Merge remote-tracking branch 'refs/remotes/origin/master' into atp-server-onboarding

Joey Caparas 2017-08-10 13:50:18 -07:00
commit 6ced30064d
6 changed files with 104 additions and 7 deletions

View File

@ -68,9 +68,8 @@ Surface Hub interacts with a few different products and services. Depending on t
A device account is an Exchange resource account that Surface Hub uses to display its meeting calendar, join Skype for Business calls, send email, and (optionally) to authenticate to Exchange. See [Create and test a device account](create-and-test-a-device-account-surface-hub.md) for details.
After you've created your device account, there are a couple of ways to verify that it's setup correctly.
- Run Surface Hub device account validation PowerShell scripts. For more information, see [Surface Hub device account scripts](https://gallery.technet.microsoft.com/scriptcenter/Surface-Hub-device-account-6db77696) in Script Center, or [PowerShell scripts for Surface Hub](appendix-a-powershell-scripts-for-surface-hub.md) later in this guide.
- Use the account with the [Lync Microsoft Store app](https://www.microsoft.com/en-us/store/p/lync/9wzdncrfhvhm). If Lync signs in successfully, then the device account will most likely work with Skype for Business on Surface Hub.
After you've created your device account, to verify that it's setup correctly, run Surface Hub device account validation PowerShell scripts. For more information, see [Surface Hub device account scripts](https://gallery.technet.microsoft.com/scriptcenter/Surface-Hub-device-account-6db77696) in Script Center, or [PowerShell scripts for Surface Hub](appendix-a-powershell-scripts-for-surface-hub.md) later in this guide.
## Prepare for first-run program
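Review bot: In the rewritten sentence, "to verify that it's setup correctly" should read "set up" (the verb), not "setup"; the removed line had the same slip, so it is worth fixing while the sentence is being rewritten. The change also drops the Lync Store app sign-in check, which the removed bullet described as an indication that the account will work with Skype for Business, leaving the validation scripts as the only verification path. Please confirm the scripts cover Skype for Business sign-in, or say so in the new sentence.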

View File

@ -100,5 +100,5 @@
#### [Viewing App-V Server Publishing Metadata](app-v/appv-viewing-appv-server-publishing-metadata.md)
#### [Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications](app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md)
## [Service Host process refactoring](svchost-service-refactoring.md)
## [Deploy app updgrades on Windows 10 Mobile](deploy-app-upgrades-windows-10-mobile.md)
## [Deploy app upgrades on Windows 10 Mobile](deploy-app-upgrades-windows-10-mobile.md)
## [Change history for Application management](change-history-for-application-management.md)

View File

@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 06/19/2017
ms.date: 08/10/2017
---
# AppLocker CSP
@ -791,8 +791,70 @@ The following list shows the apps that may be included in the inbox.
 
## Whitelist example
## Whitelist examples
The following example disables the calendar application.
``` syntax
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Add>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/PolicyManager/My/ApplicationManagement/ApplicationRestrictions</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
<Type xmlns="syncml:metinf">text/plain</Type>
</Meta>
<Data>&lt;AppPolicy Version="1" xmlns="http://schemas.microsoft.com/phone/2013/policy"&gt;&lt;Deny&gt;&lt;App ProductId="{a558feba-85d7-4665-b5d8-a2ff9c19799b}"/&gt;&lt;/Deny&gt;&lt;/AppPolicy&gt;
</Data>
</Item>
</Add>
<Final/>
</SyncBody>
</SyncML>
```
The following example blocks the usage of the map application.
``` syntax
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Add>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/AppLockerPhoneGroup0/StoreApps/Policy</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>
&lt;RuleCollection Type="Appx" EnforcementMode="Enabled"&gt;
&lt;FilePublisherRule Id="a9e18c21-ff8f-43cf-b9fc-db40eed693ba" Name="(Default Rule) All signed Appx packages" Description="Allows members of the Everyone group to run Appx packages that are signed." UserOrGroupSid="S-1-1-0" Action="Allow"&gt;
&lt;Conditions&gt;
&lt;FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*"&gt;
&lt;BinaryVersionRange LowSection="0.0.0.0" HighSection="*" /&gt;
&lt;/FilePublisherCondition&gt;
&lt;/Conditions&gt;
&lt;/FilePublisherRule&gt;
&lt;FilePublisherRule Id="fd686d83-a829-4351-8ff4-27c7de5755d2" Name="Deny Splash appmaps" Description="Deny members of the local Administrators group to run maps." UserOrGroupSid="S-1-1-0" Action="Deny"&gt;
&lt;Conditions&gt;
&lt;FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.WindowsMaps" BinaryName="*" /&gt;
&lt;/Conditions&gt;
&lt;/FilePublisherRule&gt;
&lt;/RuleCollection&gt;
</Data>
</Item>
</Add>
<Final/>
</SyncBody>
</SyncML>
```
The following example for Windows 10 Mobile denies all apps and allows the following apps:
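Review bot: In the map example, the deny rule's Description reads "Deny members of the local Administrators group to run maps." but the rule carries UserOrGroupSid="S-1-1-0", the same SID the default allow rule above it uses and describes as the Everyone group. Change the description to say Everyone or use the SID of the group that is actually intended; the Name "Deny Splash appmaps" also reads like a leftover and should name the app being denied. The deny rule's FilePublisherCondition is self-closed with no BinaryVersionRange child, unlike the allow rule, so please confirm the policy is accepted in that form. Two documentation points: the calendar example targets ./Vendor/MSFT/PolicyManager/My/ApplicationManagement/ApplicationRestrictions rather than an AppLocker node, which needs a sentence of explanation in an AppLocker CSP article, and both new examples deny apps under a heading renamed to "Whitelist examples".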

View File

@ -10,7 +10,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 08/04/2017
ms.date: 08/10/2017
---
# What's new in MDM enrollment and management
@ -1332,6 +1332,10 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
<li> 3 Hides overrides (encrypt, prompt but hide overrides, and audit).</li>
</ul>
</td></tr>
<tr class="odd">
<td style="vertical-align:top">[AppLocker CSP](applocker-csp.md)</td>
<td style="vertical-align:top"><p>Added two new SyncML examples (to disable the calendar app and to block usage of the map app) in [Whitelist examples](applocker-csp.md#whitelist-examples).</p>
</td></tr>
<tr class="even">
<td style="vertical-align:top">[Policy CSP](policy-configuration-service-provider.md)</td>
<td style="vertical-align:top"><p>Added the following new policies for Windows 10, version 1709:</p>

View File

@ -60,6 +60,7 @@ This policy setting allows you to enable or disable Microsoft Application Virtua
ADMX Info:
- GP english name: *Enable App-V Client*
- GP name: *EnableAppV*
- GP path: *Administrative Templates/System/App-V*
- GP ADMX file name: *appv.admx*
<!--EndADMX-->
@ -105,6 +106,7 @@ Enables Dynamic Virtualization of supported shell extensions, browser helper obj
ADMX Info:
- GP english name: *Enable Dynamic Virtualization*
- GP name: *Virtualization_JITVEnable*
- GP path: *Administrative Templates/System/App-V/Virtualization*
- GP ADMX file name: *appv.admx*
<!--EndADMX-->
@ -150,6 +152,7 @@ Enables automatic cleanup of appv packages that were added after Windows10 anniv
ADMX Info:
- GP english name: *Enable automatic cleanup of unused appv packages*
- GP name: *PackageManagement_AutoCleanupEnable*
- GP path: *Administrative Templates/System/App-V/PackageManagement*
- GP ADMX file name: *appv.admx*
<!--EndADMX-->
@ -195,6 +198,7 @@ Enables scripts defined in the package manifest of configuration files that shou
ADMX Info:
- GP english name: *Enable Package Scripts*
- GP name: *Scripting_Enable_Package_Scripts*
- GP path: *Administrative Templates/System/App-V/Scripting*
- GP ADMX file name: *appv.admx*
<!--EndADMX-->
@ -240,6 +244,7 @@ Enables a UX to display to the user when a publishing refresh is performed on th
ADMX Info:
- GP english name: *Enable Publishing Refresh UX*
- GP name: *Enable_Publishing_Refresh_UX*
- GP path: *Administrative Templates/System/App-V/Publishing*
- GP ADMX file name: *appv.admx*
<!--EndADMX-->
@ -295,6 +300,7 @@ Data Block Size: This value specifies the maximum size in bytes to transmit to t
ADMX Info:
- GP english name: *Reporting Server*
- GP name: *Reporting_Server_Policy*
- GP path: *Administrative Templates/System/App-V/Reporting*
- GP ADMX file name: *appv.admx*
<!--EndADMX-->
@ -340,6 +346,7 @@ Specifies the file paths relative to %userprofile% that do not roam with a user'
ADMX Info:
- GP english name: *Roaming File Exclusions*
- GP name: *Integration_Roaming_File_Exclusions*
- GP path: *Administrative Templates/System/App-V/Integration*
- GP ADMX file name: *appv.admx*
<!--EndADMX-->
@ -385,6 +392,7 @@ Specifies the registry paths that do not roam with a user profile. Example usage
ADMX Info:
- GP english name: *Roaming Registry Exclusions*
- GP name: *Integration_Roaming_Registry_Exclusions*
- GP path: *Administrative Templates/System/App-V/Integration*
- GP ADMX file name: *appv.admx*
<!--EndADMX-->
@ -430,6 +438,7 @@ Specifies how new packages should be loaded automatically by App-V on a specific
ADMX Info:
- GP english name: *Specify what to load in background (aka AutoLoad)*
- GP name: *Steaming_Autoload*
- GP path: *Administrative Templates/System/App-V/Streaming*
- GP ADMX file name: *appv.admx*
<!--EndADMX-->
@ -475,6 +484,7 @@ Migration mode allows the App-V client to modify shortcuts and FTA's for package
ADMX Info:
- GP english name: *Enable Migration Mode*
- GP name: *Client_Coexistence_Enable_Migration_mode*
- GP path: *Administrative Templates/System/App-V/Client Coexistence*
- GP ADMX file name: *appv.admx*
<!--EndADMX-->
@ -520,6 +530,7 @@ Specifies the location where symbolic links are created to the current version o
ADMX Info:
- GP english name: *Integration Root User*
- GP name: *Integration_Root_User*
- GP path: *Administrative Templates/System/App-V/Integration*
- GP ADMX file name: *appv.admx*
<!--EndADMX-->
@ -565,6 +576,7 @@ Specifies the location where symbolic links are created to the current version o
ADMX Info:
- GP english name: *Integration Root Global*
- GP name: *Integration_Root_Global*
- GP path: *Administrative Templates/System/App-V/Integration*
- GP ADMX file name: *appv.admx*
<!--EndADMX-->
@ -628,6 +640,7 @@ User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, D
ADMX Info:
- GP english name: *Publishing Server 1 Settings*
- GP name: *Publishing_Server1_Policy*
- GP path: *Administrative Templates/System/App-V/Publishing*
- GP ADMX file name: *appv.admx*
<!--EndADMX-->
@ -691,6 +704,7 @@ User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, D
ADMX Info:
- GP english name: *Publishing Server 2 Settings*
- GP name: *Publishing_Server2_Policy*
- GP path: *Administrative Templates/System/App-V/Publishing*
- GP ADMX file name: *appv.admx*
<!--EndADMX-->
@ -754,6 +768,7 @@ User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, D
ADMX Info:
- GP english name: *Publishing Server 3 Settings*
- GP name: *Publishing_Server3_Policy*
- GP path: *Administrative Templates/System/App-V/Publishing*
- GP ADMX file name: *appv.admx*
<!--EndADMX-->
@ -817,6 +832,7 @@ User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, D
ADMX Info:
- GP english name: *Publishing Server 4 Settings*
- GP name: *Publishing_Server4_Policy*
- GP path: *Administrative Templates/System/App-V/Publishing*
- GP ADMX file name: *appv.admx*
<!--EndADMX-->
@ -880,6 +896,7 @@ User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, D
ADMX Info:
- GP english name: *Publishing Server 5 Settings*
- GP name: *Publishing_Server5_Policy*
- GP path: *Administrative Templates/System/App-V/Publishing*
- GP ADMX file name: *appv.admx*
<!--EndADMX-->
@ -925,6 +942,7 @@ Specifies the path to a valid certificate in the certificate store.
ADMX Info:
- GP english name: *Certificate Filter For Client SSL*
- GP name: *Streaming_Certificate_Filter_For_Client_SSL*
- GP path: *Administrative Templates/System/App-V/Streaming*
- GP ADMX file name: *appv.admx*
<!--EndADMX-->
@ -970,6 +988,7 @@ This setting controls whether virtualized applications are launched on Windows 8
ADMX Info:
- GP english name: *Allow First Time Application Launches if on a High Cost Windows 8 Metered Connection*
- GP name: *Streaming_Allow_High_Cost_Launch*
- GP path: *Administrative Templates/System/App-V/Streaming*
- GP ADMX file name: *appv.admx*
<!--EndADMX-->
@ -1015,6 +1034,7 @@ Specifies the CLSID for a compatible implementation of the IAppvPackageLocationP
ADMX Info:
- GP english name: *Location Provider*
- GP name: *Streaming_Location_Provider*
- GP path: *Administrative Templates/System/App-V/Streaming*
- GP ADMX file name: *appv.admx*
<!--EndADMX-->
@ -1060,6 +1080,7 @@ Specifies directory where all new applications and updates will be installed.
ADMX Info:
- GP english name: *Package Installation Root*
- GP name: *Streaming_Package_Installation_Root*
- GP path: *Administrative Templates/System/App-V/Streaming*
- GP ADMX file name: *appv.admx*
<!--EndADMX-->
@ -1105,6 +1126,7 @@ Overrides source location for downloading package content.
ADMX Info:
- GP english name: *Package Source Root*
- GP name: *Streaming_Package_Source_Root*
- GP path: *Administrative Templates/System/App-V/Streaming*
- GP ADMX file name: *appv.admx*
<!--EndADMX-->
@ -1150,6 +1172,7 @@ Specifies the number of seconds between attempts to reestablish a dropped sessio
ADMX Info:
- GP english name: *Reestablishment Interval*
- GP name: *Streaming_Reestablishment_Interval*
- GP path: *Administrative Templates/System/App-V/Streaming*
- GP ADMX file name: *appv.admx*
<!--EndADMX-->
@ -1195,6 +1218,7 @@ Specifies the number of times to retry a dropped session.
ADMX Info:
- GP english name: *Reestablishment Retries*
- GP name: *Streaming_Reestablishment_Retries*
- GP path: *Administrative Templates/System/App-V/Streaming*
- GP ADMX file name: *appv.admx*
<!--EndADMX-->
@ -1240,6 +1264,7 @@ Specifies that streamed package contents will be not be saved to the local hard
ADMX Info:
- GP english name: *Shared Content Store (SCS) mode*
- GP name: *Streaming_Shared_Content_Store_Mode*
- GP path: *Administrative Templates/System/App-V/Streaming*
- GP ADMX file name: *appv.admx*
<!--EndADMX-->
@ -1285,6 +1310,7 @@ If enabled, the App-V client will support BrancheCache compatible HTTP streaming
ADMX Info:
- GP english name: *Enable Support for BranchCache*
- GP name: *Streaming_Support_Branch_Cache*
- GP path: *Administrative Templates/System/App-V/Streaming*
- GP ADMX file name: *appv.admx*
<!--EndADMX-->
@ -1330,6 +1356,7 @@ Verifies Server certificate revocation status before streaming using HTTPS.
ADMX Info:
- GP english name: *Verify certificate revocation list*
- GP name: *Streaming_Verify_Certificate_Revocation_List*
- GP path: *Administrative Templates/System/App-V/Streaming*
- GP ADMX file name: *appv.admx*
<!--EndADMX-->
@ -1375,6 +1402,7 @@ Specifies a list of process paths (may contain wildcards) which are candidates f
ADMX Info:
- GP english name: *Virtual Component Process Allow List*
- GP name: *Virtualization_JITVAllowList*
- GP path: *Administrative Templates/System/App-V/Virtualization*
- GP ADMX file name: *appv.admx*
<!--EndADMX-->

View File

@ -46,6 +46,7 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you
- mshta.exe
- ntsd.exe
- rcsi.exe
- SyncAppVPublishingServer.exe
- system.management.automation.dll
- windbg.exe
@ -64,6 +65,7 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you
|Matt Nelson | @enigma0x3|
|Oddvar Moe |@Oddvarmoe|
|Alex Ionescu | @aionescu|
|Nick Landers | @monoxgas|
<br />
@ -116,6 +118,7 @@ Microsoft recommends that you block the following Microsoft-signed applications
<Deny ID="ID_DENY_LXSS" FriendlyName="LxssManager.dll" FileName="LxssManager.dll" MinimumFileVersion = "65535.65535.65535.65535" />
<Deny ID="ID_DENY_BASH" FriendlyName="bash.exe" FileName="bash.exe" MinimumFileVersion = "65535.65535.65535.65535" />
<Deny ID="ID_DENY_FSI" FriendlyName="fsi.exe" FileName="fsi.exe" MinimumFileVersion = "65535.65535.65535.65535" />
<Deny ID="ID_DENY_APPVPUBSRV" FriendlyName="SyncAppVPublishingServer.exe" FileName="SyncAppVPublishingServer.exe" MinimumFileVersion = "65535.65535.65535.65535" />
<Deny ID="ID_DENY_FSI_ANYCPU" FriendlyName="fsiAnyCpu.exe" FileName="fsiAnyCpu.exe" MinimumFileVersion = "65535.65535.65535.65535" />
<Deny ID="ID_DENY_MSHTA" FriendlyName="mshta.exe" FileName="mshta.exe" MinimumFileVersion = "65535.65535.65535.65535" />
<Deny ID="ID_DENY_SMA" FriendlyName="System.Management.Automation.dll" FileName="System.Management.Automation.dll" MinimumFileVersion = "10.0.16215.999" />
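Review bot: The new ID_DENY_APPVPUBSRV rule is inserted between ID_DENY_FSI and ID_DENY_FSI_ANYCPU, splitting the fsi.exe pair, while the matching FileRuleRef added later in this file sits after ID_DENY_FSI_ANYCPU. Move the Deny element below the ID_DENY_FSI_ANYCPU line so both lists keep the same order; with a Deny entry and its FileRuleRef in matching positions, a rule that is defined but never referenced is much easier to spot in review.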
@ -184,6 +187,7 @@ Microsoft recommends that you block the following Microsoft-signed applications
<FileRuleRef RuleID="ID_DENY_BASH"/>
<FileRuleRef RuleID="ID_DENY_FSI"/>
<FileRuleRef RuleID="ID_DENY_FSI_ANYCPU"/>
<FileRuleRef RuleID="ID_DENY_APPVPUBSRV"/>
<FileRuleRef RuleID="ID_DENY_MSHTA"/>
<FileRuleRef RuleID="ID_DENY_SMA"/>
<FileRuleRef RuleID="ID_DENY_D_1" />