Merge remote-tracking branch 'refs/remotes/origin/master' into vs-wip-junerelease

2025-05-14 06:17:22 +00:00 · 2017-06-07 10:26:12 -07:00 · 2017-06-07 10:26:12 -07:00 · 66d03bf60c
commit 66d03bf60c
parent 461f4dcd91 1f9a669e53
11 changed files with 1965 additions and 15 deletions
--- a/windows/client-management/mdm/TOC.md
+++ b/windows/client-management/mdm/TOC.md
@ -142,6 +142,7 @@
 #### [EnterpriseModernAppManagement XSD](enterprisemodernappmanagement-xsd.md)
 ### [FileSystem CSP](filesystem-csp.md)
 ### [Firewall CSP](firewall-csp.md)
+#### [Firewall DDF file](firewall-ddf-file.md)
 ### [HealthAttestation CSP](healthattestation-csp.md)
 #### [HealthAttestation DDF](healthattestation-ddf.md)
 ### [HotSpot CSP](hotspot-csp.md)
--- a/windows/client-management/mdm/configuration-service-provider-reference.md
+++ b/windows/client-management/mdm/configuration-service-provider-reference.md
@ -1148,6 +1148,34 @@ The following tables show the configuration service providers support in Windows
 <!--EndSKU-->
 <!--EndCSP-->

+<!--StartCSP-->
+[Firewall CSP](firewall-csp.md)  
+
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>Mobile Enterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
+<!--EndCSP-->
+
 <!--StartCSP-->
 [HealthAttestation CSP](healthattestation-csp.md)  

--- a/windows/client-management/mdm/firewall-csp.md
+++ b/windows/client-management/mdm/firewall-csp.md
@ -217,6 +217,11 @@ The following diagram shows the Firewall configuration service provider in tree
 If not specified - a new rule is disabled by default.</p>
 <p style="margin-left: 20px">Boolean value. Supported operations are Add, Get, Replace, and Delete.</p>

+<a href="" id="profiles"></a>**FirewallRules_FirewallRuleName_/Profiles**
+<p style="margin-left: 20px">Specifies the profiles to which the rule belongs: Domain, Private, Public. .  See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types.</p>
+
+<p style="margin-left: 20px">Value type is integer. Supported operations are Add, Get, Replace, and Delete.</p>
+
 <a href="" id="action"></a>**FirewallRules/_FirewallRuleName_/Action**
 <p style="margin-left: 20px">Specifies the action for the rule.</p>
 <p style="margin-left: 20px">Supported operation is Get.</p>
@ -229,14 +234,43 @@ If not specified - a new rule is disabled by default.</p>
 </ul>
 <p style="margin-left: 20px">Value type is integer. Supported operations are Add, Get, Replace, and Delete.</p>

+<a href="" id="direction"></a>**FirewallRules/_FirewallRuleName_/Direction**
+<p style="margin-left: 20px">Comma separated list. The rule is enabled based on the traffic direction as following. Supported values:</p>
+<ul>
+<li>IN - the rule applies to inbound traffic.</li>
+<li>OUT - the rule applies to outbound traffic.</li>
+<li>If not specified, the default is IN.</li>
+</ul>
+<p style="margin-left: 20px">Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>
+
+<a href="" id="interfacetypes"></a>**FirewallRules/FirewallRuleName/InterfaceTypes**
+<p style="margin-left: 20px">Comma separated list of interface types. Valid values:</p>
+<ul>
+<li>RemoteAccess</li>
+<li>Wireless</li>
+<li>MobileBroadband</li>
+<li>All</li>
+</ul>
+<p style="margin-left: 20px">Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>
+
 <a href="" id="icmptypesandcodes"></a>**FirewallRules/_FirewallRuleName_/IcmpTypesAndCodes**
 <p style="margin-left: 20px">List of ICMP types and codes separated by semicolon. "\*" indicates all ICMP types and codes.<</p>
 <p style="margin-left: 20px">Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>

