deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-19 00:37:22 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'master' into jamf

Browse Source
This commit is contained in:
Joey Caparas 2020-06-29 16:08:46 -07:00
commit 6c6489a50a
35 changed files with 557 additions and 149 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
windows/application-management/app-v/appv-allow-administrators-to-enable-connection-groups.md
View File

@ -1,6 +1,6 @@
---
title: Only Allow Admins to Enable Connection Groups (Windows 10)
description: How to Allow Only Administrators to Enable Connection Groups
description: Configure the App-V client so that only administrators, not users, can enable or disable connection groups.
author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy

2
windows/application-management/app-v/appv-deploy-appv-databases-with-sql-scripts.md
View File

@ -1,6 +1,6 @@
---
title: How to Deploy the App-V Databases by Using SQL Scripts (Windows 10)
description: How to Deploy the App-V Databases by Using SQL Scripts
description: These instructions can be used to deploy App-V databases by using SQL scripts.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy

2
windows/application-management/app-v/appv-deploy-the-appv-server.md
View File

@ -1,6 +1,6 @@
---
title: How to Deploy the App-V Server (Windows 10)
description: How to Deploy the App-V Server in App-V for Windows 10
description: Use these instructions to deploy the App-V Server in App-V for Windows 10.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy

2
windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md
View File

@ -1,6 +1,6 @@
---
title: Deploying Microsoft Office 2010 by Using App-V (Windows 10)
description: Deploying Microsoft Office 2010 by Using App-V
description: See the methods for creating Microsoft Office 2010 packages by Using App-V.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy

2
windows/application-management/app-v/appv-supported-configurations.md
View File

@ -1,6 +1,6 @@
---
title: App-V Supported Configurations (Windows 10)
description: App-V Supported Configurations
description: Learn the requirements to install and run App-V supported configurations in your Windows 10 environment.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy

2
windows/client-management/mdm/bootstrap-csp.md
View File

@ -1,6 +1,6 @@
---
title: BOOTSTRAP CSP
description: BOOTSTRAP CSP
description: Use the BOOTSTRAP configuration service provider sets the Trusted Provisioning Server (TPS) for the device.
ms.assetid: b8acbddc-347f-4543-a45b-ad2ffae3ffd0
ms.reviewer:
manager: dansimp

2
windows/client-management/mdm/enterpriseappmanagement-csp.md
View File

@ -1,6 +1,6 @@
---
title: EnterpriseAppManagement CSP
description: EnterpriseAppManagement CSP
description: Handle enterprise application management tasks using EnterpriseAppManagement configuration service provider (CSP).
ms.assetid: 698b8bf4-652e-474b-97e4-381031357623
ms.reviewer:
manager: dansimp

6
windows/client-management/mdm/enterpriseassignedaccess-csp.md
View File

@ -1,6 +1,6 @@
---
title: EnterpriseAssignedAccess CSP
description: EnterpriseAssignedAccess CSP
description: Use the EnterpriseAssignedAccess CSP to configure custom layouts on a device.
ms.assetid: 5F88E567-77AA-4822-A0BC-3B31100639AA
ms.reviewer:
manager: dansimp
@ -306,7 +306,7 @@ Starting in Windows 10, version 1511, you can specify the following quick acti
<p>Dependencies - none</p></li>
</ul>
Starting in Windows 10, version 1703, Quick action settings no longer require any dependencis from related group or page. Here is the list:
Starting in Windows 10, version 1703, Quick action settings no longer require any dependencies from related group or page. Here is the list:
- QuickActions_Launcher_AllSettings
- QuickActions_Launcher_DeviceDiscovery
- SystemSettings_BatterySaver_LandingPage_OverrideControl
@ -1600,7 +1600,7 @@ The following table lists the product ID and AUMID for each app that is included
<td>Microsoft.MSPodcast_8wekyb3d8bbwe!xc3215724yb279y4206y8c3ey61d1a9d63ed3x</td>
</tr>
<tr class="even">
<td>Powerpoint</td>
<td>PowerPoint</td>
<td>B50483C4-8046-4E1B-81BA-590B24935798</td>
<td>Microsoft.Office.PowerPoint_8wekyb3d8bbwe!microsoft.pptim</td>
</tr>

2
windows/client-management/mdm/enterpriseassignedaccess-ddf.md
View File

@ -1,6 +1,6 @@
---
title: EnterpriseAssignedAccess DDF
description: EnterpriseAssignedAccess DDF
description: Utilize the OMA DM device description framework (DDF) for the EnterpriseAssignedAccess configuration service provider.
ms.assetid: 8BD6FB05-E643-4695-99A2-633995884B37
ms.reviewer:
manager: dansimp

