<li>SkipDeviceStatusPage</li>
<li>SkipUserStatusPage</li>
</ul>
</td></tr>
<tr class="odd">
<td style="vertical-align:top">[RemoteWipe CSP](remotewipe-csp.md)</td>
<td style="vertical-align:top"><p>Added the following nodes in Windows 10, version 1803:</p>
<ul>
<li>AutomaticRedeployment</li>
<li>doAutomaticRedeployment</li>
<li>LastError</li>
<li>Status</li>
</ul>
</td></tr>
<tr class="odd">
<td style="vertical-align:top">[Defender CSP](defender-csp.md)</td>
<td style="vertical-align:top"><p>Added new node (OfflineScan) in Windows 10, version 1803.</p>
</td></tr>
<tr class="odd">
<td style="vertical-align:top">[UEFI CSP](uefi-csp.md)</td>
<td style="vertical-align:top"><p>Added a new CSP in Windows 10, version 1803.</p>
</td></tr>
<tr class="odd">
<td style="vertical-align:top">[Update CSP](update-csp.md)</td>
<td style="vertical-align:top"><p>Added the following nodes in Windows 10, version 1803:</p>
<ul>
<li>Rollback</li>
<li>Rollback/FeatureUpdate</li>
<li>Rollback/QualityUpdateStatus</li>
<li>Rollback/FeatureUpdateStatus</li>
</ul>
</td></tr>
<tr class="odd">
<td style="vertical-align:top">[AssignedAccess CSP](assignedaccess-csp.md)</td>
<td style="vertical-align:top"><p>Added the following nodes in Windows 10, version 1803:</p>
<ul>
<li>Status</li>
<li>ShellLauncher</li>
<li>StatusConfiguration</li>
</ul>
<p>Updated the AssigneAccessConfiguration schema.</p>
</td></tr>
<tr class="odd">
<td style="vertical-align:top">[MultiSIM CSP](multisim-csp.md)</td>
<td style="vertical-align:top"><p>Added a new CSP in Windows 10, version 1803.</p>
</td></tr>
<tr class="odd">
<td style="vertical-align:top">[EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md)</td>
<td style="vertical-align:top"><p>Added the following node in Windows 10, version 1803:</p>
<ul>
<li>MaintainProcessorArchitectureOnUpdate</li>
</ul>
</td></tr>
<tr>
<td style="vertical-align:top">[eUICCs CSP](euiccs-csp.md)</td>
<td style="vertical-align:top"><p>Added the following node in Windows 10, version 1803:</p>
<ul>
<li>IsEnabled</li>
</ul>
</td></tr>
<tr>
<td style="vertical-align:top">[DeviceStatus CSP](devicestatus-csp.md)</td>
<td style="vertical-align:top"><p>Added the following node in Windows 10, version 1803:</p>
<ul>
<li>OS/Mode</li>
</ul>
</td></tr>
</td></tr>
</tbody>
</table>
## Breaking changes and known issues
### <a href="" id="getcommand"></a>Get command inside an atomic command is not supported
@ -1425,6 +1650,19 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
<li>[How to import a custom ADMX file to a device using Intune](https://www.microsoft.com/showcase/video.aspx?uuid=a59888b1-429f-4a49-8570-c39a143d9a73)</li>
</ul>
</td></tr>
<tr>
<td style="vertical-align:top">[Policy CSP](policy-configuration-service-provider.md)</td>
<td style="vertical-align:top"><p>Added the following new policies for Windows 10, version 1803:</p>
<ul>
<li>ApplicationDefaults/EnableAppUriHandlers</li>
<li>Connectivity/AllowPhonePCLinking</li>
<li>RestrictedGroups/ConfigureGroupMembership</li>
</ul>
<p>The following policy was updated in Windows 10, version 1803:</p>
<ul>
<li>TextInput/AllowIMENetworkAccess - when this policy is set to 1, suggestions from the Microsoft AI chatbot Rinna are enabled in the Japanese IME.</li>
</ul>
</td></tr>
</tbody>
</table>

11
windows/client-management/mdm/policy-configuration-service-provider.md
View File

@ -193,6 +193,9 @@ The following diagram shows the Policy configuration service provider in tree fo
<dd>
<a href="./policy-csp-applicationdefaults.md#applicationdefaults-defaultassociationsconfiguration" id="applicationdefaults-defaultassociationsconfiguration">ApplicationDefaults/DefaultAssociationsConfiguration</a>
</dd>
<dd>
<a href="./policy-csp-applicationdefaults.md#applicationdefaults-enableappurihandlers" id="applicationdefaults-enableappurihandlers">ApplicationDefaults/EnableAppUriHandlers</a>
</dd>
</dl>
### ApplicationManagement policies
@ -1903,6 +1906,14 @@ The following diagram shows the Policy configuration service provider in tree fo
</dd>
</dl>
### LanmanWorkstation policies
<dl>
<dd>
<a href="./policy-csp-lanmanworkstation.md#lanmanworkstation-enableinsecureguestlogons" id="lanmanworkstation-enableinsecureguestlogons">LanmanWorkstation/EnableInsecureGuestLogons</a>
</dd>
</dl>
### Licensing policies
<dl>

72
windows/client-management/mdm/policy-csp-applicationdefaults.md
View File

@ -11,6 +11,8 @@ ms.date: 03/12/2018
# Policy CSP - ApplicationDefaults
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<hr/>
@ -22,6 +24,9 @@ ms.date: 03/12/2018
<dd>
<a href="#applicationdefaults-defaultassociationsconfiguration">ApplicationDefaults/DefaultAssociationsConfiguration</a>
</dd>
<dd>
<a href="#applicationdefaults-enableappurihandlers">ApplicationDefaults/EnableAppUriHandlers</a>
</dd>
</dl>
@ -132,6 +137,73 @@ Here is the SyncMl example:
<!--/Example-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="applicationdefaults-enableappurihandlers"></a>**ApplicationDefaults/EnableAppUriHandlers**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td></td>
<td></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting determines whether Windows supports web-to-app linking with app URI handlers.
Enabling this policy setting enables web-to-app linking so that apps can be launched with a http(s) URI.
Disabling this policy disables web-to-app linking and http(s) URIs will be opened in the default browser instead of launching the associated app.
If you do not configure this policy setting, the default behavior depends on the Windows edition. Changes to this policy take effect on reboot.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Configure web-to-app linking with app URI handlers*
- GP name: *EnableAppUriHandlers*
- GP ADMX file name: *GroupPolicy.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
This setting supports a range of values between 0 and 1.
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
Footnote:

106
windows/client-management/mdm/policy-csp-lanmanworkstation.md Normal file
View File

@ -0,0 +1,106 @@
---
title: Policy CSP - LanmanWorkstation
description: Policy CSP - LanmanWorkstation
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 03/16/2018
---
# Policy CSP - LanmanWorkstation
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<hr/>
<!--Policies-->
## LanmanWorkstation policies
<dl>
<dd>
<a href="#lanmanworkstation-enableinsecureguestlogons">LanmanWorkstation/EnableInsecureGuestLogons</a>
</dd>
</dl>
<hr/>
<!--Policy-->
<a href="" id="lanmanworkstation-enableinsecureguestlogons"></a>**LanmanWorkstation/EnableInsecureGuestLogons**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Added in Windows 10, version 1803. This policy setting determines if the SMB client will allow insecure guest logons to an SMB server.
If you enable this policy setting or if you do not configure this policy setting, the SMB client will allow insecure guest logons.
If you disable this policy setting, the SMB client will reject insecure guest logons.
Insecure guest logons are used by file servers to allow unauthenticated access to shared folders. While uncommon in an enterprise environment, insecure guest logons are frequently used by consumer Network Attached Storage (NAS) appliances acting as file servers. Windows file servers require authentication and do not use insecure guest logons by default. Since insecure guest logons are unauthenticated, important security features such as SMB Signing and SMB Encryption are disabled. As a result, clients that allow insecure guest logons are vulnerable to a variety of man-in-the-middle attacks that can result in data loss, data corruption, and exposure to malware. Additionally, any data written to a file server using an insecure guest logon is potentially accessible to anyone on the network. Microsoft recommends disabling insecure guest logons and configuring file servers to require authenticated access.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Enable insecure guest logons*
- GP name: *Pol_EnableInsecureGuestLogons*
- GP ADMX file name: *LanmanWorkstation.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
This setting supports a range of values between 0 and 1.
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
<!--/Policies-->

41
windows/client-management/mdm/policy-csp-restrictedgroups.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 01/12/2018
ms.date: 03/15/2018
---
# Policy CSP - RestrictedGroups
@ -17,20 +17,22 @@ ms.date: 01/12/2018
<hr/>
<!--StartPolicies-->
<!--Policies-->
## RestrictedGroups policies
<dl>
<dd>
<a href="policy-csp-restrictedgroups.md#restrictedgroups-configuregroupmembership" id="restrictedgroups-configuregroupmembership">RestrictedGroups/ConfigureGroupMembership</a>
<a href="#restrictedgroups-configuregroupmembership">RestrictedGroups/ConfigureGroupMembership</a>
</dd>
</dl>
<hr/>
<!--StartPolicy-->
<!--Policy-->
<a href="" id="restrictedgroups-configuregroupmembership"></a>**RestrictedGroups/ConfigureGroupMembership**
<!--StartSKU-->
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
@ -47,13 +49,13 @@ ms.date: 01/12/2018
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td></td>
<td></td>
</tr>
</table>
<!--EndSKU-->
<!--StartScope-->
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
@ -61,19 +63,13 @@ ms.date: 01/12/2018
<hr/>
<!--EndScope-->
<!--StartDescription-->
This security setting allows an administrator to define the members of a security-sensitive (restricted) group. When a Restricted Groups Policy is enforced, any current member of a restricted group that is not on the Members list is removed. Any user on the Members list who is not currently a member of the restricted group is added. You can use Restricted Groups policy to control group membership.
<!--/Scope-->
<!--Description-->
This security setting allows an administrator to define the members of a security-sensitive (restricted) group. When a Restricted Groups Policy is enforced, any current member of a restricted group that is not on the Members list is removed. Any user on the Members list who is not currently a member of the restricted group is added. You can use Restricted Groups policy to control group membership. Using the policy, you can specify what members are part of a group. Any members that are not specified in the policy are removed during configuration or refresh. For example, you can create a Restricted Groups policy to only allow specified users (for example, Alice and John) to be members of the Administrators group. When policy is refreshed, only Alice and John will remain as members of the Administrators group.
> [!Note]
> This policy is only scoped to the Administrators group at this time.
Caution: If a Restricted Groups policy is applied, any current member not on the Restricted Groups policy members list is removed. This can include default members, such as administrators. Restricted Groups should be used primarily to configure membership of local groups on workstation or member servers. An empty Members list means that the restricted group has no members.
Using the policy, you can specify what members are part of a group. Any members that are not specified in the policy are removed during configuration or refresh. For example, you can create a Restricted Groups policy to only allow specified users (for example, Alice and John) to be members of the Administrators group. When policy is refreshed, only Alice and John will remain as members of the Administrators group.
> [!Note]
> If a Restricted Groups policy is applied, any current member not on the Restricted Groups policy members list is removed. This can include default members, such as administrators. Restricted Groups should be used primarily to configure membership of local groups on workstation or member servers. An empty Members list means that the restricted group has no members.
<!--EndDescription-->
<!--/Description-->
<!--SupportedValues-->
<!--/SupportedValues-->
@ -83,7 +79,7 @@ Using the policy, you can specify what members are part of a group. Any members
<!--Validation-->
<!--/Validation-->
<!--EndPolicy-->
<!--/Policy-->
<hr/>
Footnote:
@ -91,6 +87,7 @@ Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
<!--EndPolicies-->
<!--/Policies-->

72
windows/client-management/mdm/policy-csp-textinput.md
View File

@ -54,6 +54,9 @@ ms.date: 03/12/2018
<dd>
<a href="#textinput-allowlanguagefeaturesuninstall">TextInput/AllowLanguageFeaturesUninstall</a>
</dd>
<dd>
<a href="#textinput-allowlinguisticdatacollection">TextInput/AllowLinguisticDataCollection</a>
</dd>
<dd>
<a href="#textinput-enabletouchkeyboardautoinvokeindesktopmode">TextInput/EnableTouchKeyboardAutoInvokeInDesktopMode</a>
</dd>
@ -218,7 +221,7 @@ The following list shows the supported values:
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
@ -237,20 +240,18 @@ The following list shows the supported values:
<!--/Scope-->
<!--Description-->
> [!NOTE]
> The policy is only enforced in Windows 10 for desktop.
Allows the user to turn on Open Extended Dictionary, Internet search integration, or cloud candidate features to provide input suggestions that do not exist in the device's local dictionary.
Most restricted value is 0.
In Windows 10, version 1803, we introduced new suggestion services in Japanese IME in addition to cloud suggestion. When AllowIMENetworkAccess is set to 1, all suggestion services are available as predictive input.
<!--/Description-->
<!--SupportedValues-->
The following list shows the supported values:
- 0 Not allowed.
- 1 (default) Allowed.
- 1 (default) Allowed. In Windows 10, version 1803, suggestion services are also available in Japanese IME.
<!--/SupportedValues-->
<!--/Policy-->
@ -676,6 +677,65 @@ The following list shows the supported values:
<hr/>
<!--Policy-->
<a href="" id="textinput-allowlinguisticdatacollection"></a>**TextInput/AllowLinguisticDataCollection**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP name: *AllowLinguisticDataCollection*
- GP ADMX file name: *TextInput.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
This setting supports a range of values between 0 and 1.
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="textinput-enabletouchkeyboardautoinvokeindesktopmode"></a>**TextInput/EnableTouchKeyboardAutoInvokeInDesktopMode**

