deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-28 21:27:23 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'master' into App-v-revision

Browse Source
This commit is contained in:
Heidi Lohr 2018-04-16 08:51:59 -07:00
commit 6487fb0eac
13 changed files with 90 additions and 86 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
browsers/edge/emie-to-improve-compatibility.md
View File

@ -1,14 +1,15 @@
---
description: If you're having problems with Microsoft Edge, this topic tells how to use the Enterprise Mode site list to automatically open sites using IE11.
ms.assetid: 89c75f7e-35ca-4ca8-96fa-b3b498b53bE4
author: eross-msft
author: shortpatti
ms.author: pashort
ms.prod: edge
ms.mktglfcycl: support
ms.sitesec: library
ms.pagetype: appcompat
title: Use Enterprise Mode to improve compatibility (Microsoft Edge for IT Pros)
ms.localizationpriority: high
ms.date: 07/27/2017
ms.date: 04/15/2018
---
# Use Enterprise Mode to improve compatibility
@ -19,8 +20,6 @@ If you have specific web sites and apps that you know have compatibility problem
Using Enterprise Mode means that you can continue to use Microsoft Edge as your default browser, while also ensuring that your apps continue working on IE11.
<!-- Will RS5 have the need for the following note? -->
[@Reviewer: will RS5 have the need for the following note?]
>[!NOTE]
>If you want to use Group Policy to set Internet Explorer as your default browser, you can find the info here, [Set the default browser using Group Policy]( https://go.microsoft.com/fwlink/p/?LinkId=620714).

42
browsers/internet-explorer/ie11-deploy-guide/enable-and-disable-add-ons-using-administrative-templates-and-group-policy.md
View File

@ -3,19 +3,20 @@ ms.localizationpriority: low
ms.mktglfcycl: deploy
ms.pagetype: security
description: Enable and disable add-ons using administrative templates and group policy
author: eross-msft
ms.author: pashort
author: shortpatti
ms.prod: ie11
ms.assetid: c6fe1cd3-0bfc-4d23-8016-c9601f674c0b
title: Enable and disable add-ons using administrative templates and group policy (Internet Explorer 11 for IT Pros)
ms.sitesec: library
ms.date: 07/27/2017
ms.date: 4/12/2018
---
# Enable and disable add-ons using administrative templates and group policy
Add-ons let your employees personalize Internet Explorer. You can manage IE add-ons using Group Policy and Group Policy templates.
There are 4 types of add-ons:
There are four types of add-ons:
- **Search Providers.** Type a term and see suggestions provided by your search provider.
@ -57,7 +58,7 @@ You can use the Local Group Policy Editor to change how add-ons work in your org
5. Close the Local Group Policy Editor when youre done.
## Using the CLSID and Administrative Templates to manage group policy objects
Because every add-on has a Class ID (CLSID), you can use it to enable and disable specific add-ons, using Group Policy and Administrative Templates.
Every add-on has a Class ID (CLSID) that you use to enable and disable specific add-ons, using Group Policy and Administrative Templates.
**To manage add-ons**
@ -65,22 +66,30 @@ Because every add-on has a Class ID (CLSID), you can use it to enable and disabl
1. Open IE, click **Tools**, and then click **Manage Add-ons**.
2. Pick the add-on you want to change, and then right-click **More Information**.
2. Double-click the add-on you want to change.
3. Click **Copy** and then close **Manage Add-ons** and IE.
3. In the More Information dialog, click **Copy** and then click **Close**.
4. Open Notepad and paste the information for the add-on.
5. On the Manage Add-ons windows, click **Close**.
6. On the Internet Options dialog, click **Close** and then close IE.
2. From the copied information, select and copy just the **Class ID** value.
3. Open the Group Policy Management Editor and go to `Computer Configuration\Policies\Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management`.
>[!NOTE]
>You want to copy the curly brackets as well as the CLSID: **{47833539-D0C5-4125-9FA8-0819E2EAAC93}**.
3. Open the Group Policy Management Editor and go to: Computer Configuration\Policies\Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management.
<br>**-OR-**<br>
Open the Local Group Policy Editor and go to `Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management`.
Open the Local Group Policy Editor and go to: User Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management.
4. Open the **Add-on List** Group Policy Object, pick **Enabled**, and then click **Show**.<br>
**Show Contents** box appears.
4. Open the **Add-on List** Group Policy Object, select **Enabled**, and then click **Show**.<br>The Show Contents dialog appears.
5. In **Value Name**, put your copied Class ID.
6. In **Value Name**, paste the Class ID for your add-on, for example, **{47833539-D0C5-4125-9FA8-0819E2EAAC93}**.
6. In **Value**, put:
6. In **Value**, enter one of the following:
- **0**. The add-on is disabled and your employees cant change it.
@ -88,11 +97,12 @@ Open the Local Group Policy Editor and go to `Computer Configuration\Administrat
- **2**. The add-on is enabled and your employees can change it.
7. Click **OK** and close the Group Policy editor.
7. Close the Show Contents dialog.
 