170
windows/client-management/mdm/mdm-enrollment-of-windows-devices.md
View File

@ -1,6 +1,6 @@
---
title: MDM enrollment of Windows-based devices
description: MDM enrollment of Windows-based devices
title: MDM enrollment of Windows 10-based devices
description: MDM enrollment of Windows 10-based devices
MS-HAID:
- 'p\_phdevicemgmt.enrollment\_ui'
- 'p\_phDeviceMgmt.mdm\_enrollment\_of\_windows\_devices'
@ -15,35 +15,29 @@ author: manikadhiman
ms.date: 11/15/2017
---
# MDM enrollment of Windows-based devices
# MDM enrollment of Windows 10-based devices
In todays cloud-first world, enterprise IT departments increasingly want to let employees use their own devices, or even choose and purchase corporate-owned devices. Connecting your devices to work makes it easy for you to access your organizations resources, such as apps, the corporate network, and email.
This topic describes the user experience of enrolling Windows 10-based PCs and devices.
> [!NOTE]
> When you connect your device using mobile device management (MDM) enrollment, your organization may enforce certain policies on your device.
In todays cloud-first world, enterprise IT departments increasingly want to let employees bring their own devices, or even choose and purchase corporate-owned devices. Connecting your devices to work makes it easy for you to access your organizations resources (such as apps, the corporate network, and email).
## Connect corporate-owned Windows 10-based devices
> **Note**  When you connect your device using mobile device management (MDM) enrollment, your organization may enforce certain policies on your device.
## Connecting corporate-owned Windows 10-based devices
Corporate owned devices can be connected to work either by joining the device to an Active Directory domain or an Azure Active Directory (Azure AD) domain. Windows 10 does not require a personal Microsoft account on devices joined to Azure AD or an on-premises Active Directory domain.
You can connect corporate-owned devices to work by either joining the device to an Active Directory domain, or to an Azure Active Directory (Azure AD) domain. Windows 10 does not require a personal Microsoft account on devices joined to Azure AD or an on-premises Active Directory domain.
![active directory azure ad signin](images/unifiedenrollment-rs1-1.png)
### Connecting your device to an Active Directory domain (Join a domain)
### Connect your device to an Active Directory domain (join a domain)
Devices running Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education can be connected to an Active Directory domain. These devices can be connected using the Settings app.
Devices running Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education can be connected to an Active Directory domain using the Settings app.
> **Note**  Mobile devices cannot be connected to an Active Directory domain.
> [!NOTE]
> Mobile devices cannot be connected to an Active Directory domain.
### Out-of-box-experience
### Out-of-box-experience (OOBE)
Because joining your device to an Active Directory domain during the OOBE is not supported, youll need to first create a local account and then connect the device using the Settings app.
Joining your device to an Active Directory domain during the out-of-box-experience (OOBE) is not supported. To join a domain:
1. On the **Who Owns this PC?** page, select **My work or school owns it**.
@ -53,11 +47,13 @@ Because joining your device to an Active Directory domain during the OOBE is not
![select domain or azure ad](images/unifiedenrollment-rs1-3.png)
3. You will next see a prompt to set up a local account on the device. Enter your local account details and then click **Next** to continue.
3. You'll see a prompt to set up a local account on the device. Enter your local account details, and then select **Next** to continue.
![create pc account](images/unifiedenrollment-rs1-4.png)
### Using the Settings app
### Use the Settings app
To create a local account and connect the device:
1. Launch the Settings app.
@ -71,42 +67,44 @@ Because joining your device to an Active Directory domain during the OOBE is not
![select access work or school](images/unifiedenrollment-rs1-7.png)
4. Click **Connect**.
4. Select **Connect**.
![connect to work or school](images/unifiedenrollment-rs1-8.png)
5. Under **Alternate actions**, click **Join this device to a local Active Directory domain**.
5. Under **Alternate actions**, select **Join this device to a local Active Directory domain**.
![join account to active directory domain](images/unifiedenrollment-rs1-9.png)
6. Type in your domain name, follow the instructions, and then click **Next** to continue. After you complete the flow and reboot your device, it should be connected to your Active Directory domain. You can now log into the device using your domain credentials.
6. Type in your domain name, follow the instructions, and then select **Next** to continue. After you complete the flow and restart your device, it should be connected to your Active Directory domain. You can now sign in to the device using your domain credentials.
![type in domain name](images/unifiedenrollment-rs1-10.png)
### Help with connecting to an Active Directory domain
There are a few instances where your device cannot be connected to an Active Directory domain:
There are a few instances where your device cannot be connected to an Active Directory domain.
| Connection issue | Explanation |
| Connection issue | Description |
|-----------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Your device is already connected to an Active Directory domain. | Your device can be connected to only a single Active Directory domain at a time. |
| Your device is already connected to an Active Directory domain. | Your device can only be connected to a single Active Directory domain at a time. |
| Your device is connected to an Azure AD domain. | Your device can either be connected to an Azure AD domain or an Active Directory domain. You cannot connect to both simultaneously. |
| You are logged in as a standard user. | Your device can only be connected to an Azure AD domain if you are logged in as an administrative user. Youll need to switch to an administrator account to continue. |
| Your device is running Windows 10 Home. | This feature is not available on Windows 10 Home, so you will be unable to connect to an Active Directory domain. You will need to upgrade to Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education to continue. |
### Connecting your device to an Azure AD domain (Join Azure AD)
### Connect your device to an Azure AD domain (join Azure AD)
All Windows devices can be connected to an Azure AD domain. These devices can be connected during OOBE. Additionally, desktop devices can be connected to an Azure AD domain using the Settings app.
### Out-of-box-experience (OOBE)
### Out-of-box-experience
1. Select **My work or school owns it**, then click **Next.**
To join a domain:
1. Select **My work or school owns it**, then select **Next.**
![oobe local account creation](images/unifiedenrollment-rs1-11.png)
2. Click **Join Azure AD**, then click **Next.**
2. Select **Join Azure AD**, and then select **Next.**
![select domain or azure ad](images/unifiedenrollment-rs1-12.png)
@ -118,7 +116,9 @@ All Windows devices can be connected to an Azure AD domain. These devices can be
![azure ad signin](images/unifiedenrollment-rs1-13.png)
### Using the Settings app
### Use the Settings app
To create a local account and connect the device:
1. Launch the Settings app.
@ -132,11 +132,11 @@ All Windows devices can be connected to an Azure AD domain. These devices can be
![select access work or school](images/unifiedenrollment-rs1-16.png)
4. Click **Connect**.
4. Select **Connect**.
![connect to work or school](images/unifiedenrollment-rs1-17.png)
5. Under **Alternate Actions**, click **Join this device to Azure Active Directory**.
5. Under **Alternate Actions**, selct **Join this device to Azure Active Directory**.
![join work or school account to azure ad](images/unifiedenrollment-rs1-18.png)
@ -144,7 +144,7 @@ All Windows devices can be connected to an Azure AD domain. These devices can be
![azure ad sign in](images/unifiedenrollment-rs1-19.png)
7. If the tenant is a cloud only, password hash sync, or pass-through authentication tenant, this page will change to show the organization's custom branding, and you will be able to enter your password directly on this page. If the tenant is part of a federated domain, you will be redirected to the organization's on-premises federation server, such as AD FS, for authentication.
7. If the tenant is a cloud-only, password hash sync, or pass-through authentication tenant, this page changes to show the organization's custom branding, and you can enter your password directly on this page. If the tenant is part of a federated domain, you are redirected to the organization's on-premises federation server, such as AD FS, for authentication.
Based on IT policy, you may also be prompted to provide a second factor of authentication at this point.
@ -156,9 +156,9 @@ All Windows devices can be connected to an Azure AD domain. These devices can be
### Help with connecting to an Azure AD domain
There are a few instances where your device cannot be connected to an Azure AD domain:
There are a few instances where your device cannot be connected to an Azure AD domain.
| Connection issue | Explanation |
| Connection issue | Description |
|-----------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Your device is connected to an Azure AD domain. | Your device can only be connected to a single Azure AD domain at a time. |
| Your device is already connected to an Active Directory domain. | Your device can either be connected to an Azure AD domain or an Active Directory domain. You cannot connect to both simultaneously. |
@ -169,18 +169,20 @@ There are a few instances where your device cannot be connected to an Azure AD d
## Connecting personally-owned devices (Bring your own device)
## Connect personally-owned devices
Personally owned devices, also known as bring your own device or BYOD, can be connected to a work or school account or to MDM. Windows 10 does not require a personal Microsoft account on devices to connect to work or school.
Personally-owned devices, also known as bring your own device (BYOD), can be connected to a work or school account, or to MDM. Windows 10 does not require a personal Microsoft account on devices to connect to work or school.
### Connecting to a work or school account
### Connect to a work or school account
All Windows 10-based devices can be connected to a work or school account. You can connect to a work or school account either through the Settings app or through any of the numerous Universal Windows Platform (UWP) apps such as the universal Office apps.
All Windows 10-based devices can be connected to a work or school account. You can connect to a work or school account either through the Settings app or through any of the numerous Universal Windows Platform (UWP) apps, such as the universal Office apps.
### Using the Settings app
### Use the Settings app
1. Launch the Settings app and then click **Accounts**. Click **Start**, then the Settings icon, and then select **Accounts**
To create a local account and connect the device:
1. Launch the Settings app, and then select **Accounts** >**Start** > **Settings** > **Accounts**.
![windows settings page](images/unifiedenrollment-rs1-21-b.png)
@ -188,7 +190,7 @@ All Windows 10-based devices can be connected to a work or school account. You
![select access work or school](images/unifiedenrollment-rs1-23-b.png)
3. Click **Connect**.
3. Select **Connect**.
![connect to work or school](images/unifiedenrollment-rs1-24-b.png)
@ -196,7 +198,7 @@ All Windows 10-based devices can be connected to a work or school account. You
![join work or school account to azure ad](images/unifiedenrollment-rs1-25-b.png)
5. If the tenant is a cloud only, password hash sync, or pass-through authentication tenant, this page will change to show the organization's custom branding, and you will be able to enter your password directly into the page. If the tenant is part of a federated domain, you will be redirected to the organization's on-premises federation server, such as AD FS, for authentication.
5. If the tenant is a cloud-only, password hash sync, or pass-through authentication tenant, this page changes to show the organization's custom branding, and can enter your password directly into the page. If the tenant is part of a federated domain, you are redirected to the organization's on-premises federation server, such as AD FS, for authentication.
Based on IT policy, you may also be prompted to provide a second factor of authentication at this point.
@ -210,11 +212,13 @@ All Windows 10-based devices can be connected to a work or school account. You
![account successfully added](images/unifiedenrollment-rs1-27.png)
### Connecting to MDM on a desktop (Enrolling in device management)
### Connect to MDM on a desktop (enrolling in device management)
All Windows 10-based devices can be connected to an MDM. You can connect to an MDM through the Settings app.
All Windows 10-based devices can be connected to MDM. You can connect to an MDM through the Settings app.