13
windows/configuration/basic-level-windows-diagnostic-events-and-fields-1703.md
View File

@ -831,9 +831,8 @@ This event represents the basic metadata about a file on the system. The file m
The following fields are available:
- **AppraiserVersion** The version of the Appraiser file generating the events.
- **AvDisplayName** The version of the Appraiser file generating the events.
- **AvProductState** If the app is an anti-virus app, this is its display name.
- **AvDisplayName** If the app is an anti-virus app, this is its display name.
- **AvProductState** Represents state of antivirus program with respect to whether it's turned on and the signatures are up-to-date.
- **BinaryType** A binary type. Example: UNINITIALIZED, ZERO_BYTE, DATA_ONLY, DOS_MODULE, NE16_MODULE, PE32_UNKNOWN, PE32_I386, PE32_ARM, PE64_UNKNOWN, PE64_AMD64, PE64_ARM64, PE64_IA64, PE32_CLR_32, PE32_CLR_IL, PE32_CLR_IL_PREFER32, PE64_CLR_64
- **BinFileVersion** An attempt to clean up FileVersion at the client that tries to place the version into 4 octets.
- **BinProductVersion** An attempt to clean up ProductVersion at the client that tries to place the version into 4 octets.
@ -841,8 +840,8 @@ The following fields are available:
- **CompanyName** The company name of the vendor who developed this file.
- **FileId** A hash that uniquely identifies a file.
- **FileVersion** The File version field from the file metadata under Properties -> Details.
- **HasUpgradeExe** Represents state of antivirus program with respect to whether it's turned on and the signatures are up-to-date.
- **IsAv** A binary type. Example: UNINITIALIZED, ZERO_BYTE, DATA_ONLY, DOS_MODULE, NE16_MODULE, PE32_UNKNOWN, PE32_I386, PE32_ARM, PE64_UNKNOWN, PE64_AMD64, PE64_ARM64, PE64_IA64, PE32_CLR_32, PE32_CLR_IL, PE32_CLR_IL_PREFER32, PE64_CLR_64
- **HasUpgradeExe** Does the anti-virus app have an upgrade.exe file?
- **IsAv** Is the file an anti-virus reporting EXE?
- **LinkDate** The date and time that this file was linked on.
- **LowerCaseLongPath** The full file path to the file that was inventoried on the device.
- **Name** The name of the file that was inventoried.
@ -1653,7 +1652,7 @@ The following fields are available:
- **KvaShadow** Microcode info of the processor.
- **MMSettingOverride** Microcode setting of the processor.
- **MMSettingOverrideMask** Microcode setting override of the processor.
- **ProcessorArchitecture** Retrieves the processor architecture of the installed operating system. The complete list of values can be found in DimProcessorArchitecture.
- **ProcessorArchitecture** Retrieves the processor architecture of the installed operating system.
- **ProcessorClockSpeed** Retrieves the clock speed of the processor in MHz.
- **ProcessorCores** Retrieves the number of cores in the processor.
- **ProcessorIdentifier** The processor identifier of a manufacturer.
@ -1662,7 +1661,7 @@ The following fields are available:
- **ProcessorPhysicalCores** Number of physical cores in the processor.
- **ProcessorUpdateRevision** The microcode version.
- **SocketCount** Number of physical CPU sockets of the machine.
- **SpeculationControl** Clock speed of the processor in MHz.
- **SpeculationControl** If the system has enabled protections needed to validate the speculation control vulnerability.
### Census.Speech

40
windows/configuration/basic-level-windows-diagnostic-events-and-fields.md
View File

@ -21,7 +21,7 @@ ms.date: 03/13/2018
- Windows 10, version 1709
The Basic level gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Windows Store. When the level is set to Basic, it also includes the Security level information.
The Basic level gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Microsoft Store. When the level is set to Basic, it also includes the Security level information.
The Basic level helps to identify problems that can occur on a particular device hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. This helps Microsoft fix operating system or app problems.
@ -317,8 +317,8 @@ This event represents the basic metadata about a file on the system. The file m
The following fields are available:
- **AppraiserVersion** The version of the Appraiser file generating the events.
- **AvDisplayName** The version of the Appraiser file generating the events.
- **AvProductState** If the app is an anti-virus app, this is its display name.
- **AvDisplayName** If the app is an anti-virus app, this is its display name.
- **AvProductState** Represents state of antivirus program with respect to whether it's turned on and the signatures are up-to-date.
- **BinaryType** A binary type. Example: UNINITIALIZED, ZERO_BYTE, DATA_ONLY, DOS_MODULE, NE16_MODULE, PE32_UNKNOWN, PE32_I386, PE32_ARM, PE64_UNKNOWN, PE64_AMD64, PE64_ARM64, PE64_IA64, PE32_CLR_32, PE32_CLR_IL, PE32_CLR_IL_PREFER32, PE64_CLR_64
- **BinFileVersion** An attempt to clean up FileVersion at the client that tries to place the version into 4 octets.
- **BinProductVersion** An attempt to clean up ProductVersion at the client that tries to place the version into 4 octets.
@ -326,8 +326,8 @@ The following fields are available:
- **CompanyName** The company name of the vendor who developed this file.
- **FileId** A hash that uniquely identifies a file.
- **FileVersion** The File version field from the file metadata under Properties -> Details.
- **HasUpgradeExe** Represents state of antivirus program with respect to whether it's turned on and the signatures are up-to-date.
- **IsAv** A binary type. Example: UNINITIALIZED, ZERO_BYTE, DATA_ONLY, DOS_MODULE, NE16_MODULE, PE32_UNKNOWN, PE32_I386, PE32_ARM, PE64_UNKNOWN, PE64_AMD64, PE64_ARM64, PE64_IA64, PE32_CLR_32, PE32_CLR_IL, PE32_CLR_IL_PREFER32, PE64_CLR_64
- **HasUpgradeExe** Does the anti-virus app have an upgrade.exe file?
- **IsAv** Is the file an anti-virus reporting EXE?
- **LinkDate** The date and time that this file was linked on.
- **LowerCaseLongPath** The full file path to the file that was inventoried on the device.
- **Name** The name of the file that was inventoried.
@ -1617,7 +1617,7 @@ The following fields are available:
- **KvaShadow** Microcode info of the processor.
- **MMSettingOverride** Microcode setting of the processor.
- **MMSettingOverrideMask** Microcode setting override of the processor.
- **ProcessorArchitecture** Retrieves the processor architecture of the installed operating system. The complete list of values can be found in DimProcessorArchitecture.
- **ProcessorArchitecture** Retrieves the processor architecture of the installed operating system.
- **ProcessorClockSpeed** Retrieves the clock speed of the processor in MHz.
- **ProcessorCores** Retrieves the number of cores in the processor.
- **ProcessorIdentifier** The processor identifier of a manufacturer.
@ -1626,7 +1626,7 @@ The following fields are available:
- **ProcessorPhysicalCores** Number of physical cores in the processor.
- **ProcessorUpdateRevision** The microcode version.
- **SocketCount** Number of physical CPU sockets of the machine.
- **SpeculationControl** Clock speed of the processor in MHz.
- **SpeculationControl** If the system has enabled protections needed to validate the speculation control vulnerability.
### Census.Security
@ -1723,7 +1723,7 @@ The following fields are available:
- **AppraiserGatedStatus** Indicates whether a device has been gated for upgrading.
- **AppStoreAutoUpdate** Retrieves the Appstore settings for auto upgrade. (Enable/Disabled).
- **AppStoreAutoUpdateMDM** Retrieves the App Auto Update value for MDM: 0 - Disallowed. 1 - Allowed. 2 - Not configured. Default: [2] Not configured
- **AppStoreAutoUpdatePolicy** Retrieves the Windows Store App Auto Update group policy setting
- **AppStoreAutoUpdatePolicy** Retrieves the Microsoft Store App Auto Update group policy setting
- **DelayUpgrade** Retrieves the Windows upgrade flag for delaying upgrades.
- **OSAssessmentFeatureOutOfDate** How many days has it been since a the last feature update was released but the device did not install it?
- **OSAssessmentForFeatureUpdate** Is the device is on the latest feature update?
@ -2195,7 +2195,7 @@ The following fields are available:
- **Publisher** The Publisher of the application. Location pulled from depends on the 'Source' field.
- **RootDirPath** The path to the root directory where the program was installed.
- **Source** How the program was installed (ARP, MSI, Appx, etc...)
- **StoreAppType** A sub-classification for the type of Windows Store app, such as UWP or Win8StoreApp.
- **StoreAppType** A sub-classification for the type of Microsoft Store app, such as UWP or Win8StoreApp.
- **Type** "One of (""Application"", ""Hotfix"", ""BOE"", ""Service"", ""Unknown""). Application indicates Win32 or Appx app, Hotfix indicates app updates (KBs), BOE indicates it's an app with no ARP or MSI entry, Service indicates that it is a service. Application and BOE are the ones most likely seen."
- **Version** The version number of the program.
@ -2836,7 +2836,7 @@ The following fields are available:
### SoftwareUpdateClientTelemetry.UpdateDetected
This event sends data about an AppX app that has been updated from the Windows Store, including what app needs an update and what version/architecture is required, in order to understand and address problems with apps getting required updates.
This event sends data about an AppX app that has been updated from the Microsoft Store, including what app needs an update and what version/architecture is required, in order to understand and address problems with apps getting required updates.
The following fields are available:
@ -2846,7 +2846,7 @@ The following fields are available:
- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one
- **WUDeviceID** The unique device ID controlled by the software distribution client
- **IntentPFNs** Intended application-set metadata for atomic update scenarios.
- **ServiceGuid** An ID which represents which service the software distribution client is connecting to (Windows Update, Windows Store, etc.)
- **ServiceGuid** An ID which represents which service the software distribution client is connecting to (Windows Update, Microsoft Store, etc.)
### SoftwareUpdateClientTelemetry.SLSDiscovery
@ -2859,7 +2859,7 @@ The following fields are available:
- **HResult** Indicates the result code of the event (success, cancellation, failure code HResult)
- **IsBackground** Indicates whether the SLS discovery event took place in the foreground or background
- **NextExpirationTime** Indicates when the SLS cab expires
- **ServiceID** An ID which represents which service the software distribution client is connecting to (Windows Update, Windows Store, etc.)
- **ServiceID** An ID which represents which service the software distribution client is connecting to (Windows Update, Microsoft Store, etc.)
- **SusClientId** The unique device ID controlled by the software distribution client
- **UrlPath** Path to the SLS cab that was downloaded
- **WUAVersion** The version number of the software distribution client
@ -2885,7 +2885,7 @@ The following fields are available:
- **EventType** "Possible values are ""Child"", ""Bundle"", or ""Driver""."
- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.)
- **RevisionNumber** Unique revision number of Update
- **ServerId** Identifier for the service to which the software distribution client is connecting, such as Windows Update and Windows Store.
- **ServerId** Identifier for the service to which the software distribution client is connecting, such as Windows Update and Microsoft Store.
- **SystemBIOSMajorRelease** Major version of the BIOS.
- **SystemBIOSMinorRelease** Minor version of the BIOS.
- **UpdateId** Unique Update ID
@ -2930,7 +2930,7 @@ The following fields are available:
- **MetadataSignature** A base64-encoded string of the signature associated with the update metadata (specified by revision ID).
- **RevisionId** The revision ID for a specific piece of content.
- **RevisionNumber** The revision number for a specific piece of content.
- **ServiceGuid** Identifies the service to which the software distribution client is connected, Example: Windows Update or Windows Store
- **ServiceGuid** Identifies the service to which the software distribution client is connected, Example: Windows Update or Microsoft Store
- **SHA256OfLeafCertPublicKey** A base64 encoding of the hash of the Base64CertData in the FragmentSigning data of the leaf certificate.
- **SHA256OfTimestampToken** A base64-encoded string of hash of the timestamp token blob.
- **SignatureAlgorithm** The hash algorithm for the metadata signature.
@ -3011,7 +3011,7 @@ The following fields are available:
- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one
- **RepeatFailFlag** Indicates whether this specific piece of content had previously failed to download.
- **RevisionNumber** Identifies the revision number of this specific piece of content.
- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Windows Store, etc.).
- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Microsoft Store, etc.).
- **Setup360Phase** If the download is for an operating system upgrade, this datapoint indicates which phase of the upgrade is underway.
- **ShippingMobileOperator** The mobile operator that a device shipped on.
- **StatusCode** Indicates the result of a Download event (success, cancellation, failure code HResult).
@ -3079,7 +3079,7 @@ The following fields are available:
- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one
- **ScanDurationInSeconds** The number of seconds a scan took
- **ScanEnqueueTime** The number of seconds it took to initialize a scan
- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Windows Store, etc.).
- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Microsoft Store, etc.).
- **ServiceUrl** The environment URL a device is configured to scan with
- **ShippingMobileOperator** The mobile operator that a device shipped on.
- **StatusCode** Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult).
@ -3177,7 +3177,7 @@ The following fields are available:
- **RepeatFailFlag** Indicates whether this specific piece of content had previously failed to install.
- **RepeatSuccessInstallFlag** Indicates whether this specific piece of content had previously installed successful, for example if another user had already installed it.
- **RevisionNumber** The revision number of this specific piece of content.
- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Windows Store, etc.).
- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Microsoft Store, etc.).
- **Setup360Phase** If the install is for an operating system upgrade, indicates which phase of the upgrade is underway.
- **ShippingMobileOperator** The mobile operator that a device shipped on.
- **StatusCode** Indicates the result of an installation event (success, cancellation, failure code HResult).
@ -3212,7 +3212,7 @@ The following fields are available:
- **PowerState** Indicates the power state of the device at the time of heartbeart (DC, AC, Battery Saver, or Connected Standby)
- **RelatedCV** "The previous correlation vector that was used by the client, before swapping with a new one "
- **ResumeCount** Number of times this active download has resumed from a suspended state
- **ServiceID** "Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc) "
- **ServiceID** "Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc) "
- **SuspendCount** Number of times this active download has entered a suspended state
- **SuspendReason** Last reason for why this active download entered a suspended state
- **CallerApplicationName** Name provided by the caller who initiated API calls into the software distribution client
@ -3220,7 +3220,7 @@ The following fields are available:
- **EventType** "Possible values are ""Child"", ""Bundle"", or ""Driver"""
- **FlightId** The unique identifier for each flight
- **RevisionNumber** Identifies the revision number of this specific piece of content
- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc)
- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc)
- **UpdateId** "Identifier associated with the specific piece of content "
- **WUDeviceID** "Unique device id controlled by the software distribution client "
@ -3735,7 +3735,7 @@ The following fields are available:
- **ReportId** WER Report Id associated with this bug check (used for finding the corresponding report archive in Watson).
## Windows Store events
## Microsoft Store events
### Microsoft.Windows.StoreAgent.Telemetry.AbortedInstallation