 
7. In the Group Policy editor, go to: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer.
8. Double-click **Automatically activate/enable newly installed add-ons** and select **Enabled**.<br><br>Enabling turns off the message prompting you to Enable or Don't enable the add-on.
7. Click **OK** twice to close the Group Policy editor.
<!-- do they need to run the gpudate /force command? -->

7
devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md
View File

@ -9,7 +9,7 @@ ms.sitesec: library
ms.pagetype: surfacehub
author: jdeckerms
ms.author: jdecker
ms.date: 07/27/2017
ms.date: 04/13/2018
ms.localizationpriority: medium
---
@ -101,13 +101,12 @@ If you have a single-forest on-premises deployment with Microsoft Exchange 2013
8. OPTIONAL: You can also allow your Surface Hub to make and receive public switched telephone network (PSTN) phone calls by enabling Enterprise Voice for your account. Enterprise Voice isn't a requirement for Surface Hub, but if you want PSTN dialing functionality for the Surface Hub client, here's how to enable it:
```PowerShell
Set-CsMeetingRoom HUB01 -DomainController DC-ND-001.contoso.com
-LineURItel: +14255550555;ext=50555" Set-CsMeetingRoom -DomainController DC-ND-001.contoso.com
-Identity HUB01 -EnterpriseVoiceEnabled $true
Set-CsMeetingRoom -Identity HUB01 -DomainController DC-ND-001.contoso.com -LineURI “tel:+14255550555;ext=50555" -EnterpriseVoiceEnabled $true
```
Again, you'll need to replace the provided domain controller and phone number examples with your own information. The parameter value `$true` stays the same.
 
 

2
education/trial-in-a-box/index.md
View File

@ -28,7 +28,7 @@ Welcome to Microsoft Education Trial in a Box. We built this trial to make it ea
</br>
| ![Get started for Educators](images/teacher_rotated_resized.png) | ![Get started for IT Admins](images/itadmin_rotated_resized.png) |
| [![Get started for Educators](images/teacher_rotated_resized.png)](educator-tib-get-started.md) | [![Get started for IT Admins](images/itadmin_rotated_resized.png)](itadmin-tib-get-started.md) |
| :---: | :---: |
| <span style="font-size: 1.5em">**Educator**</span></br>Enhance students of all abilities by unleashing their creativity, collaboration, and improving problem-solving skills. </br>[Get started](educator-tib-get-started.md) | <span style="font-size: 1.5em">**IT Admin**</span></br>Quickly implement and deploy a full cloud infrastructure that's secure and easy to manage. </br> [Get started](itadmin-tib-get-started.md) |

2
mdop/mbam-v25/upgrading-to-mbam-25-or-mbam-25-sp1-from-previous-versions.md
View File

@ -130,7 +130,7 @@ Use the steps in the following sections to upgrade MBAM for the Stand-alone topo
6. Install and configure the MBAM 2.5 or 2.5 SP1 databases, reports, web applications, and Configuration Manager integration, in that order. The databases and Configuration Manager objects are upgraded in place.
7. Optionally, update the Group Policy Objects (GPOs), and edit the settings if you want to implement new features in MBAM, such as enforced encryption. If you do not update the GPOs, MBAM will continue to report against your current GPOs. See [How to Get MDOP Group Policy (.admx) Templates](http://www.microsoft.com/download/details.aspx?id=41183) to download the latest ADMX templates.
7. Optionally, update the Group Policy Objects (GPOs), and edit the settings if you want to implement new features in MBAM, such as enforced encryption. If you do not update the GPOs, MBAM will continue to report against your current GPOs. See [How to Get MDOP Group Policy (.admx) Templates](https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/solutions/how-to-download-and-deploy-mdop-group-policy--admx--templates) to download the latest ADMX templates.
After you upgrade the MBAM Server infrastructure, the existing client computers continue to successfully report to the MBAM 2.5 or 2.5 SP1 Server, and recovery data continues to be stored.