### Using the Settings app
### Use the Settings app
To create a local account and connect the device:
1. Launch the Settings app.
@ -228,7 +232,7 @@ All Windows 10-based devices can be connected to an MDM. You can connect to an
![access work or school](images/unifiedenrollment-rs1-30.png)
4. Click the **Enroll only in device management** link (available in servicing build 14393.82, KB3176934). For older builds, use [Connecting your Windows 10-based device to work using a deep link](#connecting-your-windows-10-based-device-to-work-using-a-deep-link).
4. Select the **Enroll only in device management** link (available in servicing build 14393.82, KB3176934). For older builds, see [Connect your Windows 10-based device to work using a deep link](mdm-enrollment-of-windows-devices.md#connect-your-windows-10-based-device-to-work-using-a-deep-link).
![connect to work or school](images/unifiedenrollment-rs1-31.png)
@ -245,17 +249,17 @@ All Windows 10-based devices can be connected to an MDM. You can connect to an
After you complete the flow, your device will be connected to your organizations MDM.
### Connecting to MDM on a phone (Enrolling in device management)
### Connect to MDM on a phone (enroll in device management)
1. Launch the **Settings** app and then click **Accounts**.
1. Launch the Settings app, and then select **Accounts**.
![phone settings](images/unifiedenrollment-rs1-38.png)
2. Click **Access work or school**.
2. Select **Access work or school**.
![phone settings](images/unifiedenrollment-rs1-39.png)
3. Click the **Enroll only in device management** link. This is only available in the servicing build 14393.82 (KB3176934). For older builds, use [Connecting your Windows 10-based device to work using a deep link](#connecting-your-windows-10-based-device-to-work-using-a-deep-link).
3. Select the **Enroll only in device management** link. This is only available in the servicing build 14393.82 (KB3176934). For older builds, see [Connect your Windows 10-based device to work using a deep link](mdm-enrollment-of-windows-devices.md#connect-your-windows-10-based-device-to-work-using-a-deep-link).
![access work or school page](images/unifiedenrollment-rs1-40.png)
@ -273,7 +277,7 @@ All Windows 10-based devices can be connected to an MDM. You can connect to an
### Help with connecting personally-owned devices
There are a few instances where your device may not be able to connect to work, as described in the following table.
There are a few instances where your device may not be able to connect to work.
| Error Message | Description |
|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------|
@ -284,20 +288,20 @@ There are a few instances where your device may not be able to connect to work,
| We couldnt auto-discover a management endpoint matching the username entered. Please check your username and try again. If you know the URL to your management endpoint, please enter it. | You need to provide the server URL for your MDM or check the spelling of the username you entered. |
## Connecting your Windows 10-based device to work using a deep link
## Connect your Windows 10-based device to work using a deep link
Windows 10-based devices may be connected to work using a deep link. Users will be able to click or open a link in a particular format from anywhere in Windows 10 and be directed to the new enrollment experience.
Windows 10-based devices may be connected to work using a deep link. Users will be able to select or open a link in a particular format from anywhere in Windows 10, and be directed to the new enrollment experience.
In Windows 10, version 1607, deep linking will only be supported for connecting devices to MDM. It will not support adding a work or school account, joining a device to Azure AD, and joining a device to Active Directory.
The deep link used for connecting your device to work will always use the following format:
The deep link used for connecting your device to work will always use the following format.
**ms-device-enrollment:?mode={mode\_name}**
| Parameter | Description | Supported Value for Windows 10|
|-----------|--------------------------------------------------------------|----------------------------------------------|
| mode | Describes which mode will be executed in the enrollment app. Added in Windows 10, version 1607| MDM (Mobile Device Management), AWA (Adding Work Account), and AADJ (Azure Active Directory Joined). |
| mode | Describes which mode will be executed in the enrollment app. Added in Windows 10, version 1607| Mobile Device Management (MDM), Adding Work Account (AWA), and Azure Active Directory Joined (AADJ). |
|username | Specifies the email address or UPN of the user who should be enrolled into MDM. Added in Windows 10, version 1703. | string |
| servername | Specifies the MDM server URL that will be used to enroll the device. Added in Windows 10, version 1703. | string|
| accesstoken | Custom parameter for MDM servers to use as they see fit. Typically, this can be used as a token to validate the enrollment request. Added in Windows 10, version 1703. | string |
@ -305,47 +309,44 @@ The deep link used for connecting your device to work will always use the follow
| tenantidentifier | Custom parameter for MDM servers to use as they see fit. Typically, this can be used to identify which tenant the device or user belongs to. Added in Windows 10, version 1703. | GUID or string |
| ownership | Custom parameter for MDM servers to use as they see fit. Typically, this can be used to determine whether the device is BYOD or Corp Owned. Added in Windows 10, version 1703. | 1, 2, or 3 |
> **Note** "awa" and "aadj" values for mode are only supported on Windows 10, version 1709 and later.
> [!NOTE]
> AWA and AADJ values for mode are only supported on Windows 10, version 1709 and later.
### Connecting to MDM using a deep link
### Connect to MDM using a deep link
> **Note** Deep links only work with Internet Explorer or Edge browsers.
When connecting to MDM using a deep link, the URI you should use is
> [!NOTE]
> Deep links only work with Internet Explorer or Microsoft Edge browsers. When connecting to MDM using a deep link, the URI you should use is:
> **ms-device-enrollment:?mode=mdm**
> **ms-device-enrollment:?mode=mdm&username=someone@example.com&servername=<https://example.server.com>**
**ms-device-enrollment:?mode=mdm**
**ms-device-enrollment:?mode=mdm&username=someone@example.com&servername=<https://example.server.com>**
To connect your devices to MDM using deep links:
The following procedure describes how users can connect their devices to MDM using deep links.
1. Starting with Windows 10, version 1607, create a link to launch the built-in enrollment app using the URI **ms-device-enrollment:?mode=mdm**, and user-friendly display text, such as **Click here to connect Windows to work**:
1. Starting with Windows 10, version 1607, you can create a link to launch the built-in enrollment app using the URI **ms-device-enrollment:?mode=mdm** and user-friendly display text, such as **Click here to connect Windows to work**:
> (Be aware that this will launch the flow equivalent to the Enroll into the device management option in Windows 10, version 1511.)
> **Note**  This will launch the flow equivalent to the Enroll into device management option in Windows 10, version 1511.
- IT admins can add this link to a welcome email that users can click on to enroll into MDM.
- IT admins can add this link to a welcome email that users can select to enroll into MDM.
![using enrollment deeplink in email](images/deeplinkenrollment1.png)
- IT admins can also add this link to an internal web page that users refer to enrollment instructions.
2. After clicking the link or running it, Windows 10 will launch the enrollment app in a special mode that only allows MDM enrollments (similar to the Enroll into device management option in Windows 10, version 1511).
2. After you select the link or run it, Windows 10 launches the enrollment app in a special mode that only allows MDM enrollments (similar to the Enroll into device management option in Windows 10, version 1511).
Type in your work email address.
![set up work or school account](images/deeplinkenrollment3.png)
3. If the device finds an endpoint that only supports on-premises authentication, this page will change and ask you for your password. If the device finds an MDM endpoint that supports federated authentication, youll be presented with a new window that will ask you for additional authentication information.
> **Note**  Based on IT policy, you may also be prompted to provide a second factor of authentication at this point.
3. If the device finds an endpoint that only supports on-premises authentication, this page will change and ask you for your password. If the device finds an MDM endpoint that supports federated authentication, youll be presented with a new window that will ask you for additional authentication information. Based on IT policy, you may also be prompted to provide a second factor of authentication at this point.
After you complete the flow, your device will be connected to your organizations MDM.
![corporate sign in](images/deeplinkenrollment4.png)
## Managing connections
## Manage connections
Your work or school connections can be managed on the **Settings** &gt; **Accounts** &gt; **Access work or school** page. Your connections will show on this page and clicking on one will expand options for that connection.
To manage your work or school connections, select **Settings** > **Accounts** > **Access work or school**. Your connections will show on this page and selecting one will expand options for that connection.
![managing work or school account](images/unifiedenrollment-rs1-34-b.png)
@ -357,30 +358,31 @@ The **Info** button can be found on work or school connections involving MDM. Th
- Connecting your device to a work or school account that has auto-enroll into MDM configured.
- Connecting your device to MDM.
Clicking the **Info** button will open a new page in the Settings app that provides details about your MDM connection. Youll be able to view your organizations support information (if configured) on this page. Youll also be able to start a sync session which will force your device to communicate to the MDM server and fetch any updates to policies if needed.
Selecting the **Info** button will open a new page in the Settings app that provides details about your MDM connection. Youll be able to view your organizations support information (if configured) on this page. Youll also be able to start a sync session which forces your device to communicate to the MDM server and fetch any updates to policies if needed.
Starting in Windows 10, version 1709, clicking the **Info** button will show a list of policies and line-of-business apps installed by your organization. Here is an example screenshot.
Starting in Windows 10, version 1709, selecting the **Info** button will show a list of policies and line-of-business apps installed by your organization. Here is an example screenshot.
![work or school info](images/unifiedenrollment-rs1-35-b.png)
> [NOTE]
> [!NOTE]
> Starting in Windows 10, version 1709, the **Manage** button is no longer available.
### Disconnect
The **Disconnect** button can be found on all work connections. Generally, clicking the **Disconnect** button will remove the connection from the device. There are a few exceptions to this:
The **Disconnect** button can be found on all work connections. Generally, selecting the **Disconnect** button will remove the connection from the device. There are a few exceptions to this:
- Devices that enforce the AllowManualMDMUnenrollment policy will not allow users to remove MDM enrollments. These connections must be removed by a server-initiated unenroll command.
- On mobile devices, you cannot disconnect from Azure AD. These connections can only be removed by wiping the device.
> **Warning**  Disconnecting might result in the loss of data on the device.
> [!WARNING]  
> Disconnecting might result in the loss of data on the device.
## Collecting diagnostic logs
You can collect diagnostic logs around your work connections by going to **Settings** &gt; **Accounts** &gt; **Access work or school**, and clicking the **Export your management logs** link under **Related Settings**. After you click the link, click **Export** and follow the path displayed to retrieve your management log files.
You can collect diagnostic logs around your work connections by going to **Settings** > **Accounts** > **Access work or school**, and then selecting the **Export your management logs** link under **Related Settings**. Next, select **Export**, and follow the path displayed to retrieve your management log files.
Starting in Windows 10, version 1709, you can get the advanced diagnostic report by going to **Settings** &gt; **Accounts** &gt; **Access work or school**, and clicking the **Info** button. At the bottom of the Settings page you will see the button to create a report. Here is an example screenshot.
Starting in Windows 10, version 1709, you can get the advanced diagnostic report by going to **Settings** > **Accounts** > **Access work or school**, and selecting the **Info** button. At the bottom of the Settings page, you will see the button to create a report, as shown here.
![collecting enrollment management log files](images/unifiedenrollment-rs1-37-c.png)

