Merged PR 10832: merge from master

windows/application-management/msix-app-packaging-tool.md

@@ -23,12 +23,21 @@ The MSIX Packaging Tool (Preview) is now available to install from the Microsoft
 - A valid MSA alias (to access the app from the Store) 
 
 ## What's new
-v1.2018.820.0
+v1.2018.821.0
 - Command Line Support
 - Ability to use existing local virtual machines for packaging environment.
 - Ability to cross check publisher information in the manifest with a signing certificate to avoid signing issues.
 - Minor updates to the UI for added clarity.
 
+v1.2018.807.0
+- Ability to add/edit/remove file and registry exclusion items is now supported in Settings menu.
+- Fixed an issue where signing with password protected certificates would fail in the tool.
+- Fixed an issue where the tool was crashing when editing an existing MSIX package.
+- Fixed an issue where the tool was injecting whitespaces programmatically to install location paths that was causing conversion failures.
+- Minor UI tweaks to add clarity.
+- Minor updates to the logs to add clarity.
+
+
 ## Installing the MSIX Packaging Tool
 
 1. Use the MSA login associated with your Windows Insider Program credentials in the [Microsoft Store](https://www.microsoft.com/store/r/9N5LW3JBCXKF). 
@@ -50,12 +59,13 @@ Here are the parameters that can be passed as command line arguments:
 |Parameter   |Description  |
 |---------|---------|
 |-? <br> --help     |   Show help information      |
+|--template     | [required] path to the conversion template XML file containing package information and settings for this conversion    |
 |--virtualMachinePassword     |    [optional] The password for the Virtual Machine to be used for the conversion environment. Notes: The template file must contain a VirtualMachine element and the Settings::AllowPromptForPassword attribute must not be set to true.     |
 
 Examples:
 
 - MsixPackagingTool.exe create-package --template c:\users\documents\ConversionTemplate.xml
-- MSIXPackagingTool.exe create-package --template c:\users\documents\ConversionTemplate.xml  --virtualMachinePassword 
+- MSIXPackagingTool.exe create-package --template c:\users\documents\ConversionTemplate.xml  --virtualMachinePassword pswd112893
 