3
windows/configuration/change-history-for-configure-windows-10.md
View File

@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: high
author: jdeckerms
ms.date: 04/04/2018
ms.date: 04/13/2018
---
# Change history for Configure Windows 10
@ -20,6 +20,7 @@ This topic lists new and updated topics in the [Configure Windows 10](index.md)
New or changed topic | Description
--- | ---
[Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md) | Updated endpoints.
[Configure cellular settings for tablets and PCs](provisioning-apn.md) | Added instructions for confirming that the settings were applied.
## March 2018

9
windows/configuration/guidelines-for-assigned-access-app.md
View File

@ -65,16 +65,17 @@ If you use a web browser as your assigned access app, consider the following tip
## Secure your information
Avoid selecting Windows apps that may expose the information you dont want to show in your kiosk, since kiosk usually means anonymous access and locates in a public setting like a shopping mall. For example, an app that has a file picker allows the user to gain access to files and folders on the user's system, avoid selecting this type of apps if they provide unnecessary data access.
Avoid selecting Windows apps that may expose the information you dont want to show in your kiosk, since kiosk usually means anonymous access and locates in a public setting like a shopping mall. For example, an app that has a file picker allows the user to gain access to files and folders on the user's system, avoid selecting these types of apps if they provide unnecessary data access.
## App configuration
Some apps may require additional configurations before they can be used appropriately in assigned access. For example, Microsoft OneNote requires you to set up a Microsoft account for the assigned access user account before OneNote will open in assigned access.
Check the guidelines published by your selected app and do the setup accordingly.
Check the guidelines published by your selected app and set up accordingly.
## Develop your kiosk app
Assigned access in Windows 10 leverages the new lock framework. When an assigned access user signs in, the selected kiosk app is launched above lock . The kiosk app is actually running as an above lock screen app.
Assigned access in Windows 10 leverages the new lock framework. When an assigned access user signs in, the selected kiosk app is launched above the lock screen. The kiosk app is running as an above lock screen app.
Follow the [best practices guidance for developing a kiosk app for assigned access](https://msdn.microsoft.com/library/windows/hardware/mt633799%28v=vs.85%29.aspx).
@ -82,7 +83,7 @@ Follow the [best practices guidance for developing a kiosk app for assigned acce
The above guidelines may help you select or develop an appropriate Windows app for your assigned access experience. Once you have selected your app, we recommend that you thoroughly test the assigned access experience to ensure that your device provides a good customer experience.
 ## Learn more
## Learn more
[Customizing Your Device Experience with Assigned Access](https://channel9.msdn.com/Events/Build/2016/P508)

2
windows/configuration/lock-down-windows-10-to-specific-apps.md
View File

@ -18,7 +18,7 @@ ms.author: jdecker
**Applies to**
- Windows 10
- Windows 10 Pro, Enterprise, and Education
A [kiosk device](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) typically runs a single app, and users are prevented from accessing any features or functions on the device outside of the kiosk app. In Windows 10, version 1709, the [AssignedAccess configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp) has been expanded to make it easy for administrators to create kiosks that run more than one app.

36
windows/configuration/provisioning-apn.md
View File

@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerMS
ms.localizationpriority: high
ms.date: 07/27/2017
ms.date: 04/13/2018
---
# Configure cellular settings for tablets and PCs
@ -76,5 +76,39 @@ For users who work in different locations, you can configure one APN to connect
9. [Apply the package to devices.](provisioning-packages/provisioning-apply-package.md)
## Confirm the settings
After you apply the provisioning package, you can confirm that the settings have been applied.
1. On the configured device, open a command prompt as an administrator.
2. Run the following command:
```
netsh mbn show profiles
```
3. The command will list the mobile broadband profiles. Using the "Name" for the listed mobile broadband profile, run:
```
netsh mbn show profiles name="name"
```
This command will list details for that profile, including Access Point Name.
Alternatively, you can also use the command:
```
netsh mbn show interface
```
From the results of that command, get the name of the cellular/mobile broadband interface and run:
```
netsh mbn show connection interface="name"
```
The result of that command will show details for the cellular interface, including Access Point Name.