2
windows/deployment/TOC.md
View File

@ -253,6 +253,8 @@
### [Device Health](update/device-health-monitor.md)
#### [Get started with Device Health](update/device-health-get-started.md)
#### [Using Device Health](update/device-health-using.md)
### [Enrolling devices in Windows Analytics](update/windows-analytics-get-started.md)
### [Troubleshooting Windows Analytics and FAQ](update/windows-analytics-FAQ-troubleshooting.md)
## [Upgrade a Windows Phone 8.1 to Windows 10 Mobile with Mobile Device Management](upgrade/upgrade-windows-phone-8-1-to-10.md)

116
windows/deployment/update/device-health-get-started.md
View File

@ -5,7 +5,7 @@ keywords: Device Health, oms, operations management suite, prerequisites, requir
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.date: 11/14/2017
ms.date: 03/15/2018
ms.pagetype: deploy
author: jaimeo
---
@ -15,25 +15,11 @@ author: jaimeo
This topic explains the steps necessary to configure your environment for Windows Analytics: Device Health.
Steps are provided in sections that follow the recommended setup process:
1. Ensure that [prerequisites](#device-health-prerequisites) are met.
2. [Add Device Health](#add-device-health-to-microsoft-operations-management-suite) to Microsoft Operations Management Suite.
3. [Deploy your Commercial ID](#deploy-your-commercial-id-to-your-windows-10-devices and set the telemetry level) to your organizations devices.
## Device Health prerequisites
1. [Add Device Health](#add-device-health-to-microsoft-operations-management-suite) to Microsoft Operations Management Suite.
2. [Enroll devices in Windows Analytics](#deploy-your-commercial-id-to-your-windows-10-devices) to your organizations devices.
3. [Use Device Health to monitor frequency and causes of device crashes](#use-device-health-to-monitor-frequency-and-causes-of-device-crashes) once your devices are enrolled.
Device Health has the following requirements:
1. Device Health is currently only compatible with Windows 10 and Windows Server 2016 devices. The solution is intended to be used with desktop devices (Windows 10 workstations and laptops).
2. The solution requires that at least the [enhanced level of diagnostic data](https://technet.microsoft.com/itpro/windows/manage/configure-windows-diagnostic-data-in-your-organization#basic-level) is enabled on all devices that are intended to be displayed in the solution. To learn more about Windows diagnostic data, see [Configure Windows diagnostic data in your organization](/windows/configuration/configure-windows-diagnostic-data-in-your-organization).
3. The diagnostic data of your organizations Windows devices must be successfully transmitted to Microsoft. Microsoft has specified [endpoints for each of the diagnostic data services](/windows/configuration//configure-windows-diagnostic-data-in-your-organization#endpoints), which must be whitelisted by your organization so the data can be transmitted. The following table is taken from the article on diagnostic data endpoints and summarizes the use of each endpoint:
Service | Endpoint
--- | ---
Connected User Experiences and Telemetry component | v10.vortex-win.data.microsoft.com<BR>settings-win.data.microsoft.com
Windows Error Reporting | watson.telemetry.microsoft.com
Online Crash Analysis | oca.telemetry.microsoft.com
>[!NOTE]
> If your deployment includes devices running Windows 10 versions prior to Windows 10, version 1703, you must **exclude** *authentication* for the endpoints listed in Step 3. Windows Error Reporting did not support authenticating proxies until Windows 10, version 1703. See [Configure Windows diagnostic data in your organization](/windows/configuration/configure-windows-diagnostic-data-in-your-organization) for steps to exclude authentication for these endpoints.
## Add Device Health to Microsoft Operations Management Suite
@ -79,100 +65,14 @@ After you have added Device Health and devices have a Commercial ID, you will be
>[!NOTE]
>You can unsubscribe from the Device Health solution if you no longer want to monitor your organizations devices. User device data will continue to be shared with Microsoft while the opt-in keys are set on user devices and the proxy allows traffic.
## Deploy your Commercial ID to your Windows 10 devices and set the diagnostic data level
In order for your devices to show up in Windows Analytics: Device Health, they must be configured with your organizations Commercial ID. This is so that Microsoft knows that a given device is a member of your organization and to feed that devices data back to you. There are two primary methods for widespread deployment of your Commercial ID: Group Policy and Mobile Device Management (MDM).
- Using Group Policy<BR><BR>
Deploying your Commercial ID using Group Policy can be accomplished by configuring domain Group Policy Objects with the Group Policy Management Editor, or by configuring local Group Policy using the Local Group Policy Editor.
1. In the console tree, navigate to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds**
2. Double-click **Configure the Commercial ID**
3. In the **Options** box, under **Commercial Id**, type the Commercial ID GUID, and then click **OK**.<P>
- Using Microsoft Mobile Device Management (MDM)<BR><BR>
Microsofts Mobile Device Management can be used to deploy your Commercial ID to your organizations devices. The Commercial ID is listed under **Provider/ProviderID/CommercialID**. You can find more information on deployment using MDM at the [DMClient Configuration Service Provider topic](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/dmclient-csp).
## Perform checks to ensure and verify successful deployment
While you're waiting for the initial data to populate, there are some configuration details it's worth confirming to ensure that the necessary data connections are set up properly.
### Check for disabled Windows Error Reporting (WER)
 
If WER is disabled or redirected on your Windows devices, then reliability information cannot be shown in Device Health.
Check these Registry settings in **HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Windows Error Reporting**:
- Verify that the value "Disabled" (REG_DWORD), if set, is 0.
- Verify that the value "DontSendAdditionalData" (REG_DWORD), if set, is 0.
- Verify that the value "CorporateWERServer" (REG_SZ) is not configured.
 
If you need further information on Windows Error Reporting (WER) settings, see [WER Settings](https://msdn.microsoft.com/library/windows/desktop/bb513638(v=vs.85).aspx).
### Endpoint connectivity
Devices must be able to reach the endpoints specified in the "Device Health prerequisites" section of this topic.
>[!NOTE]
> If your deployment includes devices running Windows 10 versions prior to Windows 10, version 1703, you must **exclude** *authentication* for the endpoints listed in Step 3 of the "Device Health prerequisites" section of this topic. Windows Error Reporting did not support authenticating proxies until Windows 10, version 1703. (If you need more information about diagnostic data endpoints and how to manage them, see [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization).
If you are using proxy server authentication, it is worth taking extra care to check the configuration. Prior to Windows 10, version 1703, WER uploads error reports in the machine context. Both user (typically authenticated) and machine (typically anonymous) contexts require access through proxy servers to the diagnostic endpoints. In Windows 10, version 1703, and later WER will attempt to use the context of the user that is logged on for proxy authentication such that only the user account requires proxy access.
Therefore, it's important to ensure that both machine and user accounts have access to the endpoints using authentication (or to whitelist the endpoints so that outbound proxy authentication is not required).
To test access as a given user, you can run this Windows PowerShell cmdlet *while logged on as that user*:
```powershell
$endPoints = @(
'v10.vortex-win.data.microsoft.com'
'settings-win.data.microsoft.com'
'watson.telemetry.microsoft.com'
'oca.telemetry.microsoft.com'
'vortex.data.microsoft.com'
)
$endPoints | %{ Test-NetConnection -ComputerName $_ -Port 443 -ErrorAction Continue } | Select-Object -Property ComputerName,TcpTestSucceeded
```
If this is successful, `TcpTestSucceeded` should return `True` for each of the endpoints.
To test access in the machine context (requires administrative rights), run the above as SYSTEM using PSexec or Task Scheduler, as in this example:
```powershell
[scriptblock]$accessTest = {
$endPoints = @(
'v10.vortex-win.data.microsoft.com'
'settings-win.data.microsoft.com'
'watson.telemetry.microsoft.com'
'oca.telemetry.microsoft.com'
'vortex.data.microsoft.com'
)
$endPoints | %{ Test-NetConnection -ComputerName $_ -Port 443 -ErrorAction Continue } | Select-Object -Property ComputerName,TcpTestSucceeded
}
$scriptFullPath = Join-Path $env:ProgramData "TestAccessToMicrosoftEndpoints.ps1"
$outputFileFullPath = Join-Path $env:ProgramData "TestAccessToMicrosoftEndpoints_Output.txt"
$accessTest.ToString() > $scriptFullPath
$null > $outputFileFullPath
$taskAction = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument "-ExecutionPolicy Bypass -Command `"&{$scriptFullPath > $outputFileFullPath}`""
$taskTrigger = New-ScheduledTaskTrigger -Once -At (Get-Date).Addseconds(10)
$task = Register-ScheduledTask -User 'NT AUTHORITY\SYSTEM' -TaskName 'MicrosoftTelemetryAccessTest' -Trigger $taskTrigger -Action $taskAction -Force
Start-Sleep -Seconds 120
Unregister-ScheduledTask -TaskName $task.TaskName -Confirm:$false
Get-Content $outputFileFullPath
```
As in the other example, if this is successful, `TcpTestSucceeded` should return `True` for each of the endpoints.
## Enroll devices in Windows Analytics
Once you've added Update Compliance to Microsoft Operations Management Suite, you can now start enrolling the devices in your organization. For full instructions, see [Enrolling devices in Windows Analytics](windows-analytics-get-started.md).
## Use Device Health to monitor frequency and causes of device crashes
Once your devices are enrolled, you can move on to [Use Device Health](device-health-using.md).
## Related topics

2
windows/deployment/update/device-health-monitor.md
View File

@ -67,7 +67,7 @@ These steps are illustrated in following diagram:
[![](images/analytics-architecture.png)](images/analytics-architecture.png)
>[!NOTE]
>This process assumes that Windows diagnostic data is enabled and you [have assigned your Commercial ID to devices](update-compliance-get-started.md#deploy-your-commercial-id-to-your-windows-10-devices).
>This process assumes that Windows diagnostic data is enabled and data sharing is enabled as described in [Enrolling devices in Windows Analytics](windows-analytics-get-started.md).

BIN
windows/deployment/update/images/WA-device-enrollment.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 43 KiB

BIN
windows/deployment/update/images/outdated_incomplete.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 60 KiB

BIN
windows/deployment/update/images/outdated_outdated.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 60 KiB