2
windows/client-management/mdm/messaging-csp.md
View File

@ -1,6 +1,6 @@
---
title: Messaging CSP
description: Messaging CSP
description: Use the Messaging CSP to configure the ability to get text messages audited on a mobile device.
ms.author: dansimp
ms.topic: article
ms.prod: w10

2
windows/client-management/mdm/messaging-ddf.md
View File

@ -1,6 +1,6 @@
---
title: Messaging DDF file
description: Messaging DDF file
description: Utilize the OMA DM device description framework (DDF) for the Messaging configuration service provider.
ms.author: dansimp
ms.topic: article
ms.prod: w10

6
windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
View File

@ -727,7 +727,7 @@ Policy, Policy/Channels, Policy/Channels/ChannelName, Policy/Channels/ChannelNam
<li>User knows what policies, profiles, apps MDM has configured</li>
<li>IT helpdesk can get detailed MDM diagnostic information using client tools</li>
</ul>
<p>For details, see <a href="mdm-enrollment-of-windows-devices.md#managing-connections" data-raw-source="[Managing connection](mdm-enrollment-of-windows-devices.md#managing-connections)">Managing connection</a> and <a href="mdm-enrollment-of-windows-devices.md#collecting-diagnostic-logs" data-raw-source="[Collecting diagnostic logs](mdm-enrollment-of-windows-devices.md#collecting-diagnostic-logs)">Collecting diagnostic logs</a></p>
<p>For details, see <a href="mdm-enrollment-of-windows-devices.md#manage-connections" data-raw-source="[Manage connection](mdm-enrollment-of-windows-devices.md#manage-connections)">Managing connection</a> and <a href="mdm-enrollment-of-windows-devices.md#collecting-diagnostic-logs" data-raw-source="[Collecting diagnostic logs](mdm-enrollment-of-windows-devices.md#collecting-diagnostic-logs)">Collecting diagnostic logs</a></p>
</td></tr>
<tr class="odd">
<td style="vertical-align:top"><a href="enroll-a-windows-10-device-automatically-using-group-policy.md" data-raw-source="[Enroll a Windows 10 device automatically using Group Policy](enroll-a-windows-10-device-automatically-using-group-policy.md)">Enroll a Windows 10 device automatically using Group Policy</a></td>
@ -1226,7 +1226,7 @@ Policy, Policy/Channels, Policy/Channels/ChannelName, Policy/Channels/ChannelNam
</ul>
</td></tr>
<tr class="even">
<td style="vertical-align:top"><a href="mdm-enrollment-of-windows-devices.md#connecting-your-windows-10-based-device-to-work-using-a-deep-link" data-raw-source="[Connecting your Windows 10-based device to work using a deep link](mdm-enrollment-of-windows-devices.md#connecting-your-windows-10-based-device-to-work-using-a-deep-link)">Connecting your Windows 10-based device to work using a deep link</a></td>
<td style="vertical-align:top"><a href="mdm-enrollment-of-windows-devices.md#connect-your-windows-10-based-device-to-work-using-a-deep-link" data-raw-source="[Connecting your Windows 10-based device to work using a deep link](mdm-enrollment-of-windows-devices.md#connect-your-windows-10-based-device-to-work-using-a-deep-link)">Connect your Windows 10-based device to work using a deep link</a></td>
<td style="vertical-align:top"><p>Added following deep link parameters to the table:</p>
<ul>
<li>Username</li>
@ -2899,7 +2899,7 @@ How do I turn if off? | The service can be stopped from the "Services" console o
<li>User knows what policies, profiles, apps MDM has configured</li>
<li>IT helpdesk can get detailed MDM diagnostic information using client tools</li>
</ul>
<p>For details, see <a href="mdm-enrollment-of-windows-devices.md#managing-connections" data-raw-source="[Managing connections](mdm-enrollment-of-windows-devices.md#managing-connections)">Managing connections</a> and <a href="mdm-enrollment-of-windows-devices.md#collecting-diagnostic-logs" data-raw-source="[Collecting diagnostic logs](mdm-enrollment-of-windows-devices.md#collecting-diagnostic-logs)">Collecting diagnostic logs</a></p>
<p>For details, see <a href="mdm-enrollment-of-windows-devices.md#manage-connections" data-raw-source="[Manage connections](mdm-enrollment-of-windows-devices.md#manage-connections)">Managing connections</a> and <a href="mdm-enrollment-of-windows-devices.md#collecting-diagnostic-logs" data-raw-source="[Collecting diagnostic logs](mdm-enrollment-of-windows-devices.md#collecting-diagnostic-logs)">Collecting diagnostic logs</a></p>
</td></tr>
</tbody>
</table>

2
windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
View File

@ -1,6 +1,6 @@
---
title: Policy CSP - LocalPoliciesSecurityOptions
description: Policy CSP - LocalPoliciesSecurityOptions
description: These settings prevents users from adding new Microsoft accounts on a specific computer using LocalPoliciesSecurityOptions.
ms.author: dansimp
ms.topic: article
ms.prod: w10

2
windows/client-management/mdm/policy-csp-printers.md
View File

@ -1,6 +1,6 @@
---
title: Policy CSP - Printers
description: Policy CSP - Printers
description: Use this policy setting to control the client Point and Print behavior, including security prompts for Windows Vista computers.
ms.author: dansimp
ms.topic: article
ms.prod: w10

2
windows/client-management/mdm/policy-csp-start.md
View File

@ -1,6 +1,6 @@
---
title: Policy CSP - Start
description: Policy CSP - Start
description: Use this policy CSP to control the visibility of the Documents shortcut on the Start menu.
ms.author: dansimp
ms.topic: article
ms.prod: w10

2
windows/client-management/mdm/policy-csp-update.md
View File

@ -1,6 +1,6 @@
---
title: Policy CSP - Update
description: Policy CSP - Update
description: Manage a range of active hours for when update reboots are not scheduled.
ms.author: dansimp
ms.topic: article
ms.prod: w10

2
windows/deployment/update/update-compliance-monitor.md
View File

@ -30,7 +30,7 @@ Update Compliance enables organizations to:
* View a report of device and update issues related to compliance that need attention.
* Check bandwidth savings incurred across multiple content types by using [Delivery Optimization](waas-delivery-optimization.md).
Update Compliance is offered through the Azure portal, and is included as part of Windows 10 licenses listed in the [prerequisites](update-compliance-get-started.md#update-compliance-prerequisites).
Update Compliance is offered through the Azure portal, and is included as part of Windows 10 licenses listed in the [prerequisites](update-compliance-get-started.md#update-compliance-prerequisites). Azure Log Analytics ingestion and retention charges are not incurred on your Azure subscription for Update Compliance data.
Update Compliance uses Windows 10 diagnostic data for all of its reporting. It collects system data including update deployment progress, [Windows Update for Business](waas-manage-updates-wufb.md) configuration data, and Delivery Optimization usage data, and then sends this data to a customer-owned [Azure Log Analytics](https://docs.microsoft.com/azure/log-analytics/query-language/get-started-analytics-portal) workspace to power the experience.