2
windows/configuration/setup-kiosk-digital-signage.md
View File

@ -16,7 +16,7 @@ ms.date: 03/30/2018
**Applies to**
- Windows 10
- Windows 10 Pro, Enterprise, and Education

2
windows/security/threat-protection/applocker/requirements-to-use-applocker.md
View File

@ -35,7 +35,7 @@ The following table show the on which operating systems AppLocker features are s
| Version | Can be configured | Can be enforced | Available rules | Notes |
| - | - | - | - | - |
| Windows 10| Yes| Yes| Packaged apps<br/>Executable<br/>Windows Installer<br/>Script<br/>DLL| You can use the [AppLocker CSP](http://msdn.microsoft.com/library/windows/hardware/dn920019.aspx) to configure AppLocker policies on any edition of Windows 10. You can only manage AppLocker with Group Policy on devices running Windows 10 Enterprise, Windows 10 Education, and Windows Server 2016. |
| Windows 10| Yes| Yes| Packaged apps<br/>Executable<br/>Windows Installer<br/>Script<br/>DLL| You can use the [AppLocker CSP](http://msdn.microsoft.com/library/windows/hardware/dn920019.aspx) to configure AppLocker policies on any edition of Windows 10 supported by Mobile Device Management (MDM). You can only manage AppLocker with Group Policy on devices running Windows 10 Enterprise, Windows 10 Education, and Windows Server 2016. |
| Windows Server 2016<br/>Windows Server 2012 R2<br/>Windows Server 2012| Yes| Yes| Packaged apps<br/>Executable<br/>Windows Installer<br/>Script<br/>DLL| |
| Windows 8.1 Pro| Yes| No| N/A||
| Windows 8.1 Enterprise| Yes| Yes| Packaged apps<br/>Executable<br/>Windows Installer<br/>Script<br/>DLL| |

17
windows/security/threat-protection/auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md
View File

@ -15,18 +15,7 @@ ms.date: 04/19/2017
**Applies to**
- Windows 10
This reference topic for the IT professional describes which versions of the Windows operating systems support advanced security auditing policies.
Advanced audit policy configuration is supported on all versions of Windows since it was introduced in Windows Vista.
There is no difference in security auditing support between 32-bit and 64-bit versions.
Windows editions that cannot join a domain, such as Windows 10 Home edition, do not have access to these features.
Versions of the Windows operating system that cannot join a domain do not have access to these features. There is no difference in security auditing support between 32-bit and 64-bit versions.
## Are there any special considerations?
In addition, the following special considerations apply to the various tasks associated with advanced security auditing enhancements:
- **Creating an audit policy.** To create an advanced security auditing policy, you must use a computer running any supported version of Windows. You can use the Group Policy Management Console (GPMC) on a computer running a supported version of the Windows client operating system after installing the Remote Server Administration Tools.
- **Applying audit policy settings.** If you are using Group Policy to apply the advanced audit policy settings and global object access settings, client computers must be running any supported version of the Windows server operating system or Windows client operating system. In addition, only computers running any of these supported operating systems can provide "reason for access" reporting data.
- **Developing an audit policy model.** To plan advanced security audit settings and global object access settings, you must use the GPMC that targets a domain controller running a supported version of the Windows server operating system.
- **Distributing the audit policy.** After a Group Policy Object (GPO) that includes advanced security auditing settings is developed, it can be distributed by using domain controllers running any Windows Server operating system.
However, if you cannot put client computers running a supported version of the Windows client operating system into a separate organizational unit (OU), you should use Windows Management Instrumentation (WMI) filtering to ensure that the advanced security auditing policy settings are applied only to client computers running a supported version of the Windows client operating system.
>**Important:**  Using both the basic auditing policy settings under **Local Policies\\Audit Policy** and the advanced auditing policy settings under **Advanced Audit Policy Configuration** can cause unexpected results in audit reporting. Therefore, the two sets of audit policy settings should not be combined. If you use advanced audit policy configuration settings, you should enable the **Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings** policy setting under **Local Policies\\Security Options**. This will prevent conflicts between similar settings by forcing basic security auditing to be ignored.  