 ## Conversion template file
 
@@ -71,16 +81,51 @@ Examples:
         AllowPromptForPassword="false" >
 
         <ExclusionItems>
+            <FileExclusion ExcludePath="[{CryptoKeys}]" />
+            <FileExclusion ExcludePath="[{Common AppData}]\Microsoft\Crypto" />
+            <FileExclusion ExcludePath="[{Common AppData}]\Microsoft\Search\Data" />
             <FileExclusion ExcludePath="[{Cookies}]" />
             <FileExclusion ExcludePath="[{History}]" />
             <FileExclusion ExcludePath="[{Cache}]" />
             <FileExclusion ExcludePath="[{Personal}]" />
+            <FileExclusion ExcludePath="[{Profile}]\Local Settings" />
+            <FileExclusion ExcludePath="[{Profile}]\NTUSER.DAT.LOG1" />
+            <FileExclusion ExcludePath="[{Profile}]\ NTUSER.DAT.LOG2" />
+            <FileExclusion ExcludePath="[{Recent}]" />
+            <FileExclusion ExcludePath="[{Windows}]\debug" />
+            <FileExclusion ExcludePath="[{Windows}]\Logs\CBS" />
+            <FileExclusion ExcludePath="[{Windows}]\Temp" />
+            <FileExclusion ExcludePath="[{Windows}]\WinSxS\ManifestCache" />
+            <FileExclusion ExcludePath="[{Windows}]\WindowsUpdate.log" />
+            <FileExclusion ExcludePath="[{AppVPackageDrive}]\$Recycle.Bin " />
+            <FileExclusion ExcludePath="[{AppVPackageDrive}]\System Volume Information" />
+            <FileExclusion ExcludePath="[{AppData}]\Microsoft\AppV" />
+            <FileExclusion ExcludePath="[{Common AppData}]\Microsoft\Microsoft Security Client" />
+            <FileExclusion ExcludePath="[{Common AppData}]\Microsoft\Microsoft Antimalware" />
+            <FileExclusion ExcludePath="[{Common AppData}]\Microsoft\Windows Defender" />
+            <FileExclusion ExcludePath="[{ProgramFiles}]\Microsoft Security Client" />
+            <FileExclusion ExcludePath="[{ProgramFiles}]\Windows Defender" />
+            <FileExclusion ExcludePath="[{Local AppData}]\Temp" />
+
             <RegistryExclusion ExcludePath= "REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography" />
             <RegistryExclusion ExcludePath= "REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography" />
             <RegistryExclusion ExcludePath= "REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware" />
+            <RegistryExclusion ExcludePath= "REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware Setup" />
+            <RegistryExclusion ExcludePath= "REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft Security Client" />
+            <RegistryExclusion ExcludePath= "REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Antimalware" />
+            <RegistryExclusion ExcludePath= "REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" />
+            <RegistryExclusion ExcludePath= "REGISTRY\USER\[{AppVCurrentUserSID}]\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU" />
+            <RegistryExclusion ExcludePath= "REGISTRY\USER\[{AppVCurrentUserSID}]\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU" />
+            <RegistryExclusion ExcludePath= "REGISTRY\USER\[{AppVCurrentUserSID}]\Software\Microsoft\Windows\CurrentVersion\Explorer\Streams" />
+            <RegistryExclusion ExcludePath= "REGISTRY\USER\[{AppVCurrentUserSID}]\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Streams" />
+            <RegistryExclusion ExcludePath= "REGISTRY\MACHINE\SOFTWARE\Microsoft\AppV" />
+            <RegistryExclusion ExcludePath= "REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\AppV" />
+            <RegistryExclusion ExcludePath= "REGISTRY\USER\[{AppVCurrentUserSID}]\Software\Microsoft\AppV" />
+            <RegistryExclusion ExcludePath= "REGISTRY\USER\[{AppVCurrentUserSID}]\Software\Wow6432Node\Microsoft\AppV" />
         </ExclusionItems>
     </Settings>
 
+
     <PrepareComputer
         DisableDefragService="true"
         DisableWindowsSearchService="true"
@@ -93,12 +138,12 @@ Examples:
     <Installer
         Path="C:\MyAppInstaller.msi"
         Arguments="/quiet"
-           InstallLocation="C:\Program Files\MyAppInstallationLocation" />
+        InstallLocation="C:\Program Files\MyAppInstallLocation" />
 
-       <VirtualMachine Name="vmname" Username="myusername" />
+    <VirtualMachine Name="vmname" Username="vmusername" />
 
     <PackageInformation
-           PackageName="MyAppPackageNAme"
+        PackageName="MyAppPackageName"
         PackageDisplayName="MyApp Display Name"
         PublisherName="CN=MyPublisher"
         PublisherDisplayName="MyPublisher Display Name"
@@ -107,14 +152,14 @@ Examples:
 
         <Applications>
             <Application
-                   Id="App1"
+                Id="MyApp1"
                 Description="MyApp"
                 DisplayName="My App"
                 ExecutableName="MyApp.exe"/>
-           <!-- You can specify multiple application parameters for different executables in your package -->
         </Applications>
 
         <Capabilities>
+            <Capability Name="runFullTrust" />
         </Capabilities>
 
     </PackageInformation>
@@ -169,13 +214,6 @@ To delete all the temporary package files, logs, and artifacts created by the to
 Example:
 - MsixPackagingTool.exe cleanup 
 
-
-## Unsupported features
-Features not supported in the tool are currently greyed out. Here are some of the highlighted missing features: 
-
-- Package Support Framework integration. For more detail on how you can use Package Support Framework today, check out the article posted on the [MSIX blog](https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FMSIX-Blog%2FMSIX-Package-Support-Framework-is-now-available-on-GitHub%2Fba-p%2F214548&data=02%7C01%7Cpezan%40microsoft.com%7Cbe2761c174cd465136ce08d5f1252d8a%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636680064344941094&sdata=uW3oOOEYQxd0iVgsJkZXZTQwlvf%2FimVCaOdFUXcRoeY%3D&reserved=0). 
-- Conversion of App-V 4.x packages 
-
 ## How to file feedback
 