2
windows/deployment/usmt/usmt-common-migration-scenarios.md
View File

@ -1,6 +1,6 @@
---
title: Common Migration Scenarios (Windows 10)
description: Common Migration Scenarios
description: See how the User State Migration Tool (USMT) 10.0 is used when planning hardware and/or operating system upgrades.
ms.assetid: 1d8170d5-e775-4963-b7a5-b55e8987c1e4
ms.reviewer:
manager: laurawi

2
windows/deployment/windows-10-deployment-tools.md
View File

@ -1,6 +1,6 @@
---
title: Windows 10 deployment tools
description: Browse through documentation describing Windows 10 deployment tools. Learn how to use these these tools to successfully deploy Windows 10 to your organization.
description: Learn how to use Windows 10 deployment tools to successfully deploy Windows 10 to your organization.
ms.assetid: 5C4B0AE3-B2D0-4628-9E73-606F3FAA17BB
ms.reviewer:
manager: laurawi

2
windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md
View File

@ -1,6 +1,6 @@
---
title: Hybrid Windows Hello for Business Prerequisites
description: Prerequisites for hybrid Windows Hello for Business deployments using certificate trust.
description: Learn these prerequisites for hybrid Windows Hello for Business deployments using certificate trust.
keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, certificate-trust
ms.prod: w10
ms.mktglfcycl: deploy

276
windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md
View File

@ -199,6 +199,279 @@ The following table describes how the wildcards can be used and provides some ex
<a id="review"></a>
### System environmental variables
The following table lists and describes the system account environmental variables.
<table border="0" cellspacing="0" cellpadding="20">
<thead>
<tr>
<th valign="top">System environment variables</th>
<th valign="top">Will redirect to:</th>
</tr>
</thead><tbody>
<tr>
<td valign="top">%APPDATA%</td>
<td valign="top">C:\Users\UserName.DomainName\AppData\Roaming</td>
</tr>
<tr>
<td valign="top">%APPDATA%\Microsoft\Internet Explorer\Quick Launch</td>
<td valign="top">C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch</td>
</tr>
<tr>
<td valign="top">%APPDATA%\Microsoft\Windows\Start Menu</td>
<td valign="top">C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu</td>
</tr>
<tr>
<td valign="top">%APPDATA%\Microsoft\Windows\Start Menu\Programs</td>
<td valign="top">C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs</td>
</tr>
<tr>
<td valign="top">%LOCALAPPDATA% </td>
<td valign="top">C:\Windows\System32\config\systemprofile\AppData\Local</td>
</tr>
<tr>
<td valign="top">%ProgramData%</td>
<td valign="top">C:\ProgramData</td>
</tr>
<tr>
<td valign="top">%ProgramFiles%</td>
<td valign="top">C:\Program Files</td>
</tr>
<tr>
<td valign="top">%ProgramFiles%\Common Files </td>
<td valign="top">C:\Program Files\Common Files</td>
</tr>
<tr>
<td valign="top">%ProgramFiles%\Windows Sidebar\Gadgets </td>
<td valign="top">C:\Program Files\Windows Sidebar\Gadgets</td>
</tr>
<tr>
<td valign="top">%ProgramFiles%\Common Files</td>
<td valign="top">C:\Program Files\Common Files</td>
</tr>
<tr>
<td valign="top">%ProgramFiles(x86)% </td>
<td valign="top">C:\Program Files (x86)</td>
</tr>
<tr>
<td valign="top">%ProgramFiles(x86)%\Common Files </td>
<td valign="top">C:\Program Files (x86)\Common Files</td>
</tr>
<tr>
<td valign="top">%SystemDrive%</td>
<td valign="top">C:</td>
</tr>
<tr>
<td valign="top">%SystemDrive%\Program Files</td>
<td valign="top">C:\Program Files</td>
</tr>
<tr>
<td valign="top">%SystemDrive%\Program Files (x86) </td>
<td valign="top">C:\Program Files (x86)</td>
</tr>
<tr>
<td valign="top">%SystemDrive%\Users </td>
<td valign="top">C:\Users</td>
</tr>
<tr>
<td valign="top">%SystemDrive%\Users\Public</td>
<td valign="top">C:\Users\Public</td>
</tr>
<tr>
<td valign="top">%SystemRoot%</td>
<td valign="top"> C:\Windows</td>
</tr>
<tr>
<td valign="top">%windir%</td>
<td valign="top">C:\Windows</td>
</tr>
<tr>
<td valign="top">%windir%\Fonts</td>
<td valign="top">C:\Windows\Fonts</td>
</tr>
<tr>
<td valign="top">%windir%\Resources </td>
<td valign="top">C:\Windows\Resources</td>
</tr>
<tr>
<td valign="top">%windir%\resources\0409</td>
<td valign="top">C:\Windows\resources\0409</td>
</tr>
<tr>
<td valign="top">%windir%\system32</td>
<td valign="top">C:\Windows\System32</td>
</tr>
<tr>
<td valign="top">%ALLUSERSPROFILE%</td>
<td valign="top">C:\ProgramData</td>
</tr>
<tr>
<td valign="top">%ALLUSERSPROFILE%\Application Data</td>
<td valign="top">C:\ProgramData\Application Data</td>
</tr>
<tr>
<td valign="top">%ALLUSERSPROFILE%\Documents</td>
<td valign="top">C:\ProgramData\Documents</td>
</tr>
<tr>
<td valign="top">%ALLUSERSPROFILE%\Documents\My Music\Sample Music</td>
<td valign="top">
<p>C:\ProgramData\Documents\My Music\Sample Music</p>
<p>.</p>
</td>
</tr>
<tr>
<td valign="top">%ALLUSERSPROFILE%\Documents\My Music </td>
<td valign="top">C:\ProgramData\Documents\My Music</td>
</tr>
<tr>
<td valign="top">%ALLUSERSPROFILE%\Documents\My Pictures </td>
<td valign="top">
<p>C:\ProgramData\Documents\My Pictures
</p>
</td>
</tr>
<tr>
<td valign="top">%ALLUSERSPROFILE%\Documents\My Pictures\Sample Pictures </td>
<td valign="top">C:\ProgramData\Documents\My Pictures\Sample Pictures</td>
</tr>
<tr>
<td valign="top">%ALLUSERSPROFILE%\Documents\My Videos </td>
<td valign="top">C:\ProgramData\Documents\My Videos</td>
</tr>
<tr>
<td valign="top">%ALLUSERSPROFILE%\Microsoft\Windows\DeviceMetadataStore </td>
<td valign="top">C:\ProgramData\Microsoft\Windows\DeviceMetadataStore</td>
</tr>
<tr>
<td valign="top">%ALLUSERSPROFILE%\Microsoft\Windows\GameExplorer </td>
<td valign="top">C:\ProgramData\Microsoft\Windows\GameExplorer</td>
</tr>
<tr>
<td valign="top">%ALLUSERSPROFILE%\Microsoft\Windows\Ringtones </td>
<td valign="top">C:\ProgramData\Microsoft\Windows\Ringtones</td>
</tr>
<tr>
<td valign="top">%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu </td>
<td valign="top">C:\ProgramData\Microsoft\Windows\Start Menu</td>
</tr>
<tr>
<td valign="top">%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs </td>
<td valign="top">C:\ProgramData\Microsoft\Windows\Start Menu\Programs </td>
</tr>
<tr>
<td valign="top">%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Administrative Tools</td>
<td valign="top">C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools</td>
</tr>
<tr>
<td valign="top">%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\StartUp </td>
<td valign="top">C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp</td>
</tr>
<tr>
<td valign="top">%ALLUSERSPROFILE%\Microsoft\Windows\Templates </td>
<td valign="top">C:\ProgramData\Microsoft\Windows\Templates</td>
</tr>
<tr>
<td valign="top">%ALLUSERSPROFILE%\Start Menu </td>
<td valign="top">C:\ProgramData\Start Menu</td>
</tr>
<tr>
<td valign="top">%ALLUSERSPROFILE%\Start Menu\Programs </td>
<td valign="top">C:\ProgramData\Start Menu\Programs</td>
</tr>
<tr>
<td valign="top">%ALLUSERSPROFILE%\Start Menu\Programs\Administrative Tools </td>
<td valign="top">C:\ProgramData\Start Menu\Programs\Administrative Tools</td>
</tr>
<tr>
<td valign="top">%ALLUSERSPROFILE%\Templates </td>
<td valign="top">C:\ProgramData\Templates</td>
</tr>
<tr>
<td valign="top">%LOCALAPPDATA%\Microsoft\Windows\ConnectedSearch\Templates </td>
<td valign="top">C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\ConnectedSearch\Templates</td>
</tr>
<tr>
<td valign="top">%LOCALAPPDATA%\Microsoft\Windows\History </td>
<td valign="top">C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History</td>
</tr>
<tr>
<td valign="top">
<p>
%PUBLIC% </p>
</td>
<td valign="top">C:\Users\Public</td>
</tr>
<tr>
<td valign="top">%PUBLIC%\AccountPictures </td>
<td valign="top">C:\Users\Public\AccountPictures</td>
</tr>
<tr>
<td valign="top">%PUBLIC%\Desktop </td>
<td valign="top">C:\Users\Public\Desktop</td>
</tr>
<tr>
<td valign="top">%PUBLIC%\Documents </td>
<td valign="top">C:\Users\Public\Documents</td>
</tr>
<tr>
<td valign="top">%PUBLIC%\Downloads </td>
<td valign="top">C:\Users\Public\Downloads</td>
</tr>
<tr>
<td valign="top">%PUBLIC%\Music\Sample Music </td>
<td valign="top">
<p>C:\Users\Public\Music\Sample Music</p>
<p>.</p>
</td>
</tr>
<tr>
<td valign="top">%PUBLIC%\Music\Sample Playlists </td>
<td valign="top">
<p>C:\Users\Public\Music\Sample Playlists</p>
<p>.</p>
</td>
</tr>
<tr>
<td valign="top">%PUBLIC%\Pictures\Sample Pictures </td>
<td valign="top">C:\Users\Public\Pictures\Sample Pictures</td>
</tr>
<tr>
<td valign="top">%PUBLIC%\RecordedTV.library-ms</td>
<td valign="top">C:\Users\Public\RecordedTV.library-ms</td>
</tr>
<tr>
<td valign="top">%PUBLIC%\Videos</td>
<td valign="top">C:\Users\Public\Videos</td>
</tr>
<tr>
<td valign="top">%PUBLIC%\Videos\Sample Videos</td>
<td valign="top">
<p>C:\Users\Public\Videos\Sample Videos</p>
<p>.</p>
</td>
</tr>
<tr>
<td valign="top">%USERPROFILE% </td>
<td valign="top">C:\Windows\System32\config\systemprofile</td>
</tr>
<tr>
<td valign="top">%USERPROFILE%\AppData\Local </td>
<td valign="top">C:\Windows\System32\config\systemprofile\AppData\Local</td>
</tr>
<tr>
<td valign="top">%USERPROFILE%\AppData\LocalLow </td>
<td valign="top">C:\Windows\System32\config\systemprofile\AppData\LocalLow</td>
</tr>
<tr>
<td valign="top">%USERPROFILE%\AppData\Roaming </td>
<td valign="top">C:\Windows\System32\config\systemprofile\AppData\Roaming</td>
</tr>
</tbody>
</table>
## Review the list of exclusions
You can retrieve the items in the exclusion list using one of the following methods:
@ -223,6 +496,9 @@ If you use PowerShell, you can retrieve the list in two ways:
To check exclusions with the dedicated [command-line tool mpcmdrun.exe](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus?branch=v-anbic-wdav-new-mpcmdrun-options), use the following command:
```DOS
Start, CMD (Run as admin)
cd "%programdata%\microsoft\windows defender\platform"
cd 4.18.1812.3 (Where 4.18.1812.3 is this month's MDAV "Platform Update".)
MpCmdRun.exe -CheckExclusion -path <path>
```

2
windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md
View File

@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
ms.date: 10/08/2018
ms.date: 06/25/2020
ms.reviewer:
manager: dansimp
---

5
windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md
View File

@ -13,7 +13,7 @@ author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
audience: ITPro
ms.date: 02/12/2020
ms.date:
ms.reviewer:
manager: dansimp
---
@ -25,6 +25,9 @@ manager: dansimp
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/microsoft-edge)
> [!NOTE]
> Potentially unwanted applications (PUA) are a category of software that can cause your machine to run slowly, display unexpected ads, or at worst, install other software which might not be be unexpected or unwanted. By default in Windows 10 (version 2004 and later), Microsoft Defender Antivirus blocks apps that are considered PUA, for Enterprise (E5) devices.
Potentially unwanted applications (PUA) are not considered viruses, malware, or other types of threats, but they might perform actions on endpoints which adversely affect endpoint performance or use. _PUA_ can also refer to an application that has a poor reputation, as assessed by Microsoft Defender ATP, due to certain kinds of undesirable behavior.
For example:

101
windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md
View File

@ -52,7 +52,7 @@ There are five locations where you can specify where an endpoint should obtain u
- [Microsoft Update](https://support.microsoft.com/help/12373/windows-update-faq)
- [Windows Server Update Service](https://docs.microsoft.com/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus)
- [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
- [Network file share](https://docs.microsoft.com/windows-server/storage/nfs/nfs-overview)
- [Network file share](#unc-share)
- [Security intelligence updates for Microsoft Defender Antivirus and other Microsoft antimalware](https://www.microsoft.com/en-us/wdsi/defenderupdates) (Your policy and registry might have this listed as Microsoft Malware Protection Center (MMPC) security intelligence, its former name.)
To ensure the best level of protection, Microsoft Update allows for rapid releases, which means smaller downloads on a frequent basis. The Windows Server Update Service, Microsoft Endpoint Configuration Manager, and Microsoft security intelligence updates sources deliver less frequent updates. Thus, the delta can be larger, resulting in larger downloads.
@ -151,6 +151,105 @@ For example, suppose that Contoso has hired Fabrikam to manage their security so
> [!NOTE]
> Microsoft does not test third-party solutions for managing Microsoft Defender Antivirus.
<a id="unc-share"></a>
## Create a UNC share for security intelligence updates
Set up a network file share (UNC/mapped drive) to download security intelligence updates from the MMPC site by using a scheduled task.
1. On the system on which you want to provision the share and download the updates, create a folder to which you will save the script.
```DOS
Start, CMD (Run as admin)
MD C:\Tool\PS-Scripts\
```
2. Create the folder to which you will save the signature updates.
```DOS
MD C:\Temp\TempSigs\x64
MD C:\Temp\TempSigs\x86
```
3. Download the Powershell script from [www.powershellgallery.com/packages/SignatureDownloadCustomTask/1.4](https://www.powershellgallery.com/packages/SignatureDownloadCustomTask/1.4).
4. Click **Manual Download**.
5. Click **Download the raw nupkg file**.
6. Extract the file.
7. Copy the file SignatureDownloadCustomTask.ps1 to the folder you previously created, C:\Tool\PS-Scripts\ .
8. Use the command line to set up the scheduled task.
> [!NOTE]
> There are two types of updates: full and delta.
- For x64 delta:
```DOS
Powershell (Run as admin)
C:\Tool\PS-Scripts\
“.\SignatureDownloadCustomTask.ps1 -action create -arch x64 -isDelta $true -destDir C:\Temp\TempSigs\x64 -scriptPath C:\Tool\PS-Scripts\SignatureDownloadCustomTask.ps1 -daysInterval 1”
```
- For x64 full:
```DOS
Powershell (Run as admin)
C:\Tool\PS-Scripts\
“.\SignatureDownloadCustomTask.ps1 -action create -arch x64 -isDelta $false -destDir C:\Temp\TempSigs\x64 -scriptPath C:\Tool\PS-Scripts\SignatureDownloadCustomTask.ps1 -daysInterval 1”
```
- For x86 delta:
```DOS
Powershell (Run as admin)
C:\Tool\PS-Scripts\
“.\SignatureDownloadCustomTask.ps1 -action create -arch x86 -isDelta $true -destDir C:\Temp\TempSigs\x86 -scriptPath C:\Tool\PS-Scripts\SignatureDownloadCustomTask.ps1 -daysInterval 1”
```
- For x86 full:
```DOS
Powershell (Run as admin)
C:\Tool\PS-Scripts\
“.\SignatureDownloadCustomTask.ps1 -action create -arch x86 -isDelta $false -destDir C:\Temp\TempSigs\x86 -scriptPath C:\Tool\PS-Scripts\SignatureDownloadCustomTask.ps1 -daysInterval 1”
```
> [!NOTE]
> When the scheduled tasks are created, you can find these in the Task Scheduler under Microsoft\Windows\Windows Defender
9. Run each task manually and verify that you have data (mpam-d.exe, mpam-fe.exe, and nis_full.exe) in the following folders (you might have chosen different locations):
- C:\Temp\TempSigs\x86
- C:\Temp\TempSigs\x64
If the scheduled task fails, run the following commands:
```DOS
C:\windows\system32\windowspowershell\v1.0\powershell.exe -NoProfile -executionpolicy allsigned -command “&\”C:\Tool\PS-Scripts\SignatureDownloadCustomTask.ps1\” -action run -arch x64 -isDelta $False -destDir C:\Temp\TempSigs\x64″
C:\windows\system32\windowspowershell\v1.0\powershell.exe -NoProfile -executionpolicy allsigned -command “&\”C:\Tool\PS-Scripts\SignatureDownloadCustomTask.ps1\” -action run -arch x64 -isDelta $True -destDir C:\Temp\TempSigs\x64″
C:\windows\system32\windowspowershell\v1.0\powershell.exe -NoProfile -executionpolicy allsigned -command “&\”C:\Tool\PS-Scripts\SignatureDownloadCustomTask.ps1\” -action run -arch x86 -isDelta $False -destDir C:\Temp\TempSigs\x86″
C:\windows\system32\windowspowershell\v1.0\powershell.exe -NoProfile -executionpolicy allsigned -command “&\”C:\Tool\PS-Scripts\SignatureDownloadCustomTask.ps1\” -action run -arch x86 -isDelta $True -destDir C:\Temp\TempSigs\x86″
```
> [!NOTE]
> Issues could also be due to execution policy.
10. Create a share pointing to C:\Temp\TempSigs (e.g. \\server\updates).
> [!NOTE]
> At a minimum, authenticated users must have “Read” access.
11. Set the share location in the policy to the share.
> [!NOTE]
> Do not add the x64 (or x86) folder in the path. The mpcmdrun.exe process adds it automatically.
## Related articles
- [Deploy Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md)

2
windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md
View File

@ -1,7 +1,7 @@
---
title: Advanced Hunting with Powershell API Guide
ms.reviewer:
description: Walk through a practice scenario, complete with code samples, querying several Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) APIs.
description: Use these code samples, querying several Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) APIs.
keywords: apis, supported apis, advanced hunting, query
search.product: eADQiWindows 10XVcnh
ms.prod: w10

BIN
windows/security/threat-protection/microsoft-defender-atp/images/appconfig3.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 152 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/live-response-error.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 36 KiB

27
windows/security/threat-protection/microsoft-defender-atp/linux-resources.md
View File

@ -69,15 +69,28 @@ There are several ways to uninstall Microsoft Defender ATP for Linux. If you are
## Configure from the command line
Important tasks, such as controlling product settings and triggering on-demand scans, can be done from the command line:
Important tasks, such as controlling product settings and triggering on-demand scans, can be done from the command line.
### Global options
By default, the command-line tool outputs the result in human-readable format. In addition to this, the tool also supports outputting the result as JSON, which is useful for automation scenarios. To change the output to JSON, pass `--output json` to any of the below commands.
### Supported commands
The following table lists commands for some of the most common scenarios. Run `mdatp help` from the Terminal to view the full list of supported commands.
|Group |Scenario |Command |
|-------------|-------------------------------------------|-----------------------------------------------------------------------|
|Configuration|Turn on/off real-time protection |`mdatp config real_time_protection --value [enabled|disabled]` |
|----------------------|--------------------------------------------------------|-----------------------------------------------------------------------|
|Configuration |Turn on/off real-time protection |`mdatp config real-time-protection --value [enabled|disabled]` |
|Configuration |Turn on/off cloud protection |`mdatp config cloud --value [enabled|disabled]` |
|Configuration |Turn on/off product diagnostics |`mdatp config cloud-diagnostic --value [enabled|disabled]` |
|Configuration |Turn on/off automatic sample submission |`mdatp config cloud-automatic-sample-submission [enabled|disabled]` |
|Configuration |Turn on/off AV passive mode |`mdatp config passive-mode [enabled|disabled]` |
|Configuration |Add/remove an antivirus exclusion for a file extension |`mdatp exclusion extension [add|remove] --name <extension>` |
|Configuration |Add/remove an antivirus exclusion for a file |`mdatp exclusion file [add|remove] --path <path-to-file>` |
|Configuration |Add/remove an antivirus exclusion for a directory |`mdatp exclusion folder [add|remove] --path <path-to-directory>` |
|Configuration |Add/remove an antivirus exclusion for a process |`mdatp exclusion process [add|remove] --path <path-to-process>`<br/>`mdatp exclusion process [add|remove] --name <process-name>` |
|Configuration |List all antivirus exclusions |`mdatp exclusion list` |
|Configuration |Turn on PUA protection |`mdatp threat policy set --type potentially_unwanted_application --action block` |
|Configuration |Turn off PUA protection |`mdatp threat policy set --type potentially_unwanted_application --action off` |
|Configuration |Turn on audit mode for PUA protection |`mdatp threat policy set --type potentially_unwanted_application --action audit` |
@ -89,6 +102,13 @@ Important tasks, such as controlling product settings and triggering on-demand s
|Protection |Do a full scan |`mdatp scan full` |
|Protection |Cancel an ongoing on-demand scan |`mdatp scan cancel` |
|Protection |Request a security intelligence update |`mdatp definitions update` |
|Protection history |Print the full protection history |`mdatp threat list` |
|Protection history |Get threat details |`mdatp threat get --id <threat-id>` |
|Quarantine management |List all quarantined files |`mdatp threat quarantine list` |
|Quarantine management |Remove all files from the quarantine |`mdatp threat quarantine remove-all` |
|Quarantine management |Add a file detected as a threat to the quarantine |`mdatp threat quarantine add --id <threat-id>` |
|Quarantine management |Remove a file detected as a threat from the quarantine |`mdatp threat quarantine add --id <threat-id>` |
|Quarantine management |Restore a file from the quarantine |`mdatp threat quarantine add --id <threat-id>` |
## Microsoft Defender ATP portal information
@ -113,6 +133,7 @@ In the Microsoft Defender ATP portal, you'll see two categories of information:
### Known issues
- You might see "No sensor data, impaired communications" in the machine information page of the Microsoft Defender Security Center portal, even though the product is working as expected. We are working on addressing this issue.
- Logged on users do not appear in the Microsoft Defender Security Center portal.
- In SUSE distributions, if the installation of *libatomic1* fails, you should validate that your OS is registered:

4
windows/security/threat-protection/microsoft-defender-atp/live-response.md
View File

@ -63,6 +63,10 @@ You'll need to enable the live response capability in the [Advanced features set
- **Ensure that the device has an Automation Remediation level assigned to it**.<br>
You'll need to enable, at least, the minimum Remediation Level for a given Device Group. Otherwise you won't be able to establish a Live Response session to a member of that group.
You'll receive the following error:
![Image of error message](images/live-response-error.png)
- **Enable live response unsigned script execution** (optional). <br>
>[!WARNING]

4
windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md
View File

@ -51,7 +51,7 @@ The following table summarizes the steps you would need to take to deploy and ma
| [Grant full disk access to Microsoft Defender ATP](#create-system-configuration-profiles-step-8) | MDATP_tcc_Catalina_or_newer.xml | com.microsoft.wdav.tcc |
| [Configure Microsoft AutoUpdate (MAU)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-updates#intune) | MDATP_Microsoft_AutoUpdate.xml | com.microsoft.autoupdate2 |
| [Microsoft Defender ATP configuration settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-preferences#intune-profile-1)<br/><br/> **Note:** If you are planning to run a 3rd party AV for macOS, set `passiveMode` to `true`. | MDATP_WDAV_and_exclusion_settings_Preferences.xml | com.microsoft.wdav |
| [Configure Microsoft Defender ATP and MS AutoUpdate (MAU) notifications](#create-system-configuration-profiles-step-9) | MDATP_MDAV_Tray_and_AutoUpdate2.mobileconfig | com.microsoft.autoupdate2 or com.microsoft.wdavtray |
| [Configure Microsoft Defender ATP and MS AutoUpdate (MAU) notifications](#create-system-configuration-profiles-step-9) | MDATP_MDAV_Tray_and_AutoUpdate2.mobileconfig | com.microsoft.autoupdate2 or com.microsoft.wdav.tray |
## Download installation and onboarding packages
@ -245,7 +245,7 @@ You may now enroll more devices. You can also enroll them later, after you have
<key>BadgesEnabled</key>
<true/>
<key>BundleIdentifier</key>
<string>com.microsoft.wdavtray</string>
<string>com.microsoft.wdav.tray</string>
<key>CriticalAlertEnabled</key>
<false/>
<key>GroupingType</key>