48
windows/deployment/update/update-compliance-get-started.md
View File

@ -6,9 +6,9 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: deploy
author: DaniHalfin
ms.author: daniha
ms.date: 10/13/2017
author: Jaimeo
ms.author: jaimeo
ms.date: 03/15/2018
---
# Get started with Update Compliance
@ -16,29 +16,10 @@ ms.date: 10/13/2017
This topic explains the steps necessary to configure your environment for Windows Analytics: Update Compliance.
Steps are provided in sections that follow the recommended setup process:
1. Ensure that [prerequisites](#update-compliance-prerequisites) are met.
2. [Add Update Compliance](#add-update-compliance-to-microsoft-operations-management-suite) to Microsoft Operations Management Suite.
3. [Deploy your Commercial ID](#deploy-your-commercial-id-to-your-windows-10-devices) to your organizations devices.
1. [Add Update Compliance](#add-update-compliance-to-microsoft-operations-management-suite) to Microsoft Operations Management Suite.
2. [Enroll devices in Windows Analytics](#enroll-devices-in-windows-analytics) to your organizations devices.
3. [Use Update Compliance to monitor Windows Updates](#use-update-compliance-to-monitor-windows-updates) once your devices are enrolled.
## Update Compliance prerequisites
Update Compliance has the following requirements:
1. Update Compliance is currently only compatible with Windows 10 devices. The solution is intended to be used with desktop devices (Windows 10 workstations and laptops).
2. The solution requires that Windows 10 diagnostic data is enabled on all devices that are intended to be displayed in the solution. These devices must have at least the [basic level of diagnostic data](/configuration/configure-windows-diagnostic-data-in-your-organization#basic-level) enabled. To learn more about Windows diagnostic data, see [Configure Windows diagnostic data in your organization](/windows/configuration/configure-windows-diagnostic-data-in-your-organization).
3. The diagnostic data of your organizations Windows devices must be successfully transmitted to Microsoft. Microsoft has specified [endpoints for each of the diagnostic data services](/configuration/configure-windows-diagnostic-data-in-your-organization#endpoints), which must be whitelisted by your organization so the data can be transmitted. The following table is taken from the article on diagnostic data endpoints and summarizes the use of each endpoint:
Service | Endpoint
--- | ---
Connected User Experiences and Telemetry component | v10.vortex-win.data.microsoft.com<BR>settings-win.data.microsoft.com
Windows Error Reporting | watson.telemetry.microsoft.com
Online Crash Analysis | oca.telemetry.microsoft.com
4. To use Windows Defender Antivirus Assessment, devices must be protected by Windows Defender AV (and not a 3rd party AV program), and must have enabled [cloud-delivered protection](/windows/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus). See the [Troublehsoot Windows Defender Antivirus reporting](/windows/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md) topic for help on ensuring the configuration is correct.
For endpoints running Windows 10, version 1607 or earlier, [Windows diagnostic data must also be set to **Enhanced**](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization#enhanced-level), to be compatible with Windows Defender Antivirus.
See the [Windows Defender Antivirus in Windows 10](/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) content library for more information on enabling, configuring, and validating Windows Defender AV.
## Add Update Compliance to Microsoft Operations Management Suite
@ -81,20 +62,11 @@ After you are subscribed to OMS Update Compliance and your devices have a Commer
>[!NOTE]
>You can unsubscribe from the Update Compliance solution if you no longer want to monitor your organizations devices. User device data will continue to be shared with Microsoft while the opt-in keys are set on user devices and the proxy allows traffic.
## Deploy your Commercial ID to your Windows 10 devices
## Enroll devices in Windows Analytics
In order for your devices to show up in Windows Analytics: Update Compliance, they must be configured with your organizations Commercial ID. This is so that Microsoft knows that a given device is a member of your organization and to feed that devices data back to you. There are two primary methods for widespread deployment of your Commercial ID: Group Policy and Mobile Device Management (MDM).
- Using Group Policy<BR><BR>
Deploying your Commercial ID using Group Policy can be accomplished by configuring domain Group Policy Objects with the Group Policy Management Editor, or by configuring local Group Policy using the Local Group Policy Editor.
1. In the console tree, navigate to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds**
2. Double-click **Configure the Commercial ID**
3. In the **Options** box, under **Commercial Id**, type the Commercial ID GUID, and then click **OK**.<P>
- Using Microsoft Mobile Device Management (MDM)<BR><BR>
Microsofts Mobile Device Management can be used to deploy your Commercial ID to your organizations devices. The Commercial ID is listed under **Provider/ProviderID/CommercialID**. More information on deployment using MDM can be found [here](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/dmclient-csp).
Once you've added Update Compliance to Microsoft Operations Management Suite, you can now start enrolling the devices in your organization. For full instructions, see [Enrolling devices in Windows Analytics](windows-analytics-get-started.md).
## Related topics
## Use Update Compliance to monitor Windows Updates
[Use Update Compliance to monitor Windows Updates](update-compliance-using.md)
Once your devices are enrolled, you can starte to [Use Update Compliance to monitor Windows Updates](update-compliance-using.md).

2
windows/deployment/update/update-compliance-monitor.md
View File

@ -54,7 +54,7 @@ These steps are illustrated in following diagram:
![Update Compliance architecture](images/uc-01-wdav.png)
>[!NOTE]
>This process assumes that Windows diagnostic data is enabled and you [have assigned your Commercial ID to devices](update-compliance-get-started.md#deploy-your-commercial-id-to-your-windows-10-devices).
>This process assumes that Windows diagnostic data is enabled and data sharing is enabled as described in [Enrolling devices in Windows Analytics](windows-analytics-get-started.md).

2
windows/deployment/update/update-compliance-using.md
View File

@ -32,7 +32,7 @@ In Update Compliance, data is separated into vertically-sliced sections. Each se
After Update Compliance has successfully been added from the solution gallery, youll see this tile:
![Empty Update Compliance Tile](images/uc-emptyworkspacetile.png)
When the solution is added, data is not immediately available. Data will begin to be collected after data is sent up that is associated with the Commercial ID associated with the device. If you havent read about assigning your Commercial ID to your devices, refer to [this topic](update-compliance-get-started.md#deploy-your-commercial-id-to-your-windows-10-devices). After Microsoft has collected and processed any device data associated with your Commercial ID, the tile will be replaced with the following summary:
When the solution is added, data is not immediately available. Data will begin to be collected after data is sent up that is associated with the Commercial ID associated with the device. This process assumes that Windows diagnostic data is enabled and data sharing is enabled as described in [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). After Microsoft has collected and processed any device data associated with your Commercial ID, the tile will be replaced with the following summary:
![Filled Update Compliance Tile](images/uc-filledworkspacetile.png)

201
windows/deployment/update/windows-analytics-FAQ-troubleshooting.md Normal file
View File

@ -0,0 +1,201 @@
---
title: Frequently asked questions and troubleshooting Windows Analytics
description: Frequently asked questions about Windows Analytics and steps to take when things go wrong
keywords: windows analytics, oms, operations management suite, prerequisites, requirements, updates, upgrades, log analytics, health, FAQ, problems, troubleshooting, error
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: deploy
author: jaimeo
ms.author: jaimeo
ms.date: 03/16/2018
---
# Frequently asked questions and troubleshooting Windows Analytics
This topic compiles the most common issues encountered with configuring and using Windows Analytics, as well as general questions.
## Troubleshooting common problems
If you've followed the steps in the [Enrolling devices in Windows Analytics](windows-analytics-get-started.md) topic and are still encountering problems, you might find the solution here.
[Devices not showing up](#devices-not-showing-up)
[Device Health crash data not appearing](#device-health-crash-data-not-appearing)
[Upgrade Readiness reports outdated updates](#upgrade-readiness-reports-outdated-updates)
[Upgrade Readiness reports incomplete inventory](#upgrade-readiness-reports-incomplete-inventory)
[Upgrade Readiness doesn't show app inventory data on some devices](#upgrade-readiness-doesnt-show-app-inventory-data-on-some-devices)
[Upgrade Readiness doesn't show IE site discovery data from some devices](#upgrade-readiness-doesnt-show-ie-site-discovery-data-from-some-devices)
### Devices not showing up
In Log Analytics, go to **Settings > Connected sources > Windows telemetry** and verify that you are subscribed to the Windows Analytics solutions you intend to use.
Even though devices can take 2-3 days after enrollment to show up due to latency in the system, you can now verify the status of your devices with a few hours of running the deployment script as described in [You can now check on the status of your computers within hours of running the deployment script](https://blogs.technet.microsoft.com/upgradeanalytics/2017/05/12/wheres-my-data/) on the Windows Analytics blog.
If devices are not showing up as expected, find a representative device and follow these steps to run the latest pilot version of the Upgrade Readiness deployment script on it to troubleshoot issues:
1. Download and extract the [Upgrade Readiness Deployment Script](https://www.microsoft.com/download/details.aspx?id=53327). Ensure that the **Pilot/Diagnostics** folder is included.
2. Edit the script as described in [Upgrade Readiness deployment script](../upgrade/upgrade-readiness-deployment-script.md).
3. Check that `isVerboseLogging` is set to `$true`.
4. Run the script again. Log files will be saved to the directory specified in the script.
5. Check the output of the script in the command window and/or log **UA_dateTime_machineName.txt** to ensure that all steps were completed successfully.
6. If you are still seeing errors you can't diagnose, then consider open a support case with Microsoft Support through your regular channel and provide this information.
If you want to check a large number of devices, you should run the latest script at scale from your management tool of choice (for example, System Center Configuration Manager) and check the results centrally.
If you think the issue might be related to a network proxy, check "Enable data sharing" section of the [Enrolling devices in Windows Analytics](windows-analytics-get-started.md) topic. Also see [Understanding connectivity scenarios and the deployment script](https://blogs.technet.microsoft.com/upgradeanalytics/2017/03/10/understanding-connectivity-scenarios-and-the-deployment-script/) on the Windows Analytics blog.
### Device Health crash data not appearing
#### Is WER disabled?
If Windows Error Reporting (WER) is disabled or redirected on your Windows devices, then reliability information cannot be shown in Device Health.
Check these registry settings in **HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Windows Error Reporting**:
- Verify that the value "Disabled" (REG_DWORD), if set, is 0.
- Verify that the value "DontSendAdditionalData" (REG_DWORD), if set, is 0.
- Verify that the value "CorporateWERServer" (REG_SZ) is not configured.
If you need further information on Windows Error Reporting (WER) settings, see WER Settings.
#### Endpoint connectivity
Devices must be able to reach the endpoints specified in [Enrolling devices in Windows Analytics](windows-analytics-get-started.md).
If you are using proxy server authentication, it is worth taking extra care to check the configuration. Prior to Windows 10, version 1703, WER uploads error reports in the machine context. Both user (typically authenticated) and machine (typically anonymous) contexts require access through proxy servers to the diagnostic endpoints. In Windows 10, version 1703, and later WER will attempt to use the context of the user that is logged on for proxy authentication such that only the user account requires proxy access.
Therefore, it's important to ensure that both machine and user accounts have access to the endpoints using authentication (or to whitelist the endpoints so that outbound proxy authentication is not required). For suggested methods, see [Enrolling devices in Windows Analytics](windows-analytics-get-started.md#configuring-endpoint-access-with-proxy-servers).
To test access as a given user, you can run this Windows PowerShell cmdlet *while logged on as that user*:
```powershell
$endPoints = @(
'watson.telemetry.microsoft.com'
'oca.telemetry.microsoft.com'
'v10.events.data.microsoft.com'
)
$endPoints | %{ Test-NetConnection -ComputerName $_ -Port 443 -ErrorAction Continue } | Select-Object -Property ComputerName,TcpTestSucceeded
```
If this is successful, `TcpTestSucceeded` should return `True` for each of the endpoints.
To test access in the machine context (requires administrative rights), run the above as SYSTEM using PSexec or Task Scheduler, as in this example:
```powershell
[scriptblock]$accessTest = {
$endPoints = @(
'watson.telemetry.microsoft.com'
'oca.telemetry.microsoft.com'
'v10.events.data.microsoft.com'
)
$endPoints | %{ Test-NetConnection -ComputerName $_ -Port 443 -ErrorAction Continue } | Select-Object -Property ComputerName,TcpTestSucceeded
}
$scriptFullPath = Join-Path $env:ProgramData "TestAccessToMicrosoftEndpoints.ps1"
$outputFileFullPath = Join-Path $env:ProgramData "TestAccessToMicrosoftEndpoints_Output.txt"
$accessTest.ToString() > $scriptFullPath
$null > $outputFileFullPath
$taskAction = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument "-ExecutionPolicy Bypass -Command `"&{$scriptFullPath > $outputFileFullPath}`""
$taskTrigger = New-ScheduledTaskTrigger -Once -At (Get-Date).Addseconds(10)
$task = Register-ScheduledTask -User 'NT AUTHORITY\SYSTEM' -TaskName 'MicrosoftTelemetryAccessTest' -Trigger $taskTrigger -Action $taskAction -Force
Start-Sleep -Seconds 120
Unregister-ScheduledTask -TaskName $task.TaskName -Confirm:$false
Get-Content $outputFileFullPath
```
As in the other example, if this is successful, `TcpTestSucceeded` should return `True` for each of the endpoints.
### Upgrade Readiness shows many "Computers with outdated KB"
If you see a large number of devices reported as shown in this screenshot of the Upgrade Readiness tile:
[![Upgrade Readiness tile showing Computers with outdated KB datum in red box](images/outdated_outdated.png)](images/outdated_outdated.png)
On Windows 7 SP1 and Windows 8.1 devices, you must deploy the compatibility update as described in [Enrolling devices in Windows Analytics](windows-analytics-get-started.md).
Note that the compatibility update retains the same KB number when a new version is released, so even if the update is installed on your devices, *they might not be running the latest version*. The compatibility update is now a critical update, so you can check that the latest version is installed from your management tool.
### Upgrade Readiness shows many "Computers with incomplete data"
If you see a large number of devices reported as shown in this screenshot of the Upgrade Readiness tile:
[![Upgrade Readiness tile showing Computers with incomplete data datum in red box](images/outdated_incomplete.png)](images/outdated_incomplete.png)
Download the latest deployment script and run it on an affected device to check for issues. See the [Upgrade Readiness deployment script](../upgrade/upgrade-readiness-deployment-script.md) topic for information about obtaining and running the script, and for a description of the error codes that can be displayed. Remember to wait up to 48-72 hours to see the results.
See ["Understanding connectivity scenarios and the deployment script"](https://blogs.technet.microsoft.com/upgradeanalytics/2017/03/10/understanding-connectivity-scenarios-and-the-deployment-script/) on the Windows Analytics blog for a summary of setting the ClientProxy for the script, which will enable the script properly check for diagnostic data endpoint connectivity.
If this becomes a recurring issue, schedule a full inventory scan monthly, as per the device enrollment guidelines for deployment at scale.
### Upgrade Readiness doesn't show app inventory data on some devices
Upgrade Readiness only collects app inventory on devices that are not yet upgraded to the target operating system version specified in the Upgrade Readiness Overview blade. This is because Upgrade Readiness targets upgrade planning (for devices not yet upgraded).
### Upgrade Readiness doesn't show IE site discovery data from some devices
Double-check that IE site discovery opt-in has been configured in the deployment script. (See the [Upgrade Readiness deployment script](../upgrade/upgrade-readiness-deployment-script.md) topic for information about obtaining and running the script, and for a description of the error codes that can be displayed. See ["Understanding connectivity scenarios and the deployment script"](https://blogs.technet.microsoft.com/upgradeanalytics/2017/03/10/understanding-connectivity-scenarios-and-the-deployment-script/) on the Windows Analytics blog for a summary of setting the ClientProxy for the script, which will enable the script properly check for diagnostic data endpoint connectivity.)
Also, on Windows 10 devices remember that IE site discovery requires data diagnostics set to the Enhanced level.
Finally, Upgrade Readiness only collects IE site discovery data on devices that are not yet upgraded to the target operating system version specified in the Upgrade Readiness Overview blade. This is because Upgrade Readiness targets upgrade planning (for devices not yet upgraded).
[comment]: # (Device names are not showing up properly? Starting with Windows 10 1803, the device name is no longer collected by default and requires a separate opt-in by setting HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection\AllowDeviceNameInTelemetry:DWORD == 1. This is done by default if you run the latest version of the deployment script, or can be set via policy. If the policy is not set, then the device name will show up as "Unknown (aka.ms/analyticsDeviceName)")
## Other common questions
### What are the requirements and costs for Windows Analytics solutions?
| Windows Analytics solution| Windows license requirements | Windows version requirements | Diagnostic data requirements |
|----------------------|-----------------------------------|------------------------------|------------------------------|
| Upgrade Readiness | No additional requirements | Windows 7 with Service Pack 1, Windows 8.1, Windows 10 | Basic level in most cases; Enhanced level to support Windows 10 app usage data and IE site discovery |
| Update Compliance | No additional requirements | Windows 10 | Basic level |
| Device Health | No additional requirements | - Windows 10 Enterprise or Windows 10 Education per-device with active Software Assurance<br>- Windows 10 Enterprise E3 or E5 per-device or per-user subscription (including Microsoft 365 F1, E3, or E5)<br>- Windows 10 Education A3 or A5 (including Microsoft 365 Education A3 or A5)<br>- Windows VDA E3 or E5 per-device or per-user subscription<br>- Windows Server 2016 or later | Windows 10 | Enhanced level |
>[!NOTE]
> Regarding licensing requirements for Device Health, you do not need per-seat licensing, but only enough licenses to cover your total device usage. For example, if you have 100 E3 licenses, you can monitor 100 devices with Device Health.
Beyond the cost of Windows operating system licenses, there is no additional cost for using Windows Analytics. In Azure Log Analytics, Windows Analytics is "zero-rated;" this means it is excluded from data limits and costs regardless of the Azure Log Analytics pricing tier you have chosen.
### How does Windows Analytics support privacy?
Windows Analytics is fully committed to privacy, centering on these tenets:
- **Transparency:** We fully document the Windows Analytics diagnostic events (see the links for additional information) so you can review them with your companys security and compliance teams. The Diagnostic Data Viewer lets you see diagnostic data sent from a given device (see [Diagnostic Data Viewer Overview](https://docs.microsoft.com/windows/configuration/diagnostic-data-viewer-overview) for details).
- **Control:** You ultimately control the level of diagnostic data you wish to share. In Windows 10 1709 we added a new policy to Limit enhanced diagnostic data to the minimum required by Windows Analytics
- **Security:** Your data is protected with strong security and encryption
- **Trust:** Windows Analytics supports the Microsoft Online Service Terms
See these topics for additional background information about related privacy issues:
- [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windowsconfiguration/configure-windows-diagnostic-data-in-your-organization)
- [Windows 7, Windows 8, and Windows 8.1 Appraiser Telemetry Events, and Fields](https://go.microsoft.com/fwlink/?LinkID=822965) (link downloads a PDF file)
- [Windows 10, version 1703 basic level Windows diagnostic events and fields](https://docs.microsoft.com/windows/configuration/basic-level-windows-diagnostic-events-and-fields-1703)
- [Windows 10, version 1709 enhanced diagnostic data events and fields used by Windows Analytics](https://docs.microsoft.com/windows/configuration/enhanced-diagnostic-data-windows-analytics-events-and-fields)
- [Diagnostic Data Viewer Overview](https://docs.microsoft.com/windows/configuration/diagnostic-data-viewer-overview)
- [Licensing Terms and Documentation](https://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=3&DocumentTypeId=31)
- [Learn about security and privacy at Microsoft datacenters](http://www.microsoft.com/datacenters)
- [Confidence in the trusted cloud](https://azure.microsoft.com/en-us/support/trust-center/)
### Can Windows Analytics be used without a direct client connection to the Microsoft Data Management Service?
No, the entire service is powered by Windows diagnostic data, which requires that devices have this direct connectivity.
### Can I choose the data center location?
Yes for Azure Log Analytics, but no for the Microsoft Data Management Service (which is hosted in the US).
### Why do SCCM and Upgrade Readiness show different counts of devices that are ready to upgrade?
System Center Configuration Manager (SCCM) considers a device ready to upgrade if *no installed app* has an upgrade decision of “not ready” (that is, they are all "ready" or "in progress"), while Upgrade Readiness considers a device ready to upgrade only if *all* installed apps are marked “ready”.
 
