From 811657802efbe92e1cd0bf16363cfed6de9f9931 Mon Sep 17 00:00:00 2001 From: Nick Landers Date: Wed, 9 Aug 2017 10:22:55 -0600 Subject: [PATCH 1/5] Update to include SyncAppVPublishingServer --- .../device-guard/deploy-code-integrity-policies-steps.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md b/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md index 6b3f009321..390575abd4 100644 --- a/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md +++ b/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md @@ -46,6 +46,7 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you - mshta.exe - ntsd.exe - rcsi.exe +- SyncAppVPublishingServer.exe - system.management.automation.dll - windbg.exe @@ -64,6 +65,7 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you |Matt Nelson | @enigma0x3| |Oddvar Moe |@Oddvarmoe| |Alex Ionescu | @aionescu| +|Nick Landers | @monoxgas|
@@ -116,6 +118,7 @@ Microsoft recommends that you block the following Microsoft-signed applications + @@ -184,6 +187,7 @@ Microsoft recommends that you block the following Microsoft-signed applications + From 9813a135d6e662f0f1718fde4a22a4982ea96f35 Mon Sep 17 00:00:00 2001 From: Jeanie Decker Date: Wed, 9 Aug 2017 20:59:39 +0000 Subject: [PATCH 2/5] Merged PR 2645: Fixed account test instructions --- .../surface-hub/prepare-your-environment-for-surface-hub.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/devices/surface-hub/prepare-your-environment-for-surface-hub.md b/devices/surface-hub/prepare-your-environment-for-surface-hub.md index 892a1a31a4..7346763936 100644 --- a/devices/surface-hub/prepare-your-environment-for-surface-hub.md +++ b/devices/surface-hub/prepare-your-environment-for-surface-hub.md 
@@ -68,9 +68,8 @@ Surface Hub interacts with a few different products and services. Depending on t A device account is an Exchange resource account that Surface Hub uses to display its meeting calendar, join Skype for Business calls, send email, and (optionally) to authenticate to Exchange. See [Create and test a device account](create-and-test-a-device-account-surface-hub.md) for details. -After you've created your device account, there are a couple of ways to verify that it's setup correctly. -- Run Surface Hub device account validation PowerShell scripts. For more information, see [Surface Hub device account scripts](https://gallery.technet.microsoft.com/scriptcenter/Surface-Hub-device-account-6db77696) in Script Center, or [PowerShell scripts for Surface Hub](appendix-a-powershell-scripts-for-surface-hub.md) later in this guide. -- Use the account with the [Lync Microsoft Store app](https://www.microsoft.com/en-us/store/p/lync/9wzdncrfhvhm). If Lync signs in successfully, then the device account will most likely work with Skype for Business on Surface Hub. +After you've created your device account, to verify that it's setup correctly, run Surface Hub device account validation PowerShell scripts. For more information, see [Surface Hub device account scripts](https://gallery.technet.microsoft.com/scriptcenter/Surface-Hub-device-account-6db77696) in Script Center, or [PowerShell scripts for Surface Hub](appendix-a-powershell-scripts-for-surface-hub.md) later in this guide. + ## Prepare for first-run program From c8495ea5b4c047076386effceb09835a7f3b8640 Mon Sep 17 00:00:00 2001 From: Maricia Alforque Date: Thu, 10 Aug 2017 17:03:42 +0000 Subject: [PATCH 3/5] Merged PR 2653: AppLocker CSP - added two new SyncML whitelist examples --- .../client-management/mdm/applocker-csp.md | 66 ++++++++++++++++++- ...ew-in-windows-mdm-enrollment-management.md | 6 +- 2 files changed, 69 insertions(+), 3 deletions(-) 
diff --git a/windows/client-management/mdm/applocker-csp.md b/windows/client-management/mdm/applocker-csp.md index 8f7f3dd2f0..7564c89e41 100644 --- a/windows/client-management/mdm/applocker-csp.md +++ b/windows/client-management/mdm/applocker-csp.md @@ -7,7 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 06/19/2017 +ms.date: 08/10/2017 --- # AppLocker CSP 
@@ -791,8 +791,70 @@ The following list shows the apps that may be included in the inbox.   -## Whitelist example +## Whitelist examples +The following example disables the calendar application. + +``` syntax + + + + $CmdID$ + + + ./Vendor/MSFT/PolicyManager/My/ApplicationManagement/ApplicationRestrictions + + + chr + text/plain + + <AppPolicy Version="1" xmlns="http://schemas.microsoft.com/phone/2013/policy"><Deny><App ProductId="{a558feba-85d7-4665-b5d8-a2ff9c19799b}"/></Deny></AppPolicy> + + + + + + +``` + +The following example blocks the usage of the map application. + +``` syntax + + + + $CmdID$ + + + ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/AppLockerPhoneGroup0/StoreApps/Policy + + + chr + + + <RuleCollection Type="Appx" EnforcementMode="Enabled"> + <FilePublisherRule Id="a9e18c21-ff8f-43cf-b9fc-db40eed693ba" Name="(Default Rule) All signed Appx packages" Description="Allows members of the Everyone group to run Appx packages that are signed." UserOrGroupSid="S-1-1-0" Action="Allow"> + <Conditions> + <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*"> + <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" /> + </FilePublisherCondition> + </Conditions> + </FilePublisherRule> + + <FilePublisherRule Id="fd686d83-a829-4351-8ff4-27c7de5755d2" Name="Deny Splash appmaps" Description="Deny members of the local Administrators group to run maps." UserOrGroupSid="S-1-1-0" Action="Deny"> + <Conditions> + <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.WindowsMaps" BinaryName="*" /> + </Conditions> + </FilePublisherRule> + + </RuleCollection> + + + + + + +``` The following example for Windows 10 Mobile denies all apps and allows the following apps: 
diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index 2fe500388f..4c92784d4b 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -10,7 +10,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/04/2017 +ms.date: 08/10/2017 --- # What's new in MDM enrollment and management @@ -1332,6 +1332,10 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
  • 3 – Hides overrides (encrypt, prompt but hide overrides, and audit).
  • + +[AppLocker CSP](applocker-csp.md) +

    Added two new SyncML examples (to disable the calendar app and to block usage of the map app) in [Whitelist examples](applocker-csp.md#whitelist-examples).

    + [Policy CSP](policy-configuration-service-provider.md)

    Added the following new policies for Windows 10, version 1709:

    From 4b867ff7f0b0c73b40498030687261e439f013ce Mon Sep 17 00:00:00 2001 From: Jeanie Decker Date: Thu, 10 Aug 2017 17:44:41 +0000 Subject: [PATCH 4/5] Merged PR 2656: Fix typo in TOC --- windows/application-management/TOC.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/application-management/TOC.md b/windows/application-management/TOC.md index 1a3cdacf44..5c764b532e 100644 --- a/windows/application-management/TOC.md +++ b/windows/application-management/TOC.md @@ -100,5 +100,5 @@ #### [Viewing App-V Server Publishing Metadata](app-v/appv-viewing-appv-server-publishing-metadata.md) #### [Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications](app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md) ## [Service Host process refactoring](svchost-service-refactoring.md) -## [Deploy app updgrades on Windows 10 Mobile](deploy-app-upgrades-windows-10-mobile.md) +## [Deploy app upgrades on Windows 10 Mobile](deploy-app-upgrades-windows-10-mobile.md) ## [Change history for Application management](change-history-for-application-management.md) From 3c976eaa2366d40c778826cfd2ab855f55638928 Mon Sep 17 00:00:00 2001 From: Maricia Alforque Date: Thu, 10 Aug 2017 18:00:57 +0000 Subject: [PATCH 5/5] Merged PR 2657: Policy CSP - added GP path to all AppVirtualization policies added GP path to all AppVirtualization policies --- .../mdm/policy-csp-appvirtualization.md | 28 +++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/windows/client-management/mdm/policy-csp-appvirtualization.md b/windows/client-management/mdm/policy-csp-appvirtualization.md index f3da2fb6fe..4720adffc1 100644 --- a/windows/client-management/mdm/policy-csp-appvirtualization.md +++ b/windows/client-management/mdm/policy-csp-appvirtualization.md 
@@ -60,6 +60,7 @@ This policy setting allows you to enable or disable Microsoft Application Virtua ADMX Info: - GP english name: *Enable App-V Client* - GP name: *EnableAppV* +- GP path: *Administrative Templates/System/App-V* - GP ADMX file name: *appv.admx* @@ -105,6 +106,7 @@ Enables Dynamic Virtualization of supported shell extensions, browser helper obj ADMX Info: - GP english name: *Enable Dynamic Virtualization* - GP name: *Virtualization_JITVEnable* +- GP path: *Administrative Templates/System/App-V/Virtualization* - GP ADMX file name: *appv.admx* @@ -150,6 +152,7 @@ Enables automatic cleanup of appv packages that were added after Windows10 anniv ADMX Info: - GP english name: *Enable automatic cleanup of unused appv packages* - GP name: *PackageManagement_AutoCleanupEnable* +- GP path: *Administrative Templates/System/App-V/PackageManagement* - GP ADMX file name: *appv.admx* @@ -195,6 +198,7 @@ Enables scripts defined in the package manifest of configuration files that shou ADMX Info: - GP english name: *Enable Package Scripts* - GP name: *Scripting_Enable_Package_Scripts* +- GP path: *Administrative Templates/System/App-V/Scripting* - GP ADMX file name: *appv.admx* @@ -240,6 +244,7 @@ Enables a UX to display to the user when a publishing refresh is performed on th ADMX Info: - GP english name: *Enable Publishing Refresh UX* - GP name: *Enable_Publishing_Refresh_UX* +- GP path: *Administrative Templates/System/App-V/Publishing* - GP ADMX file name: *appv.admx* @@ -295,6 +300,7 @@ Data Block Size: This value specifies the maximum size in bytes to transmit to t ADMX Info: - GP english name: *Reporting Server* - GP name: *Reporting_Server_Policy* +- GP path: *Administrative Templates/System/App-V/Reporting* - GP ADMX file name: *appv.admx* 
@@ -340,6 +346,7 @@ Specifies the file paths relative to %userprofile% that do not roam with a user' ADMX Info: - GP english name: *Roaming File Exclusions* - GP name: *Integration_Roaming_File_Exclusions* +- GP path: *Administrative Templates/System/App-V/Integration* - GP ADMX file name: *appv.admx* @@ -385,6 +392,7 @@ Specifies the registry paths that do not roam with a user profile. Example usage ADMX Info: - GP english name: *Roaming Registry Exclusions* - GP name: *Integration_Roaming_Registry_Exclusions* +- GP path: *Administrative Templates/System/App-V/Integration* - GP ADMX file name: *appv.admx* @@ -430,6 +438,7 @@ Specifies how new packages should be loaded automatically by App-V on a specific ADMX Info: - GP english name: *Specify what to load in background (aka AutoLoad)* - GP name: *Steaming_Autoload* +- GP path: *Administrative Templates/System/App-V/Streaming* - GP ADMX file name: *appv.admx* @@ -475,6 +484,7 @@ Migration mode allows the App-V client to modify shortcuts and FTA's for package ADMX Info: - GP english name: *Enable Migration Mode* - GP name: *Client_Coexistence_Enable_Migration_mode* +- GP path: *Administrative Templates/System/App-V/Client Coexistence* - GP ADMX file name: *appv.admx* @@ -520,6 +530,7 @@ Specifies the location where symbolic links are created to the current version o ADMX Info: - GP english name: *Integration Root User* - GP name: *Integration_Root_User* +- GP path: *Administrative Templates/System/App-V/Integration* - GP ADMX file name: *appv.admx* @@ -565,6 +576,7 @@ Specifies the location where symbolic links are created to the current version o ADMX Info: - GP english name: *Integration Root Global* - GP name: *Integration_Root_Global* +- GP path: *Administrative Templates/System/App-V/Integration* - GP ADMX file name: *appv.admx* 
@@ -628,6 +640,7 @@ User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, D ADMX Info: - GP english name: *Publishing Server 1 Settings* - GP name: *Publishing_Server1_Policy* +- GP path: *Administrative Templates/System/App-V/Publishing* - GP ADMX file name: *appv.admx* @@ -691,6 +704,7 @@ User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, D ADMX Info: - GP english name: *Publishing Server 2 Settings* - GP name: *Publishing_Server2_Policy* +- GP path: *Administrative Templates/System/App-V/Publishing* - GP ADMX file name: *appv.admx* @@ -754,6 +768,7 @@ User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, D ADMX Info: - GP english name: *Publishing Server 3 Settings* - GP name: *Publishing_Server3_Policy* +- GP path: *Administrative Templates/System/App-V/Publishing* - GP ADMX file name: *appv.admx* @@ -817,6 +832,7 @@ User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, D ADMX Info: - GP english name: *Publishing Server 4 Settings* - GP name: *Publishing_Server4_Policy* +- GP path: *Administrative Templates/System/App-V/Publishing* - GP ADMX file name: *appv.admx* @@ -880,6 +896,7 @@ User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, D ADMX Info: - GP english name: *Publishing Server 5 Settings* - GP name: *Publishing_Server5_Policy* +- GP path: *Administrative Templates/System/App-V/Publishing* - GP ADMX file name: *appv.admx* @@ -925,6 +942,7 @@ Specifies the path to a valid certificate in the certificate store. ADMX Info: - GP english name: *Certificate Filter For Client SSL* - GP name: *Streaming_Certificate_Filter_For_Client_SSL* +- GP path: *Administrative Templates/System/App-V/Streaming* - GP ADMX file name: *appv.admx* 
@@ -970,6 +988,7 @@ This setting controls whether virtualized applications are launched on Windows 8 ADMX Info: - GP english name: *Allow First Time Application Launches if on a High Cost Windows 8 Metered Connection* - GP name: *Streaming_Allow_High_Cost_Launch* +- GP path: *Administrative Templates/System/App-V/Streaming* - GP ADMX file name: *appv.admx* @@ -1015,6 +1034,7 @@ Specifies the CLSID for a compatible implementation of the IAppvPackageLocationP ADMX Info: - GP english name: *Location Provider* - GP name: *Streaming_Location_Provider* +- GP path: *Administrative Templates/System/App-V/Streaming* - GP ADMX file name: *appv.admx* @@ -1060,6 +1080,7 @@ Specifies directory where all new applications and updates will be installed. ADMX Info: - GP english name: *Package Installation Root* - GP name: *Streaming_Package_Installation_Root* +- GP path: *Administrative Templates/System/App-V/Streaming* - GP ADMX file name: *appv.admx* @@ -1105,6 +1126,7 @@ Overrides source location for downloading package content. ADMX Info: - GP english name: *Package Source Root* - GP name: *Streaming_Package_Source_Root* +- GP path: *Administrative Templates/System/App-V/Streaming* - GP ADMX file name: *appv.admx* @@ -1150,6 +1172,7 @@ Specifies the number of seconds between attempts to reestablish a dropped sessio ADMX Info: - GP english name: *Reestablishment Interval* - GP name: *Streaming_Reestablishment_Interval* +- GP path: *Administrative Templates/System/App-V/Streaming* - GP ADMX file name: *appv.admx* @@ -1195,6 +1218,7 @@ Specifies the number of times to retry a dropped session. ADMX Info: - GP english name: *Reestablishment Retries* - GP name: *Streaming_Reestablishment_Retries* +- GP path: *Administrative Templates/System/App-V/Streaming* - GP ADMX file name: *appv.admx* 
@@ -1240,6 +1264,7 @@ Specifies that streamed package contents will be not be saved to the local hard ADMX Info: - GP english name: *Shared Content Store (SCS) mode* - GP name: *Streaming_Shared_Content_Store_Mode* +- GP path: *Administrative Templates/System/App-V/Streaming* - GP ADMX file name: *appv.admx* @@ -1285,6 +1310,7 @@ If enabled, the App-V client will support BrancheCache compatible HTTP streaming ADMX Info: - GP english name: *Enable Support for BranchCache* - GP name: *Streaming_Support_Branch_Cache* +- GP path: *Administrative Templates/System/App-V/Streaming* - GP ADMX file name: *appv.admx* @@ -1330,6 +1356,7 @@ Verifies Server certificate revocation status before streaming using HTTPS. ADMX Info: - GP english name: *Verify certificate revocation list* - GP name: *Streaming_Verify_Certificate_Revocation_List* +- GP path: *Administrative Templates/System/App-V/Streaming* - GP ADMX file name: *appv.admx* @@ -1375,6 +1402,7 @@ Specifies a list of process paths (may contain wildcards) which are candidates f ADMX Info: - GP english name: *Virtual Component Process Allow List* - GP name: *Virtualization_JITVAllowList* +- GP path: *Administrative Templates/System/App-V/Virtualization* - GP ADMX file name: *appv.admx*
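Review bot: In [PATCH 1/5], the last two hunks of deploy-code-integrity-policies-steps.md (`@@ -116,6 +118,7` and `@@ -184,6 +187,7`) show only a bare `+` with no content, so the only visible changes are the list entry `- SyncAppVPublishingServer.exe` and the credit row. Before merging, confirm that those two added lines put the same file name into the block policy that follows "Microsoft recommends that you block the following Microsoft-signed applications"; otherwise the recommendation list and the sample policy will disagree.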
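Review bot: In [PATCH 2/5], the added sentence in prepare-your-environment-for-surface-hub.md (`@@ -68,9 +68,8`) carries over "it's setup correctly"; the verb is two words, "set up". "run Surface Hub device account validation PowerShell scripts" also reads better with an article ("run the Surface Hub device account validation PowerShell scripts"). The lone `+` that follows adds a second blank line before "## Prepare for first-run program" and can be dropped.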
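Review bot: In [PATCH 3/5], the map example added to applocker-csp.md (`@@ -791,8 +791,70`) describes its deny rule as "Deny members of the local Administrators group to run maps." but sets `UserOrGroupSid="S-1-1-0"`, the same Everyone SID the allow rule above it uses, so the description and the rule's scope disagree; correct whichever one is wrong. The rule name "Deny Splash appmaps" does not say what it blocks, and the deny `FilePublisherCondition` is self-closed with no `BinaryVersionRange`, unlike the allow rule in the same collection. Both new examples deny an app, which sits oddly under the renamed "Whitelist examples" heading, and the calendar example targets `./Vendor/MSFT/PolicyManager/My/ApplicationManagement/ApplicationRestrictions` rather than an AppLocker node; a sentence explaining that would help readers of this page.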
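Review bot: In [PATCH 5/5], every added `- GP path:` line in policy-csp-appvirtualization.md starts at "Administrative Templates/System/App-V" and does not say whether the setting lives under Computer Configuration or User Configuration. State the configuration root in the path, or once per policy, so an administrator can find the setting in the Group Policy editor from this line alone.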