35
windows/security/threat-protection/device-guard/deploy-device-guard-enable-virtualization-based-security.md
View File

@ -22,30 +22,9 @@ Virtualization-based protection of code integrity (herein referred to as Hypervi
Use the following procedure to enable virtualization-based protection of code integrity:
1. **Decide whether to use the procedures in this topic, or to use the Windows Defender Device Guard readiness tool**. To enable HVCI, you can use [the Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/en-us/download/details.aspx?id=53337) or follow the procedures in this topic.
1. Decide whether to use the procedures in this topic, or to use [the Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/en-us/download/details.aspx?id=53337).
2. **Verify that hardware and firmware requirements are met**. Verify that your client computers have the hardware and firmware to run HVCI. For a list of requirements, see [Hardware, firmware, and software requirements for Windows Defender Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-windows-defender-device-guard).
3. **Enable the necessary Windows features**. You can use the [hardware readiness tool](https://www.microsoft.com/en-us/download/details.aspx?id=53337) or see [Windows feature requirements for virtualization-based security](#windows-feature-requirements-for-virtualization-based-protection-of-code-integrity).
4. **Enable additional features as desired**. You can use the [hardware readiness tool](https://www.microsoft.com/en-us/download/details.aspx?id=53337) or see [Enable virtualization-based protection of code integrity](#enable-virtualization-based-protection-of-code-integrity).
## Windows feature requirements for virtualization-based protection of code integrity
Make sure these operating system features are enabled before you can enable HVCI:
- Beginning with Windows 10, version 1607 or Windows Server 2016:<br>
Hyper-V Hypervisor, which is enabled automatically. No further action is needed.
- With an earlier version of Windows 10:<br>
Hyper-V Hypervisor and Isolated User Mode (shown in Figure 1).
 
![Turn Windows features on or off](images/dg-fig1-enableos.png)
**Figure 1. Enable operating system features for HVCI, Windows 10, version 1511**
> [!NOTE]
> You can configure these features by using Group Policy or Dism.exe, or manually by using Windows PowerShell or the Windows Features dialog box.
2. Verify that [hardware and firmware requirements](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-windows-defender-device-guard) are met.
## Enable virtualization-based protection of code integrity
@ -57,16 +36,12 @@ If you don't want to use the [hardware readiness tool](https://www.microsoft.com
![Group Policy Management, create a GPO](images/dg-fig2-createou.png)
Figure 2. Create a new OU-linked GPO
2. Give the new GPO a name, then right-click the new GPO, and click **Edit**.
4. Within the selected GPO, navigate to Computer Configuration\\Policies\\Administrative Templates\\System\\Device Guard. Right-click **Turn On Virtualization Based Security**, and then click **Edit**.
![Edit the group policy for Virtualization Based Security](images/dg-fig3-enablevbs.png)
Figure 3. Enable virtualization-based security (VBS)
5. Select the **Enabled** button. For **Select Platform Security Level**:
- **Secure Boot** provides as much protection as a computers hardware can support. If the computer does not have input/output memory management units (IOMMUs), enable **Secure Boot**.
@ -80,8 +55,6 @@ If you don't want to use the [hardware readiness tool](https://www.microsoft.com
![Group Policy, Turn On Virtualization Based Security](images/dg-fig7-enablevbsofkmci.png)
Figure 5. Configure HVCI, Lock setting (in Windows 10, version 1607)
7. Close the Group Policy Management Editor, and then restart the Windows 10 test computer. The settings will take effect upon restart.
8. Check Device Guard logs in Event Viewer at **Applications and Services Logs\\Microsoft\\Windows\\DeviceGuard-GPEXT\\Operational** for Event ID 7000, which contains the selected settings within a GPO that has been successfully processed. This event is logged only when Group Policy is used.
@ -281,12 +254,10 @@ This field indicates whether VBS is enabled and running.
This field lists the computer name. All valid values for computer name.
Another method to determine the available and enabled Windows Defender Device Guard features is to run msinfo32.exe from an elevated PowerShell session. When you run this program, the Windows Defender Device Guard properties are displayed at the bottom of the **System Summary** section, as shown in Figure 6.
Another method to determine the available and enabled Windows Defender Device Guard features is to run msinfo32.exe from an elevated PowerShell session. When you run this program, the Windows Defender Device Guard properties are displayed at the bottom of the **System Summary** section.
![Windows Defender Device Guard properties in the System Summary](images/dg-fig11-dgproperties.png)
Figure 6. Windows Defender Device Guard properties in the System Summary
## Related topics
- [Introduction to Windows Defender Device Guard: virtualization-based security and Windows Defender Application Control](introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)