Currently, you can choose the criteria you wish to use:
- To use the SCCM criteria, create the collection of devices ready to upgrade within the SCCM console (using the analytics connector).
- To use the Upgrade Readiness criteria, export the list of ready-to-upgrade devices from the corresponding Upgrade Readiness report, and then build the SCCM collection from that spreadsheet.

153
windows/deployment/update/windows-analytics-get-started.md Normal file
View File

@ -0,0 +1,153 @@
---
title: Enrolling devices in Windows Analytics (Windows 10)
description: Enroll devices to enable use of Update Compliance, Upgrade Readiness, and Device Health in Windows Analytics.
keywords: windows analytics, oms, operations management suite, prerequisites, requirements, updates, upgrades, log analytics, health
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: deploy
author: jaimeo
ms.author: jaimeo
ms.date: 03/08/2018
---
# Enrolling devices in Windows Analytics
If you have not already done so, consult the topics for any of the three Windows Analytics solutions (Update Compliance, Upgrade Readiness, and Device Health) you intend to use and follow the steps there to add the solutions to Microsoft Operations Management Suite.
- [Get started with Device Health](device-health-get-started.md)
- [Get started with Update Compliance](update-compliance-get-started.md)
- [Get started with Upgrade Readiness](../upgrade/upgrade-readiness-get-started.md)
If you've already done that, you're ready to enroll your devices in Windows Analytics by following these steps:
## Copy your Commercial ID key
Microsoft uses a unique commercial ID to map information from user computers to your OMS workspace. This should be generated for you automatically. Copy your commercial ID key in OMS and then deploy it to user computers.
1. On the **Settings** dashboard, navigate to the **Windows Telemetry** panel under **Connected Sources** .
![Operations Management Suite Settings dialog showing Connected sources and Windows telemetry selected and the commercial ID location marked by a black box in the lower right.](images/WA-device-enrollment.png)
2. Copy your Commercial ID (which should already be populated). Save this Commercial ID because you will need it later for use in the deployment scripts and policies.
>**Important**<br> Regenerate a Commercial ID key only if your original ID key can no longer be used. Regenerating a commercial ID key resets the data in your workspace for all solutions that use the ID. Additionally, youll need to deploy the new commercial ID key to user computers again.
## Enable data sharing
To enable data sharing, configure your proxy sever to whitelist the following endpoints. You might need to get approval from your security group to do this.
| **Endpoint** | **Function** |
|---------------------------------------------------------|-----------|
| `https://v10.events.data.microsoft.com` | Connected User Experience and Telemetry component endpoint for Windows 10, version 1803|
| `https://v10.vortex-win.data.microsoft.com` | Connected User Experience and Telemetry component endpoint for Windows 10, version 1709 or earlier |
| `https://vortex-win.data.microsoft.com` | Connected User Experience and Telemetry component endpoint for operating systems older than Windows 10 |
| `https://settings-win.data.microsoft.com` | Enables the compatibility update to send data to Microsoft.
| `http://adl.windows.com` | Allows the compatibility update to receive the latest compatibility data from Microsoft. |
| `https://watson.telemetry.microsoft.com` | Windows Error Reporting (WER); required for Device Health and Update Compliance AV reports. Not used by Upgrade Readiness. |
| `https://oca.telemetry.microsoft.com` | Online Crash Analysis; required for Device Health and Update Compliance AV reports. Not used by Upgrade Readiness. |
### Configuring endpoint access with proxy servers
If your organization uses proxy server authentication for outbound traffic, use one or more of the following approaches to ensure that the diagnostic data is not blocked by proxy authentication:
- **Best option:** Configure your proxy servers to **not** require proxy authentication for any traffic to the diagnostic data endpoints. This is the most comprehensive solution and it works for all versions of Windows 10.
- **User proxy authentication:** Alternatively, you can configure devices on the user side. First, update the devices to Windows 10, version 1703 or later. Then, ensure that users of the devices have proxy permission to reach the diagnostic data endpoints. This requires that the devices have console users with proxy permissions, so you couldn't use this method with headless devices.
- **Device proxy authentication:** Another option--the most complex--is as follows: First, configure a system level proxy server on the devices. Then, configure these devices to use machine-account-based outbound proxy authentication. Finally, configure proxy servers to allow the machine accounts access to the diagnostic data endpoints.
## Deploy the compatibility update and related updates
The compatibility update scans your devices and enables application usage tracking. If you dont already have these updates installed, you can download the applicable version from the Microsoft Update Catalog or deploy it using Windows Server Update Services (WSUS) or your software distribution solution, such as System Center Configuration Manager.
| **Operating System** | **Updates** |
|----------------------|-----------------------------------------------------------------------------|
| Windows 10 | The latest cumulative updates must be installed on Windows 10 devices to make sure that the required compatibility updates are installed. You can find the latest cumulative update on the [Microsoft Update Catalog](https://catalog.update.microsoft.com) <P>Note: Windows 10 LTSB is not supported by Upgrade Readiness. See [Upgrade readiness requirements](../upgrade/upgrade-readiness-requirements.md) for more information. |
| Windows 8.1 | [KB 2976978](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB2976978)<br>Performs diagnostics on the Windows 8.1 systems that participate in the Windows Customer Experience Improvement Program. These diagnostics help determine whether compatibility issues might be encountered when the latest Windows operating system is installed. <br>For more information about this update, see <https://support.microsoft.com/kb/2976978><br><BR>[KB 3150513](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=3150513)<br>Provides updated configuration and definitions for compatibility diagnostics performed on the system.<br>For more information about this KB, see <https://support.microsoft.com/kb/3150513><br>**NOTE:** KB2976978 is a critical update, so it should already be installed by your management tool. You should, however, verify that it was deployed. |
| Windows 7 SP1 | [KB2952664](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB2952664) <br>Performs diagnostics on the Windows 7 SP1 systems that participate in the Windows Customer Experience Improvement Program. These diagnostics help determine whether compatibility issues might be encountered when the latest Windows operating system is installed. <br>For more information about this update, see <https://support.microsoft.com/kb/2952664><br><BR>[KB 3150513](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=3150513)<br>Provides updated configuration and definitions for compatibility diagnostics performed on the system.<br>For more information about this update, see <https://support.microsoft.com/kb/3150513><br>**NOTE:** If KB 3510513 is reported as out of date, you should manually find a recent version at [KB 3150513](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=3150513) and ensure that it is installed and deployed. |
>[!IMPORTANT]
>Restart devices after you install the compatibility updates for the first time.
If you are planning to enable IE Site Discovery in Upgrade Readiness, you will need to install a few additional updates.
| **Site discovery** | **Update** |
|----------------------|-----------------------------------------------------------------------------|
| [Review site discovery](../upgrade/upgrade-readiness-additional-insights.md#site-discovery) | [KB3080149](http://www.catalog.update.microsoft.com/Search.aspx?q=3080149)<br>Updates the Diagnostic and Telemetry tracking service to existing devices. This update is only necessary on Windows 7 and Windows 8.1 devices. <br>For more information about this update, see <https://support.microsoft.com/kb/3150513><br><br>Install the latest [Windows Monthly Rollup](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=security%20monthly%20quality%20rollup). This functionality has been included in Internet Explorer 11 starting with the July 2016 Cumulative Update. |
## Enroll a few pilot devices
You can use the Upgrade Readiness deployment script to automate and verify your deployment. We always recommend manually running this script on a few representative devices to verify things are properly configured and the device can connect to the diagnostic data endpoints. Make sure to run the pilot version of the script, which will provide extra diagnostics.
See the [Upgrade Readiness deployment script](../upgrade/upgrade-readiness-deployment-script.md) topic for information about obtaining and running the script, and for a description of the error codes that can be displayed. See ["Understanding connectivity scenarios and the deployment script"](https://blogs.technet.microsoft.com/upgradeanalytics/2017/03/10/understanding-connectivity-scenarios-and-the-deployment-script/) on the Windows Analytics blog for a summary of setting the ClientProxy for the script, which will enable the script properly check for diagnostic data endpoint connectivity.
After data is sent from devices to Microsoft, it generally takes 48-56 hours for the data to populate in Windows Analytics. The compatibility update takes several minutes to run. If the update does not get a chance to finish running or if the computers are inaccessible (turned off or sleeping for example), data will take longer to populate in Windows Analytics. For this reason, you can expect most of your devices to be populated in Windows Analytics in about 1-2 weeks after deploying the update and configuration to user computers. As described in the Windows Analytics blog post ["You can now check on the status of your computers within hours of running the deployment script"](https://blogs.technet.microsoft.com/upgradeanalytics/2017/05/12/wheres-my-data/), you can verify that devices have successfully connected to the service within a few hours. Most of those devices should start to show up in the Windows Analytics console within a few days.
## Deploy additional optional settings
Certain of the Windows Analytics features have additional settings you can use.
- **Update Compliance** is only compatible with Windows 10 desktop devices (workstations and laptops). To use the Windows Defender Antivirus Assessment, devices must be protected by Windows Defender AV (and not a partner antivirus application), and must have enabled cloud-delivered protection, as described in [Utilize Microsoft cloud-delivered protection in Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus). See the [Troubleshoot Windows Defender Antivirus reporting in Update Compliance](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting) topic for help with ensuring that the configuration is correct.
- For devices running Windows 10, version 1607 or earlier, Windows diagnostic data must also be set to Enhanced (see [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization#enhanced-level)) in order to be compatible with Windows Defender Antivirus. See the [Windows Defender Antivirus in Windows 10 and Windows Server 2016](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) for more information about enabling, configuring, and validating Windows Defender AV.
- **Device Health** is only compatible with Windows 10 desktop devices (workstations and laptops) and Windows Server 2016. The solution requires that at least the Enhanced level of diagnostic data is enabled on all devices that are intended to be displayed in the solution. In Windows 10, version 1709, a new policy was added to "limit enhanced telemetry to the minimum required by Windows Analytics". To learn more about Windows diagnostic data, see [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization).
- **IE site discovery** is an optional feature of Upgrade Readiness that provides an inventory of websites that are accessed by client devices using Internet Explorer on Windows 7, Windows 8.1, and Windows 10. To enable IE site discovery, make sure the required updates are installed (per previous section) and enable IE site discovery in the deployment script batch file.
## Deploying Windows Analytics at scale
When you have completed a pilot deployment, you are ready to automate data collection and distribute the deployment script to the remaining devices in your organization.
### Automate data collection
To ensure that user computers are receiving the most up-to-date data from Microsoft, we recommend that you establish the following data sharing and analysis processes:
- Enable automatic updates for the compatibility update and related updates. These updates include the latest application and driver issue information as we discover it during testing.
- Schedule the Upgrade Readiness deployment script to automatically run monthly. Scheduling the script ensures that full inventory is sent monthly even if devices were not connected or had low battery power at the time the system normally sends inventory. Make sure to run the production version of the script, which is lighter weight and non-interactive. The script also has a number of built-in error checks, so you can monitor the results. If you can't run the deployment script at scale, another option is to configure things centrally via Group Policy or Mobile Device Management (MDM). Although we recommend using the deployment script, both options are discussed in the sections below.
When you run the deployment script, it initiates a full scan. The daily scheduled task to capture the changes is created when the update package is installed. For Windows 10 devices, this task is already included in the operating system. A full scan averages about 2 MB, but the scans for changes are very small. The scheduled task is named "Windows Compatibility Appraiser" and can be found in the Task Scheduler Library under Microsoft > Windows > Application Experience. Changes are invoked via the nightly scheduled task. It attempts to run around 3:00AM every day. If the system is powered off at that time, the task will run when the system is turned on.
### Distribute the deployment script at scale
Use a software distribution system such as System Center Configuration Manager to distribute the Upgrade Readiness deployment script at scale. For more information, see [New version of the Upgrade Analytics Deployment Script available](https://blogs.technet.microsoft.com/upgradeanalytics/2016/09/20/new-version-of-the-upgrade-analytics-deployment-script-available/) on the Upgrade Readiness blog. For information on how to deploy PowerShell scripts by using Windows Intune, see [Manage PowerShell scripts in Intune for Windows 10 devices](https://docs.microsoft.com/intune/intune-management-extension).
### Distributing policies at scale
There are a number of policies that can be centrally managed to control Windows Analytics device configuration. All of these policies have *preference* registry key equivalents that can be set by using the deployment script. Policy settings override preference settings if both are set.
>[!NOTE]
>You can only set the diagnostic data level to Enhanced by using policy. For example, this is necessary for using Device Health.
These policies are under Microsoft\Windows\DataCollection:
| Policy | Value |
|-----------------------|------------------|
| CommercialId | In order for your devices to show up in Windows Analytics, they must be configured with your organizations Commercial ID. |
| AllowTelemetry (in Windows 10) | 1 (Basic), 2 (Enhanced) or 3 (Full) diagnostic data. Windows Analytics will work with basic diagnostic data, but more features are available when you use the Enhanced level (for example, Device Health requires Enhanced diagnostic data and Upgrade Readiness only collects app usage and site discovery data on Windows 10 devices with Enhanced diagnostic data). For more information, see [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization). |
| LimitEnhancedDiagnosticDataWindowsAnalytics (in Windows 10) | Only applies when AllowTelemetry=2. Limits the Enhanced diagnostic data events sent to Microsoft to just those needed by Windows Analytics. For more information, see [Windows 10, version 1709 enhanced diagnostic data events and fields used by Windows Analytics](https://docs.microsoft.com/windows/configuration/enhanced-diagnostic-data-windows-analytics-events-and-fields).|
| CommercialDataOptIn (in Windows 7 and Windows 8) | 1 is required for Upgrade Readiness, which is the only solution that runs on Windows 7 or Windows 8. |
You can set these values by using Group Policy (in Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds) or by using Mobile Device Management (in Provider/ProviderID/CommercialID). For more information about deployment using MDM, see the [DMClient CSP](https://docs.microsoft.com/windows/client-management/mdm/dmclient-csp) topic in MDM documentation.
The corresponding preference registry values are available in **HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection** and can be configured by the deployment script. If a given setting is configured by both preference registry settings and policy, the policy values will override. However, the **IEDataOptIn** setting is different--you can only set this with the preference registry keys:
- IEOptInLevel = 0 Internet Explorer data collection is disabled
- IEOptInLevel = 1 Data collection is enabled for sites in the Local intranet + Trusted sites + Machine local zones
- IEOptInLevel = 2 Data collection is enabled for sites in the Internet + Restricted sites zones
- IEOptInLevel = 3 Data collection is enabled for all sites
For more information about Internet Explorer Security Zones, see [About URL Security Zones](https://docs.microsoft.com/previous-versions/windows/internet-explorer/ie-developer/platform-apis/ms537183(v=vs.85)).
### Distribution at scale without using the deployment script
We recommend using the deployment script to configure devices. However if this is not an option, you can still manage settings by policy as described in the previous section. However, if you don't run the deployment script, you might have to wait a long time (possibly weeks) before devices send the initial full inventory scan.

31
windows/deployment/upgrade/upgrade-readiness-additional-insights.md
View File

@ -20,36 +20,7 @@ The site discovery feature in Upgrade Readiness provides an inventory of web sit
> [!NOTE]
> Site discovery data is disabled by default; you can find documentation on what is collected in the [Windows 7, Windows 8, and Windows 8.1 appraiser diagnostic data events and fields](https://go.microsoft.com/fwlink/?LinkID=822965). After you turn on this feature, data is collected on all sites visited by Internet Explorer, except during InPrivate sessions. The data collection process is silent, without notification to the employee. You are responsible for ensuring that your use of this feature complies with all applicable local laws and regulatory requirements, including any requirements to provide notice to employees.
### Install prerequisite security update for Internet Explorer
Ensure the following prerequisites are met before using site discovery:
1. Install the prerequisite KBs to add Site Discovery support and the latest fixes from the [Microsoft Update Catalog](http://www.catalog.update.microsoft.com/home.aspx). Install the following:
- For Windows 7 and Windows 8.1 - March, 2017 (or later) Security Monthly Rollup
- For Windows 10 - Cumulative Update for Windows 10 Version 1607 (KB4015217) (or later)
2. Enable Internet Explorer data collection, which is disabled by default. The best way to enable it is to modify the [Upgrade Readiness deployment script](upgrade-readiness-deployment-script.md) to allow Internet Explorer data collection before you run it. In addition, to enable Site Discovery on Windows 10 you must set computers to the **Enhanced** diagnostic data level for the Feedback and Diagnostics setting (Privacy > Feedback & Diagnostics settings), and enable **Page Prediction within Internet Explorer 11**.
If you do not plan to use the Upgrade Readiness deployment script to enable Site discovery, you must create the following registry entry.
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection
Entry name: IEDataOptIn
Data type: DWORD
Values:
> *IEOptInLevel = 0 Internet Explorer data collection is disabled*
>
> *IEOptInLevel = 1 Data collection is enabled for sites in the Local intranet + Trusted sites + Machine local zones*
>
> *IEOptInLevel = 2 Data collection is enabled for sites in the Internet + Restricted sites zones*
>
> *IEOptInLevel = 3 Data collection is enabled for all sites*
For more information about Internet Explorer Security Zones, see [About URL Security Zones](https://msdn.microsoft.com/library/ms537183.aspx).
![Create the IEDataOptIn registry key](../images/upgrade-analytics-create-iedataoptin.png)
[In order to use site discovery, a separate opt-in is required; see Enrolling]
### Review most active sites

96
windows/deployment/upgrade/upgrade-readiness-get-started.md
View File

@ -6,7 +6,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: deploy
author: jaimeo
ms.date: 09/20/2017
ms.date: 03/18/2018
---
# Get started with Upgrade Readiness
@ -25,17 +25,12 @@ When you are ready to begin using Upgrade Readiness, perform the following steps
1. Review [data collection and privacy](#data-collection-and-privacy) information.
2. [Add Upgrade Readiness to OMS](#add-upgrade-readiness-to-operations-management-suite).
3. [Enable data sharing](#enable-data-sharing).
4. [Deploy required updates](#deploy-the-compatibility-update-and-related-kbs) to computers, and validate using a pilot deployment.
5. [Deploy Upgrade Readiness at scale](#deploy-upgrade-readiness-at-scale).
3. [Enroll devices in Windows Analytics](#enroll-devices-in-windows-analytics).
4. [Use Upgrade Readiness to manage Windows Upgrades](#use-upgrade-readiness-to-manage-windows-upgrades) once your devices are enrolled.
## Data collection and privacy
To enable system, application, and driver data to be shared with Microsoft, you must configure user computers to send data. For information about what diagnostic data Microsoft collects and how that data is used and protected by Microsoft, see the following topics:
- [Configure Windows diagnostic data in your organization](/windows/configuration/configure-windows-diagnostic-data-in-your-organization)
- [Manage connections from Windows operating system components to Microsoft services](/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services)
- [Windows 7, Windows 8, and Windows 8.1 appraiser diagnostic data events and fields](https://go.microsoft.com/fwlink/?LinkID=822965)
To enable system, application, and driver data to be shared with Microsoft, you must configure user computers to send data. For information about what diagnostic data Microsoft collects and how that data is used and protected by Microsoft, see the following topics, refer to [Frequently asked questions and troubleshooting Windows Analytics](https://docs.microsoft.com/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md), which discusses the issues and provides links to still more detailed information.
## Add Upgrade Readiness to Operations Management Suite
@ -57,87 +52,12 @@ If you are not using OMS:
5. To add the Upgrade Readiness solution to your workspace, go to the **Solutions Gallery**. Select the **Upgrade Readiness** tile in the gallery and then select **Add** on the solutions details page. The solution is now visible on your workspace. Note that you may need to scroll to find Upgrade Readiness.
### Copy your commercial ID key
## Enroll devices in Windows Analytics
Microsoft uses a unique commercial ID to map information from user computers to your OMS workspace. This should be generated for you automatically. Copy your commercial ID key in OMS and then deploy it to user computers.
Once you've added Update Compliance to Microsoft Operations Management Suite, you can now start enrolling the devices in your organization. For full instructions, see [Enrolling devices in Windows Analytics](https://docs.microsoft.com/windows/deployment/update/windows-analytics-get-started.md).
## Use Upgrade Readiness to manage Windows Upgrades
1. On the **Settings** dashboard, navigate to the **Windows telemetry** panel.
![Operations Management Suite dialog showing settings icon (a gear) in the title bar indicated by a red box.](../images/upgrade-analytics-settings.png)
2. On the **Connected Sources** tab, navigate to the Windows telemetry panel.
>**Important**<br> Regenerate a commercial ID key only if your original ID key can no longer be used. Regenerating a commercial ID key resets the data in your workspace for all solutions that use the ID. Additionally, youll need to deploy the new commercial ID key to user computers again.
## Enable data sharing
To enable data sharing, whitelist the following endpoints. Note that you may need to get approval from your security group to do this.
| **Endpoint** | **Function** |
|---------------------------------------------------------|-----------|
| `https://v10.vortex-win.data.microsoft.com` | Connected User Experience and Telemetry component endpoint for Windows 10 computers. User computers send data to Microsoft through this endpoint.
| `https://vortex-win.data.microsoft.com` | Connected User Experience and Telemetry component endpoint for operating systems older than Windows 10
| `https://settings-win.data.microsoft.com` | Enables the compatibility update to send data to Microsoft.
| `http://adl.windows.com` | Allows the compatibility update to receive the latest compatibility data from Microsoft. |
Note: The compatibility update KB runs under the computers system account.
### Connection settings
The settings that are used to enable client computers to connect to Windows diagnostic data depend on the type of connection scenario you use. These scenarios are discussed in [this blog post](https://blogs.technet.microsoft.com/upgradeanalytics/2017/03/10/understanding-connectivity-scenarios-and-the-deployment-script/) and are summarized below.
| **Connection scenario** | **ClientProxy setting** <BR>in **runconfig.bat** | **Local computer configuration** |
|---------------------------------------------------------|-----------|-----------|
| Direct connection to the Internet (no proxy) | **ClientProxy=Direct** | No additional configuration necessary |
| WinHTTP proxy | **ClientProxy=System** | Specify `netsh winhttp set proxy <server>:<port>` on client computers |
| Other proxy | **ClientProxy=User** | Configure the Windows Registry value: <p style="font-size: 12px"> **HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection\DisableEnterpriseAuthProxy** </p> to 0 on client computers |
## Deploy the compatibility update and related KBs
The compatibility update KB scans your computers and enables application usage tracking. If you dont already have these KBs installed, you can download the applicable version from the Microsoft Update Catalog or deploy it using Windows Server Update Services (WSUS) or your software distribution solution, such as System Center Configuration Manager.
| **Operating System** | **KBs** |
|----------------------|-----------------------------------------------------------------------------|
| Windows 10 | The latest cumulative updates must be installed on Windows 10 computers to make sure that the required compatibility updates are installed. You can find the latest cumulative update on the [Microsoft Update Catalog](https://catalog.update.microsoft.com) <P>Note: Windows 10 LTSB is not supported by Upgrade Readiness. See [Upgrade readiness requirements](upgrade-readiness-requirements.md) for more information. |
| Windows 8.1 | [KB 2976978](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB2976978)<br>Performs diagnostics on the Windows 8.1 systems that participate in the Windows Customer Experience Improvement Program. These diagnostics help determine whether compatibility issues may be encountered when the latest Windows operating system is installed. <br>For more information about this KB, see <https://support.microsoft.com/kb/2976978><br><BR>[KB 3150513](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=3150513)<br>Provides updated configuration and definitions for compatibility diagnostics performed on the system.<br>For more information about this KB, see <https://support.microsoft.com/kb/3150513><br>NOTE: KB2976978 must be installed before you can download and install KB3150513. |
| Windows 7 SP1 | [KB2952664](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB2952664) <br>Performs diagnostics on the Windows 7 SP1 systems that participate in the Windows Customer Experience Improvement Program. These diagnostics help determine whether compatibility issues may be encountered when the latest Windows operating system is installed. <br>For more information about this KB, see <https://support.microsoft.com/kb/2952664><br><BR>[KB 3150513](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=3150513)<br>Provides updated configuration and definitions for compatibility diagnostics performed on the system.<br>For more information about this KB, see <https://support.microsoft.com/kb/3150513><br>NOTE: KB2952664 must be installed before you can download and install KB3150513. |
IMPORTANT: Restart user computers after you install the compatibility update KBs for the first time.
If you are planning to enable IE Site Discovery, you will need to install a few additional KBs.
| **Site discovery** | **KB** |
|----------------------|-----------------------------------------------------------------------------|
| [Review site discovery](upgrade-readiness-additional-insights.md#site-discovery) | [KB3080149](http://www.catalog.update.microsoft.com/Search.aspx?q=3080149)<br>Updates the Diagnostic and Telemetry tracking service to existing devices. This update is only necessary on Windows 7 and Windows 8.1 devices. <br>For more information about this KB, see <https://support.microsoft.com/kb/3150513><br><br>Install the latest [Windows Monthly Rollup](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=security%20monthly%20quality%20rollup). This functionality has been included in Internet Explorer 11 starting with the July 2016 Cumulative Update. |
### Deploy the Upgrade Readiness deployment script
You can use the Upgrade Readiness deployment script to automate and verify your deployment.
See [Upgrade Readiness deployment script](upgrade-readiness-deployment-script.md) for information on obtaining and running the script, and for a description of the error codes that can be displayed.
>After data is sent from computers to Microsoft, it generally takes 48 hours for the data to populate in Upgrade Readiness. The compatibility update KB takes several minutes to run. If the KB does not get a chance to finish running or if the computers are inaccessible (turned off or sleeping for example), data will take longer to populate in Upgrade Readiness. For this reason, you can expect most your computers to be populated in OMS in about 1-2 weeks after deploying the KB and configuration to user computers.
## Deploy Upgrade Readiness at scale
When you have completed a pilot deployment, you are ready to automate data collection and distribute the deployment script to the remaining computers in your organization.
### Automate data collection
To ensure that user computers are receiving the most up to date data from Microsoft, we recommend that you establish the following data sharing and analysis processes.
- Enable automatic updates for the compatibility update and related KBs. These KBs are updated frequently to include the latest application and driver issue information as we discover it during testing.
- Schedule the Upgrade Readiness deployment script to automatically run so that you dont have to manually initiate an inventory scan each time the compatibility update KBs are updated.
- Schedule monthly user computer scans to view monthly active computer and usage information.
>When you run the deployment script, it initiates a full scan. The daily scheduled task to capture the deltas is created when the update package is installed. For Windows 10 devices, it's already part of the OS. A full scan averages about 2 MB, but the delta scans are very small. The scheduled task is named **Windows Compatibility Appraiser** and can be found in the Task Scheduler Library under Microsoft > Windows > Application Experience. Deltas are invoked via the nightly scheduled task. It attempts to run around 3:00AM every day. If the system is powered off at that time, the task will run when the system is turned on.
### Distribute the deployment script at scale
Use a software distribution system such as System Center Configuration Manager to distribute the Upgrade Readiness deployment script at scale. For more information, see the [Upgrade Readiness blog](https://blogs.technet.microsoft.com/upgradeanalytics/2016/09/20/new-version-of-the-upgrade-analytics-deployment-script-available/).
Now that your devices are enrolled, you can move on to [Use Upgrade Readiness to manage Windows Upgrades](https://docs.microsoft.com/windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades).

35
windows/deployment/upgrade/upgrade-readiness-requirements.md
View File

@ -2,8 +2,8 @@
title: Upgrade Readiness requirements (Windows 10)
description: Provides requirements for Upgrade Readiness.
ms.prod: w10
author: greg-lindsay
ms.date: 11/08/2017
author: jaimeo
ms.date: 03/15/2018
---
# Upgrade Readiness requirements
@ -16,7 +16,7 @@ This article introduces concepts and steps needed to get up and running with Upg
To perform an in-place upgrade, user computers must be running the latest version of either Windows 7 SP1 or Windows 8.1. After you enable Windows diagnostic data, Upgrade Readiness performs a full inventory of computers so that you can see which version of Windows is installed on each computer.
The compatibility update KB that sends diagnostic data from user computers to Microsoft data centers works with Windows 7 SP1 and Windows 8.1 only. Upgrade Readiness cannot evaluate Windows XP or Windows Vista for upgrade eligibility.
The compatibility update that sends diagnostic data from user computers to Microsoft data centers works with Windows 7 SP1 and Windows 8.1 only. Upgrade Readiness cannot evaluate Windows XP or Windows Vista for upgrade eligibility.
<!--With Windows 10, edition 1607, the compatibility update KB is installed automatically.-->
@ -29,7 +29,7 @@ See [Windows 10 Specifications](http://www.microsoft.com/en-US/windows/windows-1
### Windows 10
Keeping Windows 10 up to date involves deploying a feature update, and Upgrade Readiness tools help you prepare and plan for these Windows updates.
The latest cumulative updates must be installed on Windows 10 computers to make sure that the required compatibility KBs are installed. You can find the latest cumulative update on the [Microsoft Update Catalog](https://catalog.update.microsoft.com).
The latest cumulative updates must be installed on Windows 10 computers to make sure that the required compatibility updates are installed. You can find the latest cumulative update on the [Microsoft Update Catalog](https://catalog.update.microsoft.com).
Windows 10 LTSB is not supported by Upgrade Readiness. The Long-Term Servicing Channel of Windows 10 is not intended for general deployment, and does not receive feature updates, therefore it is not compatible with Upgrade Readiness. See [Windows as a service overview](../update/waas-overview.md#long-term-servicing-channel) to understand more about LTSB.
@ -47,34 +47,7 @@ Important: You can use either a Microsoft Account or a Work or School account to
Upgrade Readiness can be integrated with your installation of Configuration Manager. For more information, see [Integrate Upgrade Readiness with System Center Configuration Manager](https://docs.microsoft.com/sccm/core/clients/manage/upgrade/upgrade-analytics).
## Diagnostic data and data sharing
After youve signed in to Operations Management Suite and added the Upgrade Readiness solution to your workspace, youll need to complete the following tasks to allow user computer data to be shared with and assessed by Upgrade Readiness.
See [Windows 7, Windows 8, and Windows 8.1 appraiser diagnostic data events and fields](https://go.microsoft.com/fwlink/?LinkID=822965) for more information about what user computer data Upgrade Readiness collects and assesses. See [Configure Windows diagnostic data in your organization](/windows/configuration/configure-windows-diagnostic-data-in-your-organization) for more information about how Microsoft uses Windows diagnostic data.
**Whitelist diagnostic data endpoints.** To enable diagnostic data to be sent to Microsoft, youll need to whitelist the following Microsoft endpoints on your proxy server or firewall. You may need to get approval from your security group to do this.
`https://v10.vortex-win.data.microsoft.com/collect/v1`<BR>
`https://vortex-win.data.microsoft.com/health/keepalive`<BR>
`https://settings.data.microsoft.com/qos`<BR>
`https://settings-win.data.microsoft.com/qos`<BR>
`https://go.microsoft.com/fwlink/?LinkID=544713`<BR>
`https://compatexchange1.trafficmanager.net/CompatibilityExchangeService.svc`<BR>
>**Note** The compatibility update KB runs under the computers system account and does not support user authentication in this release.
**Generate your commercial ID key.** Microsoft uses a unique commercial ID GUID to map data from your computers to your OMS workspace. Youll need to generate your commercial ID key in OMS. We recommend that you save your commercial ID key as youll need it later.
**Subscribe your OMS workspace to Upgrade Readiness.** For Upgrade Readiness to receive and display upgrade readiness data from Microsoft, youll need to subscribe your OMS workspace to Upgrade Readiness.
**Enable diagnostic data and connect data sources.** To allow Upgrade Readiness to collect system, application, and driver data and assess your organizations upgrade readiness, communication must be established between Upgrade Readiness and user computers. Youll need to connect Upgrade Readiness to your data sources and enable diagnostic data to establish communication.
**Deploy compatibility update and related KBs.** The compatibility update KB scans your systems and enables application usage tracking. If you dont already have this KB installed, you can download the applicable version from the Microsoft Update Catalog or deploy it using Windows Server Update Services (WSUS) or your software distribution solution, such as System Center Configuration Manager.
>**Important**<br> The compatibility update and related KBs are updated frequently to include new compatibility issues as they become known to Microsoft. We recommend that you use a deployment system that allows for automatic updates of these KBs. The compatibility update KB collects inventory information from computers only when it is updated.
**Configure and deploy Upgrade Readiness deployment script.** Configure and deploy the Upgrade Readiness deployment script to user computers to finish setting up.
## Important information about this release

6
windows/deployment/upgrade/upgrade-readiness-upgrade-overview.md
View File

@ -33,9 +33,9 @@ The following color-coded status changes are reflected on the upgrade overview b
- If the current value is an older OS version than the recommended value, but not deprecated, the version is displayed in amber.
- If the current value is a deprecated OS version, the version is displayed in red.
Click on a row to drill down and see details about individual computers. If KBs are missing, see [Deploy the compatibility update and related KBs](upgrade-readiness-get-started.md#deploy-the-compatibility-update-and-related-kbs) for information on required KBs.
Click a row to drill down and see details about individual computers. If updates are missing, see [Enrolling devices in Windows Analytics](../update/windows-analytics-get-started.md) for information on required updates.
In the following example, there is no delay in data processing, more than 10% of computers (6k\8k) have incomplete data, more than 30% of computers (6k/8k) require a KB update, there are no pending user changes, and the currently selected target OS version is the same as the recommended version:
In the following example, there is no delay in data processing, more than 10% of computers (6k\8k) have incomplete data, more than 30% of computers (6k/8k) require an update, there are no pending user changes, and the currently selected target OS version is the same as the recommended version:
![Upgrade overview](../images/ur-overview.png)
@ -45,7 +45,7 @@ In the following example, there is no delay in data processing, more than 10% of
If data processing is delayed, the "Last updated" banner will indicate the date on which data was last updated. You can continue using your workspace as normal. However, any changes or additional information that is added might not be displayed until data is refreshed. When your workspace is in this state, there is no action required; data is typically refreshed and the display will return to normal again within 24 hours.
If there are computers with incomplete data, verify that you have installed the latest compatibilty update KBs. Install the updated KBs if necessary and then run the most recent [Update Readiness deployment script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) from the Microsoft download center. The updated data payload should appear in Upgrade Readiness within 48 hours of a successful run on the deployment script.
If there are computers with incomplete data, verify that you have installed the latest compatibilty updates. Install the updates if necessary and then run the most recent [Update Readiness deployment script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) from the Microsoft download center. The updated data payload should appear in Upgrade Readiness within 48 hours of a successful run on the deployment script.
Select **Total computers** for a list of computers and details about them, including:

4
windows/deployment/windows-10-deployment-scenarios.md
View File

@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: high
ms.sitesec: library
ms.date: 01/10/2018
ms.date: 03/16/2018
author: greg-lindsay
---
@ -36,7 +36,7 @@ The following table summarizes various Windows 10 deployment scenarios. The scen
Customize the out-of-box-experience (OOBE) for your organization, and deploy a new system with apps and settings already configured.
</td>
<td align="center" style="width:16%; border:1;">
<a href="https://docs.microsoft.com/en-us/windows/deployment/windows-10-autopilot">Overview of Windows AutoPilot</a>
<a href="https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/windows-10-autopilot">Overview of Windows AutoPilot</a>
</td>
</tr>
<tr>

1
windows/privacy/TOC.md Normal file
View File

@ -0,0 +1 @@
# [Index](index.md)

3
windows/privacy/breadcrumb/toc.yml Normal file
View File

@ -0,0 +1,3 @@
- name: Docs
tocHref: /
topicHref: /

46
windows/privacy/docfx.json Normal file
View File

@ -0,0 +1,46 @@
{
"build": {
"content": [
{
"files": [
"**/*.md",
"**/*.yml"
],
"exclude": [
"**/obj/**",
"**/includes/**",
"_themes/**",
"_themes.pdf/**",
"README.md",
"LICENSE",
"LICENSE-CODE",
"ThirdPartyNotices"
]
}
],
"resource": [
{
"files": [
"**/*.png",
"**/*.jpg"
],
"exclude": [
"**/obj/**",
"**/includes/**",
"_themes/**",
"_themes.pdf/**"
]
}
],
"overwrite": [],
"externalReference": [],
"globalMetadata": {
"breadcrumb_path": "/windows/privacy/breadcrumb/toc.json",
"extendBreadcrumb": true
},
"fileMetadata": {},
"template": [],
"dest": "privacy",
"markdownEngineName": "markdig"
}
}

1
windows/privacy/index.md Normal file
View File

@ -0,0 +1 @@
# Welcome to privacy!

4
windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
View File

@ -99,7 +99,7 @@ Hybrid Windows Hello for Business deployments can use Azures Multifactor Auth
> [!div class="checklist"]
> * Azure MFA Service
> * Windows Server 2016 AD FS and Azure (optional, if federated)
> * Windows Server 2016 AD FS and third party MFA Adapter (optiona, if federated)
> * Windows Server 2016 AD FS and third party MFA Adapter (optional, if federated)
<br>
@ -136,4 +136,4 @@ For federerated and non-federated environments, start with **Configure Windows H
4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md)
5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md)
6. [Configure Windows Hello for Business settings](hello-hybrid-key-whfb-settings.md)
7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md)
7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md)

2
windows/security/information-protection/bitlocker/bitlocker-countermeasures.md
View File

@ -94,7 +94,7 @@ For many years, Microsoft has recommended using pre-boot authentication to prote
Although effective, pre-boot authentication is inconvenient to users. In addition, if a user forgets their PIN or loses their startup key, theyre denied access to their data until they can contact their organizations support team to obtain a recovery key. Today, most new PCs running Windows 10, Windows 8.1, or Windows 8 provide sufficient protection against DMA attacks without requiring pre-boot authentication. For example, most modern PCs include USB port options (which are not vulnerable to DMA attacks) but do not include FireWire or Thunderbolt ports (which are vulnerable to DMA attacks).
BitLocker-encrypted devices with DMA ports enabled, including FireWire or Thunderbolt ports, should be configured with pre-boot authentication if they are running Windows 10, Windows 7, Windows 8, or Windows 8.1 and disabling the ports using policy or firmware configuration is not an option. Windows 8.1 and later Modern Standby devices do not need pre-boot authentication to defend against DMA-based port attacks, as the ports will not be present on certified devices. A non-Modern Standby Windows 8.1 and later device requires pre-boot authentication if DMA ports are enabled on the device and additional mitigations described in this document are not implemented. Many customers find that the DMA ports on their devices are never used, and they choose to eliminate the possibility of an attack by disabling the DMA ports themselves, either at the hardware level or through Group Policy.
BitLocker-encrypted devices with DMA ports enabled, including FireWire or Thunderbolt ports, should be configured with pre-boot authentication if they are running Windows 10, Windows 7, Windows 8, or Windows 8.1 and disabling the ports using policy or firmware configuration is not an option. Many customers find that the DMA ports on their devices are never used, and they choose to eliminate the possibility of an attack by disabling the DMA ports themselves, either at the hardware level or through Group Policy.
Many new mobile devices have the system memory soldered to the motherboard, which helps prevent the cold bootstyle attack, where the system memory is frozen, removed, and then placed into another device. Those devices, and most PCs, can still be vulnerable when booting to a malicious operating system, however.
You can mitigate the risk of booting to a malicious operating system:

2
windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md
View File

@ -29,7 +29,7 @@ These settings, located at **Computer Configuration\Administrative Templates\Net
|Policy name|Supported versions|Description|
|-----------|------------------|-----------|
|Private network ranges for apps|At least Windows Server 2012, Windows 8, or Windows RT|A comma-separated list of IP address ranges that are in your corporate network. Included endpoints or endpoints that are included within a specified IP address range, are rendered using Microsoft Edge and won't be accessible from the Application Guard environment.|
|Enterprise resource domains hosted in the cloud|At least Windows Server 2012, Windows 8, or Windows RT|A pipe-separated (\|) list of your domain cloud resources. Included endpoints are rendered using Microsoft Edge and won't be accessible from the Application Guard environment. Notes: 1) Please include a full domain name (www.contoso.com) in the configuration 2) You may use "." as a wildcard character to automatically trust subdomains. Configuring '.constoso.com' will automatically trust 'subdomain1.contoso.com', 'subdomain2.contoso.com etc. |
|Enterprise resource domains hosted in the cloud|At least Windows Server 2012, Windows 8, or Windows RT|A pipe-separated (\|) list of your domain cloud resources. Included endpoints are rendered using Microsoft Edge and won't be accessible from the Application Guard environment. Notes: 1) Please include a full domain name (www.contoso.com) in the configuration 2) You may optionally use "." as a wildcard character to automatically trust subdomains. Configuring ".constoso.com" will automatically trust "subdomain1.contoso.com", "subdomain2.contoso.com" etc. |
|Domains categorized as both work and personal|At least Windows Server 2012, Windows 8, or Windows RT|A comma-separated list of domain names used as both work or personal resources. Included endpoints are rendered using Microsoft Edge and won't be accessible from the Application Guard environment.|
### Application-specific settings

BIN
windows/security/threat-protection/windows-defender-atp/images/atp-appsource.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 33 KiB

BIN
windows/security/threat-protection/windows-defender-atp/images/atp-data-ready.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 5.8 KiB

BIN
windows/security/threat-protection/windows-defender-atp/images/atp-get-data.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 65 KiB

BIN
windows/security/threat-protection/windows-defender-atp/images/atp-loading.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 3.8 KiB

BIN
windows/security/threat-protection/windows-defender-atp/images/atp-powerbi-accept.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 25 KiB

BIN
windows/security/threat-protection/windows-defender-atp/images/atp-powerbi-consent.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 76 KiB

After

Width:  |  Height:  |  Size: 30 KiB

BIN
windows/security/threat-protection/windows-defender-atp/images/atp-powerbi-extension.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 24 KiB

BIN
windows/security/threat-protection/windows-defender-atp/images/atp-powerbi-importing.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 3.1 KiB

91
windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md
View File

@ -9,7 +9,7 @@ ms.sitesec: library
ms.pagetype: security
author: mjcaparas
localizationpriority: high
ms.date: 10/23/2017
ms.date: 03/16/2018
---
# Create and build Power BI reports using Windows Defender ATP data
@ -32,33 +32,94 @@ Windows Defender ATP supports the use of Power BI data connectors to enable you
Data connectors integrate seamlessly in Power BI, and make it easy for power users to query, shape and combine data to build reports and dashboards that meet the needs of your organization.
You can easily get started by:
- Creating a dashboard on the Power BI service
- Creating a dashboard on the Power BI service:
- From the Windows Defender ATP portal or
- From the Power BI portal
- Building a custom dashboard on Power BI Desktop and tweaking it to fit the visual analytics and reporting requirements of your organization
You can access these options from the Windows Defender ATP portal. Both the Power BI service and Power BI Desktop are supported.
## Create a Windows Defender ATP dashboard on Power BI service
## Create a Power BI dashboard from the Windows Defender ATP portal
Windows Defender ATP makes it easy to create a Power BI dashboard by providing an option straight from the portal.
1. In the navigation pane, select **Preferences setup** > **Power BI reports**.
2. Click **Create dashboard**. This opens up a new tab in your browser and loads the Power BI service with data from your organization.
![Preferences setup with create dashboard button](images/atp-create-dashboard.png)
2. Click **Create dashboard**. You'll see a notification that things are being loaded.
![Image of loading](images/atp-loading.png)
3. Specify the following details:
- **extensionDataSourceKind**: WDATPConnector
- **extensionDataSourcePath**: WDATPConnector
- **Authentication method**: OAuth2
![Image of Power BI authentication method](images/atp-powerbi-extension.png)
4. Click **Sign in**. If this is the first time youre using Power BI with Windows Defender ATP, youll need to sign in and give consent to Windows Defender ATP Power BI app. By providing consent, youre allowing Windows Defender ATP Power BI to sign in and read your profile, access your data, and be used for report refresh.
![Consent image](images/atp-powerbi-accept.png)
5. Click **Accept**. Power BI service will start downloading your Windows Defender ATP data from Microsoft Graph. After a successful login, you'll see a notification that data is being imported:
![Image of importing data](images/atp-powerbi-importing.png)
>[!NOTE]
>Loading your data in the Power BI service can take a few minutes.
>Depending on the number of onboarded machines, loading your data in the Power BI service can take several minutes. A larger number of machines might take longer to load.
3. If this is the first time youre using Power BI with Windows Defender ATP, youll need to sign in and give consent to Windows Defender ATP Power BI app. By providing consent, youre allowing Windows Defender ATP Power BI to sign in and read your profile, and access your data.
When importing data is completed and the dataset is ready, youll the following notification:
![Consent image](images/atp-powerbi-consent.png)
![Image of dataset is ready](images/atp-data-ready.png)
4. Click **Accept**. Power BI service will start downloading your Windows Defender ATP data from Microsoft Graph.
6. Click **View dataset** to explore your data.
When the dashboard is ready, youll get a notification within the Power BI website. Use the link in the portal to the Power BI console after creating the dashboard.
For more information, see [Create a Power BI dashboard from a report](https://powerbi.microsoft.com/en-us/documentation/powerbi-service-create-a-dashboard/).
## Create a Power BI dashboard from the Power BI portal
1. Login to [Power BI](https://powerbi.microsoft.com/).
2. Click **Get Data**.
3. Select **Microsoft AppSource** > **My Organization** > **Get**.
![Image of Microsoft AppSource to get data](images/atp-get-data.png)
4. In the AppSource window, select **Apps** and search for Windows Defender Advanced Threat Protection.
![Image of AppSource to get Windows Defender ATP](images/atp-appsource.png)
5. Click **Get it now**.
6. Specify the following details:
- **extensionDataSourceKind**: WDATPConnector
- **extensionDataSourcePath**: WDATPConnector
- **Authentication method**: OAuth2
![Image of Power BI authentication method](images/atp-powerbi-extension.png)
7. Click **Sign in**. If this is the first time youre using Power BI with Windows Defender ATP, youll need to sign in and give consent to Windows Defender ATP Power BI app. By providing consent, youre allowing Windows Defender ATP Power BI to sign in and read your profile, access your data, and be used for report refresh.
![Consent image](images/atp-powerbi-accept.png)
8. Click **Accept**. Power BI service will start downloading your Windows Defender ATP data from Microsoft Graph. After a successful login, you'll see a notification that data is being imported:
![Image of importing data](images/atp-powerbi-importing.png)
>[!NOTE]
>Depending on the number of onboarded machines, loading your data in the Power BI service can take several minutes. A larger number of machines might take longer to load.
When importing data is completed and the dataset is ready, youll the following notification:
![Image of dataset is ready](images/atp-data-ready.png)
9. Click **View dataset** to explore your data.
## Build a custom Windows Defender ATP dashboard in Power BI Desktop
You can create a custom dashboard in Power BI Desktop to create visualizations that cater to the specific views that your organization requires.
@ -93,9 +154,9 @@ After completing the steps in the Before you begin section, you can proceed with
1. Open WDATPPowerBI.pbit from the zip with Power BI Desktop.
2. If this is the first time youre using Power BI with Windows Defender ATP, youll need to sign in and give consent to Windows Defender ATP Power BI app. By providing consent, youre allowing Windows Defender ATP Power BI to sign in and read your profile, and access your data.
2. If this is the first time youre using Power BI with Windows Defender ATP, youll need to sign in and give consent to Windows Defender ATP Power BI app. By providing consent, youre allowing Windows Defender ATP Power BI to sign in and read your profile, access your data, and be used for report refresh.
![Consent image](images/atp-powerbi-consent.png)
![Consent image](images/atp-powerbi-accept.png)
3. Click **Accept**. Power BI Desktop will start downloading your Windows Defender ATP data from Microsoft Graph. When all data has been downloaded, you can proceed to customize your reports.
@ -112,9 +173,9 @@ You can use Power BI Desktop to analyse data from Windows Defender ATP and mash
![Power BI preview connector](images/atp-powerbi-preview.png)
4. If this is the first time youre using Power BI with Windows Defender ATP, youll need to sign in and give consent to Windows Defender ATP Power BI app. By providing consent, youre allowing Windows Defender ATP Power BI to sign in and read your profile, and access your data.
4. If this is the first time youre using Power BI with Windows Defender ATP, youll need to sign in and give consent to Windows Defender ATP Power BI app. By providing consent, youre allowing Windows Defender ATP Power BI to sign in and read your profile, access your data, and be used for report refresh.
![Consent image](images/atp-powerbi-consent.png)
![Consent image](images/atp-powerbi-accept.png)
5. Click **Accept**. Power BI Desktop will start downloading your Windows Defender ATP data from Microsoft Graph. When all data has been downloaded, you can proceed to customize your reports.