+<a href="" id="edgetraversal"></a>**FirewallRules/_FirewallRuleName_/EdgeTraversal**
+<p style="margin-left: 20px">Indicates whether edge traversal is enabled or disabled for this rule.</p>
+<p style="margin-left: 20px">The EdgeTraversal setting indicates that specific inbound traffic is allowed to tunnel through NATs and other edge devices using the Teredo tunneling technology. In order for this setting to work correctly, the application or service with the inbound firewall rule needs to support IPv6. The primary application of this setting allows listeners on the host to be globally addressable through a Teredo IPv6 address.</p>
+<p style="margin-left: 20px">New rules have the EdgeTraversal property disabled by default.</p>
+<p style="margin-left: 20px">Boolean value. Supported operations are Add, Get, Replace, and Delete.</p>
+
 <a href="" id="localuserauthorizedlist"></a>**FirewallRules/_FirewallRuleName_/LocalUserAuthorizedList**
 <p style="margin-left: 20px">Specifies the list of authorized local users for the app container. This is a string in Security Descriptor Definition Language (SDDL) format.</p>
 <p style="margin-left: 20px">Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>

+<a href="" id="status"></a>**FirewallRules/_FirewallRuleName_/Status**
+<p style="margin-left: 20px">Provides information about the specific verrsion of the rule in deployment for monitoring purposes.</p>
+<p style="margin-left: 20px">Value type is string. Supported operation is Get.</p>
+
 <a href="" id="friendlyname"></a>**FirewallRules/_FirewallRuleName_/FriendlyName**
 <p style="margin-left: 20px">Specifies the friendly name of the rule. The string must not contain the "|" character.</p>
 <p style="margin-left: 20px">Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>
--- a/windows/client-management/mdm/firewall-ddf-file.md
+++ b/windows/client-management/mdm/firewall-ddf-file.md
--- a/windows/client-management/mdm/images/provisioning-csp-firewall.png
+++ b/windows/client-management/mdm/images/provisioning-csp-firewall.png
--- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
+++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
@ -850,6 +850,10 @@ For details about Microsoft mobile device management protocols for Windows 10 s
 <td style="vertical-align:top"><p>Added a section describing SyncML examples of various ADMX elements.</p>
 </td></tr>
 <tr class="odd">
+<td style="vertical-align:top">[Win32 and Desktop Bridge app policy configuration](win32-and-centennial-app-policy-configuration.md)</td>
+<td style="vertical-align:top">New topic.</td>
+</tr>
+<tr class="odd">
 <td style="vertical-align:top">[Deploy and configure App-V apps using MDM](appv-deploy-and-config.md)</td>
 <td style="vertical-align:top"><p>Added a new topic describing how to deploy and configure App-V apps using MDM.</p>
 </td></tr>
@ -1158,6 +1162,38 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware

 ## Change history in MDM documentation

+### June 2017
+
+<table>
+<colgroup>
+<col width="25%" />
+<col width="75%" />
+</colgroup>
+<thead>
+<tr class="header">
+<th>New or updated topic</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr class="odd">
+<td style="vertical-align:top">[Win32 and Desktop Bridge app policy configuration](win32-and-centennial-app-policy-configuration.md)</td>
+<td style="vertical-align:top">Added a list of registry locations that ingested policies are allowed to write to.</td>
+</tr>
+<tr class="odd">
+<td style="vertical-align:top">[Firewall CSP](firewall-csp.md)</td>
+<td style="vertical-align:top">Added the following nodes:
+<ul>
+<li>Profiles</li>
+<li>Direction</li>
+<li>InterfaceTypes</li>
+<li>EdgeTraversal</li>
+<li>Status</li>
+</ul>
+Also Added [Firewall DDF file](firewall-ddf-file.md).</td></tr>
+</tbody>
+</table>
+
 ### May 2017

 <table>
--- a/windows/client-management/mdm/win32-and-centennial-app-policy-configuration.md
+++ b/windows/client-management/mdm/win32-and-centennial-app-policy-configuration.md
@ -24,8 +24,27 @@ author: nickbrower

 Starting in Windows 10, version 1703, you can import ADMX files (also called ADMX ingestion) and set those ADMX-backed policies for Win32 and Desktop Bridge apps by using Windows 10 Mobile Device Management (MDM) on desktop SKUs. The ADMX files that define policy information can be ingested to your device by using the Policy CSP URI, `./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall`. The ingested ADMX file is then processed into MDM policies.

-When the ADMX policies are imported, the registry keys to which each policy is written are checked so that known system registry keys, or registry keys that are used by existing inbox policies or system components, are not overwritten. This precaution helps to avoid security concerns over opening the entire registry. Currently, the ingested policies are not allowed to write to locations within the **System**, **Software\Microsoft**, and **Software\Policies\Microsoft** keys.
+When the ADMX policies are imported, the registry keys to which each policy is written are checked so that known system registry keys, or registry keys that are used by existing inbox policies or system components, are not overwritten. This precaution helps to avoid security concerns over opening the entire registry. Currently, the ingested policies are not allowed to write to locations within the **System**, **Software\Microsoft**, and **Software\Policies\Microsoft** keys, except for the following locations:

+- Software\Policies\Microsoft\Office\
+- Software\Microsoft\Office\
+- Software\Microsoft\Windows\CurrentVersion\Explorer\
+- Software\Microsoft\Internet Explorer\
+- software\policies\microsoft\shared tools\proofing tools\
+- software\policies\microsoft\imejp\
+- software\policies\microsoft\ime\shared\
+- software\policies\microsoft\shared tools\graphics filters\
+- software\policies\microsoft\windows\currentversion\explorer\
+- software\policies\microsoft\softwareprotectionplatform\
+- software\policies\microsoft\officesoftwareprotectionplatform\
+- software\policies\microsoft\windows\windows search\preferences\
+- software\policies\microsoft\exchange\
+- software\microsoft\shared tools\proofing tools\
+- software\microsoft\shared tools\graphics filters\
+- software\microsoft\windows\windows search\preferences\
+- software\microsoft\exchange\
+- software\policies\microsoft\vba\security\
+- software\microsoft\onedrive 

 ## <a href="" id="ingesting-an-app-admx-file"></a>Ingesting an app ADMX file

--- a/windows/configuration/customize-and-export-start-layout.md
+++ b/windows/configuration/customize-and-export-start-layout.md
@ -122,6 +122,9 @@ When you have the Start layout that you want your users to see, use the [Export-
    </tbody>
    </table>

+>[!IMPORTANT]
+>If the Start layout that you export contains tiles for desktop (Win32) apps or .url links, **Export-StartLayout** will use **DesktopApplicationLinkPath** in the resulting file. Use a text or XML editor to change **DesktopApplicationLinkPath** to **DesktopApplicationID**. See [Specify Start tiles](start-layout-xml-desktop.md#specify-start-tiles) for details on using the app ID in place of the link path. 
+
 ## Configure a partial Start layout


--- a/windows/configuration/start-layout-xml-desktop.md
+++ b/windows/configuration/start-layout-xml-desktop.md
@ -160,35 +160,40 @@ You can use the **start:DesktopApplicationTile** tag to pin a Windows desktop ap

 - By using a path to a shortcut link (.lnk file) to a Windows desktop application.

-    To pin a Windows desktop application through this method, you must first add the .lnk file in the specified location when the device first boots. 
+  >[!NOTE]
+  >In Start layouts for Windows 10, version 1703, you should use **DesktopApplicationID** rather than **DesktopApplicationLinkPath** if you are using Group Policy or MDM to apply the start layout and the application was installed after the user's first sign-in.

-    The following example shows how to pin the Command Prompt:
+  To pin a Windows desktop application through this method, you must first add the .lnk file in the specified location when the device first boots. 

-    ```XML
-    <start:DesktopApplicationTile
+  The following example shows how to pin the Command Prompt:
+
+  ```XML
+  <start:DesktopApplicationTile
          DesktopApplicationLinkPath="%appdata%\Microsoft\Windows\Start Menu\Programs\System Tools\Command Prompt.lnk"
          Size="2x2"
          Row="0"
          Column="4"/>
-    ```
+  ```
    
-    You must set the **DesktopApplicationLinkPath** attribute to the .lnk file that points to the Windows desktop application. The path also supports environment variables.
+  You must set the **DesktopApplicationLinkPath** attribute to the .lnk file that points to the Windows desktop application. The path also supports environment variables.

-    If you are pointing to a third-party Windows desktop application, you must put the .lnk file in a legacy Start Menu directory before first boot; for example, "%APPDATA%\Microsoft\Windows\Start Menu\Programs\" or the all users profile "%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\".
+  If you are pointing to a third-party Windows desktop application and the layout is being applied before the first boot, you must put the .lnk file in a legacy Start Menu directory before first boot; for example, "%APPDATA%\Microsoft\Windows\Start Menu\Programs\" or the all users profile "%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\".

 - By using the application's application user model ID, if this is known. If the Windows desktop application doesn't have one, use the shortcut link option.

-    To pin a Windows desktop application through this method, you must set the **DesktopApplicationID** attribute to the application user model ID that's associated with the corresponding app. 
+  You can use the [Get-StartApps cmdlet](https://technet.microsoft.com/library/dn283402.aspx) on a PC that has the application pinned to Start to obtain the app ID.

-    The following example shows how to pin the Internet Explorer Windows desktop application:
+  To pin a Windows desktop application through this method, you must set the **DesktopApplicationID** attribute to the application user model ID that's associated with the corresponding app. 

-    ```XML
+  The following example shows how to pin the Internet Explorer Windows desktop application:
+
+  ```XML
    <start:DesktopApplicationTile
          DesktopApplicationID="Microsoft.Windows.Explorer"
          Size="2x2"
          Row="0"
          Column="2"/>
-    ```
+  ```
    

 You can also use the **start:DesktopApplicationTile** tag as one of the methods for pinning a Web link to Start. The other method is to use a Microsoft Edge secondary tile.
@ -205,6 +210,9 @@ The following example shows how to create a tile of the Web site's URL, which yo
          Column="2"/>
 ```

+>[!NOTE]
+>In Windows 10, version 1703, **Export-StartLayout** will use **DesktopApplicationLinkPath** for the .url shortcut. You must change **DesktopApplicationLinkPath** to **DesktopApplicationID** and provide the URL.
+
 #### start:SecondaryTile

 You can use the **start:SecondaryTile** tag to pin a Web link through a Microsoft Edge secondary tile. This method doesn't require any additional action compared to the method of using legacy .url shortcuts (through the start:DesktopApplicationTile tag).
@ -273,6 +281,9 @@ The following example shows how to modify your LayoutModification.xml file to ad

 You can use the **AppendOfficeSuite** tag to add the in-box installed Office suite of apps to Start.

+>[!NOTE]
+>The OEM must have installed Office for this tag to work.
+
 The following example shows how to add the **AppendOfficeSuite** tag to your LayoutModification.xml file to append the full Universal Office suite to Start:

 ```XML
@ -289,6 +300,9 @@ The following example shows how to add the **AppendOfficeSuite** tag to your Lay

 You can use the **AppendDownloadOfficeTile** tag to append the Office trial installer to Start. This tag adds the Download Office tile to Start and the download tile will appear at the bottom right-hand side of the second group.

+>[!NOTE]
+>The OEM must have installed the Office trial installer for this tag to work.
+
 The following example shows how to add the **AppendDownloadOfficeTile** tag to your LayoutModification.xml file:

 ```XML
--- a/windows/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md
@ -33,7 +33,7 @@ You'll also see additional links for:
 - Reporting on Windows Defender Antivirus protection

 > [!IMPORTANT]
-> In most cases, Windows 10 will disable Windows Defender Antivirus if it finds another antivirus product running and up-to-date. You must disable or uninstall third-party antivirus products before Windows Defender Antivirus will be functioning. If you re-enable or install third-part antivirus products, then Windows 10 will automatically disable Windows Defender Antivirus.
+> In most cases, Windows 10 will disable Windows Defender Antivirus if it finds another antivirus product running and up-to-date. You must disable or uninstall third-party antivirus products before Windows Defender Antivirus will be functioning. If you re-enable or install third-party antivirus products, then Windows 10 will automatically disable Windows Defender Antivirus. 


 Tool|Deployment options (<a href="#fn2" id="ref2">2</a>)|Management options (network-wide configuration and policy or baseline deployment) ([3](#fn3))|Reporting options  
--- a/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md
+++ b/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md
@ -36,12 +36,12 @@ author: iaanw

 Windows Defender Antivirus is available on Windows Server 2016. In some instances it is referred to as Endpoint Protection - however, the protection engine is the same.

-See [Windows Defender Overview for Windows Server](https://technet.microsoft.com/windows-server-docs/security/windows-defender/windows-defender-overview-windows-server) for more information on enabling the client interface and configuring roles and specific server features.
+See the [Windows Defender Overview for Windows Server](https://technet.microsoft.com/windows-server-docs/security/windows-defender/windows-defender-overview-windows-server) for more information on enabling the client interface and configuring roles and specific server features.

 While the functionality, configuration, and management is largely the same for Windows Defender AV either on Windows 10 or Windows Server 2016, there are a few key differences:

 - In Windows Server 2016, [automatic exclusions](configure-server-exclusions-windows-defender-antivirus.md) are applied based on your defined Server Role.
- In Windows Server 2016, [Windows Defender AV will not disable itself if you are running another antivirus product](windows-defender-antivirus-on-windows-server-2016.md).
+- In Windows Server 2016, Windows Defender AV will not disable itself if you are running another antivirus product.


 ## Related topics