4
windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md
View File

@ -46,7 +46,7 @@ The following table summarizes the steps you would need to take to deploy and ma
|-|-|-|
| [Download installation and onboarding packages](#download-installation-and-onboarding-packages) | WindowsDefenderATPOnboarding__MDATP_wdav.atp.xml | com.microsoft.wdav.atp |
| [Microsoft Defender ATP configuration settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-preferences#property-list-for-jamf-configuration-profile-1)<br/><br/> **Note:** If you are planning to run a 3rd party AV for macOS, set `passiveMode` to `true`. | MDATP_WDAV_and_exclusion_settings_Preferences.plist | com.microsoft.wdav |
| [Configure Microsoft Defender ATP and MS AutoUpdate (MAU) notifications](#notification-settings) | MDATP_MDAV_Tray_and_AutoUpdate2.mobileconfig | com.microsoft.wdavtray |
| [Configure Microsoft Defender ATP and MS AutoUpdate (MAU) notifications](#notification-settings) | MDATP_MDAV_Tray_and_AutoUpdate2.mobileconfig | com.microsoft.wdav.tray |
| [Configure Microsoft AutoUpdate (MAU)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-updates#jamf) | MDATP_Microsoft_AutoUpdate.mobileconfig | com.microsoft.autoupdate2 |
| [Grant Full Disk Access to Microsoft Defender ATP](#privacy-preferences-policy-control) | Note: If there was one, MDATP_tcc_Catalina_or_newer.plist | com.microsoft.wdav.tcc |
| [Approve Kernel Extension for Microsoft Defender ATP](#approved-kernel-extension) | Note: If there was one, MDATP_KExt.plist | N/A |
@ -142,7 +142,7 @@ Starting in macOS 10.15 (Catalina) a user must manually allow to display notific
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict><key>PayloadContent</key><array><dict><key>NotificationSettings</key><array><dict><key>AlertType</key><integer>2</integer><key>BadgesEnabled</key><true/><key>BundleIdentifier</key><string>com.microsoft.autoupdate2</string><key>CriticalAlertEnabled</key><false/><key>GroupingType</key><integer>0</integer><key>NotificationsEnabled</key><true/><key>ShowInLockScreen</key><false/><key>ShowInNotificationCenter</key><true/><key>SoundsEnabled</key><true/></dict><dict><key>AlertType</key><integer>2</integer><key>BadgesEnabled</key><true/><key>BundleIdentifier</key><string>com.microsoft.wdavtray</string><key>CriticalAlertEnabled</key><false/><key>GroupingType</key><integer>0</integer><key>NotificationsEnabled</key><true/><key>ShowInLockScreen</key><false/><key>ShowInNotificationCenter</key><true/><key>SoundsEnabled</key><true/></dict></array><key>PayloadDescription</key><string/><key>PayloadDisplayName</key><string>notifications</string><key>PayloadEnabled</key><true/><key>PayloadIdentifier</key><string>BB977315-E4CB-4915-90C7-8334C75A7C64</string><key>PayloadOrganization</key><string>Microsoft</string><key>PayloadType</key><string>com.apple.notificationsettings</string><key>PayloadUUID</key><string>BB977315-E4CB-4915-90C7-8334C75A7C64</string><key>PayloadVersion</key><integer>1</integer></dict></array><key>PayloadDescription</key><string/><key>PayloadDisplayName</key><string>mdatp - allow notifications</string><key>PayloadEnabled</key><true/><key>PayloadIdentifier</key><string>85F6805B-0106-4D23-9101-7F1DFD5EA6D6</string><key>PayloadOrganization</key><string>Microsoft</string><key>PayloadRemovalDisallowed</key><false/><key>PayloadScope</key><string>System</string><key>PayloadType</key><string>Configuration</string><key>PayloadUUID</key><string>85F6805B-0106-4D23-9101-7F1DFD5EA6D6</string><key>PayloadVersion</key><integer>1</integer></dict></plist>
<plist version="1.0"><dict><key>PayloadContent</key><array><dict><key>NotificationSettings</key><array><dict><key>AlertType</key><integer>2</integer><key>BadgesEnabled</key><true/><key>BundleIdentifier</key><string>com.microsoft.autoupdate2</string><key>CriticalAlertEnabled</key><false/><key>GroupingType</key><integer>0</integer><key>NotificationsEnabled</key><true/><key>ShowInLockScreen</key><false/><key>ShowInNotificationCenter</key><true/><key>SoundsEnabled</key><true/></dict><dict><key>AlertType</key><integer>2</integer><key>BadgesEnabled</key><true/><key>BundleIdentifier</key><string>com.microsoft.wdav.tray</string><key>CriticalAlertEnabled</key><false/><key>GroupingType</key><integer>0</integer><key>NotificationsEnabled</key><true/><key>ShowInLockScreen</key><false/><key>ShowInNotificationCenter</key><true/><key>SoundsEnabled</key><true/></dict></array><key>PayloadDescription</key><string/><key>PayloadDisplayName</key><string>notifications</string><key>PayloadEnabled</key><true/><key>PayloadIdentifier</key><string>BB977315-E4CB-4915-90C7-8334C75A7C64</string><key>PayloadOrganization</key><string>Microsoft</string><key>PayloadType</key><string>com.apple.notificationsettings</string><key>PayloadUUID</key><string>BB977315-E4CB-4915-90C7-8334C75A7C64</string><key>PayloadVersion</key><integer>1</integer></dict></array><key>PayloadDescription</key><string/><key>PayloadDisplayName</key><string>mdatp - allow notifications</string><key>PayloadEnabled</key><true/><key>PayloadIdentifier</key><string>85F6805B-0106-4D23-9101-7F1DFD5EA6D6</string><key>PayloadOrganization</key><string>Microsoft</string><key>PayloadRemovalDisallowed</key><false/><key>PayloadScope</key><string>System</string><key>PayloadType</key><string>Configuration</string><key>PayloadUUID</key><string>85F6805B-0106-4D23-9101-7F1DFD5EA6D6</string><key>PayloadVersion</key><integer>1</integer></dict></plist>
```
### Package

12
windows/security/threat-protection/microsoft-defender-atp/mac-support-install.md
View File

@ -25,9 +25,9 @@ ms.topic: conceptual
## Installation failed
For manual installation, it is Summary page of the installation wizard that says "An error occurred during installation. The Installer encountered an error that caused the installation to fail. Contact the software manufacturer for assistance". For MDM deployments it would be exposed as a generic installation failure as well.
For manual installation, the Summary page of the installation wizard says, "An error occurred during installation. The Installer encountered an error that caused the installation to fail. Contact the software manufacturer for assistance." For MDM deployments, it displays as a generic installation failure as well.
While we do not expose exact error to the end user, we keep a log file with installation progress in `/Library/Logs/Microsoft/mdatp/install.log`. Each installation session appends to this log file, you can use `sed` to output the last installation session only:
While we do not display an exact error to the end user, we keep a log file with installation progress in `/Library/Logs/Microsoft/mdatp/install.log`. Each installation session appends to this log file. You can use `sed` to output the last installation session only:
```bash
$ sed -n 'H; /^preinstall com.microsoft.wdav begin/h; ${g;p;}' /Library/Logs/Microsoft/mdatp/install.log
@ -39,13 +39,13 @@ correlation id=CB509765-70FC-4679-866D-8A14AD3F13CC
preinstall com.microsoft.wdav end [2020-03-11 13:08:49 -0700] 804 => 1
```
In the example above the actual reason is prefixed with `[ERROR]`.
In this example, the actual reason is prefixed with `[ERROR]`.
The installation failed because a downgrade between these versions is not supported.
## No MDATP's install log
## MDATP install log missing or not updated
In rare cases installation leaves no trace in MDATP's /Library/Logs/Microsoft/mdatp/install.log file.
You can verify that installation happened and analyze possible errors by querying macOS logs (this can be helpful in case of MDM deployment, when there is no client UI). It is recommended to have a narrow time window to query and filter by the logging process name, as there will be huge amount of information;
In rare cases, installation leaves no trace in MDATP's /Library/Logs/Microsoft/mdatp/install.log file.
You can verify that an installation happened and analyze possible errors by querying macOS logs (this is helpful in case of MDM deployment, when there is no client UI). We recommend that you use a narrow time window to run a query, and that you filter by the logging process name, as there will be a huge amount of information.
```bash
grep '^2020-03-11 13:08' /var/log/install.log

2
windows/security/threat-protection/windows-firewall/enable-predefined-inbound-rules.md
View File

@ -1,6 +1,6 @@
---
title: Enable Predefined Inbound Rules (Windows 10)
description: Enable Predefined Inbound Rules
description: Learn the rules for Windows Defender Firewall with Advanced Security for common networking roles and functions.
ms.assetid: a4fff086-ae81-4c09-b828-18c6c9a937a7
ms.reviewer:
ms.author: dansimp

7
windows/whats-new/index.md
View File

@ -28,8 +28,11 @@ Windows 10 provides IT professionals with advanced protection against modern sec
## Learn more
- [Windows 10 release information](https://technet.microsoft.com/windows/release-info)
- [Windows 10 update history](https://support.microsoft.com/help/12387/windows-10-update-history)
- [Windows 10 content from Microsoft Ignite](https://go.microsoft.com/fwlink/p/?LinkId=613210)
- [Windows 10 release health dashboard](https://docs.microsoft.com/windows/release-information/status-windows-10-2004)
- [Windows 10 update history](https://support.microsoft.com/help/4555932/windows-10-update-history)
- [Whats new for business in Windows 10 Insider Preview Builds](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new)
- [Windows 10 features were no longer developing](https://docs.microsoft.com/windows/deployment/planning/windows-10-deprecated-features)
- [Features and functionality removed in Windows 10](https://docs.microsoft.com/windows/deployment/planning/windows-10-removed-features)
- [Compare Windows 10 Editions](https://go.microsoft.com/fwlink/p/?LinkId=690485)
## See also