 Open Feedback Hub. Alternatively, launch the tool and select the **Settings** gear icon in the top right corner to open the Feedback tab. Here you can file feedback for suggestions, problems, and see other feedback items. 

windows/client-management/mdm/enterprisemodernappmanagement-csp.md

@@ -7,7 +7,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: MariciaAlforque
-ms.date: 07/24/2018
+ms.date: 08/21/2018
 ---
 
 # EnterpriseModernAppManagement CSP

windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md

@@ -1414,6 +1414,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
 <li>Experience/AllowClipboardHistory</li>
 <li>Experience/DoNotSyncBrowserSettings</li>
 <li>Experience/PreventUsersFromTurningOnBrowserSyncing</li>
+<li>Kerberos/UPNNameHints</li>
 <li>Privacy/AllowCrossDeviceClipboard</li>
 <li>Privacy/DisablePrivacyExperience</li>
 <li>Privacy/UploadUserActivities</li>
@@ -1478,6 +1479,10 @@ For details about Microsoft mobile device management protocols for Windows 10 s
 <td style="vertical-align:top">[TenantLockdown CSP](\tenantlockdown--csp.md)</td>
 <td style="vertical-align:top"><p>Added new CSP in Windows 10, next major version.</p>
 </td></tr>
+<tr>
+<td style="vertical-align:top">[Office CSP](office-csp.md)</td>
+<td style="vertical-align:top"><p>Added FinalStatus setting in Windows 10, next major version.</p>
+</td></tr>
 </tbody>
 </table>
 
@@ -1763,6 +1768,10 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
 </thead>
 <tbody>
 <tr>
+<td style="vertical-align:top">[Office CSP](office-csp.md)</td>
+<td style="vertical-align:top"><p>Added FinalStatus setting in Windows 10, next major version.</p>
+</td></tr>
+<tr>
 <td style="vertical-align:top">[RemoteWipe CSP](remotewipe-csp.md)</td>
 <td style="vertical-align:top"><p>Added new settings in Windows 10, next major version.</p>
 </td></tr>
@@ -1801,12 +1810,14 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
 <li>Browser/UnlockHomeButton</li>
 <li>Experience/DoNotSyncBrowserSettings</li>
 <li>Experience/PreventUsersFromTurningOnBrowserSyncing</li>
+<li>Kerberos/UPNNameHints</li>
 <li>Privacy/AllowCrossDeviceClipboard</li>
 <li>Privacy/DisablePrivacyExperience</li>
 <li>Privacy/UploadUserActivities</li>
 <li>Update/UpdateNotificationLevel</li>
 </ul>
 <p>Start/DisableContextMenus - added in Windows 10, version 1803.</p>
+<p>RestrictedGroups/ConfigureGroupMembership - added new schema to apply and retrieve the policy.</p>
 </td></tr>
 </tbody>
 </table>

windows/security/information-protection/tpm/trusted-platform-module-overview.md

@@ -8,7 +8,7 @@ ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
 author: brianlic-msft
-ms.date: 06/18/2018
+ms.date: 08/21/2018
 ---
 
 # Trusted Platform Module Technology Overview
@@ -68,15 +68,16 @@ Some things that you can check on the device are:
 -   Is SecureBoot supported and enabled?
 
 > [!NOTE]
-> The device must be running Windows 10 and it must support at least TPM 2.0 in order to utilize Device Health Attestation.
+>  Windows 10 and Windows Server 2016 support Device Health Attestation with TPM 2.0. Support for TPM 1.2 was added beginning with Windows version 1607 (RS1).
 
 ## Supported versions
 
 | TPM version | Windows 10  | Windows Server 2016 |
-|-------------|------------|---------------------|
-| TPM 1.2     | X          | X                   |
+|-------------|-------------|---------------------|
+| TPM 1.2     | >= ver 1607 | >= ver 1607         |
 | TPM 2.0     | X           | X                   |
 
+
 ## Related topics
 
 - [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics)