+ > **For the redirect_uri value use**: ```https://localhost:44300/wdatpconnector``` + > +- Get the *wdatp-connector.properties* file from your Windows Defender ATP contact. This file is used to parse the information from Windows Defender ATP to HP ArcSight consumable format. +- Install the HP ArcSight REST FlexConnector package on a server that has access to the Internet. +- Contact the Windows Defender ATP team to get your refresh token or follow the steps in the section "Run restutil to Obtain a Refresh Token for Connector Appliance/ArcSight Management Center" in the ArcSight FlexConnector Developer's guide. + +## Configure HP ArcSight +The following steps assume that you have completed all the required steps in [Before you begin](#before-you-begin). + +1. Copy the *wdatp-connector.jsonparser.properties* file into the `
| Field | +Value | +
|---|---|
| Configuration File | +Type in the name of the client property file. It must match the client property file. | +Events URL | +`https://DataAccess-PRD.trafficmanager.net:444/api/alerts` | +
| Authentication Type | +OAuth 2 | +OAuth 2 Client Properties file | +Select *wdatp-connector.properties*. | +
| Refresh Token | +Paste the refresh token that your Windows Defender ATP contact provided, or run the `restutil` tool to get it. | +
Default value: 1 | Windows Defender ATP Sample sharing is enabled -> **Note** The **Health Status for onboarded machines** policy uses read-only properties and can't be remediated. +> [!NOTE] +> The **Health Status for onboarded machines** policy uses read-only properties and can't be remediated. ### Offboard and monitor endpoints For security reasons, the package used to offboard endpoints will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an endpoint will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name. -> **Note** Onboarding and offboarding policies must not be deployed on the same endpoint at the same time, otherwise this will cause unpredictable collisions. +> [!NOTE] +> Onboarding and offboarding policies must not be deployed on the same endpoint at the same time, otherwise this will cause unpredictable collisions. 1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): @@ -82,7 +85,8 @@ Offboarding | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Offboarding | Health Status for offboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/SenseIsRunning | Boolean | FALSE |Windows Defender ATP service is not running | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OnBoardingState | Integer | 0 | Offboarded from Windows Defender ATP -> **Note** The **Health Status for offboarded machines** policy uses read-only properties and can't be remediated. +> [!NOTE] +> The **Health Status for offboarded machines** policy uses read-only properties and can't be remediated. ## Related topics diff --git a/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md index 3f7fac27dc..1d009b3943 100644 --- a/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md @@ -12,52 +12,81 @@ author: mjcaparas # Configure endpoints using System Center Configuration Manager - **Applies to:** -- Windows 10 Insider Preview Build 14332 or later +- Windows 10 Enterprise +- Windows 10 Enterprise for Education +- Windows 10 Pro +- Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) - -[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] +- System Center 2012 Configuration Manager or later versions ## Configure endpoints using System Center Configuration Manager (current branch) version 1606 -System Center Configuration Manager (current branch) version 1606, currently in technical preview, has UI integrated support for configuring and managing Windows Defender ATP on endpoints. For more information, see the [Support for Windows Defender Advanced Threat Protection service](https://technet.microsoft.com/en-us/library/mt706220.aspx#BKMK_ATP) section. - -> **Note** If you intend to use this deployment tool, ensure that you are on Windows 10 Insider Preview Build 14379 or later. This deployment method is only available from that build or later. +System Center Configuration Manager (current branch) version 1606, has UI integrated support for configuring and managing Windows Defender ATP on endpoints. For more information, see [Support for Windows Defender Advanced Threat Protection service](https://go.microsoft.com/fwlink/p/?linkid=823682). -## Configure endpoints using System Center Configuration Manager (current branch) version 1602 or earlier versions -You can use System Center Configuration Manager’s existing functionality to create a policy to configure your endpoints. This is supported in System Center Configuration Manager (current branch), version 1602 or earlier, including: System Center 2012 R2 Configuration Manager and System Center 2012 Configuration Manager. +## Configure endpoints using System Center Configuration Manager earlier versions +You can use System Center Configuration Manager’s existing functionality to create a policy to configure your endpoints. This is supported in the following System Center Configuration Manager versions: -### Onboard endpoints +- System Center 2012 Configuration Manager +- System Center 2012 R2 Configuration Manager +- System Center Configuration Manager (current branch), version 1511 +- System Center Configuration Manager (current branch), version 1602 + +### Onboard endpoints 1. Open the SCCM configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): a. Click **Endpoint Management** on the **Navigation pane**. - b. Select **System Center Configuration Manager (current branch) version 1602 or earlier**, click **Download package**, and save the .zip file. + b. Select **System Center Configuration Manager 2012/2012 R2/1511/1602**, click **Download package**, and save the .zip file. -2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file called *WindowsDefenderATPOnboardingScript.cmd*. +2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATPOnboardingScript.cmd*. 3. Import the configuration package by following the steps in the [How to Create Packages and Programs in Configuration Manager](https://technet.microsoft.com/en-us/library/gg682112.aspx#BKMK_Import) topic. 4. Deploy the package by following the steps in the [How to Deploy Packages and Programs in Configuration Manager](https://technet.microsoft.com/en-us/library/gg682178.aspx) topic. a. Choose a predefined device collection to deploy the package to. - -### Offboard endpoints + +### Configure sample collection settings +For each endpoint, you can set a configuration value to state whether samples can be collected from the endpoint when a request is made through the Windows Defender ATP portal to submit a file for deep analysis. + +You can set a compliance rule for configuration item in System Center Configuration Manager to change the sample share setting on an endpoint. +This rule should be a *remediating* compliance rule configuration item that sets the value of a registry key on targeted machines to make sure they’re complaint. + +The configuration is set through the following registry key entry: + +```text +Path: “HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection” +Name: "AllowSampleCollection" +Value: 0 or 1 +``` +Where:
+Key type is a D-WORD.
+Possible values are: +- 0 - doesn't allow sample sharing from this endpoint +- 1 - allows sharing of all file types from this endpoint + +The default value in case the registry key doesn’t exist is 1. + +For more information about System Center Configuration Manager Compliance see [Compliance Settings in Configuration Manager](https://technet.microsoft.com/en-us/library/gg681958.aspx). + + +### Offboard endpoints For security reasons, the package used to offboard endpoints will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an endpoint will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name. -> **Note** Onboarding and offboarding policies must not be deployed on the same endpoint at the same time, otherwise this will cause unpredictable collisions. +> [!NOTE] +> Onboarding and offboarding policies must not be deployed on the same endpoint at the same time, otherwise this will cause unpredictable collisions. 1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): - a. Click **Endpoint Management** on the **Navigation pane**. - - b. Under **Endpoint offboarding** section, select **System Center Configuration Manager (current branch) version 1602 or earlier**, click **Download package**, and save the .zip file. - + a. Click **Endpoint Management** on the **Navigation pane**. + + b. Under **Endpoint offboarding** section, select **System Center Configuration Manager System Center Configuration Manager 2012/2012 R2/1511/1602**, click **Download package**, and save the .zip file. + 2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*. 3. Import the configuration package by following the steps in the [How to Create Packages and Programs in Configuration Manager](https://technet.microsoft.com/en-us/library/gg682112.aspx#BKMK_Import) topic. @@ -65,7 +94,7 @@ For security reasons, the package used to offboard endpoints will expire 30 days 4. Deploy the package by following the steps in the [How to Deploy Packages and Programs in Configuration Manager](https://technet.microsoft.com/en-us/library/gg682178.aspx) topic. a. Choose a predefined device collection to deploy the package to. - + ### Monitor endpoint configuration Monitoring with SCCM consists of two parts: @@ -83,12 +112,25 @@ Monitoring with SCCM consists of two parts: 4. Review the status indicators under **Completion Statistics** and **Content Status**. -If there are failed deployments (endpoints with **Error**, **Requirements Not Met**, or **Failed statuses**), you may need to troubleshoot the endpoints. See the [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) topic for more information. +If there are failed deployments (endpoints with **Error**, **Requirements Not Met**, or **Failed statuses**), you may need to troubleshoot the endpoints. For more information see, [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md).  +**Check that the endpoints are compliant with the Windows Defender ATP service:**
+You can set a compliance rule for configuration item in System Center Configuration Manager to monitor your deployment. + +This rule should be a *non-remediating* compliance rule configuration item that monitors the value of a registry key on targeted machines. + +Monitor the following registry key entry: +``` +Path: “HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status” +Name: “OnboardingState” +Value: “1” +``` +For more information about System Center Configuration Manager Compliance see [Compliance Settings in Configuration Manager](https://technet.microsoft.com/en-us/library/gg681958.aspx). + ## Related topics - [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md) - [Configure endpoints using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md) -- [Configure endpoints using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md) -- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) \ No newline at end of file +- [Configure endpoints using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md) +- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/configure-endpoints-script-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-script-windows-defender-advanced-threat-protection.md index 9d4a39eccc..1e740f14b3 100644 --- a/windows/keep-secure/configure-endpoints-script-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-endpoints-script-windows-defender-advanced-threat-protection.md @@ -11,9 +11,18 @@ author: mjcaparas --- # Configure endpoints using a local script + +**Applies to:** + +- Windows 10 Enterprise +- Windows 10 Enterprise for Education +- Windows 10 Pro +- Windows 10 Pro Education +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + You can also manually onboard individual endpoints to Windows Defender ATP. You might want to do this first when testing the service before you commit to onboarding all endpoints in your network. - +## Onboard endpoints 1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): a. Click **Endpoint Management** on the **Navigation pane**. @@ -21,11 +30,11 @@ You can also manually onboard individual endpoints to Windows Defender ATP. You b. Select **Local Script**, click **Download package** and save the .zip file. -2. Extract the contents of the configuration package to a location on the endpoint you want to onboard (for example, the Desktop). You should have a file called *WindowsDefenderATPOnboardingScript.cmd*. +2. Extract the contents of the configuration package to a location on the endpoint you want to onboard (for example, the Desktop). You should have a file named *WindowsDefenderATPOnboardingScript.cmd*. 3. Open an elevated command-line prompt on the endpoint and run the script: - a. Click **Start** and type **cmd**. + a. Go to **Start** and type **cmd**. b. Right-click **Command prompt** and select **Run as administrator**. @@ -35,24 +44,46 @@ You can also manually onboard individual endpoints to Windows Defender ATP. You 5. Press the **Enter** key or click **OK**. -See the [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) topic for details on how you can manually validate that the endpoint is compliant and correctly reports telemetry. +For for information on how you can manually validate that the endpoint is compliant and correctly reports telemetry see, [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md). -## Offboard endpoints using a local script +## Configure sample collection settings +For each endpoint, you can set a configuration value to state whether samples can be collected from the endpoint when a request is made through the Windows Defender ATP portal to submit a file for deep analysis. + +You can manually configure the sample sharing setting on the endpoint by using *regedit* or creating and running a *.reg* file. + +The configuration is set through the following registry key entry: + +```text +Path: “HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection” +Name: "AllowSampleCollection" +Value: 0 or 1 +``` +Where:
+Name type is a D-WORD.
+Possible values are: +- 0 - doesn't allow sample sharing from this endpoint +- 1 - allows sharing of all file types from this endpoint + +The default value in case the registry key doesn’t exist is 1. + + +## Offboard endpoints For security reasons, the package used to offboard endpoints will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an endpoint will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name. -> **Note** Onboarding and offboarding policies must not be deployed on the same endpoint at the same time, otherwise this will cause unpredictable collisions. +> [!NOTE] +> Onboarding and offboarding policies must not be deployed on the same endpoint at the same time, otherwise this will cause unpredictable collisions. 1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): a. Click **Endpoint Management** on the **Navigation pane**. - + b. Under **Endpoint offboarding** section, select **Group Policy**, click **Download package** and save the .zip file. - + 2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the endpoints. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*. 3. Open an elevated command-line prompt on the endpoint and run the script: - a. Click **Start** and type **cmd**. + a. Go to **Start** and type **cmd**. b. Right-click **Command prompt** and select **Run as administrator**. @@ -62,6 +93,18 @@ For security reasons, the package used to offboard endpoints will expire 30 days 5. Press the **Enter** key or click **OK**. +## Monitor endpoint configuration +You can follow the different verification steps in the [Troubleshoot onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) to verify that the script completed successfully and the agent is running. + +Monitoring can also be done directly on the portal, or by using the different deployment tools. + +### Monitor endpoints using the portal +1. Go to the Windows Defender ATP portal. + +2. Click **Machines view**. + +3. Verify that endpoints are appearing. + ## Related topics - [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md index 0028b5478b..bd69be41b4 100644 --- a/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md @@ -1,7 +1,7 @@ --- title: Configure Windows Defender ATP endpoints -description: Use Group Policy or SCCM to deploy the configuration package or do manual registry changes on endpoints so that they are onboarded to the service. -keywords: configure endpoints, endpoint management, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints, sccm, system center configuration manager +description: Configure endpoints so that they are onboarded to the service. +keywords: configure endpoints, endpoint management, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy @@ -14,11 +14,12 @@ author: mjcaparas **Applies to:** -- Windows 10 Insider Preview Build 14332 or later +- Windows 10 Enterprise +- Windows 10 Enterprise for Education +- Windows 10 Pro +- Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] - Endpoints in your organization must be configured so that the Windows Defender ATP service can get telemetry from them. There are various methods and deployment tools that you can use to configure the endpoints in your organization. Windows Defender ATP supports the following deployment tools and methods: diff --git a/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md index 27177d0829..bc045d449a 100644 --- a/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md @@ -1,7 +1,7 @@ --- title: Configure Windows Defender ATP endpoint proxy and Internet connection settings description: Configure the Windows Defender ATP proxy and internet settings to enable communication with the cloud service. -keywords: configure, proxy, internet, internet connectivity, settings, proxy settings, web proxy auto detect, wpad, netsh, winhttp, proxy server +keywords: configure, proxy, internet, internet connectivity, settings, proxy settings, netsh, winhttp, proxy server search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy @@ -15,168 +15,91 @@ author: mjcaparas **Applies to:** -- Windows 10 Insider Preview Build 14332 or later +- Windows 10 Enterprise +- Windows 10 Enterprise for Education +- Windows 10 Pro +- Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] - The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report telemetry and communicate with the Windows Defender ATP service. The embedded Windows Defender ATP sensor runs in system context using the LocalSystem account. The sensor uses Microsoft Windows HTTP Services (WinHTTP) to enable communication with the Windows Defender ATP cloud service. The WinHTTP configuration setting is independent of the Windows Internet (WinINet) internet browsing proxy settings and can only discover a proxy server by using the following discovery methods: -- Configure Web Proxy Auto Detect (WPAD) settings and configure Windows to automatically detect the proxy server +- Configure the proxy server manually using a static proxy -- Configure the proxy server manually using Netsh +## Configure the proxy server manually using a static proxy +Configure a static proxy to allow only Windows Defender ATP sensor to report telemetry and communicate with Windows Defender ATP services if a computer is not be permitted to connect to the Internet. -## Configure Web Proxy Auto Detect (WPAD) settings and proxy server +The static proxy is configurable through Group Policy (GP). The group policy can be found under: **Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure connected user experiences and telemetry**. -Configure WPAD in the environment and configure Windows to automatically detect the proxy server through Policy or the local Windows settings. - -Enable the **Automatically detect settings** option in the Windows Proxy settings so that WinHTTP can use the WPAD feature to locate a proxy server. - -1. Click **Start** and select **Settings**. - -2. Click **Network & Internet**. - -3. Select **Proxy**. - -4. Verify that the **Automatically detect settings** option is set to On. - -  - -5. If the **Use setup script** or **Manual proxy setup** options are enabled then you will need to [configure proxy settings manually by using Netsh](#configure-proxy-server-manually-using-netsh) method for WinHTTP to discover the appropriate proxy settings and connect. - -## Configure the proxy server manually using Netsh - -If **Use setup script** or **Manual proxy setup** settings are configured in the Windows Proxy setting, then endpoints will not be discovered by WinHTTP. -Use Netsh to configure the proxy settings to enable connectivity. - -You can configure the endpoint by using any of these methods: - -- Importing the configured proxy settings to WinHTTP -- Configuring the proxy settings manually to WinHTTP - -After configuring the endpoints, you'll need to verify that the correct proxy settings were applied. - -**Import the configured proxy settings to WinHTTP** - -1. Open an elevated command-line prompt on the endpoint: - - a. Click **Start** and type **cmd**. - - b. Right-click **Command prompt** and select **Run as administrator**. - -2. Enter the following command and press **Enter**: - - ```text - netsh winhttp import proxy source=ie - ``` - An output showing the applied WinHTTP proxy settings is displayed. - - - **Configure the proxy settings manually to WinHTTP** - - 1. Open an elevated command-line prompt on the endpoint: - - a. Click **Start** and type **cmd**. - - b. Right-click **Command prompt** and select **Run as administrator**. - - 2. Enter the following command and press **Enter**: - - ```text - proxy [proxy-server=] ProxyServerName:PortNumber - ``` - Replace *ProxyServerName* with the fully qualified domain name of the proxy server. - - Replace *PortNumber* with the port number that you want to configure the proxy server with. - - An output showing the applied WinHTTP proxy settings is displayed. - - -**Verify that the correct proxy settings were applied** - -1. Open an elevated command-line prompt on the endpoint: - - a. Click **Start** and type **cmd**. - - b. Right-click **Command prompt** and select **Run as administrator**. - -2. Enter the following command and press **Enter**: +The registry key that this policy sets can be found at: +```HKLM\Software\Policies\Microsoft\Windows\DataCollection TelemetryProxyServer``` +The policy and the registry key takes the following string format: +```text +
us.vortex-win.data.microsoft.com
crl.microsoft.com
*.blob.core.windows.net + East US (2)| winatp-gw-eus.microsoft.com
us.vortex-win.data.microsoft.com
crl.microsoft.com
*.blob.core.windows.net + West Europe | winatp-gw-weu.microsoft.com
eu.vortex-win.data.microsoft.com
crl.microsoft.com
*.blob.core.windows.net + North Europe | winatp-gw-neu.microsoft.com
eu.vortex-win.data.microsoft.com
crl.microsoft.com
*.blob.core.windows.net +
+ If a proxy or firewall is blocking anonymous traffic, as Windows Defender ATP sensor is connecting from system context, make sure anonymous traffic is permitted in the above listed URLs. -If a proxy or firewall is blocking anonymous traffic, as Windows Defender ATP sensor is connecting from system context, make sure anonymous traffic is permitted to the above listed URLs. ## Verify client connectivity to Windows Defender ATP service URLs Verify the proxy configuration completed successfully, that WinHTTP can discover and communicate through the proxy server in your environment, and that the proxy server allows traffic to the Windows Defender ATP service URLs. -1. Download the connectivity verification tools to the PC where Windows Defender ATP sensor is running on: +1. Download the [connectivity verification tool](https://go.microsoft.com/fwlink/p/?linkid=823683) to the PC where Windows Defender ATP sensor is running on. - - [Download PsTools Suite](https://technet.microsoft.com/en-us/sysinternals/bb896649) - - [Download PortQry Command Line Port Scanner Version 2.0 utility](https://www.microsoft.com/en-us/download/details.aspx?id=17148) +2. Extract the contents of WDATPConnectivityAnalyzer on the endpoint. -2. Extract the contents of **PsTools** and **PortQry** to a directory on the computer hard drive. +3. Open an elevated command-line: -3. Open an elevated command-line: - - a. Click **Start** and type **cmd**. + a. Go to **Start** and type **cmd**. b. Right-click **Command prompt** and select **Run as administrator**. 4. Enter the following command and press **Enter**: ``` - HardDrivePath\PsExec.exe -s cmd.exe + HardDrivePath\WDATPConnectivityAnalyzer.cmd ``` - Replace *HardDrivePath* with the path where the PsTools Suite was extracted to: -  - -5. Enter the following command and press **Enter**: - + Replace *HardDrivePath* with the path where the WDATPConnectivityAnalyzer tool was downloaded to, for example + ```text + C:\Work\tools\WDATPConnectivityAnalyzer\WDATPConnectivityAnalyzer.cmd ``` - HardDrivePath\portqry.exe -n us.vortex-win.data.microsoft.com -e 443 -p tcp - ``` - Replace *HardDrivePath* with the path where the PortQry utility was extracted to: -  -6. Verify that the output shows that the name is **resolved** and connection status is **listening**. +5. Extract the *WDATPConnectivityAnalyzerResult.zip* file created by tool in the folder used in the *HardDrivePath*. -7. Repeat the same steps for the remaining URLs with the following arguments: +6. Open *WDATPConnectivityAnalyzer.txt* and verify that you have performed the proxy configuration steps to enable server discovery and access to the service URLs.
+The tool checks the connectivity of Windows Defender ATP service URLs that Windows Defender ATP client is configured to interact with. It then prints the results into the *WDATPConnectivityAnalyzer.txt* file for each URL that can potentially be used to communicate with the Windows Defender ATP services. For example: + ```text + Testing URL : https://xxx.microsoft.com/xxx + 1 - Default proxy: Succeeded (200) + 2 - Proxy auto discovery (WPAD): Succeeded (200) + 3 - Proxy disabled: Succeeded (200) + 4 - Named proxy: Doesn't exist + 5 - Command line proxy: Doesn't exist + ``` - - portqry.exe -n eu.vortex-win.data.microsoft.com -e 443 -p tcp - - portqry.exe -n sevillegwcus.microsoft.com -e 443 -p tcp - - portqry.exe -n sevillegweus.microsoft.com -e 443 -p tcp - - portqry.exe -n sevillegwweu.microsoft.com -e 443 -p tcp - - portqry.exe -n sevillegwneu.microsoft.com -e 443 -p tcp - - portqry.exe -n www.microsoft.com -e 80 -p tcp - - portqry.exe -n crl.microsoft.com -e 80 -p tcp +If at least one of the connectivity options returns a (200) status, then the Windows Defender ATP client can communicate with the tested URL properly using this connectivity method.
-8. Verify that each URL shows that the name is **resolved** and the connection status is **listening**. - -If the any of the verification steps indicate a fail, then verify that you have performed the proxy configuration steps to enable server discovery and access to the service URLs. +However, if the connectivity check results indicate a failure, an HTTP error is displayed (see HTTP Status Codes). You can then use the URLs in the table shown in [Enable access to Windows Defender ATP service URLs in the proxy server](#enable-access-to-windows-defender-atp-service-urls-in-the-proxy-server). The URLs you'll use will depend on the region selected during the onboarding procedure. ## Related topics - [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/configure-siem-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-siem-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..9811157abe --- /dev/null +++ b/windows/keep-secure/configure-siem-windows-defender-advanced-threat-protection.md @@ -0,0 +1,43 @@ +--- +title: Configure security information and events management tools +description: Configure supported security information and events management tools to receive and consume alerts. +keywords: configure siem, security information and events management tools, splunk, arcsight +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: mjcaparas +--- + +# Configure security information and events management (SIEM) tools to consume alerts + +**Applies to:** + +- Windows 10 Enterprise +- Windows 10 Enterprise for Education +- Windows 10 Pro +- Windows 10 Pro Education +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +Windows Defender ATP supports security information and events management (SIEM) tools to consume alerts. Windows Defender ATP exposes alerts through an HTTPS endpoint hosted in Azure. The endpoint can be configured to get alerts from your enterprise tenant in Azure Active Directory (AAD) using the OAuth 2.0 authentication protocol for an AAD application that represents the specific SIEM connector installed in your environment. + +Windows Defender ATP currently supports the following SIEM tools: + +- Splunk +- HP ArcSight + +To use either of these supported SIEM tools you'll need to: + +- [Configure an Azure Active Directory application for SIEM integration in your tenant](configure-aad-windows-defender-advanced-threat-protection.md) +- Configure the supported SIEM tool: + - [Configure Splunk to consume alerts](configure-splunk-windows-defender-advanced-threat-protection.md) + - [Configure HP ArcSight to consume alerts](configure-arcsight-windows-defender-advanced-threat-protection.md) + +## In this section + +Topic | Description +:---|:--- +[Configure an Azure Active Directory application](configure-aad-windows-defender-advanced-threat-protection.md)| Learn about configuring an Azure Active Directory application to integrate with supported security information and events management (SIEM) tools. + [Configure Splunk](configure-splunk-windows-defender-advanced-threat-protection.md)| Learn about installing the REST API Modular Input app and other configuration settings to enable Splunk to consume Windows Defender ATP alerts. + [Configure ArcSight](configure-arcsight-windows-defender-advanced-threat-protection.md)| Learn about installing the HP ArcSight REST FlexConnector package and the files you need to configure ArcSight to consume Windows Defender ATP alerts. diff --git a/windows/keep-secure/configure-splunk-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-splunk-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..fc3fe7916f --- /dev/null +++ b/windows/keep-secure/configure-splunk-windows-defender-advanced-threat-protection.md @@ -0,0 +1,110 @@ +--- +title: Configure Splunk to consume Windows Defender ATP alerts +description: Configure Splunk to receive and consume alerts from the Windows Defender ATP portal. +keywords: configure splunk, security information and events management tools, splunk +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: mjcaparas +--- + +# Configure Splunk to consume Windows Defender ATP alerts + +**Applies to:** + +- Windows 10 Enterprise +- Windows 10 Enterprise for Education +- Windows 10 Pro +- Windows 10 Pro Education +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +You'll need to configure Splunk so that it can consume Windows Defender ATP alerts. + +## Before you begin + +- Install the [REST API Modular Input app](https://splunkbase.splunk.com/app/1546/) in Splunk +- Contact the Windows Defender ATP team to get your refresh token +- Get the following information from your Azure Active Directory (AAD) application by selecting the **View Endpoint** on the application configuration page: + - OAuth 2 Token refresh URL + - OAuth 2 Client ID + - OAuth 2 Client secret + +## Configure Splunk + +1. Login in to Splunk. + +2. Click **Search & Reporting**, then **Settings** > **Data inputs**. + +3. Click **REST** under **Local inputs**. +> [!NOTE] +> This input will only appear after you install the [REST API Modular Input app](https://splunkbase.splunk.com/app/1546/). + +4. Click **New**. + +5. Type the following values in the required fields, then click **Save**: +> [!NOTE] +>All other values in the form are optional and can be left blank. + +
| Field | +Value | +
|---|---|
| Endpoint URL | +https://DataAccess-PRD.trafficmanager.net:444/api/alerts | +
| HTTP Method | +GET | +Authentication Type | +oauth2 | +
| OAuth 2 Token Refresh URL | +Value taken from AAD application | +
| OAuth 2 Client ID | +Value taken from AAD application | +
| OAuth 2 Client Secret | +Value taken from AAD application | +
| Response type | +Json | +
| Response Handler | +JSONArrayHandler | +
| Polling Interval | +Number of seconds that Splunk will ping the Windows Defender ATP endpoint. Accepted values are in seconds. | +
| Set sourcetype | +From list | +
| Source type | +\_json | +
+```source="rest://windows atp alerts"|spath|table*``` + + +## Related topics +- [Configure security information and events management (SIEM) tools to consume alerts](configure-siem-windows-defender-advanced-threat-protection.md) +- [Configure Azure Active Directory application for SIEM integration](configure-aad-windows-defender-advanced-threat-protection.md) +- [Configure HP ArcSight to consume alerts](configure-arcsight-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md index c8f96612a3..b0c15689da 100644 --- a/windows/keep-secure/credential-guard.md +++ b/windows/keep-secure/credential-guard.md @@ -12,7 +12,7 @@ author: brianlic-msft **Applies to** - Windows 10 -- Windows Server 2016 Technical Preview +- Windows Server 2016 Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Credential Guard prevents these attacks by protecting NTLM password hashes and Kerberos Ticket Granting Tickets. @@ -290,7 +290,7 @@ Some ways to store credentials are not protected by Credential Guard, including: - Software that manages credentials outside of Windows feature protection - Local accounts and Microsoft Accounts -- Credential Guard does not protect the Active Directory database running on Windows Server 2016 Technical Preview domain controllers. It also does not protect credential input pipelines, such as Windows Server 2016 Technical Preview servers running Remote Desktop Gateway. If you're using a Windows Server 2016 Technical Preview server as a client PC, it will get the same protection as it would be running Windows 10 Enterprise. +- Credential Guard does not protect the Active Directory database running on Windows Server 2016 domain controllers. It also does not protect credential input pipelines, such as Windows Server 2016 servers running Remote Desktop Gateway. If you're using a Windows Server 2016 server as a client PC, it will get the same protection as it would be running Windows 10 Enterprise. - Key loggers - Physical attacks - Does not prevent an attacker with malware on the PC from using the privileges associated with any credential. We recommend using dedicated PCs for high value accounts, such as IT Pros and users with access high value assets in your organization. @@ -328,7 +328,7 @@ Enabling compound authentication also enables Kerberos armoring, which provides ### Deploying machine certificates -If the domain controllers in your organization are running Windows Server 2016 Technical Preview, devices running Windows 10 will automatically enroll a machine certificate when Credential Guard is enabled and the PC is joined to the domain. +If the domain controllers in your organization are running Windows Server 2016, devices running Windows 10 will automatically enroll a machine certificate when Credential Guard is enabled and the PC is joined to the domain. If the domain controllers are running Windows Server 2012 R2, the machine certificates must be provisioned manually on each device. You can do this by creating a certificate template on the domain controller or certificate authority and deploying the machine certificates to each device. The same security procedures used for issuing smart cards to users should be applied to machine certificates. diff --git a/windows/keep-secure/dashboard-windows-defender-advanced-threat-protection.md b/windows/keep-secure/dashboard-windows-defender-advanced-threat-protection.md index 024ddab8e2..e68df885fb 100644 --- a/windows/keep-secure/dashboard-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/dashboard-windows-defender-advanced-threat-protection.md @@ -14,11 +14,12 @@ author: mjcaparas **Applies to:** -- Windows 10 Insider Preview Build 14332 or later +- Windows 10 Enterprise +- Windows 10 Enterprise for Education +- Windows 10 Pro +- Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] - The **Dashboard** displays a snapshot of: - The latest active alerts on your network @@ -40,18 +41,18 @@ You can view the overall number of active ATP alerts from the last 30 days in yo Each group is further sub-categorized into their corresponding alert severity levels. Click the number of alerts inside each alert ring to see a sorted view of that category's queue (**New** or **In progress**). -See the [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md) topic for more information. +For more information see, [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md). -The **Latest ATP alerts** section includes the latest active alerts in your network. Each row includes an alert severity category and a short description of the alert. Click an alert to see its detailed view, or **Alerts queue** at the top of the list to go directly to the Alerts queue. See the [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) and [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md) topics for more information. +The **Latest ATP alerts** section includes the latest active alerts in your network. Each row includes an alert severity category and a short description of the alert. Click an alert to see its detailed view, or **Alerts queue** at the top of the list to go directly to the Alerts queue. For more information see, [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) and [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md). ## Machines at risk This tile shows you a list of machines with the highest number of active alerts. The total number of alerts for each machine is shown in a circle next to the machine name, and then further categorized by severity levels at the far end of the tile (hover over each severity bar to see its label).  -Click the name of the machine to see details about that machine. See the [Investigate Windows Defender ATP alerts](investigate-alerts-windows-defender-advanced-threat-protection.md#investigate-a-machine) topic for more information. +Click the name of the machine to see details about that machine. For more information see, [Investigate Windows Defender ATP alerts](investigate-alerts-windows-defender-advanced-threat-protection.md#investigate-a-machine). -You can also click **Machines view** at the top of the tile to go directly to the **Machines view**, sorted by the number of active alerts. See the [Investigate machines in the Windows Defender Advanced Threat Protection Machines view](investigate-machines-windows-defender-advanced-threat-protection.md) topic for more information. +You can also click **Machines view** at the top of the tile to go directly to the **Machines view**, sorted by the number of active alerts. For more information see, [Investigate machines in the Windows Defender Advanced Threat Protection Machines view](investigate-machines-windows-defender-advanced-threat-protection.md). ## Status The **Status** tile informs you if the service is active and running and the unique number of machines (endpoints) reporting over the past 30 days. @@ -84,7 +85,8 @@ Threats are considered "active" if there is a very high probability that the mal Clicking on any of these categories will navigate to the [Machines view](investigate-machines-windows-defender-advanced-threat-protection.md), filtered by the appropriate category. This lets you see a detailed breakdown of which machines have active malware detections, and how many threats were detected per machine. -> **Note** The **Machines with active malware detections** tile will only appear if your endpoints are using [Windows Defender](https://technet.microsoft.com/en-us/library/mt622091(v=vs.85).aspx) as the default real-time protection antimalware product. +> [!NOTE] +> The **Machines with active malware detections** tile will only appear if your endpoints are using [Windows Defender](https://technet.microsoft.com/en-us/library/mt622091(v=vs.85).aspx) as the default real-time protection antimalware product. ### Related topics - [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/data-storage-privacy-windows-defender-advanced-threat-protection.md b/windows/keep-secure/data-storage-privacy-windows-defender-advanced-threat-protection.md index a5d2bec8ce..4a509cf46a 100644 --- a/windows/keep-secure/data-storage-privacy-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/data-storage-privacy-windows-defender-advanced-threat-protection.md @@ -14,13 +14,15 @@ author: mjcaparas **Applies to:** -- Windows 10 Insider Preview Build 14332 or later +- Windows 10 Enterprise +- Windows 10 Enterprise for Education +- Windows 10 Pro +- Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] - This section covers some of the most frequently asked questions regarding privacy and data handling for Windows Defender ATP. -> **Note** This document covers the information specific to the Windows Defender ATP service. Other data shared and stored by Windows Defender and Windows 10 is covered under the [Microsoft Privacy Statement](https://privacy.microsoft.com/en-us/privacystatement). See the [Windows 10 privacy FAQ for more information](http://windows.microsoft.com/en-au/windows-10/windows-privacy-faq). +> [!NOTE] +> This document explains the data storage and privacy details related to Windows Defender ATP. For more information related to Windows Defender ATP and other products and services like Windows Defender and Windows 10, see [Microsoft Privacy Statement](https://privacy.microsoft.com/en-us/privacystatement). See also [Windows 10 privacy FAQ](http://windows.microsoft.com/en-au/windows-10/windows-privacy-faq) for more information. ## What data does Windows Defender ATP collect? @@ -28,7 +30,7 @@ Microsoft will collect and store information from your configured endpoints in a Information collected includes code file data (such as file names, sizes, and hashes), process data (running processes, hashes), registry data, network connection data (host IPs and ports), and machine details (such as GUIDs, names, and the operating system version). -Microsoft stores this data in a Microsoft Azure security-specific data store, and maintains it in accordance with Microsoft privacy practices and [Microsoft Trust Center policies](https://azure.microsoft.com/en-us/support/trust-center/). +Microsoft stores this data securely in Microsoft Azure and maintains it in accordance with Microsoft privacy practices and [Microsoft Trust Center policies](https://azure.microsoft.com/en-us/support/trust-center/). Microsoft uses this data to: - Proactively identify indicators of attack (IOAs) in your organization @@ -39,10 +41,10 @@ Microsoft does not mine your data for advertising or for any other purpose other ## Do I have the flexibility to select where to store my data? -Data for this new service is stored in Microsoft Azure datacenters in the United States and European Union based on the geolocation properties. Subject to the relevant preview program you may be able to specify your preferred geolocation when you onboard to the service. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations in which your data will reside. Microsoft will not transfer the data from the specified geolocation except in specific circumstances during the preview stage. +When onboarding the service for the first time, you can choose to store your data in Microsoft Azure datacenters in Europe or United States. Once configured, you cannot change the location where your data is stored. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will reside. Microsoft will not transfer the data from the specified geolocation. ## Is my data isolated from other customer data? -Yes. The new cloud service provides appropriate segregation at a number of levels, such as isolation of files, configurations, and telemetry data. Aside from data access authentication, simply keeping different data appropriately segregated provides well-recognized protection. +Yes, your data is isolated through access authentication and logical segregation based on customer identifier. Each customer can only access data collected from its own organization and generic data that Microsoft provides. ## How does Microsoft prevent malicious insider activities and abuse of high privilege roles? @@ -58,18 +60,14 @@ Additionally, Microsoft conducts background verification checks of certain opera No. Customer data is isolated from other customers and is not shared. However, insights on the data resulting from Microsoft processing, and which don’t contain any customer specific data, might be shared with other customers. Each customer can only access data collected from its own organization and generic data that Microsoft provides. ## How long will Microsoft store my data? What is Microsoft’s data retention policy? -Your data privacy is one of Microsoft's key commitments for the cloud. For this service, at contract termination or expiration, your data will be erased from Microsoft’s systems to make it unrecoverable after 90 days (from contract termination or expiration). +**At service onboarding**
+You can choose the data retention policy for your data. This determines how long Window Defender ATP will store your data. There’s a flexibility of choosing in the range of 1 month to six months to meet your company’s regulatory compliance needs. + +**At contract termination or expiration**
+Your data will be kept for a period of at least 90 days, during which it will be available to you. At the end of this period, that data will be erased from Microsoft’s systems to make it unrecoverable, no later than 180 days from contract termination or expiration. + ## Can Microsoft help us maintain regulatory compliance? Microsoft provides customers with detailed information about Microsoft's security and compliance programs, including audit reports and compliance packages, to help customers assess Windows Defender ATP services against their own legal and regulatory requirements. Windows Defender ATP has a roadmap for obtaining national, regional and industry-specific certifications, starting with ISO 27001. The service is designed, implemented, and maintained according to the compliance and privacy principles of ISO 27001, as well as Microsoft’s compliance standards. By providing customers with compliant, independently-verified services, Microsoft makes it easier for customers to achieve compliance for the infrastructure and applications they run, including this new Microsoft cloud service. -## Is there a difference between how Microsoft handles data for the preview programs and for General Availability? -Subject to the preview program you are in, you could be asked to choose to store your data in a datacenter either in Europe or United States. Your data will not be copied or moved outside of the datacenter you choose, except in the following specific circumstance: - -1. You choose Europe as your datacenter, and -2. You [submit a file for deep analysis](investigate-files-windows-defender-advanced-threat-protection.md#submit-files-for-analysis). - -In this circumstance, the submitted file will be sent to the US deep analysis laboratory. The results of the analysis will be stored in the European datacenter, and the file and data will be deleted from the US deep analysis laboratory and datacenter. - -This is a temporary measure as we work to integrate our deep analysis capabilities into the European datacenter. If you have any concerns or questions about submitting files for deep analysis and you are using a European datacenter, or if you’d like to be updated as to when the European deep analysis lab is online, email [winatp@microsoft.com](mailto:winatp@microsoft.com). diff --git a/windows/keep-secure/defender-compatibility-windows-defender-advanced-threat-protection.md b/windows/keep-secure/defender-compatibility-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..2ad4b75d16 --- /dev/null +++ b/windows/keep-secure/defender-compatibility-windows-defender-advanced-threat-protection.md @@ -0,0 +1,32 @@ +--- +title: Windows Defender compatibility +description: Learn about how Windows Defender works with Windows Defender ATP. +keywords: windows defender compatibility, defender, windows defender atp +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: mjcaparas +--- + +# Windows Defender compatibility + +**Applies to:** + +- Windows 10 Enterprise +- Windows 10 Enterprise for Education +- Windows 10 Pro +- Windows 10 Pro Education +- Windows Defender +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +The Windows Defender Advanced Threat Protection agent depends on Windows Defender for some capabilities such as file scanning. + +If an onboarded endpoint is protected by a third-party antimalware client, Windows Defender on that endpoint will enter into passive mode. + +Windows Defender will continue to receive updates, and the *mspeng.exe* process will be listed as a running a service, but it will not perform scans and will not replace the running third-party antimalware client. + +The Windows Defender interface will be disabled, and users on the endpoint will not be able to use Windows Defender to perform on-demand scans or configure most options. + +For more information, see the **Compatibility** section in the [Windows Defender in Windows 10 topic](windows-defender-in-windows-10.md# compatibility-with-windows-defender-advanced-threat-protection). diff --git a/windows/keep-secure/event-error-codes-windows-defender-advanced-threat-protection.md b/windows/keep-secure/event-error-codes-windows-defender-advanced-threat-protection.md index f019d14fdf..3dd165c68a 100644 --- a/windows/keep-secure/event-error-codes-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/event-error-codes-windows-defender-advanced-threat-protection.md @@ -1,7 +1,7 @@ --- title: Review events and errors on endpoints with Event Viewer description: Get descriptions and further troubleshooting steps (if required) for all events reported by the Windows Defender ATP service. -keywords: troubleshoot, event viewer, log summary, failure code, failed, Windows Advanced Threat Protection service, cannot start, broken, can't start +keywords: troubleshoot, event viewer, log summary, failure code, failed, Windows Defender Advanced Threat Protection service, cannot start, broken, can't start search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy @@ -15,16 +15,19 @@ author: iaanw **Applies to:** -- Windows 10 Insider Preview Build 14332 or later +- Event Viewer +- Windows 10 Enterprise +- Windows 10 Enterprise for Education +- Windows 10 Pro +- Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] - You can review event IDs in the [Event Viewer](https://msdn.microsoft.com/en-US/library/aa745633(v=bts.10).aspx) on individual endpoints. For example, if endpoints are not appearing in the **Machines view** list, you might need to look for event IDs on the endpoints. You can then use this table to determine further troubleshooting steps. -> **Note** It can take several days for endpoints to begin reporting to the Windows Defender ATP service. +> [!NOTE] +> It can take several days for endpoints to begin reporting to the Windows Defender ATP service. **Open Event Viewer and find the Windows Defender ATP service event log:** @@ -35,7 +38,8 @@ For example, if endpoints are not appearing in the **Machines view** list, you m a. You can also access the log by expanding **Applications and Services Logs** > **Microsoft** > **Windows** > **SENSE** and click on **Operational**. - > **Note** SENSE is the internal name used to refer to the behavioral sensor that powers Windows Defender ATP. + > [!NOTE] + > SENSE is the internal name used to refer to the behavioral sensor that powers Windows Defender ATP. 3. Events recorded by the service will appear in the log. See the following table for a list of events recorded by the service. @@ -49,39 +53,39 @@ For example, if endpoints are not appearing in the **Machines view** list, you m
+
This URL will match that seen in the Firewall or network activity.
+
The service could not contact the external processing servers at that URL.
Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
@@ -89,72 +93,66 @@ See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defen
-See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
-See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
**During offboarding:** The service failed to clean its configuration during the offboarding. The offboarding process finished but the service keeps running. +
**Offboarding:** Reboot the system.
+See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md).
**During offboarding:** Failed to change the service start type. The offboarding process continues.
-See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
-See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
It may take several hours for the endpoint to appear in the portal.
-See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
+
The service could not contact the external processing servers at that URL.
+
Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
-See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
-See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
It will report to the portal, however the service may not appear as registered in SCCM or the registry.
-See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
-See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
+See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md).
Ensure real-time antimalware protection is running properly.
Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
-See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
@@ -216,24 +215,115 @@ Ensure real-time antimalware protection is running properly.
If the identifier does not persist, the same machine might appear twice in the portal.
Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
-See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
Executable
Windows Installer
Script
DLL| You can use the [AppLocker CSP](http://msdn.microsoft.com/library/windows/hardware/dn920019.aspx) to configure AppLocker policies on any edition of Windows 10. You can only manage AppLocker with Group Policy on devices running Windows 10 Enterprise and Windows Server 2016 Technical Preview. | +| Windows 10| Yes| Yes| Packaged apps
Executable
Windows Installer
Script
DLL| You can use the [AppLocker CSP](http://msdn.microsoft.com/library/windows/hardware/dn920019.aspx) to configure AppLocker policies on any edition of Windows 10. You can only manage AppLocker with Group Policy on devices running Windows 10 Enterprise and Windows Server 2016. | | Windows Server 2012 R2| Yes| Yes| Packaged apps
Executable
Windows Installer
Script
DLL| | | Windows 8.1| Yes| Yes| Packaged apps
Executable
Windows Installer
Script
DLL| Only the Enterprise edition supports AppLocker| | Windows RT 8.1| No| No| N/A|| diff --git a/windows/keep-secure/settings-windows-defender-advanced-threat-protection.md b/windows/keep-secure/settings-windows-defender-advanced-threat-protection.md index 81d0358abb..e45619b0a3 100644 --- a/windows/keep-secure/settings-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/settings-windows-defender-advanced-threat-protection.md @@ -14,11 +14,12 @@ author: DulceMV **Applies to:** -- Windows 10 Insider Preview Build 14332 or later +- Windows 10 Enterprise +- Windows 10 Enterprise for Education +- Windows 10 Pro +- Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] - Use the **Settings** menu  to configure the time zone, suppression rules, and view license information. ## Time zone settings @@ -52,7 +53,7 @@ To set the time zone: 3. The time zone indicator changes to **Timezone:Local**. Click it again to change back to **Timezone:UTC**. ## Suppression rules -The suppression rules control what alerts are suppressed. You can suppress alerts so that certain activities are not flagged as suspicious. See [Suppress alerts](manage-alerts-windows-defender-advanced-threat-protection.md#suppress-alerts). +The suppression rules control what alerts are suppressed. You can suppress alerts so that certain activities are not flagged as suspicious. For more information see, [Suppress alerts](manage-alerts-windows-defender-advanced-threat-protection.md#suppress-alerts). ## License Click the license link in the **Settings** menu to view the license agreement information for Windows Defender ATP. diff --git a/windows/keep-secure/tpm-recommendations.md b/windows/keep-secure/tpm-recommendations.md index 81b6385faf..049685cef2 100644 --- a/windows/keep-secure/tpm-recommendations.md +++ b/windows/keep-secure/tpm-recommendations.md @@ -14,7 +14,7 @@ author: brianlic-msft **Applies to** - Windows 10 - Windows 10 Mobile -- Windows Server 2016 Technical Preview +- Windows Server 2016 - Windows 10 IoT Core (IoT Core) This topic provides recommendations for Trusted Platform Module (TPM) technology for Windows 10. @@ -104,7 +104,7 @@ For end consumers, TPM is behind the scenes but still very relevant for Hello, P - TPM is optional on IoT Core. -### Windows Server 2016 Technical Preview +### Windows Server 2016 - TPM is optional for Windows Server SKUs unless the SKU meets the additional qualification (AQ) criteria for the Host Guardian Services scenario in which case TPM 2.0 is required. diff --git a/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md b/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md index 6cbed263b3..2025b51e99 100644 --- a/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md @@ -7,58 +7,48 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -author: iaanw +author: mjcaparas --- # Troubleshoot Windows Defender Advanced Threat Protection onboarding issues **Applies to:** -- Windows 10 Insider Preview Build 14332 or later +- Windows 10 Enterprise +- Windows 10 Enterprise for Education +- Windows 10 Pro +- Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] +You might need to troubleshoot the Windows Defender ATP onboarding process if you encounter issues. +This page provides detailed steps to troubleshoot onboarding issues that might occur when deploying with one of the deployment tools and common errors that might occur on the endpoints. -You might need to troubleshoot the Windows Defender Advanced Threat Protection onboarding process if you encounter issues. -This page provides detailed steps for troubleshooting endpoints that aren't reporting correctly, and common error codes encountered during onboarding. +If you have completed the endpoint onboarding process and don't see endpoints in the [Machines view](investigate-machines-windows-defender-advanced-threat-protection.md) after an hour, it might indicate an endpoint onboarding or connectivity problem. -## Endpoints are not reporting to the service correctly +## Troubleshoot onboarding when deploying with Group Policy +Deployment with Group Policy is done by running the onboarding script on the endpoints. The Group Policy console does not indicate if the deployment has succeeded or not. -If you have completed the endpoint onboarding process and don't see endpoints in the [Machines view](investigate-machines-windows-defender-advanced-threat-protection.md) after 20 minutes, it might indicate an endpoint onboarding or connectivity problem. +If you have completed the endpoint onboarding process and don't see endpoints in the [Machines view](investigate-machines-windows-defender-advanced-threat-protection.md) after an hour, you can check the output of the script on the endpoints. For more information, see [Troubleshoot onboarding when deploying with a script on the endpoint](#troubleshoot-onboarding-when-deploying-with-a-script-on-the-endpoint). -Go through the following verification topics to address this issue: +If the script completes successfully, see [Troubleshoot onboarding issues on the endpoint](#troubleshoot-onboarding-issues-on-the-endpoint) for additional errors that might occur. -- [Ensure the endpoint is onboarded successfully](#Ensure-that-the-endpoint-is-onboarded-successfully) -- [Ensure the Windows Defender ATP service is enabled](#Ensure-that-the-Windows-Defender-ATP-service-is-enabled) -- [Ensure the telemetry and diagnostics service is enabled](#Ensure-that-telemetry-and-diagnostics-service-is-enabled) -- [Ensure the endpoint has an Internet connection](#Ensure-that-the-Windows-Defender-ATP-endpoint-has-internet-connection) +## Troubleshoot onboarding issues when deploying with System Center Configuration Manager +When onboarding endpoints using the following versions of System Center Configuration Manager: +- System Center 2012 Configuration Manager +- System Center 2012 R2 Configuration Manager +- System Center Configuration Manager (current branch) version 1511 +- System Center Configuration Manager (current branch) version 1602 -### Ensure the endpoint is onboarded successfully -If the endpoints aren't reporting correctly, you might need to check that the Windows Defender ATP service was successfully onboarded onto the endpoint. +Deployment with the above-mentioned versions of System Center Configuration Manager is done by running the onboarding script on the endpoints. You can track the deployment in the Configuration Manager Console. -**Check the onboarding state in Registry**: +If the deployment fails, you can check the output of the script on the endpoints. For more information, see [Troubleshoot onboarding when deploying with a script on the endpoint](#troubleshoot-onboarding-when-deploying-with-a-script-on-the-endpoint). -1. Click **Start**, type **Run**, and press **Enter**. +If the onboarding completed successfully but the endpoints are not showing up in the **Machines view** after an hour, see [Troubleshoot onboarding issues on the endpoint](#troubleshoot-onboarding-issues-on-the-endpoint) for additional errors that might occur. -2. From the **Run** dialog box, type **regedit** and press **Enter**. - -4. In the **Registry Editor** navigate to the Status key under: - - ```text -HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Advanced Threat Protection -``` - -5. Check the **OnboardingState** value is set to **1**. - -  - -If the **OnboardingState** value is not set to **1**, you can use Event Viewer to review errors on the endpoint. - -If you configured your endpoints with a deployment tool that required a script, you can check the event viewer for the onboarding script results. -
-**Check the result of the script**: +## Troubleshoot onboarding when deploying with a script on the endpoint +**Check the result of the script on the endpoint**: 1. Click **Start**, type **Event Viewer**, and press **Enter**. 2. Go to **Windows Logs** > **Application**. @@ -66,25 +56,82 @@ If you configured your endpoints with a deployment tool that required a script, 3. Look for an event from **WDATPOnboarding** event source. If the script fails and the event is an error, you can check the event ID in the following table to help you troubleshoot the issue. -> **Note** The following event IDs are specific to the onboarding script only. +> [!NOTE] +> The following event IDs are specific to the onboarding script only. Event ID | Error Type | Resolution steps :---|:---|:--- -5 | Offboarding data was found but couldn't be deleted | Check the permissions on the registry, specifically ```HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection``` -10 | Onboarding data couldn't be written to registry | Check the permissions on the registry, specifically ```HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat```. Verify that the script was ran as an administrator. -15 | Failed to start SENSE service |Check the service status (```sc query sense``` command). Make sure it's not in an intermediate state (*'Pending_Stopped'*, *'Pending_Running'*) and try to run the script again (with administrator rights). +5 | Offboarding data was found but couldn't be deleted | Check the permissions on the registry, specifically ```HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection```. +10 | Onboarding data couldn't be written to registry | Check the permissions on the registry, specifically
```HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat```.
Verify that the script was ran as an administrator. +15 | Failed to start SENSE service |Check the service status (```sc query sense``` command). Make sure it's not in an intermediate state (*'Pending_Stopped'*, *'Pending_Running'*) and try to run the script again (with administrator rights). +15 | Failed to start SENSE service | If the message of the error is: System error 577 has occurred. You need to enable the Windows Defender ELAM driver, see [Ensure the Windows Defender ELAM driver is enabled](#ensure-the-windows-defender-elam-driver-is-enabled) for instructions. 30 | The script failed to wait for the service to start running | The service could have taken more time to start or has encountered errors while trying to start. For more information on events and errors related to SENSE, see [Review events and errors on endpoints with Event viewer](event-error-codes-windows-defender-advanced-threat-protection.md). -35 | The script failed to find needed onboarding status registry value | When the SENSE service starts for the first time, it writes onboarding status to the registry location ```HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status```. The script failed to find it after several seconds. You can manually test it and check if it's there. For more information on events and errors related to SENSE, see [Review events and errors on endpoints with Event viewer](event-error-codes-windows-defender-advanced-threat-protection.md). -40 | SENSE service onboarding status is not set to **1** | The SENSE service has failed to onboard properly. For more information on events and errors related to SENSE, see [Review events and errors on endpoints with Event viewer](event-error-codes-windows-defender-advanced-threat-protection.md). +35 | The script failed to find needed onboarding status registry value | When the SENSE service starts for the first time, it writes onboarding status to the registry location
```HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status```.
The script failed to find it after several seconds. You can manually test it and check if it's there. For more information on events and errors related to SENSE, see [Review events and errors on endpoints with Event viewer](event-error-codes-windows-defender-advanced-threat-protection.md). +40 | SENSE service onboarding status is not set to **1** | The SENSE service has failed to onboard properly. For more information on events and errors related to SENSE, see [Review events and errors on endpoints with Event viewer](event-error-codes-windows-defender-advanced-threat-protection.md). +65 | Insufficient privileges| Run the script again with administrator privileges. + +## Troubleshoot onboarding issues using Microsoft Intune +You can use Microsoft Intune to check error codes and attempt to troubleshoot the cause of the issue. + +Use the following tables to understand the possible causes of issues while onboarding: + +- Microsoft Intune error codes and OMA-URIs table +- Known issues with non-compliance table +- Mobile Device Management (MDM) event logs table + +If none of the event logs and troubleshooting steps work, download the Local script from the **Endpoint Management** section of the portal, and run it in an elevated command prompt. + +**Microsoft Intune error codes and OMA-URIs**: + +Error Code Hex | Error Code Dec | Error Description | OMA-URI | Possible cause and troubleshooting steps +:---|:---|:---|:---|:--- +0x87D1FDE8 | -2016281112 | Remediation failed | Onboarding
Offboarding | **Possible cause:** Onboarding or offboarding failed on a wrong blob: wrong signature or missing PreviousOrgIds fields.
**Troubleshooting steps:**
Check the event IDs in the [View agent onboarding errors in the endpoint event log](#view-agent-onboarding-errors-in-the-endpoint-event-log) section.
Check the MDM event logs in the following table or follow the instructions in [Diagnose MDM failures in Windows 10](https://msdn.microsoft.com/en-us/library/windows/hardware/mt632120%28v=vs.85%29.aspx). + | | | Onboarding
Offboarding
SampleSharing | **Possible cause:** Windows Defender ATP Policy registry key does not exist or the OMA DM client doesn't have permissions to write to it.
**Troubleshooting steps:** Ensure that the following registry key exists: ```HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection```.
If it doesn't exist, open an elevated command and add the key. + | | | SenseIsRunning
OnboardingState
OrgId | **Possible cause:** An attempt to remediate by read-only property. Onboarding has failed.
**Troubleshooting steps:** Check the troubleshooting steps in [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](#troubleshoot-windows-defender-advanced-threat-protection-onboarding-issues).
Check the MDM event logs in the following table or follow the instructions in [Diagnose MDM failures in Windows 10](https://msdn.microsoft.com/en-us/library/windows/hardware/mt632120%28v=vs.85%29.aspx). + | | | All | **Possible cause:** Attempt to deploy Windows Defender ATP on non-supported SKU/Platform, particularly Holographic SKU.
Currently is supported platforms: Enterprise, Education, and Professional.
Server is not supported. + 0x87D101A9 | -2016345687 |Syncml(425): The requested command failed because the sender does not have adequate access control permissions (ACL) on the recipient. | All | **Possible cause:** Attempt to deploy Windows Defender ATP on non-supported SKU/Platform, particularly Holographic SKU.
Currently is supported platforms: Enterprise, Education, and Professional.
-**Use Event Viewer to identify and adress onboarding errors**: +**Known issues with non-compliance** + +The following table provides information on issues with non-compliance and how you can address the issues. + +Case | Symptoms | Possible cause and troubleshooting steps +:---|:---|:--- +1 | Machine is compliant by SenseIsRunning OMA-URI. But is non-compliant by OrgId, Onboarding and OnboardingState OMA-URIs. | **Possible cause:** Check that user passed OOBE after Windows installation or upgrade. During OOBE onboarding couldn't be completed but SENSE is running already.
**Troubleshooting steps:** Wait for OOBE to complete. +2 | Machine is compliant by OrgId, Onboarding, and OnboardingState OMA-URIs, but is non-compliant by SenseIsRunning OMA-URI. | **Possible cause:** Sense service's startup type is set as "Delayed Start". Sometimes this causes the Microsoft Intune server to report the machine as non-compliant by SenseIsRunning when DM session occurs on system start.
**Troubleshooting steps:** The issue should automatically be fixed within 24 hours. +3 | Machine is non-compliant | **Troubleshooting steps:** Ensure that Onboarding and Offboarding policies are not deployed on the same machine at same time. + +
+**Mobile Device Management (MDM) event logs** + +View the MDM event logs to troubleshoot issues that might arise during onboarding: + +Log name: Microsoft\Windows\DeviceManagement-EnterpriseDiagnostics-Provider + +Channel name: Admin + +ID | Severity | Event description | Troubleshooting steps +:---|:---|:---|:--- +1819 | Error | Windows Defender Advanced Threat Protection CSP: Failed to Set Node's Value. NodeId: (%1), TokenName: (%2), Result: (%3). | Windows Defender ELAM driver needs to be enabled see, [Ensure the Windows Defender ELAM driver is enabled](#ensure-the-windows-defender-elam-driver-is-enabled) for instructions. + +## Troubleshoot onboarding issues on the endpoint +If the deployment tools used does not indicate an error in the onboarding process, but endpoints are still not appearing in the machines view an hour, go through the following verification topics to check if an error occurred with the Windows Defender ATP agent: +- [View agent onboarding errors in the endpoint event log](#view-agent-onboarding-errors-in-the-endpoint-event-log) +- [Ensure the telemetry and diagnostics service is enabled](#ensure-the-telemetry-and-diagnostics-service-is-enabled) +- [Ensure the service is set to start](#ensure-the-service-is-set-to-start) +- [Ensure the endpoint has an Internet connection](#ensure-the-endpoint-has-an-internet-connection) +- [Ensure the Windows Defender ELAM driver is enabled](#ensure-the-windows-defender-elam-driver-is-enabled) + + +### View agent onboarding errors in the endpoint event log 1. Click **Start**, type **Event Viewer**, and press **Enter**. 2. In the **Event Viewer (Local)** pane, expand **Applications and Services Logs** > **Microsoft** > **Windows** > **SENSE**. - > **Note** SENSE is the internal name used to refer to the behavioral sensor that powers Windows Defender ATP. + > [!NOTE] + > SENSE is the internal name used to refer to the behavioral sensor that powers Windows Defender ATP. 3. Select **Operational** to load the log. @@ -98,101 +145,16 @@ Event ID | Error Type | Resolution steps Event ID | Message | Resolution steps :---|:---|:--- -5 | Windows Advanced Threat Protection service failed to connect to the server at _variable_ | [Ensure the endpoint has Internet access](#ensure-the-endpoint-has-an-internet-connection). -6 | Windows Advanced Threat Protection service is not onboarded and no onboarding parameters were found. Failure code: _variable_ | [Run the onboarding script again](configure-endpoints-windows-defender-advanced-threat-protection.md#manual). -7 | Windows Advanced Threat Protection service failed to read the onboarding parameters. Failure code: _variable_ | [Ensure the endpoint has Internet access](#ensure-the-endpoint-has-an-internet-connection), then run the entire onboarding process again. -15 | Windows Advanced Threat Protection cannot start command channel with URL: _variable_ | [Ensure the endpoint has Internet access](#ensure-the-endpoint-has-an-internet-connection). +5 | Windows Defender Advanced Threat Protection service failed to connect to the server at _variable_ | [Ensure the endpoint has Internet access](#ensure-the-endpoint-has-an-internet-connection). +6 | Windows Defender Advanced Threat Protection service is not onboarded and no onboarding parameters were found. Failure code: _variable_ | [Run the onboarding script again](configure-endpoints-windows-defender-advanced-threat-protection.md#manual). +7 | Windows Defender Advanced Threat Protection service failed to read the onboarding parameters. Failure code: _variable_ | [Ensure the endpoint has Internet access](#ensure-the-endpoint-has-an-internet-connection), then run the entire onboarding process again. +15 | Windows Defender Advanced Threat Protection cannot start command channel with URL: _variable_ | [Ensure the endpoint has Internet access](#ensure-the-endpoint-has-an-internet-connection). 25 | Windows Defender Advanced Threat Protection service failed to reset health status in the registry. Failure code: _variable_ | Contact support. - - -### Ensure the Windows Defender ATP service is enabled -If the endpoints aren't reporting correctly, you might need to check that the Windows Defender ATP service is set to automatically start and is running on the endpoint. - -You can use the SC command line program for checking and managing the startup type and running state of the service. - -**Check the Windows Defender ATP service startup type from the command line:** - -1. Open an elevated command-line prompt on the endpoint: - - a. Click **Start**, type **cmd**, and press **Enter**. - - b. Right-click **Command prompt** and select **Run as administrator**. - -2. Enter the following command, and press **Enter**: - - ```text - sc qc sense - ``` - -If the the service is running, then the result should look like the following screenshot: - -  - -If the service ```START_TYPE``` is not set to ```AUTO_START```, then you'll need to set the service to automatically start. - -**Change the Windows Defender ATP service startup type from the command line:** - -1. Open an elevated command-line prompt on the endpoint: - - a. Click **Start**, type **cmd**, and press **Enter**. - - b. Right-click **Command prompt** and select **Run as administrator**. - -2. Enter the following command, and press **Enter**: - - ```text - sc config sense start=auto - ``` - -3. A success message is displayed. Verify the change by entering the following command and press **Enter**: - - ```text - sc qc sense - ``` - -**Check the Windows Defender ATP service is running from the command line:** - -1. Open an elevated command-line prompt on the endpoint: - - a. Click **Start**, type **cmd**, and press **Enter**. - - b. Right-click **Command prompt** and select **Run as administrator**. - -2. Enter the following command, and press **Enter**: - - ```text - sc query sense - ``` - -If the service is running, the result should look like the following screenshot: - - - -If the service **STATE** is not set to **RUNNING**, then you'll need to start it. - -**Start the Windows Defender ATP service from the command line:** - -1. Open an elevated command-line prompt on the endpoint: - - a. Click **Start**, type **cmd**, and press **Enter**. - - b. Right-click **Command prompt** and select **Run as administrator**. - -2. Enter the following command, and press **Enter**: - - ```text - sc start sense - ``` - -3. A success message is displayed. Verify the change by entering the following command and press **Enter**: - - ```text - sc qc sense - ``` +
+There are additional components on the endpoint that the Windows Defender ATP agent depends on to function properly. If there are no onboarding related errors in the Windows Defender ATP agent event log, proceed with the following steps to ensure that the additional components are configured correctly. ### Ensure the telemetry and diagnostics service is enabled -If the endpoints aren't reporting correctly, you might need to check that the Windows 10 telemetry and diagnostics service is set to automatically start and is running on the endpoint. The service may have been disabled by other programs or user configuration changes. - +If the endpoints aren't reporting correctly, you might need to check that the Windows 10 telemetry and diagnostics service is set to automatically start and is running on the endpoint. The service might have been disabled by other programs or user configuration changes. First, you should check that the service is set to start automatically when Windows starts, then you should check that the service is currently running (and start it if it isn't). @@ -212,12 +174,11 @@ First, you should check that the service is set to start automatically when Wind sc qc diagtrack ``` -If the service is enabled, then the result should look like the following screenshot: + If the service is enabled, then the result should look like the following screenshot: - - -If the ```START_TYPE``` is not set to ```AUTO_START```, then you'll need to set the service to automatically start. +  + If the `START_TYPE` is not set to `AUTO_START`, then you'll need to set the service to automatically start. **Use the command line to set the Windows 10 telemetry and diagnostics service to automatically start:** @@ -240,109 +201,13 @@ If the ```START_TYPE``` is not set to ```AUTO_START```, then you'll need to set sc qc diagtrack ``` -**Use the Windows Services console to check the Windows 10 telemetry and diagnostics service startup type**: +4. Start the service. -1. Open the services console: - - a. Click **Start** and type **services**. - - b. Press **Enter** to open the console. - -2. Scroll through the list of services until you find **Connected User Experiences and Telemetry**. - -3. Check the **Startup type** column - the service should be set as **Automatic**. - -If the startup type is not set to **Automatic**, you'll need to change it so the service starts when the endpoint does. - - -**Use the Windows Services console to set the Windows 10 telemetry and diagnostics service to automatically start:** - -1. Open the services console: - - a. Click **Start** and type **services**. - - b. Press **Enter** to open the console. - -2. Scroll through the list of services until you find **Connected User Experiences and Telemetry**. - -3. Right-click on the entry and click **Properties**. - -4. On the **General** tab, change the **Startup type:** to **Automatic**, as shown in the following image. Click OK. - -  - -### Ensure the service is running - -**Use the command line to check the Windows 10 telemetry and diagnostics service is running**: - -1. Open an elevated command-line prompt on the endpoint: - - a. **Click **Start** and type **cmd**.** - - b. Right-click **Command prompt** and select **Run as administrator**. - -2. Enter the following command, and press **Enter**: - - ```text - sc query diagtrack - ``` - -If the service is running, the result should look like the following screenshot: - - - -If the service **STATE** is not set to **RUNNING**, then you'll need to start it. - - -**Use the command line to start the Windows 10 telemetry and diagnostics service:** - -1. Open an elevated command-line prompt on the endpoint: - - a. **Click **Start** and type **cmd**.** - - b. Right-click **Command prompt** and select **Run as administrator**. - -2. Enter the following command, and press **Enter**: - - ```text - sc start diagtrack - ``` - -3. A success message is displayed. Verify the change by entering the following command, and press **Enter**: - - ```text - sc query diagtrack - ``` - -**Use the Windows Services console to check the Windows 10 telemetry and diagnostics service is running**: - -1. Open the services console: - - a. Click **Start** and type **services**. - - b. Press **Enter** to open the console. - -2. Scroll through the list of services until you find **Connected User Experiences and Telemetry**. - -3. Check the **Status** column - the service should be marked as **Running**. - -If the service is not running, you'll need to start it. - - -**Use the Windows Services console to start the Windows 10 telemetry and diagnostics service:** - -1. Open the services console: - - a. Click **Start** and type **services**. - - b. Press **Enter** to open the console. - -2. Scroll through the list of services until you find **Connected User Experiences and Telemetry**. - -3. Right-click on the entry and click **Start**, as shown in the following image. - - + a. In the command prompt, type the following command and press **Enter**: + ```text + sc start diagtrack + ``` ### Ensure the endpoint has an Internet connection @@ -352,90 +217,103 @@ WinHTTP is independent of the Internet browsing proxy settings and other user co To ensure that sensor has service connectivity, follow the steps described in the [Verify client connectivity to Windows Defender ATP service URLs](configure-proxy-internet-windows-defender-advanced-threat-protection.md#verify-client-connectivity-to-windows-defender-atp-service-urls) topic. -If the verification fails and your environment is using a proxy to connect to the Internet, then follow the steps described in [Configure proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) topic. +If the verification fails and your environment is using a proxy to connect to the Internet, then follow the steps described in [Configure proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) topic. -## Troubleshoot onboarding issues using Microsoft Intune -You can use Microsoft Intune to check error codes and attempt to troubleshoot the cause of the issue. +### Ensure the Windows Defender ELAM driver is enabled +If your endpoints are running a third-party antimalware client, the Windows Defender ATP agent needs the Windows Defender Early Launch Antimalware (ELAM) driver to be enabled. -Use the following tables to understand the possible causes of issues while onboarding: +**Check the ELAM driver status:** -- Microsoft Intune error codes and OMA-URIs table -- Known issues with non-compliance table -- Mobile Device Management (MDM) event logs table +1. Open a command-line prompt on the endpoint: -If none of the event logs and troubleshooting steps work, download the Local script from the **Endpoint Management** section of the portal, and run it in an elevated command prompt. + a. Click **Start**, type **cmd**, and select **Command prompt**. -**Microsoft Intune error codes and OMA-URIs**: +2. Enter the following command, and press Enter: + ``` + sc qc WdBoot + ``` + If the ELAM driver is enabled, the output will be: -Error Code Hex | Error Code Dec | Error Description | OMA-URI | Possible cause and troubleshooting steps -:---|:---|:---|:---|:--- -0x87D1FDE8 | -2016281112 | Remediation failed | Onboarding
Offboarding | **Possible cause:** Onboarding or offboarding failed on a wrong blob: wrong signature or missing PreviousOrgIds fields.
**Troubleshooting steps:**
Check the event IDs in the [Ensure the endpoint is onboarded successfully](#ensure-the-endpoint-is-onboarded-successfully) section.
Check the MDM event logs in the following table or follow the instructions in [Diagnose MDM failures in Windows 10](https://msdn.microsoft.com/en-us/library/windows/hardware/mt632120%28v=vs.85%29.aspx). - | | | Onboarding
Offboarding
SampleSharing | **Possible cause:** Windows Defender ATP Policy registry key does not exist or the OMA DM client doesn't have permissions to write to it.
**Troubleshooting steps:** Ensure that the following registry key exists: ```HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection```.
If it doesn't exist, open an elevated command and add the key. - | | | SenseIsRunning
OnboardingState
OrgId | **Possible cause:** An attempt to remediate by read-only property. Onboarding has failed.
**Troubleshooting steps:** Check the troubleshooting steps in [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](#troubleshoot-windows-defender-advanced-threat-protection-onboarding-issues).
Check the MDM event logs in the following table or follow the instructions in [Diagnose MDM failures in Windows 10](https://msdn.microsoft.com/en-us/library/windows/hardware/mt632120%28v=vs.85%29.aspx). - | | | All | **Possible cause:** Attempt to deploy Windows Defender ATP on non-supported SKU/Platform, particularly Holographic SKU.
Currently is supported platforms: Enterprise, Education, and Professional.
Server is not supported. - 0x87D101A9 | -2016345687 |Syncml(425): The requested command failed because the sender does not have adequate access control permissions (ACL) on the recipient. | All | **Possible cause:** Attempt to deploy Windows Defender ATP on non-supported SKU/Platform, particularly Holographic SKU.
Currently is supported platforms: Enterprise, Education, and Professional. + ``` + [SC] QueryServiceConfig SUCCESS -
-**Known issues with non-compliance** + SERVICE_NAME: WdBoot + TYPE : 1 KERNEL_DRIVER + START_TYPE : 0 BOOT_START + ERROR_CONTROL : 1 NORMAL + BINARY_PATH_NAME : \SystemRoot\system32\drivers\WdBoot.sys + LOAD_ORDER_GROUP : Early-Launch + TAG : 0 + DISPLAY_NAME : Windows Defender Boot Driver + DEPENDENCIES : + SERVICE_START_NAME : + ``` + If the ELAM driver is disabled the output will be: + ``` + [SC] QueryServiceConfig SUCCESS -The following table provides information on issues with non-compliance and how you can address the issues. + SERVICE_NAME: WdBoot + TYPE : 1 KERNEL_DRIVER + START_TYPE : 0 DEMAND_START + ERROR_CONTROL : 1 NORMAL + BINARY_PATH_NAME : \SystemRoot\system32\drivers\WdBoot.sys + LOAD_ORDER_GROUP : _Early-Launch + TAG : 0 + DISPLAY_NAME : Windows Defender Boot Driver + DEPENDENCIES : + SERVICE_START_NAME : + ``` -Case | Symptoms | Possible cause and troubleshooting steps -:---|:---|:--- -1 | Machine is compliant by SenseIsRunning OMA-URI. But is non-compliant by OrgId, Onboarding and OnboardingState OMA-URIs. | **Possible cause:** Check that user passed OOBE after Windows installation or upgrade. During OOBE onboarding couldn't be completed but SENSE is running already.
**Troubleshooting steps:** Wait for OOBE to complete. -2 | Machine is compliant by OrgId, Onboarding, and OnboardingState OMA-URIs, but is non-compliant by SenseIsRunning OMA-URI. | **Possible cause:** Sense service's startup type is set as "Delayed Start". Sometimes this causes the Microsoft Intune server to report the machine as non-compliant by SenseIsRunning when DM session occurs on system start.
**Troubleshooting steps:** The issue should automatically be fixed within 24 hours. -3 | Machine is non-compliant | **Troubleshooting steps:** Ensure that Onboarding and Offboarding policies are not deployed on the same machine at same time. +#### Enable the ELAM driver -
-**Mobile Device Management (MDM) event logs** +1. Open an elevated PowerShell console on the endpoint: -View the MDM event logs to troubleshoot issues that might arise during onboarding: + a. Click **Start**, type **powershell**. -Log name: Microsoft\Windows\DeviceManagement-EnterpriseDiagnostics-Provider + b. Right-click **Command prompt** and select **Run as administrator**. -Channel name: Admin +2. Run the following PowerShell cmdlet: -ID | Severity | Event description | Description -:---|:---|:---|:--- -1801 | Error | Windows Defender Advanced Threat Protection CSP: Failed to Get Node's Value. NodeId: (%1), TokenName: (%2), Result: (%3) | Windows Defender ATP has failed to get specific node's value.
TokenName: Contains node name that caused the error.
Result: Error details. -1802 | Information | Windows Defender Advanced Threat Protection CSP: Get Node's Value complete. NodeId: (%1), TokenName: (%2), Result: (%3) | Windows Defender ATP has completed to get specific node's value.
TokenName: Contains node name
Result: Error details or succeeded. -1819 | Error | Windows Defender Advanced Threat Protection CSP: Failed to Set Node's Value. NodeId: (%1), TokenName: (%2), Result: (%3). | Windows Defender ATP has completed to get specific node's value.
TokenName: Contains node name that caused the error
Result: Error details. -1820 | Information | Windows Defender Advanced Threat Protection CSP: Set Nod's Value complete. NodeId: (%1), TokenName: (%2), Result: (%3). | Windows Defender ATP has completed to get specific node's value.
TokenName: Contains node name
Result: Error details or succeeded. + ```text + 'Set-ExecutionPolicy -ExecutionPolicy Bypass’ + ``` +3. Run the following PowerShell script: + + ```text + Add-Type @' + using System; + using System.IO; + using System.Runtime.InteropServices; + using Microsoft.Win32.SafeHandles; + using System.ComponentModel; + + public static class Elam{ + [DllImport("Kernel32", CharSet=CharSet.Auto, SetLastError=true)] + public static extern bool InstallELAMCertificateInfo(SafeFileHandle handle); + + public static void InstallWdBoot(string path) + { + Console.Out.WriteLine("About to call create file on {0}", path); + var stream = File.Open(path, FileMode.Open, FileAccess.Read, FileShare.Read); + var handle = stream.SafeFileHandle; + + Console.Out.WriteLine("About to call InstallELAMCertificateInfo on handle {0}", handle.DangerousGetHandle()); + if (!InstallELAMCertificateInfo(handle)) + { + Console.Out.WriteLine("Call failed."); + throw new Win32Exception(Marshal.GetLastWin32Error()); + } + Console.Out.WriteLine("Call successful."); + } + } + '@ + + $driverPath = $env:SystemRoot + "\System32\Drivers\WdBoot.sys" + [Elam]::InstallWdBoot($driverPath) + ``` - ## Related topics - [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) - [Configure endpoint proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) - diff --git a/windows/keep-secure/troubleshoot-windows-defender-advanced-threat-protection.md b/windows/keep-secure/troubleshoot-windows-defender-advanced-threat-protection.md index 8340e9dcc0..5ed6bf4bc5 100644 --- a/windows/keep-secure/troubleshoot-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/troubleshoot-windows-defender-advanced-threat-protection.md @@ -13,11 +13,12 @@ author: mjcaparas **Applies to:** -- Windows 10 Insider Preview Build 14332 or later +- Windows 10 Enterprise +- Windows 10 Enterprise for Education +- Windows 10 Pro +- Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] - This section addresses issues that might arise as you use the Windows Defender Advanced Threat service. ### Server error - Access is denied due to invalid credentials @@ -39,9 +40,11 @@ U.S. region: - sevillefeedback-prd.trafficmanager.net - sevillesettings-prd.trafficmanager.net - threatintel-cus-prd.cloudapp.net -- threatintel-eus-prd.cloudapp.net - - +- threatintel-eus-prd.cloudapp.net +- winatpauthorization.windows.com +- winatpfeedback.windows.com +- winatpmanagement.windows.com +- winatponboarding.windows.com EU region: @@ -52,7 +55,10 @@ EU region: - sevillesettings-prd.trafficmanager.net - threatintel-neu-prd.cloudapp.net - threatintel-weu-prd.cloudapp.net - +- winatpauthorization.windows.com +- winatpfeedback.windows.com +- winatpmanagement.windows.com +- winatponboarding.windows.com ### Windows Defender ATP service shows event or error logs in the Event Viewer diff --git a/windows/keep-secure/use-windows-defender-advanced-threat-protection.md b/windows/keep-secure/use-windows-defender-advanced-threat-protection.md index 717abdaec8..cadbd4c872 100644 --- a/windows/keep-secure/use-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/use-windows-defender-advanced-threat-protection.md @@ -14,11 +14,12 @@ author: mjcaparas **Applies to:** -- Windows 10 Insider Preview Build 14332 or later +- Windows 10 Enterprise +- Windows 10 Enterprise for Education +- Windows 10 Pro +- Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] - A typical security breach investigation requires a member of a security operations team to: 1. View an alert on the **Dashboard** or **Alerts queue** @@ -41,6 +42,6 @@ Topic | Description [Investigate alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)| Investigate alerts in Windows Defender ATP which might indicate possible security breaches on endpoints in your organization. [Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md) | The **Machines view** shows a list of the machines in your network, the corresponding number of active alerts for each machine categorized by alert severity levels, as well as the number of threats. [Investigate files](investigate-files-windows-defender-advanced-threat-protection.md) | Investigate the details of a file associated with a specific alert, behavior, or event to help determine if the file exhibits malicious activities, identify the attack motivation, and understand the potential scope of the breach. -[Investigate an IP address](investigate-ip-windows-defender-advanced-threat-protection.md) | Examine possible communication between your machines and external internet protocol (IP) addresses. +[Investigate an IP address](investigate-ip-windows-defender-advanced-threat-protection.md) | Examine possible communication between your machines and external Internet protocol (IP) addresses. [Investigate a domain](investigate-domain-windows-defender-advanced-threat-protection.md) | Investigate a domain to see if machines and servers in your enterprise network have been communicating with a known malicious domain. [Manage alerts](manage-alerts-windows-defender-advanced-threat-protection.md) | The **Manage Alert** menu on every alert lets you change an alert's status, resolve it, suppress it, or contribute comments about the alert. diff --git a/windows/keep-secure/windows-10-mobile-security-guide.md b/windows/keep-secure/windows-10-mobile-security-guide.md index 16389caf95..0cb9c52700 100644 --- a/windows/keep-secure/windows-10-mobile-security-guide.md +++ b/windows/keep-secure/windows-10-mobile-security-guide.md @@ -166,7 +166,7 @@ Table 2. Windows 10 cryptography policies -For a complete list of policies available, see [Policy CSP](http://go.microsoft.com/fwlink/p/?LinkId=733963). +For a complete list of policies available, see [Policy CSP](https://technet.microsoft.com/library/dn904962.aspx). ### Enterprise data protection @@ -174,7 +174,7 @@ Enterprises have seen huge growth in the convergence of personal and corporate d One growing risk is authorized users’ accidental disclosure of sensitive data—a risk that is rapidly becoming the biggest source of confidential data leakage as organizations allow personal devices to access corporate resources. One example is common among organizations: an employee connects his or her personal phone to the company’s Microsoft Exchange Server instance for email. He or she uses the phone to work on email that includes attachments with sensitive data. When sending the email, the user accidentally copies a supplier. Content protection is only as strong as the weakest link, and in this example, the unintended sharing of sensitive data with unauthorized people might not have been prevented with standard data encryption. -In Windows 10 Mobile, enterprise data protection (EDP) helps separate personal and enterprise data and prevent data leakage. Key features include its ability to: +In Windows 10 Mobile, Windows Information Protection (WIP) helps separate personal and enterprise data and prevent data leakage. Key features include its ability to: - Automatically tag personal and corporate data. - Protect data while it’s at rest on local or removable storage. @@ -182,21 +182,21 @@ In Windows 10 Mobile, enterprise data protection (EDP) helps separate personal - Control which apps can access a virtual private network (VPN) connection. - Prevent users from copying corporate data to public locations. -> **Note:** EDP is currently being tested in select customer evaluation programs. For more information about EDP, see [Enterprise data protection overview](../whats-new/edp-whats-new-overview.md). +> **Note:** WIP is currently being tested in select customer evaluation programs. For more information about WIP, see [Protect your enterprise data using Windows Information Protection (WIP)](https://technet.microsoft.com/itpro/windows/keep-secure/protect-enterprise-data-using-wip). ### Enlightenment -Third-party data loss protection solutions usually require developers to wrap their apps. In contrast, EDP puts the intelligence in Windows 10 Mobile so that it doesn’t require wrappers. As a result, most apps require nothing extra to work with EDP. +Third-party data loss protection solutions usually require developers to wrap their apps. In contrast, WIP puts the intelligence in Windows 10 Mobile so that it doesn’t require wrappers. As a result, most apps require nothing extra to work with WIP. -EDP can enforce policy without the need for an app to change. This means that an app that always handles business data (such as an LOB app) can be added to the allowed list and will always encrypt all data that it handles. However, if the app does not use common controls, cut and paste operations from this app to a non-enterprise app will silently fail. In addition, if the app needs to handle personal data, this data will also be encrypted. -Therefore, to improve the user experience, in some cases, developers should enlighten their apps by adding code to and compiling them to use the EDP application programming interfaces. Those cases include apps that: +WIP can enforce policy without the need for an app to change. This means that an app that always handles business data (such as an LOB app) can be added to the allowed list and will always encrypt all data that it handles. However, if the app does not use common controls, cut and paste operations from this app to a non-enterprise app will silently fail. In addition, if the app needs to handle personal data, this data will also be encrypted. +Therefore, to improve the user experience, in some cases, developers should enlighten their apps by adding code to and compiling them to use the WIP application programming interfaces. Those cases include apps that: - Don’t use common controls for saving files. - Don’t use common controls for text boxes. - Work on personal and enterprise data simultaneously (for example, contact apps that display personal and enterprise data in a single view; a browser that displays personal and enterprise web pages on tabs within a single instance). -Figure 1 summarizes when an app might require enlightenment to work with EDP. Microsoft Word is a good example. Not only can Word access personal and enterprise data simultaneously, but it can also transmit enterprise data (for example, email attachments containing enterprise data). +Figure 1 summarizes when an app might require enlightenment to work with WIP. Microsoft Word is a good example. Not only can Word access personal and enterprise data simultaneously, but it can also transmit enterprise data (for example, email attachments containing enterprise data). -In any case, most apps don’t require enlightenment for them to use EDP protection. Simply adding them to the EDP allow list is all you must do. Because unenlightened apps cannot automatically tag data as personal or enterprise, if they are in an EDP policy, they treat all data as enterprise data. An LOB app is a good example. Adding an LOB app to an EDP policy protects all data that the app handles. Another example is a legacy app that cannot be updated, which you can add to an EDP policy and use without even being aware that EDP exists. +In any case, most apps don’t require enlightenment for them to use WIP protection. Simply adding them to the WIP allow list is all you must do. Because unenlightened apps cannot automatically tag data as personal or enterprise, if they are in a WIP policy, they treat all data as enterprise data. An LOB app is a good example. Adding an LOB app to a WIP policy protects all data that the app handles. Another example is a legacy app that cannot be updated, which you can add to a WIP policy and use without even being aware that WIP exists.  @@ -204,32 +204,32 @@ Figure 1. When is enlightenment required? ### Data leakage control -To configure EDP in an MDM solution that supports it, add authorized apps to the EDP allow list. When a device running Windows 10 Mobile enrolls in the MDM solution, apps that this policy doesn’t authorize won’t have access to enterprise data. +To configure WIP in an MDM solution that supports it, add authorized apps to the WIP allow list. When a device running Windows 10 Mobile enrolls in the MDM solution, apps that this policy doesn’t authorize won’t have access to enterprise data. -EDP works seamlessly until users try to access enterprise data with or try to paste enterprise data into unauthorized apps or locations on the web. For example, copying enterprise data from an authorized app to another authorized app works as usual, but EDP blocks users from copying enterprise data from an authorized app to an unauthorized app. Likewise, EDP blocks users from using an unauthorized app to open a file that contains enterprise data. -In addition, users cannot copy and paste data from authorized apps to unauthorized apps or locations on the Web without triggering one of the EDP protection levels: -- **Block.** EDP blocks users from completing the operation. -- **Override.** EDP notifies users that the operation is inappropriate but allows them to override the policy, although it logs the operation in the audit log. -- **Audit.** EDP does not block or notify users but logs the operation in the audit log. -- **Off.** EDP does not block or notify users and does not log operations in the audit log. +WIP works seamlessly until users try to access enterprise data with or try to paste enterprise data into unauthorized apps or locations on the web. For example, copying enterprise data from an authorized app to another authorized app works as usual, but WIP blocks users from copying enterprise data from an authorized app to an unauthorized app. Likewise, WIP blocks users from using an unauthorized app to open a file that contains enterprise data. +In addition, users cannot copy and paste data from authorized apps to unauthorized apps or locations on the Web without triggering one of the WIP protection levels: +- **Block.** WIP blocks users from completing the operation. +- **Override.** WIP notifies users that the operation is inappropriate but allows them to override the policy, although it logs the operation in the audit log. +- **Audit.** WIP does not block or notify users but logs the operation in the audit log. +- **Off.** WIP does not block or notify users and does not log operations in the audit log. ### Data separation As the name suggests, data separation separates personal from enterprise data. Most third-party solutions require an app wrapper, and from here, enterprise data goes in a container while personal data is outside the container. Often, people must use two different apps for the same purpose: one for personal data and another for enterprise data. -EDP provides the same data separation but neither uses containers nor requires a special version of an app to access business data, and then a second instance of it to access personal data. There are no containers, partitions, or special folders to physically separate personal and business data. Instead, Windows 10 Mobile is the access control broker, identifying enterprise data because it’s encrypted to the enterprise. Therefore, EDP provides data separation by virtue of encrypting enterprise data. +WIP provides the same data separation but neither uses containers nor requires a special version of an app to access business data, and then a second instance of it to access personal data. There are no containers, partitions, or special folders to physically separate personal and business data. Instead, Windows 10 Mobile is the access control broker, identifying enterprise data because it’s encrypted to the enterprise. Therefore, WIP provides data separation by virtue of encrypting enterprise data. ### Visual cues -In Windows 10 Mobile, visual cues indicate the status of EDP to users (see Figure 2): +In Windows 10 Mobile, visual cues indicate the status of WIP to users (see Figure 2): -- **Start screen.** On the Start screen, apps that an EDP policy manages display a visual cue. +- **Start screen.** On the Start screen, apps that a WIP policy manages display a visual cue. - **Files.** In File Explorer, a visual cue indicates whether a file or folder contains enterprise data and is therefore encrypted. -For example, Erwin is an employee at Fabrikam. He opens Microsoft Edge from the Start screen and sees that the tile indicates that an EDP policy manages the browser. Erwin opens the Fabrikam sales website and downloads a spreadsheet. In File Explorer, Erwin sees that the file he downloaded has a visual cue which indicates that it’s encrypted and contains enterprise data. When Erwin tries to paste data from that spreadsheet into an app that no EDP policy manages (for example, his Twitter app), Erwin might see a message that allows him to override protection while logging the action, depending on the protection level configured in the EDP policy. +For example, Erwin is an employee at Fabrikam. He opens Microsoft Edge from the Start screen and sees that the tile indicates that a WIP policy manages the browser. Erwin opens the Fabrikam sales website and downloads a spreadsheet. In File Explorer, Erwin sees that the file he downloaded has a visual cue which indicates that it’s encrypted and contains enterprise data. When Erwin tries to paste data from that spreadsheet into an app that no WIP policy manages (for example, his Twitter app), Erwin might see a message that allows him to override protection while logging the action, depending on the protection level configured in the WIP policy.  -Figure 2. Visual cues in EDP +Figure 2. Visual cues in WIP ## Malware resistance diff --git a/windows/keep-secure/windows-defender-advanced-threat-protection.md b/windows/keep-secure/windows-defender-advanced-threat-protection.md index bae239bf1c..16a3332352 100644 --- a/windows/keep-secure/windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/windows-defender-advanced-threat-protection.md @@ -14,12 +14,13 @@ author: mjcaparas **Applies to:** -- Windows 10 Insider Preview Build 14332 or later +- Windows 10 Enterprise +- Windows 10 Enterprise for Education +- Windows 10 Pro +- Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) -[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] - -Windows Defender Advanced Threat Protection (Windows Defender ATP) is a security service, built into Windows 10 that enables enterprise customers detect, investigate, and respond to advanced threats on their networks. +Windows Defender Advanced Threat Protection (Windows Defender ATP) is a security service, built into Windows 10 that enables enterprise customers to detect, investigate, and respond to advanced threats on their networks. Windows Defender ATP uses the following combination of technology built into Windows 10 and Microsoft's robust cloud service: @@ -63,7 +64,7 @@ detect sophisticated cyber-attacks, providing: - Behavior-based, cloud-powered, advanced attack detection - Finds the attacks that made it past all other defenses (post breach detection),provides actionable, correlated alerts for known and unknown adversaries trying to hide their activities on endpoints. + Finds the attacks that made it past all other defenses (post breach detection), provides actionable, correlated alerts for known and unknown adversaries trying to hide their activities on endpoints. - Rich timeline for forensic investigation and mitigation @@ -78,10 +79,12 @@ detect sophisticated cyber-attacks, providing: Topic | Description :---|:--- [Minimum requirements](minimum-requirements-windows-defender-advanced-threat-protection.md) | This overview topic for IT professionals provides information on the minimum requirements to use Windows Defender ATP such as network and data storage configuration, and endpoint hardware and software requirements, and deployment channels. -[Onboard endpoints and set up access](onboard-configure-windows-defender-advanced-threat-protection.md) | You'll need to onboard and configure the Windows Defender ATP service and the endpoints in your network before you can use the service. Learn about how you can assign users to the Windows Defender ATP service in Azure Active Directory (AAD) and using a configuration package to configure endpoints. [Data storage and privacy](data-storage-privacy-windows-defender-advanced-threat-protection.md)| Learn about how Windows Defender ATP collects and handles information and where data is stored. +[Assign user access to the Windows Defender ATP portal](assign-portal-access-windows-defender-advanced-threat-protection.md)| Before users can access the portal, they'll need to be granted specific roles in Azure Active Directory. +[Onboard endpoints and set up access](onboard-configure-windows-defender-advanced-threat-protection.md) | You'll need to onboard and configure the Windows Defender ATP service and the endpoints in your network before you can use the service. Learn about how you can assign users to the Windows Defender ATP service in Azure Active Directory (AAD) and using a configuration package to configure endpoints. [Portal overview](portal-overview-windows-defender-advanced-threat-protection.md) | Understand the main features of the service and how it leverages Microsoft technology to protect enterprise endpoints from sophisticated cyber attacks. [Use the Windows Defender Advanced Threat Protection portal](use-windows-defender-advanced-threat-protection.md) | Learn about the capabilities of Windows Defender ATP to help you investigate alerts that might be indicators of possible breaches in your enterprise. [Windows Defender Advanced Threat Protection settings](settings-windows-defender-advanced-threat-protection.md) | Learn about setting the time zone and configuring the suppression rules to configure the service to your requirements. [Troubleshoot Windows Defender Advanced Threat Protection](troubleshoot-windows-defender-advanced-threat-protection.md) | This topic contains information to help IT Pros find workarounds for the known issues and troubleshoot issues in Windows Defender ATP. [Review events and errors on endpoints with Event Viewer](event-error-codes-windows-defender-advanced-threat-protection.md)| Review events and errors associated with event IDs to determine if further troubleshooting steps are required. +[Windows Defender compatibility](defender-compatibility-windows-defender-advanced-threat-protection.md) | Learn about how Windows Defender works in conjunction with Windows Defender ATP. \ No newline at end of file diff --git a/windows/keep-secure/windows-defender-in-windows-10.md b/windows/keep-secure/windows-defender-in-windows-10.md index 07242d64f4..d962b39947 100644 --- a/windows/keep-secure/windows-defender-in-windows-10.md +++ b/windows/keep-secure/windows-defender-in-windows-10.md @@ -1,76 +1,76 @@ ---- -title: Windows Defender in Windows 10 (Windows 10) -description: This topic provides an overview of Windows Defender, including a list of system requirements and new features. -ms.assetid: 6A9EB85E-1F3A-40AC-9A47-F44C4A2B55E2 -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -author: jasesso ---- - -# Windows Defender in Windows 10 - -**Applies to** -- Windows 10 - -Windows Defender in Windows 10 is a built-in antimalware solution that provides security and antimalware management for desktops, portable computers, and servers. -This topic provides an overview of Windows Defender, including a list of system requirements and new features. - -For more important information about running Windows Defender on a server platform, see [Windows Defender Overview for Windows Server Technical Preview](https://technet.microsoft.com/library/dn765478.aspx). - -Take advantage of Windows Defender by configuring settings and definitions using the following tools: -- Microsoft Active Directory *Group Policy* for settings -- Windows Server Update Services (WSUS) for definitions - -Windows Defender provides the most protection when cloud-based protection is enabled. Learn how to enable cloud-based protection in [Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md). -> **Note:** System Center 2012 R2 Configuration Manager SP1, System Center 2012 Configuration Manager SP2, and Microsoft Intune can provide centralized management of Windows Defender, including: -- Settings management -- Definition update management -- Alerts and alert management -- Reports and report management - -When you enable endpoint protection for your clients, it will install an additional management layer on Windows Defender to manage the in-box Windows Defender agent. While the client user interface will still appear as Windows Defender, the management layer for Endpoint Protection will be listed in the **Add/Remove Programs** control panel, though it will appear as if the full product is installed. - - -### Compatibility with Windows Defender Advanced Threat Protection - -Windows Defender Advanced Threat Protection (ATP) is an additional service that helps enterprises to detect, investigate, and respond to advanced persistent threats on their network. - -See the [Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md) topics for more information about the service. - -If you are enrolled in Windows Defender ATP, and you are not using Windows Defender as your real-time protection service on your endpoints, Windows Defender will automatically enter into a passive mode. - -In passive mode, Windows Defender will continue to run (using the *msmpeng.exe* process), and will continue to be updated, however there will be no Windows Defender user interface, scheduled scans won’t run, and Windows Defender will not provide real-time protection from malware. - -You can [configure updates for Windows Defender](configure-windows-defender-in-windows-10.md), however you can't move Windows Defender into the normal active mode if your endpoints have an up-to-date third-party product providing real-time protection from malware. - -If you uninstall the other product, and choose to use Windows Defender to provide protection to your endpoints, Windows Defender will automatically return to its normal active mode. - - - -### Minimum system requirements - -Windows Defender has the same hardware requirements as Windows 10. For more information, see: -- [Minimum hardware requirements](https://msdn.microsoft.com/library/windows/hardware/dn915086.aspx) -- [Hardware component guidelines](https://msdn.microsoft.com/library/windows/hardware/dn915049.aspx) - -### New and changed functionality - -- **Improved detection for unwanted applications and emerging threats using cloud-based protection.** Use the Microsoft Active Protection Service to improve protection against unwanted applications and advanced persistent threats in your enterprise. -- **Windows 10 integration.** All Windows Defender in Windows 10 endpoints will show the Windows Defender user interface, even when the endpoint is managed. -- **Operating system, enterprise-level management, and bring your own device (BYOD) integration.** Windows 10 introduces a mobile device management (MDM) interface for devices running Windows 10. Administrators can use MDM-capable products, such as Intune, to manage Windows Defender on Windows 10 devices. - -For more information about what's new in Windows Defender in Windows 10, see [Windows Defender in Windows 10: System integration](https://www.microsoft.com/security/portal/enterprise/threatreports_august_2015.aspx) on the Microsoft Active Protection Service website. - -## In this section - -Topic | Description -:---|:--- -[Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md)|Use Active Directory or Windows Server Update Services to manage and deploy updates to endpoints on your network. Configure and run special scans, including archive and email scans. -[Configure updates for Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md)|Configure definition updates and cloud-based protection with Active Directory and Windows Server Update Services. -[Windows Defender Offline in Windows 10](windows-defender-offline.md)|Manually run an offline scan directly from winthin Windows without having to download and create bootable media. -[Use PowerShell cmdlets for Windows Defender](use-powershell-cmdlets-windows-defender-for-windows-10.md)|Run scans and configure Windows Defender options with Windows PowerShell cmdlets in Windows 10. -[Enable the Black at First Sight feature in Windows 10](windows-defender-block-at-first-sight.md)|Use the Block at First Sight feature to leverage the Windows Defender cloud. -[Configure enhanced notifications for Windows Defender in Windows 10](windows-defender-enhanced-notifications.md)|Enable or disable enhanced notifications on endpoints running Windows Defender for greater details about threat detections and removal. -[Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md)|Review event IDs in Windows Defender for Windows 10 and take the appropriate actions. +--- +title: Windows Defender in Windows 10 (Windows 10) +description: This topic provides an overview of Windows Defender, including a list of system requirements and new features. +ms.assetid: 6A9EB85E-1F3A-40AC-9A47-F44C4A2B55E2 +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +author: jasesso +--- + +# Windows Defender in Windows 10 + +**Applies to** +- Windows 10 + +Windows Defender in Windows 10 is a built-in antimalware solution that provides security and antimalware management for desktops, portable computers, and servers. +This topic provides an overview of Windows Defender, including a list of system requirements and new features. + +For more important information about running Windows Defender on a server platform, see [Windows Defender Overview for Windows Server Technical Preview](https://technet.microsoft.com/library/dn765478.aspx). + +Take advantage of Windows Defender by configuring settings and definitions using the following tools: +- Microsoft Active Directory *Group Policy* for settings +- Windows Server Update Services (WSUS) for definitions + +Windows Defender provides the most protection when cloud-based protection is enabled. Learn how to enable cloud-based protection in [Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md). +> **Note:** System Center 2012 R2 Configuration Manager SP1, System Center 2012 Configuration Manager SP2, and Microsoft Intune can provide centralized management of Windows Defender, including: +- Settings management +- Definition update management +- Alerts and alert management +- Reports and report management + +When you enable endpoint protection for your clients, it will install an additional management layer on Windows Defender to manage the in-box Windows Defender agent. While the client user interface will still appear as Windows Defender, the management layer for Endpoint Protection will be listed in the **Add/Remove Programs** control panel, though it will appear as if the full product is installed. + + +### Compatibility with Windows Defender Advanced Threat Protection + +Windows Defender Advanced Threat Protection (ATP) is an additional service that helps enterprises to detect, investigate, and respond to advanced persistent threats on their network. + +See the [Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md) topics for more information about the service. + +If you are enrolled in Windows Defender ATP, and you are not using Windows Defender as your real-time protection service on your endpoints, Windows Defender will automatically enter into a passive mode. + +In passive mode, Windows Defender will continue to run (using the *msmpeng.exe* process), and will continue to be updated, however there will be no Windows Defender user interface, scheduled scans won’t run, and Windows Defender will not provide real-time protection from malware. + +You can [configure updates for Windows Defender](configure-windows-defender-in-windows-10.md), however you can't move Windows Defender into the normal active mode if your endpoints have an up-to-date third-party product providing real-time protection from malware. + +If you uninstall the other product, and choose to use Windows Defender to provide protection to your endpoints, Windows Defender will automatically return to its normal active mode. + + + +### Minimum system requirements + +Windows Defender has the same hardware requirements as Windows 10. For more information, see: +- [Minimum hardware requirements](https://msdn.microsoft.com/library/windows/hardware/dn915086.aspx) +- [Hardware component guidelines](https://msdn.microsoft.com/library/windows/hardware/dn915049.aspx) + +### New and changed functionality + +- **Improved detection for unwanted applications and emerging threats using cloud-based protection.** Use the Microsoft Active Protection Service to improve protection against unwanted applications and advanced persistent threats in your enterprise. +- **Windows 10 integration.** All Windows Defender in Windows 10 endpoints will show the Windows Defender user interface, even when the endpoint is managed. +- **Operating system, enterprise-level management, and bring your own device (BYOD) integration.** Windows 10 introduces a mobile device management (MDM) interface for devices running Windows 10. Administrators can use MDM-capable products, such as Intune, to manage Windows Defender on Windows 10 devices. + +For more information about what's new in Windows Defender in Windows 10, see [Windows Defender in Windows 10: System integration](https://www.microsoft.com/security/portal/enterprise/threatreports_august_2015.aspx) on the Microsoft Active Protection Service website. + +## In this section + +Topic | Description +:---|:--- +[Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md)|Use Active Directory or Windows Server Update Services to manage and deploy updates to endpoints on your network. Configure and run special scans, including archive and email scans. +[Configure updates for Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md)|Configure definition updates and cloud-based protection with Active Directory and Windows Server Update Services. +[Windows Defender Offline in Windows 10](windows-defender-offline.md)|Manually run an offline scan directly from winthin Windows without having to download and create bootable media. +[Use PowerShell cmdlets for Windows Defender](use-powershell-cmdlets-windows-defender-for-windows-10.md)|Run scans and configure Windows Defender options with Windows PowerShell cmdlets in Windows 10. +[Enable the Black at First Sight feature in Windows 10](windows-defender-block-at-first-sight.md)|Use the Block at First Sight feature to leverage the Windows Defender cloud. +[Configure enhanced notifications for Windows Defender in Windows 10](windows-defender-enhanced-notifications.md)|Enable or disable enhanced notifications on endpoints running Windows Defender for greater details about threat detections and removal. +[Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md)|Review event IDs in Windows Defender for Windows 10 and take the appropriate actions. diff --git a/windows/keep-secure/windows-defender-offline.md b/windows/keep-secure/windows-defender-offline.md index d861493653..bdd1e45d8b 100644 --- a/windows/keep-secure/windows-defender-offline.md +++ b/windows/keep-secure/windows-defender-offline.md @@ -1,181 +1,181 @@ ---- -title: Windows Defender Offline in Windows 10 -description: You can use Windows Defender Offline straight from the Windows Defender client. You can also manage how it is deployed in your network. -keywords: scan, defender, offline -search.product: eADQiWindows 10XVcnh -ms.pagetype: security -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -author: iaanw ---- - -# Windows Defender Offline in Windows 10 - -**Applies to:** - -- Windows 10, version 1607 - -Windows Defender Offline is an antimalware scanning tool that lets you boot and run a scan from a trusted environment. The scan runs from outside the normal Windows kernel so it can target malware that attempts to bypass the Windows shell, such as viruses and rootkits that infect or overwrite the master boot record (MBR). - -In Windows 10, Windows Defender Offline can be run with one click directly from the Windows Defender client. In previous versions of Windows, a user had to install Windows Defender Offline to bootable media, restart the endpoint, and load the bootable media. - -## Pre-requisites and requirements - -Windows Defender Offline in Windows 10 has the same hardware requirements as Windows 10. - -For more information about Windows 10 requirements, see the following topics: - -- [Minimum hardware requirements](https://msdn.microsoft.com/library/windows/hardware/dn915086(v=vs.85).aspx) - -- [Hardware component guidelines](https://msdn.microsoft.com/library/windows/hardware/dn915049(v=vs.85).aspx) - -> [!NOTE] -> Windows Defender Offline is not supported on machines with ARM processors, or on Windows Server Stock Keeping Units. - -To run Windows Defender Offline from the endpoint, the user must be logged in with administrator privileges. - -## Windows Defender Offline updates - -Windows Defender Offline uses the most up-to-date signature definitions available on the endpoint; it's updated whenever Windows Defender is updated with new signature definitions. Depending on your setup, this is usually though Microsoft Update or through the [Microsoft Malware Protection Center](https://www.microsoft.com/security/portal/definitions/adl.aspx). - -> [!NOTE] -> Before running an offline scan, you should attempt to update the definitions on the endpoint. You can either force an update via Group Policy or however you normally deploy updates to endpoints, or you can manually download and install the latest updates from the [Microsoft Malware Protection Center](https://www.microsoft.com/security/portal/definitions/adl.aspx). - -For information on setting up Windows Defender updates, see the [Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md) topic. - -## Usage scenarios - -In Windows 10, version 1607, you can manually force an offline scan. Alternatively, if Windows Defender determines that Windows Defender Offline needs to run, it will prompt the user on the endpoint. The need to perform an offline scan will also be revealed in System Center Configuration Manager, if you're using it to manage your endpoints. - -The prompt can occur via a notification, similar to the following: - - - -The user will also be notified within the Windows Defender client: - - - -In Configuration Manager, you can identify the status of endpoints by navigating to **Monitoring > Overview > Security > Endpoint Protection Status > System Center Endpoint Protection Status**. Windows Defender Offline scans are indicated under **Malware remediation status** as **Offline scan required**. - - - -## Manage notifications - - -You can suppress Windows Defender Offline notifications with Group Policy. - -> [!NOTE] -> Changing these settings will affect *all* notifications from Windows Defender. Disabling notifications will mean the endpoint user will not see any messages about any threats detected, removed, or if additional steps are required. - -**Use Group Policy to suppress Windows Defender notifications:** - -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. - -3. In the **Group Policy Management Editor** go to **Computer configuration**. - -4. Click **Policies** then **Administrative templates**. - -5. Expand the tree to **Windows components > Windows Defender > Client Interface**. - -1. Double-click the **Suppress all notifications** setting and set the option to **Enabled**. Click **OK**. This will disable all notifications shown by the Windows Defender client. - -## Configure Windows Defender Offline settings - -You can use Windows Management Instrumentation to enable and disable certain features in Windows Defender Offline. For example, you can use `Set-MpPreference` to change the `UILockdown` setting to disable and enable notifications. - -For more information about using Windows Management Instrumentation to configure Windows Defender Offline, including configuration parameters and options, see the following topics: - -- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/windows/desktop/dn439477(v=vs.85).aspx) - -- [Windows Defender MSFT_MpPreference class](https://msdn.microsoft.com/en-us/library/windows/desktop/dn455323(v=vs.85).aspx) - -For more information about notifications in Windows Defender, see the [Configure enhanced notifications in Windows Defender](windows-defender-enhanced-notifications.md)] topic. - -## Run a scan - -Windows Defender Offline uses up-to-date threat definitions to scan the endpoint for malware that might be hidden. In Windows 10, version 1607, you can manually force an offline scan using Windows Update and Security settings. - -> [!NOTE] -> Before you use Windows Defender Offline, make sure you save any files and shut down running programs. The Windows Defender Offline scan takes about 15 minutes to run. It will restart the endpoint when the scan is complete. - -You can set up a Windows Defender Offline scan with the following: - -- Windows Update and Security settings - -- Windows Defender - -- Windows Management Instrumentation - -- Windows PowerShell - -- Group Policy - -> [!NOTE] -> The scan is performed outside of the usual Windows operating environment. The user interface will appear different to a normal scan performed by Windows Defender. After the scan is completed, the endpoint will be restarted and Windows will load normally. - -**Run Windows Defender Offline from Windows Settings:** - -1. Open the **Start** menu and click or type **Settings**. - -1. Click **Update & Security** and then **Windows Defender**. Scroll to the bottom of the settings page until you see the **Windows Defender Offline** section. - -1. Click **Scan offline**. - -  - -1. Follow the prompts to continue with the scan. You might be warned that you'll be signed out of Windows and that the endpoint will restart. - -**Run Windows Defender Offline from Windows Defender:** - -1. Open the **Start** menu, type **windows defender**, and press **Enter** to open the Windows Defender client. - -1. On the **Home** tab click **Download and Run**. - -  - -1. Follow the prompts to continue with the scan. You might be warned that you'll be signed out of Windows and that the endpoint will restart. - - -**Use Windows Management Instrumentation to configure and run Windows Defender Offline:** - -Use the `MSFT_MpWDOScan` class (part of the Windows Defender Windows Management Instrumentation provider) to run a Windows Defender Offline scan. - -The following Windows Management Instrumentation script snippet will immediately run a Windows Defender Offline scan, which will cause the endpoint to restart, run the offline scan, and then restart and boot into Windows. - -```WMI -wmic /namespace:\\root\Microsoft\Windows\Defender path MSFT_MpWDOScan call Start -``` - -For more information about using Windows Management Instrumentation to run a scan in Windows Defender, including configuration parameters and options, see the following topics: - -- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/windows/desktop/dn439477(v=vs.85).aspx) - -- [MSFT_MpWDOScan class article](https://msdn.microsoft.com/library/windows/desktop/mt622458(v=vs.85).aspx) - -**Run Windows Defender Offline using PowerShell:** - -Use the PowerShell parameter `Start-MpWDOScan` to run a Windows Defender Offline scan. - -For more information on available cmdlets and optios, see the [Use PowerShell cmdlets to configure and run Windows Defender](use-powershell-cmdlets-windows-defender-for-windows-10.md) topic. - -## Review scan results - -Windows Defender Offline scan results will be listed in the main Windows Defender user interface after performing the scan. - -1. Open the **Start** menu, type **windows defender**, and press **Enter** to open the Windows Defender client. - -1. Go to the **History** tab. - -1. Select **All detected items**. - -1. Click **View details**. - -Any detected items will display. Items that are detected by Windows Defender Offline will be listed as **Offline** in the **Detection source**: - - - -## Related topics - +--- +title: Windows Defender Offline in Windows 10 +description: You can use Windows Defender Offline straight from the Windows Defender client. You can also manage how it is deployed in your network. +keywords: scan, defender, offline +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +author: iaanw +--- + +# Windows Defender Offline in Windows 10 + +**Applies to:** + +- Windows 10, version 1607 + +Windows Defender Offline is an antimalware scanning tool that lets you boot and run a scan from a trusted environment. The scan runs from outside the normal Windows kernel so it can target malware that attempts to bypass the Windows shell, such as viruses and rootkits that infect or overwrite the master boot record (MBR). + +In Windows 10, Windows Defender Offline can be run with one click directly from the Windows Defender client. In previous versions of Windows, a user had to install Windows Defender Offline to bootable media, restart the endpoint, and load the bootable media. + +## Pre-requisites and requirements + +Windows Defender Offline in Windows 10 has the same hardware requirements as Windows 10. + +For more information about Windows 10 requirements, see the following topics: + +- [Minimum hardware requirements](https://msdn.microsoft.com/library/windows/hardware/dn915086(v=vs.85).aspx) + +- [Hardware component guidelines](https://msdn.microsoft.com/library/windows/hardware/dn915049(v=vs.85).aspx) + +> [!NOTE] +> Windows Defender Offline is not supported on machines with ARM processors, or on Windows Server Stock Keeping Units. + +To run Windows Defender Offline from the endpoint, the user must be logged in with administrator privileges. + +## Windows Defender Offline updates + +Windows Defender Offline uses the most up-to-date signature definitions available on the endpoint; it's updated whenever Windows Defender is updated with new signature definitions. Depending on your setup, this is usually though Microsoft Update or through the [Microsoft Malware Protection Center](https://www.microsoft.com/security/portal/definitions/adl.aspx). + +> [!NOTE] +> Before running an offline scan, you should attempt to update the definitions on the endpoint. You can either force an update via Group Policy or however you normally deploy updates to endpoints, or you can manually download and install the latest updates from the [Microsoft Malware Protection Center](https://www.microsoft.com/security/portal/definitions/adl.aspx). + +For information on setting up Windows Defender updates, see the [Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md) topic. + +## Usage scenarios + +In Windows 10, version 1607, you can manually force an offline scan. Alternatively, if Windows Defender determines that Windows Defender Offline needs to run, it will prompt the user on the endpoint. The need to perform an offline scan will also be revealed in System Center Configuration Manager, if you're using it to manage your endpoints. + +The prompt can occur via a notification, similar to the following: + + + +The user will also be notified within the Windows Defender client: + + + +In Configuration Manager, you can identify the status of endpoints by navigating to **Monitoring > Overview > Security > Endpoint Protection Status > System Center Endpoint Protection Status**. Windows Defender Offline scans are indicated under **Malware remediation status** as **Offline scan required**. + + + +## Manage notifications + + +You can suppress Windows Defender Offline notifications with Group Policy. + +> [!NOTE] +> Changing these settings will affect *all* notifications from Windows Defender. Disabling notifications will mean the endpoint user will not see any messages about any threats detected, removed, or if additional steps are required. + +**Use Group Policy to suppress Windows Defender notifications:** + +1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +3. In the **Group Policy Management Editor** go to **Computer configuration**. + +4. Click **Policies** then **Administrative templates**. + +5. Expand the tree to **Windows components > Windows Defender > Client Interface**. + +1. Double-click the **Suppress all notifications** setting and set the option to **Enabled**. Click **OK**. This will disable all notifications shown by the Windows Defender client. + +## Configure Windows Defender Offline settings + +You can use Windows Management Instrumentation to enable and disable certain features in Windows Defender Offline. For example, you can use `Set-MpPreference` to change the `UILockdown` setting to disable and enable notifications. + +For more information about using Windows Management Instrumentation to configure Windows Defender Offline, including configuration parameters and options, see the following topics: + +- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/windows/desktop/dn439477(v=vs.85).aspx) + +- [Windows Defender MSFT_MpPreference class](https://msdn.microsoft.com/en-us/library/windows/desktop/dn455323(v=vs.85).aspx) + +For more information about notifications in Windows Defender, see the [Configure enhanced notifications in Windows Defender](windows-defender-enhanced-notifications.md)] topic. + +## Run a scan + +Windows Defender Offline uses up-to-date threat definitions to scan the endpoint for malware that might be hidden. In Windows 10, version 1607, you can manually force an offline scan using Windows Update and Security settings. + +> [!NOTE] +> Before you use Windows Defender Offline, make sure you save any files and shut down running programs. The Windows Defender Offline scan takes about 15 minutes to run. It will restart the endpoint when the scan is complete. + +You can set up a Windows Defender Offline scan with the following: + +- Windows Update and Security settings + +- Windows Defender + +- Windows Management Instrumentation + +- Windows PowerShell + +- Group Policy + +> [!NOTE] +> The scan is performed outside of the usual Windows operating environment. The user interface will appear different to a normal scan performed by Windows Defender. After the scan is completed, the endpoint will be restarted and Windows will load normally. + +**Run Windows Defender Offline from Windows Settings:** + +1. Open the **Start** menu and click or type **Settings**. + +1. Click **Update & Security** and then **Windows Defender**. Scroll to the bottom of the settings page until you see the **Windows Defender Offline** section. + +1. Click **Scan offline**. + +  + +1. Follow the prompts to continue with the scan. You might be warned that you'll be signed out of Windows and that the endpoint will restart. + +**Run Windows Defender Offline from Windows Defender:** + +1. Open the **Start** menu, type **windows defender**, and press **Enter** to open the Windows Defender client. + +1. On the **Home** tab click **Download and Run**. + +  + +1. Follow the prompts to continue with the scan. You might be warned that you'll be signed out of Windows and that the endpoint will restart. + + +**Use Windows Management Instrumentation to configure and run Windows Defender Offline:** + +Use the `MSFT_MpWDOScan` class (part of the Windows Defender Windows Management Instrumentation provider) to run a Windows Defender Offline scan. + +The following Windows Management Instrumentation script snippet will immediately run a Windows Defender Offline scan, which will cause the endpoint to restart, run the offline scan, and then restart and boot into Windows. + +```WMI +wmic /namespace:\\root\Microsoft\Windows\Defender path MSFT_MpWDOScan call Start +``` + +For more information about using Windows Management Instrumentation to run a scan in Windows Defender, including configuration parameters and options, see the following topics: + +- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/windows/desktop/dn439477(v=vs.85).aspx) + +- [MSFT_MpWDOScan class article](https://msdn.microsoft.com/library/windows/desktop/mt622458(v=vs.85).aspx) + +**Run Windows Defender Offline using PowerShell:** + +Use the PowerShell parameter `Start-MpWDOScan` to run a Windows Defender Offline scan. + +For more information on available cmdlets and optios, see the [Use PowerShell cmdlets to configure and run Windows Defender](use-powershell-cmdlets-windows-defender-for-windows-10.md) topic. + +## Review scan results + +Windows Defender Offline scan results will be listed in the main Windows Defender user interface after performing the scan. + +1. Open the **Start** menu, type **windows defender**, and press **Enter** to open the Windows Defender client. + +1. Go to the **History** tab. + +1. Select **All detected items**. + +1. Click **View details**. + +Any detected items will display. Items that are detected by Windows Defender Offline will be listed as **Offline** in the **Detection source**: + + + +## Related topics + - [Windows Defender in Windows 10](windows-defender-in-windows-10.md) \ No newline at end of file diff --git a/windows/manage/TOC.md b/windows/manage/TOC.md index b110a8fdcd..bf74983e5d 100644 --- a/windows/manage/TOC.md +++ b/windows/manage/TOC.md @@ -133,6 +133,34 @@ #### [Application Publishing and Client Interaction](appv-application-publishing-and-client-interaction.md) #### [Viewing App-V Server Publishing Metadata](appv-viewing-appv-server-publishing-metadata.md) #### [Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications](appv-running-locally-installed-applications-inside-a-virtual-environment.md) +## [User Experience Virtualization (UE-V)](uev-for-windows.md) +### [Get Started with UE-V](uev-getting-started.md) +#### [What's New in UE-V for Windows 10, version 1607](uev-whats-new-in-uev-for-windows.md) +#### [User Experience Virtualization Release Notes](uev-release-notes-1607.md) +#### [Upgrade to UE-V for Windows 10](uev-upgrade-uev-from-previous-releases.md) +### [Prepare a UE-V Deployment](uev-prepare-for-deployment.md) +#### [Deploy Required UE-V Features](uev-deploy-required-features.md) +#### [Deploy UE-V for use with Custom Applications](uev-deploy-uev-for-custom-applications.md) +### [Administering UE-V](uev-administering-uev.md) +#### [Manage Configurations for UE-V](uev-manage-configurations.md) +##### [Configuring UE-V with Group Policy Objects](uev-configuring-uev-with-group-policy-objects.md) +##### [Configuring UE-V with System Center Configuration Manager](uev-configuring-uev-with-system-center-configuration-manager.md) +##### [Administering UE-V with Windows PowerShell and WMI](uev-administering-uev-with-windows-powershell-and-wmi.md) +###### [Managing the UE-V Service and Packages with Windows PowerShell and WMI](uev-managing-uev-agent-and-packages-with-windows-powershell-and-wmi.md) +###### [Managing UE-V Settings Location Templates Using Windows PowerShell and WMI](uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md) +#### [Working with Custom UE-V Templates and the UE-V Template Generator](uev-working-with-custom-templates-and-the-uev-generator.md) +#### [Manage Administrative Backup and Restore in UE-V](uev-manage-administrative-backup-and-restore.md) +#### [Changing the Frequency of UE-V Scheduled Tasks](uev-changing-the-frequency-of-scheduled-tasks.md) +#### [Migrating UE-V Settings Packages](uev-migrating-settings-packages.md) +#### [Using UE-V with Application Virtualization Applications](uev-using-uev-with-application-virtualization-applications.md) +### [Troubleshooting UE-V](uev-troubleshooting.md) +### [Technical Reference for UE-V](uev-technical-reference.md) +#### [Sync Methods for UE-V](uev-sync-methods.md) +#### [Sync Trigger Events for UE-V](uev-sync-trigger-events.md) +#### [Synchronizing Microsoft Office with UE-V](uev-synchronizing-microsoft-office-with-uev.md) +#### [Application Template Schema Reference for UE-V](uev-application-template-schema-reference.md) +#### [Accessibility for UE-V](uev-accessibility.md) +#### [Security Considerations for UE-V](uev-security-considerations.md) ## [Windows Store for Business](windows-store-for-business.md) ### [Sign up and get started](sign-up-windows-store-for-business-overview.md) ####[Windows Store for Business overview](windows-store-for-business-overview.md) diff --git a/windows/manage/configure-windows-telemetry-in-your-organization.md b/windows/manage/configure-windows-telemetry-in-your-organization.md index 2642bdeb9e..9965ade8d5 100644 --- a/windows/manage/configure-windows-telemetry-in-your-organization.md +++ b/windows/manage/configure-windows-telemetry-in-your-organization.md @@ -16,7 +16,7 @@ author: brianlic-msft - Windows 10 - Windows 10 Mobile -- Windows Server 2016 Technical Preview +- Windows Server 2016 At Microsoft, we use Windows telemetry to inform our decisions and focus our efforts in providing the most robust, most valuable platform for your business and the people who count on Windows to enable them to be as productive as possible. Telemetry gives users a voice in the operating system’s development. This guide describes the importance of Windows telemetry and how we protect that data. Additionally, it differentiates between telemetry and functional data. It also describes the telemetry levels that Windows supports. Of course, you can choose how much telemetry is shared with Microsoft, and this guide demonstrates how. @@ -36,7 +36,7 @@ Use this article to make informed decisions about how you might configure teleme ## Overview -In previous versions of Windows and Windows Server, Microsoft used telemetry to check for updated or new Windows Defender signatures, check whether Windows Update installations were successful, gather reliability information through the Reliability Analysis Component (RAC), and gather reliability information through the Windows Customer Experience Improvement Program (CEIP) on Windows. In Windows 10 and Windows Server 2016 Technical Preview, you can control telemetry streams by using the Privacy option in Settings, Group Policy, or MDM. +In previous versions of Windows and Windows Server, Microsoft used telemetry to check for updated or new Windows Defender signatures, check whether Windows Update installations were successful, gather reliability information through the Reliability Analysis Component (RAC), and gather reliability information through the Windows Customer Experience Improvement Program (CEIP) on Windows. In Windows 10 and Windows Server 2016, you can control telemetry streams by using the Privacy option in Settings, Group Policy, or MDM. For Windows 10, we invite IT pros to join the [Windows Insider Program](http://insider.windows.com) to give us feedback on what we can do to make Windows work better for your organization. @@ -159,7 +159,7 @@ Microsoft believes in and practices information minimization. We strive to gathe ## Telemetry levels -This section explains the different telemetry levels in Windows 10, Windows Server 2016 Technical Preview, and System Center. These levels are available on all desktop and mobile editions of Windows 10, with the exception of the **Security** level which is limited to Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, Windows 10 IoT Core (IoT Core), and Windows Server 2016 Technical Preview. +This section explains the different telemetry levels in Windows 10, Windows Server 2016, and System Center. These levels are available on all desktop and mobile editions of Windows 10, with the exception of the **Security** level which is limited to Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, Windows 10 IoT Core (IoT Core), and Windows Server 2016. The telemetry data is categorized into four levels: @@ -171,7 +171,7 @@ The telemetry data is categorized into four levels: - **Full**. All data necessary to identify and help to fix problems, plus data from the **Security**, **Basic**, and **Enhanced** levels. -The levels are cumulative and are illustrated in the following diagram. Also, these levels apply to all editions of Windows Server 2016 Technical Preview. +The levels are cumulative and are illustrated in the following diagram. Also, these levels apply to all editions of Windows Server 2016.  @@ -216,7 +216,7 @@ The Basic level gathers a limited set of data that’s critical for understandin The data gathered at this level includes: -- **Basic device data**. Helps provide an understanding about the types of Windows devices and the configurations and types of native and virtualized Windows Server 2016 Technical Preview in the ecosystem. Examples include: +- **Basic device data**. Helps provide an understanding about the types of Windows devices and the configurations and types of native and virtualized Windows Server 2016 in the ecosystem. Examples include: - Device attributes, such as camera resolution and display type @@ -306,7 +306,7 @@ We do not recommend that you turn off telemetry in your organization as valuable You can turn on or turn off System Center telemetry gathering. The default is on and the data gathered at this level represents what is gathered by default when System Center telemetry is turned on. However, setting the operating system telemetry level to **Basic** will turn off System Center telemetry, even if the System Center telemetry switch is turned on. -The lowest telemetry setting level supported through management policies is **Security**. The lowest telemetry setting supported through the Settings UI is **Basic**. The default telemetry setting for Windows Server 2016 Technical Preview is **Enhanced**. +The lowest telemetry setting level supported through management policies is **Security**. The lowest telemetry setting supported through the Settings UI is **Basic**. The default telemetry setting for Windows Server 2016 is **Enhanced**. ### Configure the operating system telemetry level diff --git a/windows/manage/images/deploymentworkflow.png b/windows/manage/images/deploymentworkflow.png new file mode 100644 index 0000000000..b665a0bfea Binary files /dev/null and b/windows/manage/images/deploymentworkflow.png differ diff --git a/windows/manage/images/uev-adk-select-uev-feature.png b/windows/manage/images/uev-adk-select-uev-feature.png new file mode 100644 index 0000000000..1556f115c0 Binary files /dev/null and b/windows/manage/images/uev-adk-select-uev-feature.png differ diff --git a/windows/manage/images/uev-archdiagram.png b/windows/manage/images/uev-archdiagram.png new file mode 100644 index 0000000000..eae098e666 Binary files /dev/null and b/windows/manage/images/uev-archdiagram.png differ diff --git a/windows/manage/images/uev-checklist-box.gif b/windows/manage/images/uev-checklist-box.gif new file mode 100644 index 0000000000..8af13c51d1 Binary files /dev/null and b/windows/manage/images/uev-checklist-box.gif differ diff --git a/windows/manage/images/uev-deployment-preparation.png b/windows/manage/images/uev-deployment-preparation.png new file mode 100644 index 0000000000..b665a0bfea Binary files /dev/null and b/windows/manage/images/uev-deployment-preparation.png differ diff --git a/windows/manage/images/uev-generator-process.png b/windows/manage/images/uev-generator-process.png new file mode 100644 index 0000000000..e16cedd0a7 Binary files /dev/null and b/windows/manage/images/uev-generator-process.png differ diff --git a/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 1a3ffc0c33..d1bedc3492 100644 --- a/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -275,7 +275,7 @@ To turn off font streaming, create a REG\_DWORD registry setting called **Disabl To turn off Insider Preview builds if you're running a released version of Windows 10. If you're running a preview version of Windows 10, you must roll back to a released version before you can turn off Insider Preview builds. -- Turn off the feature in the UI: **Settings** > **Update & security** > **Windows Update** > **Advanced options** > **Stop Insider builds**. +- Turn off the feature in the UI: **Settings** > **Update & security** > **Windows Insider Program** > **Stop Insider Preview builds**. -or- @@ -1181,7 +1181,10 @@ If you're not running Windows 10, version 1607 or later, you can use the other o - Configure the following in **Settings**: - - **Personalization** > **Lock screen** > **Background** > **Windows spotlight**, select a different background, and turn off **Show me tips, tricks, and more on the lock screen**. + - **Personalization** > **Lock screen** > **Background** > **Windows spotlight**, select a different background, and turn off **Get fun facts, tips, tricks and more on your lock screen**. + + > [!NOTE] + > In Windows 10, version 1507 and Windows 10, version 1511, this setting was called **Show me tips, tricks, and more on the lock screen**. - **Personalization** > **Start** > **Occasionally show suggestions in Start**. diff --git a/windows/manage/uev-accessibility.md b/windows/manage/uev-accessibility.md new file mode 100644 index 0000000000..e54c168813 --- /dev/null +++ b/windows/manage/uev-accessibility.md @@ -0,0 +1,88 @@ +--- +title: Accessibility for UE-V +description: Accessibility for UE-V +author: MaggiePucciEvans +ms.pagetype: mdop, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + + +# Accessibility for UE-V + + +Microsoft is committed to making its products and services easier for everyone to use. This section provides information about features and services that make this product and its corresponding documentation more accessible for people with disabilities. + +## Access any command with a few keystrokes + + +You can access most commands by using two keystrokes. To use an access key: + +1. Press Alt. + + The keyboard shortcuts are displayed over each feature that is available in the current view. + +2. Press the letter that is shown in the keyboard shortcut over the feature that you want to use. + +### Documentation in alternative formats + +If you have difficulty reading or handling printed materials, you can obtain the documentation for many Microsoft products in more accessible formats. You can view an index of accessible product documentation on the Microsoft Accessibility website. In addition, you can obtain additional Microsoft publications from Learning Ally, formerly known as Recording for the Blind & Dyslexic, Inc. Learning Ally distributes these documents to registered, eligible members of their distribution service. + +For information about the availability of Microsoft product documentation and books from Microsoft Press, use the following contact. + +
Learning Ally (formerly Recording for the Blind & Dyslexic, Inc.) +20 Roszel Road +Princeton, NJ 08540 |
++ |
Telephone number from within the United States: |
+(800) 221-4792 |
+
Telephone number from outside the United States and Canada: |
+(609) 452-0606 |
+
Fax: |
+(609) 987-8116 |
+
[http://www.learningally.org/](http://go.microsoft.com/fwlink/p/?linkid=239) |
+Web addresses can change, so you might be unable to connect to the website or sites that are mentioned here. |
+
Element |
+Data Type |
+Mandatory |
+
Filename |
+FilenameString |
+True |
+
Architecture |
+Architecture |
+False |
+
ProductName |
+String |
+False |
+
FileDescription |
+String |
+False |
+
ProductVersion |
+ProcessVersion |
+False |
+
FileVersion |
+ProcessVersion |
+False |
+
Element |
+Description |
+
Asynchronous |
+Asynchronous settings packages are applied without blocking the application startup so that the application start proceeds while the settings are still being applied. This is useful for settings that can be applied asynchronously, such as those |
+
PreventOverlappingSynchronization |
+By default, UE-V only saves settings for an application when the last instance of an application using the template is closed. When this element is set to ‘false’, UE-V exports the settings even if other instances of an application are running. Suited templates – those that include a Common element section– that are shipped with UE-V use this flag to enable shared settings to always export on application close, while preventing application-specific settings from exporting until the last instance is closed. |
+
AlwaysApplySettings |
+This parameter forces an imported settings package to be applied even if there are no differences between the package and the current state of the application. This parameter should be used only in special cases since it can slow down settings import. |
+
Field/Type |
+Description |
+
Name |
+Specifies a unique name for the settings location template. This is used for display purposes when referencing the template in WMI, PowerShell, Event Viewer and debug logs. For more information, see [Name](#name21). |
+
ID |
+Populates a unique identifier for a particular template. This tag becomes the primary identifier that the UE-V service uses to reference the template at runtime. For more information, see [ID](#id21). |
+
Description |
+An optional description of the template. |
+
LocalizedNames |
+An optional name displayed in the UI, localized by a language locale. |
+
LocalizedDescriptions |
+An optional template description localized by a language locale. |
+
Version |
+Identifies the version of the settings location template for administrative tracking of changes. For more information, see [Version](#version21). |
+
DeferToMSAccount |
+Controls whether this template is enabled in conjunction with a Microsoft account or not. If MSA syncing is enabled for a user on a machine, then this template will automatically be disabled. |
+
DeferToOffice365 |
+Similar to MSA, this controls whether this template is enabled in conjunction with Office365. If Office 365 is being used to sync settings, this template will automatically be disabled. |
+
FixedProfile |
+Specifies that this template can only be associated with the profile specified within this element, and cannot be changed via WMI or PowerShell. |
+
Processes |
+A container for a collection of one or more Process elements. For more information, see [Processes](#processes21). |
+
Settings |
+A container for all the settings that apply to a particular template. It contains instances of the Registry, File, SystemParameter, and CustomAction settings. For more information, see Settings in [Data types](#data21). |
+
Field/Type |
+Description |
+
Name |
+Specifies a unique name for the settings location template. This is used for display purposes when referencing the template in WMI, PowerShell, Event Viewer and debug logs. For more information, see [Name](#name21). |
+
ID |
+Populates a unique identifier for a particular template. This tag becomes the primary identifier that the UE-V service uses to reference the template at runtime. For more information, see [ID](#id21). |
+
Description |
+An optional description of the template. |
+
LocalizedNames |
+An optional name displayed in the UI, localized by a language locale. |
+
LocalizedDescriptions |
+An optional template description localized by a language locale. |
+
Version |
+Identifies the version of the settings location template for administrative tracking of changes. For more information, see [Version](#version21). |
+
DeferToMSAccount |
+Controls whether this template is enabled in conjunction with a Microsoft account or not. If MSA syncing is enabled for a user on a machine, then this template will automatically be disabled. |
+
DeferToOffice365 |
+Similar to MSA, this controls whether this template is enabled in conjunction with Office365. If Office 365 is being used to sync settings, this template will automatically be disabled. |
+
FixedProfile |
+Specifies that this template can only be associated with the profile specified within this element, and cannot be changed via WMI or PowerShell. |
+
Settings |
+A container for all the settings that apply to a particular template. It contains instances of the Registry, File, SystemParameter, and CustomAction settings. For more information, see Settings in [Data types](#data21). |
+
Field/Type |
+Description |
+
Name |
+Specifies a unique name for the settings location template. This is used for display purposes when referencing the template in WMI, PowerShell, Event Viewer and debug logs. For more information, see [Name](#name21). |
+
ID |
+Populates a unique identifier for a particular template. This tag becomes the primary identifier that the UE-V service uses to reference the template at runtime. For more information, see [ID](#id21). |
+
Description |
+An optional description of the template. |
+
LocalizedNames |
+An optional name displayed in the UI, localized by a language locale. |
+
LocalizedDescriptions |
+An optional template description localized by a language locale. |
+
| Task name | +Default event | +
|---|---|
\Microsoft\UE-V\Monitor Application Status |
+Logon |
+
| Task name | +Default event | +
|---|---|
\Microsoft\UE-V\Sync Controller Application |
+Logon, and every 30 minutes thereafter |
+
| Task name | +Default event | +
|---|---|
\Microsoft\UE-V\Synchronize Settings at Logoff |
+Logon |
+
| Task name | +Default event | +
|---|---|
\Microsoft\UE-V\Template Auto Update |
+System startup and at 3:30 AM every day, at a random time within a 1-hour window |
+
Task Name (file name) |
+Default Frequency |
+Power Toggle |
+Idle Only |
+Network Connection |
+Description |
+
Monitor Application Settings (UevAppMonitor.exe) |
+Starts 30 seconds after logon and continues until logoff. |
+No |
+Yes |
+N/A |
+Synchronizes settings for Windows (AppX) apps. |
+
Sync Controller Application (Microsoft.Uev.SyncController.exe) |
+At logon and every 30 min thereafter. |
+Yes |
+Yes |
+Only if Network is connected |
+Starts the Sync Controller which synchronizes local settings with the settings storage location. |
+
Synchronize Settings at Logoff (Microsoft.Uev.SyncController.exe) |
+Runs at logon and then waits for Logoff to Synchronize settings. |
+No |
+Yes |
+N/A |
+Start an application at logon that controls the synchronization of applications at logoff. |
+
Template Auto Update (ApplySettingsCatalog.exe) |
+Runs at initial logon and at 3:30 AM every day thereafter. |
+Yes |
+No |
+N/A |
+Checks the settings template catalog for new, updated, or removed templates. This task only runs if SettingsTemplateCatalog is configured. |
+
| Group Policy setting name | +Target | +Group Policy setting description | +Configuration options | +
|---|---|---|---|
Do not use the sync provider |
+Computers and Users |
+By using this Group Policy setting, you can configure whether UE-V uses the sync provider feature. This policy setting also lets you enable notification to appear when the import of user settings is delayed. |
+Enable this setting to configure the UE-V service not to use the sync provider. |
+
First Use Notification |
+Computers Only |
+This Group Policy setting enables a notification in the notification area that appears when the UE-V service runs for the first time. |
+The default is enabled. |
+
Roam Windows settings |
+Computers and Users |
+This Group Policy setting configures the synchronization of Windows settings. |
+Select which Windows settings synchronize between computers. +By default, Windows themes, desktop settings, and Ease of Access settings synchronize settings between computers of the same operating system version. |
+
Settings package size warning threshold |
+Computers and Users |
+This Group Policy setting lets you configure the UE-V service to report when a settings package file size reaches a defined threshold. |
+Specify the preferred threshold for settings package sizes in kilobytes (KB). +By default, the UE-V service does not have a package file size threshold. |
+
Settings storage path |
+Computers and Users |
+This Group Policy setting configures where the user settings are to be stored. |
+Enter a Universal Naming Convention (UNC) path and variables such as \\Server\SettingsShare\%username%. |
+
Settings template catalog path |
+Computers Only |
+This Group Policy setting configures where custom settings location templates are stored. This policy setting also configures whether the catalog is to be used to replace the default Microsoft templates that are installed with the UE-V service. |
+Enter a Universal Naming Convention (UNC) path such as \\Server\TemplateShare or a folder location on the computer. +Select the check box to replace the default Microsoft templates. |
+
Sync settings over metered connections |
+Computers and Users |
+This Group Policy setting defines whether UE-V synchronizes settings over metered connections. |
+By default, the UE-V service does not synchronize settings over a metered connection. |
+
Sync settings over metered connections even when roaming |
+Computers and Users |
+This Group Policy setting defines whether UE-V synchronizes settings over metered connections outside of the home provider network, for example, when the data connection is in roaming mode. |
+By default, UE-V does not synchronize settings over a metered connection when it is in roaming mode. |
+
Synchronization timeout |
+Computers and Users |
+This Group Policy setting configures the number of milliseconds that the computer waits before a time-out when it retrieves user settings from the remote settings location. If the remote storage location is unavailable, and the user does not use the sync provider, the application start is delayed by this many milliseconds. |
+Specify the preferred synchronization time-out in milliseconds. The default value is 2000 milliseconds. |
+
Tray Icon |
+Computers Only |
+This Group Policy setting enables the User Experience Virtualization (UE-V) tray icon. |
+This setting only has an effect for UE-V 2.x and earlier. It has no effect for UE-V in Windows 10, version 1607. |
+
Use User Experience Virtualization (UE-V) |
+Computers and Users |
+This Group Policy setting lets you enable or disable User Experience Virtualization (UE-V). |
+This setting only has an effect for UE-V 2.x and earlier. For UE-V in Windows 10, version 1607, use the **Enable UE-V** setting. |
+
Enable UE-V |
+Computers and Users |
+This policy setting allows you to enable or disable User Experience Virtualization (UE-V) feature. Reboot is needed for enable to take effect. |
+This setting only has an effect for UE-V in Windows 10, version 1607. For UE-V 2.x and earlier, choose the **Use User Experience Virtualization (UE-V)** setting. |
+
| Group Policy setting name | +Target | +Group Policy setting description | +Configuration options | +
|---|---|---|---|
Do not synchronize Windows Apps |
+Computers and Users |
+This Group Policy setting defines whether the UE-V service synchronizes settings for Windows apps. |
+The default is to synchronize Windows apps. |
+
Windows App List |
+Computer and User |
+This setting lists the family package names of the Windows apps and states expressly whether UE-V synchronizes that app’s settings. |
+You can use this setting to specify that settings of an app are never synchronized by UE-V, even if the settings of all other Windows apps are synchronized. |
+
Sync Unlisted Windows Apps |
+Computer and User |
+This Group Policy setting defines the default settings sync behavior of the UE-V service for Windows apps that are not explicitly listed in the Windows app list. |
+By default, the UE-V service only synchronizes settings of those Windows apps that are included in the Windows app list. |
+
Max package size |
+ Enable/disable Windows app sync |
+ Wait for sync on application start |
+
Setting import delay |
+ Sync unlisted Windows apps |
+ Wait for sync on logon |
+
Settings import notification |
+ IT contact URL |
+ Wait for sync timeout |
+
Settings storage path |
+ IT contact descriptive text |
+ Settings template catalog path |
+
Sync enablement |
+ Tray icon enabled |
+ Start/Stop UE-V agent service |
+
Sync method |
+ First use notification |
+ Define which Windows apps will roam settings |
+
Sync timeout |
+ + | + |
+
+
+
+| **Component** | **Function** |
+|--------------------------|------------------|
+| **UE-V service** | Enabled on every device that needs to synchronize settings, the **UE-V service** monitors registered applications and Windows for any settings changes, then synchronizes those settings between devices. |
+| **Settings packages** | Application settings and Windows settings are stored in **settings packages** created by the UE-V service. Settings packages are built, locally stored, and copied to the settings storage location.The setting values for **desktop applications** are stored when the user closes the application.
Values for **Windows settings** are stored when the user logs off, when the computer is locked, or when the user disconnects remotely from a computer.
The sync provider determines when the application or operating system settings are read from the **Settings Packages** and synchronized. | +| **Settings storage location** | This is a standard network share that your users can access. The UE-V service verifies the location and creates a hidden system folder in which to store and retrieve user settings. | +| **Settings location templates** | UE-V uses XML files as settings location templates to monitor and synchronize desktop application settings and Windows desktop settings between user computers. By default, some settings location templates are included in UE-V. You can also create, edit, or validate custom settings location templates by [managing settings synchronization for custom applications](#manage-settings-synchronization-for-custom-applications).
**Note** Settings location templates are not required for Windows applications. | +| **Universal Windows applications list** | Settings for Windows applications are captured and applied dynamically. The app developer specifies the settings that are synchronized for each app. UE-V determines which Windows applications are enabled for settings synchronization using a managed list of applications. By default, this list includes most Windows applications.
You can add or remove applications in the Windows app list by following the procedures in [Managing UE-V Settings Location Templates Using Windows PowerShell and WMI](uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md). | + +## Manage settings synchronization for custom applications + +Use these UE-V components to create and manage custom templates for your third-party or line-of-business applications. + +| Component | Description | +|-------------------------------|---------------| +| **UE-V template generator** | Use the **UE-V template generator** to create custom settings location templates that you can then distribute to user computers. The UE-V template generator also lets you edit an existing template or validate a template that was created with a different XML editor.
With the Windows 10, version 1607 release, the UE-V template generator is installed with the [Windows 10 Assessment and Deployment kit](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) (Windows ADK).
If you are upgrading from an existing UE-V installation, you’ll need to use the new generator to create new settings location templates. Application templates created with previous versions of the UE-V template generator are still supported, however. | +| **Settings template catalog** | The **settings template catalog** is a folder path on UE-V computers or a Server Message Block (SMB) network share that stores the custom settings location templates. The UE-V service checks this location once a day, retrieves new or updated templates, and updates its synchronization behavior.
If you use only the UE-V default settings location templates, then a settings template catalog is unnecessary. For more information about settings deployment catalogs, see [Deploy a UE-V settings template catalog](uev-deploy-uev-for-custom-applications.md#deploycatalogue). | + + + + + +## Settings synchronized by default + +UE-V synchronizes settings for these applications by default. For a complete list and more detailed information, see [Settings that are automatically synchronized in a UE-V deployment](uev-prepare-for-deployment.md#autosyncsettings). + +- Microsoft Office 2016, 2013, and 2010 + +- Internet Explorer 11, 10, and 9 + +- Many Windows applications, such as Xbox + +- Many Windows desktop applications, such as Notepad + +- Many Windows settings, such as desktop background or wallpaper + +**Note** +You can also [customize UE-V to synchronize settings](uev-deploy-uev-for-custom-applications.md) for applications other than those synchronized by default. + +## Other resources for this feature + +- [Get Started with UE-V](uev-getting-started.md) + +- [UE-V Release Notes](uev-release-notes-1607.md) + +- [Prepare a UE-V Deployment](uev-prepare-for-deployment.md) + +- [Upgrade to UE-V for Windows 10](uev-upgrade-uev-from-previous-releases.md) + +- [Administer UE-V](uev-administering-uev.md) + +- [Technical Reference for UE-V](uev-technical-reference.md) + +## Have a suggestion for UE-V? + +Add or vote on suggestions [here](http://uev.uservoice.com/forums/280428-microsoft-user-experience-virtualization). For UE-V issues, use the [UE-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-us/home?forum=mdopuev&filter=alltypes&sort=lastpostdesc). diff --git a/windows/manage/uev-getting-started.md b/windows/manage/uev-getting-started.md new file mode 100644 index 0000000000..42fdafe047 --- /dev/null +++ b/windows/manage/uev-getting-started.md @@ -0,0 +1,139 @@ +--- +title: Get Started with UE-V +description: Get Started with UE-V +author: MaggiePucciEvans +ms.pagetype: mdop, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + +# Get Started with UE-V + +Applies to: Windows 10, version 1607 + +Follow the steps in this topic to deploy User Experience Virtualization (UE-V) for the first time in a test environment. Evaluate UE-V to determine whether it’s the right solution to manage user settings across multiple devices within your enterprise. + +>**Note** +The information in this section is explained in greater detail throughout the rest of the documentation. If you’ve already determined that UE-V is the right solution and you don’t need to further evaluate it, see [Prepare a UE-V deployment](uev-prepare-for-deployment.md). + +The standard installation of UE-V synchronizes the default Microsoft Windows and Office settings and many Windows applications settings. For best results, ensure that your test environment includes two or more user computers that share network access. + +- [Step 1: Confirm prerequisites](#step-1-confirm-prerequisites). Review the supported configurations in this section to verify that your environment is able to run UE-V. + +- [Step 2: Deploy the settings storage location](#step-2-deploy-the-settings-storage-location). Explains how to deploy a settings storage location. All UE-V deployments require a location to store settings packages that contain the synchronized setting values. + +- [Step 3: Enable the UE-V service](#step-3-enable-the-ue-v-service-on-user-devices). Explains how to enable to UE-V service on user devices. To synchronize settings using UE-V, devices must have the UE-V service enabled and running. + +- [Step 4: Test Your UE-V evaluation deployment](#step-4-test-your-ue-v-evaluation-deployment). Run a few tests on two computers with the UE-V service enabled to see how UE-V works and if it meets your organization’s needs. + +- Step 5: Deploy UE-V for custom applications (optional). If you want to evaluate how your third-party and line-of-business applications work with UE-V, follow the steps in [Use UE-V with custom applications](uev-deploy-uev-for-custom-applications.md). Following this link takes you to another topic. Use your browser’s **Back** button to return to this topic. + +## Step 1: Confirm prerequisites + +Before you proceed, ensure that your environment meets the following requirements for running UE-V. + +| **Operating system** | **Edition** | **Service pack** | **System architecture** | **Windows PowerShell** | **Microsoft .NET Framework** | +|-------------------------|-------------|------------------|-------------------------|----------------------------------|------------------------------| +| Windows 10, version 1607 | Windows 10 Enterprise | NA | 32-bit or 64-bit | Windows PowerShell 3.0 or higher | .NET Framework 4 or higher | +| Windows 8 and Windows 8.1 | Enterprise or Pro | None | 32-bit or 64-bit | Windows PowerShell 3.0 or higher | .NET Framework 4.5 | +| Windows Server 2012 or Windows Server 2012 R2 | Standard or Datacenter | None | 64-bit | Windows PowerShell 3.0 or higher | .NET Framework 4.5 | + +## Step 2: Deploy the settings storage location + +You’ll need to deploy a settings storage location, a standard network share where user settings are stored in a settings package file. When you create the settings storage share, you should limit access to users that require it. [Deploy a settings storage location](https://technet.microsoft.com/library/dn458891.aspx#ssl) provides more detailed information. + +**Create a network share** + +1. Create a new security group and add UE-V users to it. + +2. Create a new folder on the centrally located computer that stores the UE-V settings packages, and then grant the UE-V users access with group permissions to the folder. The administrator who supports UE-V must have permissions to this shared folder. + +3. Assign UE-V users permission to create a directory when they connect. Grant full permission to all subdirectories of that directory, but block access to anything above. + +4. Set the following share-level Server Message Block (SMB) permissions for the settings storage location folder. + + | **User account** | **Recommended permissions** | + |------------------------------|-----------------------------| + | Everyone | No permissions | + | Security group of UE-V users | Full control | + +5. Set the following NTFS file system permissions for the settings storage location folder. + + | **User account** | **Recommended permissions** | **Folder** | + |------------------------------|---------------------------------------------------|---------------------------| + | Creator/owner | Full control | Subfolders and files only | + | Security group of UE-V users | List folder/read data, create folders/append data | This folder only | + +**Security Note** If you create the settings storage share on a computer running a Windows Server operating system, configure UE-V to verify that either the local Administrators group or the current user is the owner of the folder where settings packages are stored. To enable this additional security, specify this setting in the Windows Server Registry Editor: + +1. Add a **REG\_DWORD** registry key named **"RepositoryOwnerCheckEnabled"** to **HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\UEV\\Agent\\Configuration**. + +2. Set the registry key value to *1*. + +## Step 3: Enable the UE-V service on user devices + +For evaluation purposes, enable the service on at least two devices that belong to the same user in your test environment. + +The UE-V service is the client-side component that captures user-personalized application and Windows settings and saves them in settings packages. Settings packages are built, locally stored, and copied to the settings storage location. + +Before enabling the UE-V service, you'll need to register the UE-V templates for first use. In a PowerShell window, type `register-TemplateName` where **TemplateName** is the name of the UE-V template you want to register, and press ENTER. + +With Windows 10, version 1607 and later, the UE-V service is installed on user devices when the operating system is installed. Enable the service to start using UE-V. You can enable the service with the Group Policy editor or with Windows PowerShell. + +**To enable the UE-V service with Group Policy** + +1. Open the device’s **Group Policy Editor**. + +2. Navigate to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft** **User Experience Virtualization**. + +3. Run **Enable UEV**. + +4. Restart the device. + +**To enable the UE-V service with Windows PowerShell** + +1. In a PowerShell window, type **Enable-UEV** and press ENTER. + +2. Restart the device. + +3. In a PowerShell window, type **Get-UEVStatus** and press ENTER to verify that the UE-V service was successfully enabled. + +## Step 4: Test your UE-V evaluation deployment + +You’re ready to run a few tests on your UE-V evaluation deployment to see how UE-V works. + +1. On the first device (Computer A), make one or more of these changes: + + - Open Windows Desktop and move the taskbar to a different location in the window. + + - Change the default fonts. + + - Open Notepad and set format -> word wrap **on**. + + - Change the behavior of any Windows application, as detailed in [Managing UE-V settings location templates using Windows PowerShell and WMI](uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md). + + - Disable Microsoft Account settings synchronization and roaming profiles. + +2. Log off Computer A. Settings are saved in a UE-V settings package when users lock, logoff, exit an application, or when the sync provider runs (every 30 minutes by default). + +3. Log in to the second device (Computer B) as the same user as Computer A. + +4. Open Windows Desktop and verify that the taskbar location matches that of Computer A. Verify that the default fonts match and that NotePad is set to **word wrap on**. Also verify the change you made to any Windows applications. + +5. You can change the settings in Computer B back to the original Computer A settings. Then log off Computer B and log in to Computer A to verify the changes. + +Other resources for this feature +-------------------------------- + +- [User Experience Virtualization overview](uev-for-windows.md) + +- [Prepare a UE-V Deployment](uev-prepare-for-deployment.md) + +- [Upgrade to UE-V for Windows 10](uev-upgrade-uev-from-previous-releases.md) + +- [Administering UE-V ](uev-administering-uev.md) + +- [Troubleshooting UE-V ](uev-troubleshooting.md) + +- [Technical Reference for UE-V](uev-technical-reference.md) diff --git a/windows/manage/uev-manage-administrative-backup-and-restore.md b/windows/manage/uev-manage-administrative-backup-and-restore.md new file mode 100644 index 0000000000..61f024d919 --- /dev/null +++ b/windows/manage/uev-manage-administrative-backup-and-restore.md @@ -0,0 +1,168 @@ +--- +title: Manage Administrative Backup and Restore in UE-V +description: Manage Administrative Backup and Restore in UE-V +author: MaggiePucciEvans +ms.pagetype: mdop, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + + +# Manage Administrative Backup and Restore in UE-V + +As an administrator of User Experience Virtualization (UE-V), you can restore application and Windows settings to their original state. You can also restore additional settings when a user adopts a new device. + +## Restore Settings in UE-V when a User Adopts a New Device + + +To restore settings when a user adopts a new device, you can put a settings location template in **backup** or **roam (default)** profile using the Set-UevTemplateProfile PowerShell cmdlet. This lets computer settings sync to the new computer, in addition to user settings. Templates assigned to the backup profile are backed up for that device and configured on a per-device basis. To backup settings for a template, use the following cmdlet in Windows PowerShell: + +``` syntax +Set-UevTemplateProfile -ID
| Windows PowerShell cmdlet | +Description | +
|---|---|
|
+ Restores the user settings for an application or restores a group of Windows settings. |
+
| WMI command | +Description | +
|---|---|
|
+ Restores the user settings for an application or restores a group of Windows settings. |
+
| Windows PowerShell command | +Description | +
|---|---|
|
+ Lists all the settings location templates that are registered on the computer. |
+
|
+ Lists all the settings location templates that are registered on the computer where the application name or template name contains <string>. |
+
|
+ Lists all the settings location templates that are registered on the computer where the template ID contains <string>. |
+
|
+ Lists all the settings location templates that are registered on the computer where the application or template name, or template ID contains <string>. |
+
|
+ Gets the name of the program and version information, which depend on the template ID. |
+
|
+ Gets the effective list of Windows apps. |
+
|
+ Gets the list of Windows apps that are configured for the computer. |
+
|
+ Gets the list of Windows apps that are configured for the current user. |
+
|
+ Registers one or more settings location template with UE-V by using relative paths and/or wildcard characters in file paths. After a template is registered, UE-V synchronizes the settings that are defined in the template between computers that have the template registered. |
+
|
+ Registers one or more settings location template with UE-V by using literal paths, where no characters can be interpreted as wildcard characters. After a template is registered, UE-V synchronizes the settings that are defined in the template between computers that have the template registered. |
+
|
+ Unregisters a settings location template with UE-V. When a template is unregistered, UE-V no longer synchronizes the settings that are defined in the template between computers. |
+
|
+ Unregisters all settings location templates with UE-V. When a template is unregistered, UE-V no longer synchronizes the settings that are defined in the template between computers. |
+
|
+ Updates one or more settings location templates with a more recent version of the template. Use relative paths and/or wildcard characters in the file paths. The new template should be a newer version than the existing template. |
+
|
+ Updates one or more settings location templates with a more recent version of the template. Use full paths to template files, where no characters can be interpreted as wildcard characters. The new template should be a newer version than the existing template. |
+
|
+ Removes one or more Windows apps from the computer Windows app list. |
+
|
+ Removes Windows app from the current user Windows app list. |
+
|
+ Removes all Windows apps from the computer Windows app list. |
+
|
+ Removes one or more Windows apps from the current user Windows app list. |
+
|
+ Removes all Windows apps from the current user Windows app list. |
+
|
+ Disables a settings location template for the current user of the computer. |
+
|
+ Disables one or more Windows apps in the computer Windows app list. |
+
|
+ Disables one or more Windows apps in the current user Windows app list. |
+
|
+ Enables a settings location template for the current user of the computer. |
+
|
+ Enables one or more Windows apps in the computer Windows app list. |
+
|
+ Enables one or more Windows apps in the current user Windows app list. |
+
|
+ Determines whether one or more settings location templates comply with its XML schema. Can use relative paths and wildcard characters. |
+
|
+ Determines whether one or more settings location templates comply with its XML schema. The path must be a full path to the template file, but does not include wildcard characters. |
+
Windows PowerShell command |
+ Description | +
|---|---|
|
+ Lists all the settings location templates that are registered for the computer. |
+
|
+ Gets the name of the program and version information, which depends on the template name. |
+
|
+ Gets the effective list of Windows apps. |
+
Get-WmiObject -Namespace root\Microsoft\UEV MachineConfiguredWindows8App |
+ Gets the list of Windows apps that are configured for the computer. |
+
|
+ Gets the list of Windows apps that are configured for the current user. |
+
|
+ Registers a settings location template with UE-V. |
+
|
+ Unregisters a settings location template with UE-V. As soon as a template is unregistered, UE-V no longer synchronizes the settings that are defined in the template between computers. |
+
|
+ Updates a settings location template with UE-V. The new template should be a newer version than the existing one. |
+
|
+ Removes one or more Windows apps from the computer Windows app list. |
+
|
+ Removes one or more Windows apps from the current user Windows app list. |
+
|
+ Disables one or more settings location templates with UE-V. |
+
|
+ Disables one or more Windows apps in the computer Windows app list. |
+
|
+ Disables one or more Windows apps in the current user Windows app list. |
+
|
+ Enables a settings location template with UE-V. |
+
|
+ Enables Windows apps in the computer Windows app list. |
+
|
+ Enables Windows apps in the current user Windows app list. |
+
|
+ Determines whether a given settings location template complies with its XML schema. |
+
| Windows PowerShell command | +Description | +
|---|---|
|
+ Turns on the UE-V service. Requires reboot. |
+
|
+ Turns off the UE-V service. Requires reboot. |
+
|
+ Displays whether UE-V service is enabled or disabled, using a Boolean value. |
+
|
+ Gets the effective UE-V service settings. User-specific settings have precedence over the computer settings. |
+
|
+ Gets the UE-V service settings values for the current user only. |
+
|
+ Gets the UE-V service configuration settings values for all users on the computer. |
+
|
+ Gets the details for each configuration setting. Displays where the setting is configured or if it uses the default value. Is displayed if the current setting is valid. |
+
|
+ Configures the UE-V service to not synchronize any Windows apps for all users on the computer. |
+
|
+ Configures the UE-V service to not synchronize any Windows apps for the current computer user. |
+
|
+ Configures the UE-V service to display notification the first time the service runs for all users on the computer. |
+
|
+ Configures the UE-V service to not display notification the first time that the service runs for all users on the computer. |
+
|
+ Configures the UE-V service to notify all users on the computer when settings synchronization is delayed. +Use the DisableSettingsImportNotify parameter to disable notification. |
+
|
+ Configures the UE-V service to notify the current user when settings synchronization is delayed. +Use the DisableSettingsImportNotify parameter to disable notification. |
+
|
+ Configures the UE-V service to synchronize all Windows apps that are not explicitly disabled by the Windows app list for all users of the computer. For more information, see "Get-UevAppxPackage" in [Managing UE-V 2.x Settings Location Templates Using Windows PowerShell and WMI](uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md). +Use the DisableSyncUnlistedWindows8Apps parameter to configure the UE-V service to synchronize only Windows apps that are explicitly enabled by the Windows App List. |
+
|
+ Configures the UE-V service to synchronize all Windows apps that are not explicitly disabled by the Windows app list for the current user on the computer. For more information, see "Get-UevAppxPackage" in [Managing UE-V 2.x Settings Location Templates Using Windows PowerShell and WMI](uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md). +Use the DisableSyncUnlistedWindows8Apps parameter to configure the UE-V service to synchronize only Windows apps that are explicitly enabled by the Windows App List. |
+
|
+ Disables UE-V for all the users on the computer. +Use the EnableSync parameter to enable or re-enable. |
+
|
+ Disables UE-V for the current user on the computer. +Use the EnableSync parameter to enable or re-enable. |
+
|
+ Enables the UE-V icon in the notification area for all users of the computer. +Use the DisableTrayIcon parameter to disable the icon. |
+
|
+ Configures the UE-V service to report when a settings package file size reaches the defined threshold for all users on the computer. Sets the threshold package size in bytes. |
+
|
+ Configures the UE-V service to report when a settings package file size reaches the defined threshold. Sets the package size warning threshold for the current user. |
+
|
+ Specifies the time in seconds before the user is notified for all users of the computer |
+
|
+ Specifies the time in seconds before notification for the current user is sent. |
+
|
+ Defines a per-computer settings storage location for all users of the computer. |
+
|
+ Defines a per-user settings storage location. |
+
|
+ Sets the settings template catalog path for all users of the computer. |
+
|
+ Sets the synchronization method for all users of the computer: SyncProvider or None. |
+
|
+ Sets the synchronization method for the current user: SyncProvider or None. |
+
|
+ Sets the synchronization time-out in milliseconds for all users of the computer |
+
|
+ Set the synchronization time-out for the current user. |
+
|
+ Clears the specified setting for all users on the computer. |
+
|
+ Clears the specified setting for the current user only. |
+
|
+ Exports the UE-V computer configuration to a settings migration file. The file name extension must be .uev. +The |
+
|
+ Imports the UE-V computer configuration from a settings migration file. The file name extension must be .uev. |
+
Windows PowerShell command |
+ Description |
+
|
+ Extracts the settings from a Microsoft Notepad package file and converts them into a human-readable format in XML. |
+
|
+ Repairs the index of the UE-V settings location templates. |
+
Windows PowerShell command |
+ Description | +
|---|---|
|
+ Displays the active UE-V service settings. User-specific settings have precedence over the computer settings. |
+
|
+ Displays the UE-V service configuration that is defined for a user. |
+
|
+ Displays the UE-V service configuration that is defined for a computer. |
+
|
+ Displays the details for each configuration item. |
+
$config.Put() |
+ Defines a per-computer settings storage location. |
+
|
+ Defines a per-user settings storage location. |
+
|
+ Sets the synchronization time-out in milliseconds for all users of the computer. |
+
|
+ Configures the UE-V service to report when a settings package file size reaches a defined threshold. Set the threshold package file size in bytes for all users of the computer. |
+
|
+ Sets the synchronization method for all users of the computer: SyncProvider or None. |
+
|
+ To enable a specific per-computer setting, clear the setting, and use $null as the setting value. Use UserConfiguration for per-user settings. |
+
|
+ To disable a specific per-computer setting, clear the setting, and use $null as the setting value. Use User Configuration for per-user settings. |
+
|
+ Updates a specific per-computer setting. To clear the setting, use $null as the setting value. |
+
|
+ Updates a specific per-user setting for all users of the computer. To clear the setting, use $null as the setting value. |
+
| WMI command | +Description | +
|---|---|
|
+ Extracts the settings from a package file and converts them into a human-readable format in XML. |
+
|
+ Repairs the index of the UE-V settings location templates. Must be run as administrator. |
+
[Download a list of all settings synced](https://gallery.technet.microsoft.com/Authored-Office-2016-32-0dc05cd8) | Microsoft Access 2016
Microsoft Lync 2016
Microsoft Excel 2016
Microsoft OneNote 2016
Microsoft Outlook 2016
Microsoft PowerPoint 2016
Microsoft Project 2016
Microsoft Publisher 2016
Microsoft SharePoint Designer 2013 (not updated for 2016)
Microsoft Visio 2016
Microsoft Word 2016
Microsoft Office Upload Manager
Microsoft Infopath has been removed (deprecated) from the Office 2016 suite | +| Microsoft Office 2013 applications
[Download a list of all settings synced](https://www.microsoft.com/download/details.aspx?id=46367) | Microsoft Word 2013
Microsoft Excel 2013
Microsoft Outlook 2013
Microsoft Access 2013
Microsoft Project 2013
Microsoft PowerPoint 2013
Microsoft Publisher 2013
Microsoft Visio 2013
Microsoft InfoPath 2013
Microsoft Lync 2013
Microsoft OneNote 2013
Microsoft SharePoint Designer 2013
Microsoft Office 2013 Upload Center
Microsoft OneDrive for Business 2013 +| Microsoft Office 2010 applications
[Download a list of all settings synced](https://www.microsoft.com/download/details.aspx?id=46367) | Microsoft Word 2010
Microsoft Excel 2010
Microsoft Outlook 2010
Microsoft Access 2010
Microsoft Project 2010
Microsoft PowerPoint 2010
Microsoft Publisher 2010
Microsoft Visio 2010
Microsoft SharePoint Workspace 2010
Microsoft InfoPath 2010
Microsoft Lync 2010
Microsoft OneNote 2010
Microsoft SharePoint Designer 2010 | +| Browser options: Internet Explorer 11 and 10 | Synchronize favorites, home page, tabs, and toolbars.
**Note**
UE-V does not roam settings for Internet Explorer cookies. | +| Windows accessories | Microsoft NotePad, WordPad | + +**Notes** +An Outlook profile must be created for any device on which a user wants to sync their Outlook signature. If the profile is not already created, the user can create one and then restart Outlook on that device to enable signature synchronization. + +UE-V does not synchronize settings between the Microsoft Calculator in Windows 10 and the Microsoft Calculator in previous operating systems. + +### Windows settings synchronized by default + +UE-V includes settings location templates that capture settings values for these Windows settings. + +| **Windows settings** | **Description** | **Apply on** | **Export on** | **Default state** | +|----------------------|-----------------|--------------|---------------|-------------------| +| Desktop background | Currently active desktop background or wallpaper | Log on, unlock, remote connect, Scheduled Task events | Log off, lock, remote disconnect, or scheduled task interval | Enabled | +| Ease of Access | Accessibility and input settings, Microsoft Magnifier, Narrator, and on-Screen Keyboard | Log on only | Log off or scheduled task interval | Enabled | +| Desktop settings | Start menu and Taskbar settings, folder options, default desktop icons, additional clocks, and region and language settings | Log on only | Log off or scheduled task | Enabled | + +>**Important** +UE-V roams taskbar settings between Windows 10 devices. However, UE-V does not synchronize taskbar settings between Windows 10 devices and devices running previous operating systems versions. + +| **Settings group** | **Category** | **Capture** | **Apply** | +|--------------------------|----------------|----------------|--------------| +| **Application Settings** | Windows applications | Close appllication
Windows application settings change event | Start the UE-V App Monitor at startup
Open app
Windows application settings change event
Arrival of a settings package | +| | Desktop applications | Application closes | Application opens and closes | +| **Desktop settings** | Desktop background | Lock or log off | Log on, unlock, remote connect, notification of new package arrival, or scheduled task runs | +| | Ease of Access (Common – Accessibility, Narrator, Magnifier, On-Screen-Keyboard) | Lock or Log off | Log on | +| | Ease of Access (Shell - Audio, Accessibility, Keyboard, Mouse) | Lock or log off | Log on, unlock, remote connect, notification of new package arrival, or scheduled task runs | +| | Desktop settings | Lock or log off | Log on | + +### UE-V-support for Windows applications + +For Windows applications, the application developer specifies which user settings are synchronized. You can specify which Windows apps are enabled for settings synchronization. + +To display a list of Windows applications that can synchronize settings with their package family name, enabled status, and enabled source, open a Windows PowerShell window, type Get-UevAppxPackage, and press ENTER. + +>**Note** +Starting in Windows 10, version 1607, you can configure UE-V to not synchronize Windows applications settings if the device is configured to use Enterprise State Roaming. + +### UE-V-support for roaming printers + +Users can print to their saved network printers, including their default network printer, from any network device. + +Printer roaming in UE-V requires one of these scenarios: + +- The print server can download the required driver when it roams to a new device. + +- The driver for the roaming network printer is pre-installed on any device that needs to access that network printer. + +- The printer driver can be imported from Windows Update. + +>**Note** +The UE-V printer roaming feature does not roam printer settings or preferences, such as printing double-sided. + +### Determine whether you need settings synchronized for other applications + +After you have reviewed the settings that are synchronized automatically in a UE-V deployment, you’ll need to decide whether to synchronize settings for other applications as your decision will determine how you deploy UE-V throughout your enterprise. + +As an administrator, when you consider which desktop applications to include in your UE-V solution, consider which settings can be customized by users, and how and where the application stores its settings. Not all desktop applications have settings that can be customized or that are routinely customized by users. In addition, not all desktop applications settings can be synchronized safely across multiple devices or environments. + +In general, you can synchronize settings that meet the following criteria: + +- Settings that are stored in user-accessible locations. For example, do not synchronize settings that are stored in System32 or outside the HKEY\_CURRENT\_USER (HKCU) section of the registry. + +- Settings that are not specific to the particular device. For example, exclude network shortcuts or hardware configurations. + +- Settings that can be synchronized between computers without risk of corrupted data. For example, do not use settings that are stored in a database file. + +### Checklist for evaluating custom applications + +If you’ve decided that you need to synchronize settings for custom applications, use this checklist to determine which applications you’ll include. + +| | **Description** | +|-------|--------------------------| +|  | Does this application contain settings that the user can customize? | +|  | Is it important for the user that these settings are synchronized? | +|  | Are these user settings already managed by an application management or settings policy solution? UE-V applies application settings at application startup and Windows settings at logon, unlock, or remote connect events. If you use UE-V with other settings sharing solutions, users might experience inconsistency across synchronized settings. | +|  | Are the application settings specific to the computer? Application preferences and customizations that are associated with hardware or specific computer configurations do not consistently synchronize across sessions and can cause a poor application experience. | +|  | Does the application store settings in the Program Files directory or in the file directory that is located in the **Users**\\ \[User name\] \\**AppData**\\**LocalLow** directory? Application data that is stored in either of these locations usually should not synchronize with the user, because this data is specific to the computer or because the data is too large to synchronize. | +|  | Does the application store any settings in a file that contains other application data that should not synchronize? UE-V synchronizes files as a single unit. If settings are stored in files that include application data other than settings, then synchronizing this additional data can cause a poor application experience. | +|  | How large are the files that contain the settings? The performance of the settings synchronization can be affected by large files. Including large files can affect the performance of settings synchronization. | + +## Other considerations when preparing a UE-V deployment + +You should also consider these things when you are preparing to deploy UE-V: + +- [Managing credentials synchronization](#managing-credentials-synchronization-in-ue-v) + +- [Windows applications settings synchronization](#windows-applications-settings-synchronization) + +- [Custom UE-V settings location templates](#custom-ue-v-settings-location-templates) + +- [Unintentional user settings configurations](#prevent-unintentional-user-settings-configuration) + +- [Performance and capacity](#performance-and-capacity-planning) + +- [High availability](#high-availability-for-ue-v) + +- [Computer clock synchronization](#synchronize-computer-clocks-for-ue-v-settings-synchronization) + +### Managing credentials synchronization in UE-V + +Many enterprise applications, including Microsoft Outlook, Lync, and Skype for Business prompt users for their domain credentials when they log in. Users have the option of saving their credentials to disk to prevent having to enter them every time they open these applications. Enabling roaming credentials synchronization lets users save their credentials on one computer and avoid re-entering them on every computer they use in their environment. Users can synchronize some domain credentials with UE-V. + +**Important** +Credentials synchronization is disabled by default. You must explicitly enable credentials synchronization after you enable the UE-V service to implement this feature. + +UE-V can synchronize enterprise credentials, but does not roam credentials intended only for use on the local device. + +Credentials are synchronous settings, meaning that they are applied to users' profiles the first time they log on to their devices after UE-V synchronizes. + +Credentials synchronization is managed by its own settings location template, which is disabled by default. You can enable or disable this template through the same methods used for other templates. The template identifier for this feature is RoamingCredentialSettings. + +>**Important** +If you are using Active Directory Credential Roaming in your environment, we recommend that you do not enable the UE-V credential roaming template. Instead, use PowerShell or Group Policy to enable credentials synchronization. Note that credentials are encrypted during synchronization. + +[PowerShell](uev-administering-uev-with-windows-powershell-and-wmi.md)**:** Enter this PowerShell cmdlet to enable credential synchronization: + +`Enable-UevTemplate RoamingCredentialSettings` + +`Copy` + +Use this PowerShell cmdlet to disable credential synchronization: + +`Disable-UevTemplate RoamingCredentialSettings` + +`Copy` + + + +[Group Policy](uev-configuring-uev-with-group-policy-objects.md)**:** You must edit the Group Policy administrative template for UE-V, which is included in Windows 10, version 1607, to enable credential synchronization through group policy. Credentials synchronization is managed in Windows settings. To manage this feature with Group Policy, enable the **Synchronize Windows** settings policy. + +1. Open Group Policy Editor and navigate to **User Configuration > Administrative Templates > Windows Components > Microsoft User Experience Virtualization**. + +2. Double-click **Synchronize Windows settings**. + +3. If this policy is enabled, you can enable credentials synchronization by checking the **Roaming Credentials** check box, or disable credentials synchronization by unchecking it. + +4. Click **OK**. + +### Credential locations synchronized by UE-V + +Credential files saved by applications into the following locations are synchronized: + +- %UserProfile%\\AppData\\Roaming\\Microsoft\\Credentials\\ + +- %UserProfile%\\AppData\\Roaming\\Microsoft\\Crypto\\ + +- %UserProfile%\\AppData\\Roaming\\Microsoft\\Protect\\ + +- %UserProfile%\\AppData\\Roaming\\Microsoft\\SystemCertificates\\ + +Credentials saved to other locations are not synchronized by UE-V. + +### Windows applications settings synchronization + +UE-V manages Windows application settings synchronization in three ways: + +- **Sync Windows applications:** Allow or deny any Windows application synchronization + +- **Windows applications list:** Synchronize a list of Windows applications + +- **Unlisted default sync behavior:** Determine the synchronization behavior of Windows applications that are not in the Windows applications list. + +For more information, see the [Windows Application List](uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md#win8applist). + +### Custom UE-V settings location templates + +If you are deploying UE-V to synchronize settings for custom applications, you’ll use the UE-V template generator to create custom settings location templates for those desktop applications. After you create and test a custom settings location template in a test environment, you can deploy the settings location templates to user devices. + +Custom settings location templates must be deployed with an existing deployment infrastructure, such as an enterprise software distribution method, including System Center Configuration Manager, with preferences, or by configuring a UE-V settings template catalog. Templates that are deployed with Configuration Manager or Group Policy must be registered using UE-V WMI or Windows PowerShell. + +For more information about custom settings location templates, see [Deploy UE-V with custom applications](uev-deploy-uev-for-custom-applications.md). For more information about using UE-V with Configuration Manager, see [Configuring UE-V with System Center Configuration Manager](uev-configuring-uev-with-system-center-configuration-manager.md). + +### Prevent unintentional user settings configuration + +UE-V downloads new user settings information from a settings storage location and applies the settings to the local device in these instances: + +- Each time an application is started that has a registered UE-V template + +- When a user logs on to a device + +- When a user unlocks a device + +- When a connection is made to a remote desktop device running UE-V + +- When the Sync Controller Application scheduled task is run + +If UE-V is installed on computer A and computer B, and the settings that you want for the application are on computer A, then computer A should open and close the application first. If the application is opened and closed on computer B first, then the application settings on computer A are configured to the application settings on computer B. Settings are synchronized between computers on per-application basis. Over time, settings become consistent between computers as they are opened and closed with preferred settings. + +This scenario also applies to Windows settings. If the Windows settings on computer B should be the same as the Windows settings on computer A, then the user should log on and log off computer A first. + +If the user settings that the user wants are applied in the wrong order, they can be recovered by performing a restore operation for the specific application or Windows configuration on the computer on which the settings were overwritten. For more information, see [Manage Administrative Backup and Restore in UE-V](uev-manage-administrative-backup-and-restore.md). + +### Performance and capacity planning + +Specify your requirements for UE-V with standard disk capacity and network health monitoring. + +UE-V uses a Server Message Block (SMB) share for the storage of settings packages. The size of settings packages varies depending on the settings information for each application. While most settings packages are small, the synchronization of potentially large files, such as desktop images, can result in poor performance, particularly on slower networks. + +To reduce problems with network latency, create settings storage locations on the same local networks where the users’ computers reside. We recommend 20 MB of disk space per user for the settings storage location. + +By default, UE-V synchronization times out after 2 seconds to prevent excessive lag due to a large settings package. You can configure the SyncMethod=SyncProvider setting by using [Group Policy objects](uev-configuring-uev-with-group-policy-objects.md). + +### High availability for UE-V + +The UE-V settings storage location and settings template catalog support storing user data on any writable share. To ensure high availability, follow these criteria: + +- Format the storage volume with an NTFS file system. + + + +- The share can use Distributed File System (DFS) replication, but Distributed File System Replication (DFSR) is specifically not supported. Distributed File System Namespaces (DFSN) are supported. For detailed information, see [Microsoft’s Support Statement Around Replicated User Profile Data](http://go.microsoft.com/fwlink/p/?LinkId=313991). + + In addition, because SYSVOL uses DFSR for replication, SYSVOL cannot be used for UE-V data file replication. + +- Configure the share permissions and NTFS access control lists (ACLs) as specified in [Deploying the settings storage location for UE-V](uev-deploy-required-features.md#ssl). + +- Use file server clustering along with the UE-V service to provide access to copies of user state data in the event of communications failures. + +- You can store the settings storage path data (user data) and settings template catalog templates on clustered shares, on DFSN shares, or on both. + +### Synchronize computer clocks for UE-V settings synchronization + +Computers that run the UE-V service must use a time server to maintain a consistent settings experience. UE-V uses time stamps to determine if settings must be synchronized from the settings storage location. If the computer clock is inaccurate, older settings can overwrite newer settings, or the new settings might not be saved to the settings storage location. + +## Confirm prerequisites and supported configurations for UE-V + +Before you proceed, ensure that your environment meets these requirements for using UE-V. + +| **Operating system** | **Edition** | **Service pack** | **System architecture** | **Windows PowerShell** | **Microsoft .NET Framework** | +|--------------------------|---------------|------------------|-------------------------|--------------------------|--------------------------------| +| Windows 10, version 1607 | Windows 10 for Enterprise | NA | 32-bit or 64-bit | Windows PowerShell 3.0 or higher | .NET Framework 4.5 or higher | +| Windows 8 and Windows 8.1 | Enterprise or Pro | None | 32-bit or 64-bit | Windows PowerShell 3.0 or higher | .NET Framework 4.5 or higher | +| Windows Server 2012 and Windows Server 2012 R2 | Standard or Datacenter | None | 64-bit | Windows PowerShell 3.0 or higher | .NET Framework 4.5 or higher | + +**Note** +- Windows Server 2012 operating systems come with .NET Framework 4.5 installed. The Windows 10 operating system comes with .NET Framework 4.6 installed. + +- The “Delete Roaming Cache” policy for mandatory profiles is not supported with UE-V and should not be used. + +There are no special random access memory (RAM) requirements specific to UE-V. + +### Synchronization of settings through the Sync Provider + +Sync Provider is the default setting for users and synchronizes a local cache with the settings storage location in these instances: + +- Log on/log off + +- Lock/unlock + +- Remote desktop connect/disconnect + +- Application open/close + +A scheduled task manages this synchronization of settings every 30 minutes or through trigger events for certain applications. For more information, see [Changing the frequency of UE-V scheduled tasks](uev-changing-the-frequency-of-scheduled-tasks.md). + +The UE-V service synchronizes user settings for devices that are not always connected to the enterprise network (remote devices and laptops) and devices that are always connected to the network (devices that run Windows Server and host virtual desktop interface (VDI) sessions). + +**Synchronization for computers with always-available connections** When you use UE-V on devices that are always connected to the network, you must configure the UE-V service to synchronize settings by using the *SyncMethod=None* parameter, which treats the settings storage server as a standard network share. In this configuration, the UE-V service can be configured to notify if the import of the application settings is delayed. + +Enable this configuration using one of these methods: + +- After you enable the UE-V service, use the Settings Management feature in System Center Configuration Manager or the UE-V ADMX templates (installed with Windows 10, version 1607) to push the SyncMethod = None configuration. + +- Use Windows PowerShell or Windows Management Instrumentation (WMI) to set the SyncMethod = None configuration. + +Restart the device to allow the settings to synchronize. + +- >**Note** +These methods do not work for pooled virtual desktop infrastructure (VDI) environments. + + +>**Note** +If you set *SyncMethod = None*, any settings changes are saved directly to the server. If the network connection to the settings storage path is not found, then the settings changes are cached on the device and are synchronized the next time that the sync provider runs. If the settings storage path is not found and the user profile is removed from a pooled VDI environment on log off, settings changes are lost and the user must reapply the change when the computer is reconnected to the settings storage path. + +**Synchronization for external sync engines** The *SyncMethod=External* parameter specifies that if UE-V settings are written to a local folder on the user device, then any external sync engine (such as OneDrive for Business, Work Folders, Sharepoint, or Dropbox) can be used to apply these settings to the different devices that users access. + +**Support for shared VDI sessions** UE-V supports VDI sessions that are shared among end users. You can register and configure a special VDI template, which ensures that UE-V keeps all of its functionality intact for non-persistent VDI sessions. + +>**Note** +If you do not enable VDI mode for non-persistent VDI sessions, certain features do not work, such as [back-up/restore and last known good (LKG)](uev-manage-administrative-backup-and-restore.md). + +The VDI template is provided with UE-V and is typically available here after installation: C:\ProgramData\Microsoft\UEV\InboxTemplates + +### Prerequisites for UE-V template generator support + +Install the UE-V template generator on the device that is used to create custom settings location templates. This device should be able to run the applications that you want to synchronize settings for. You must be a member of the Administrators group on the device that runs the UE-V template generator software. + +The UE-V template generator must be installed on a device that uses an NTFS file system. The UE-V template generator software requires .NET Framework 4. For more information, see [Use UE-V with custom applications](uev-deploy-uev-for-custom-applications.md). + +## Other resources for this feature + +- [User Experience Virtualization overview](uev-for-windows.md) + +- [Get started with UE-V](uev-getting-started.md) + +- [Upgrade to UE-V for Windows 10](uev-upgrade-uev-from-previous-releases.md) + +- [Administering UE-V ](uev-administering-uev.md) + +- [Troubleshooting UE-V ](uev-troubleshooting.md) + +- [Technical Reference for UE-V](uev-technical-reference.md) diff --git a/windows/manage/uev-privacy-statement.md b/windows/manage/uev-privacy-statement.md new file mode 100644 index 0000000000..30e1e65622 --- /dev/null +++ b/windows/manage/uev-privacy-statement.md @@ -0,0 +1,156 @@ +--- +title: User Experience Virtualization Privacy Statement +description: User Experience Virtualization Privacy Statement +author: jamiejdt +ms.assetid: c2919034-f2cf-48d6-b18e-4dd318252426 +ms.pagetype: mdop, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w8 +--- + + +# User Experience Virtualization Privacy Statement + + +Microsoft is committed to protecting your privacy, while delivering software that brings you the performance, power, and convenience you desire in your personal computing. This privacy statement explains many of the data collection and use practices of Microsoft User Experience Virtualization (“UE-V”). This is a preliminary disclosure that focuses on features that communicate with the Internet and is not intended to be an exhaustive list. + +Microsoft User Experience Virtualization allows the separation of settings from an application or operating system. Those settings can then be transferred to a remote storage location, eliminating the constraints of local storage and giving users the ability to have their settings follow them to other computers. + +## Collection and Use of Your Information + + +The information we collect from you will be used by Microsoft and its controlled subsidiaries and affiliates to enable the features you are using and provide the service(s) or carry out the transaction(s) you have requested or authorized. It may also be used to analyze and improve Microsoft products and services. + +We may send certain mandatory service communications such as welcome letters, billing reminders, information on technical service issues, and security announcements. Some Microsoft services may send periodic member letters that are considered part of the service. We may occasionally request your feedback, invite you to participate in surveys, or send you promotional mailings to inform you of other products or services available from Microsoft and its affiliates. + +In order to offer you a more consistent and personalized experience in your interactions with Microsoft, information collected through one Microsoft service may be combined with information obtained through other Microsoft services. We may also supplement the information we collect with information obtained from other companies. For example, we may use services from other companies that enable us to derive a general geographic area based on your IP address in order to customize certain services to your geographic area. + +Except as described in this statement, personal information you provide will not be transferred to third parties without your consent. We occasionally hire other companies to provide limited services on our behalf, such as packaging, sending and delivering purchases and other mailings, answering customer questions about products or services, processing event registration, or performing statistical analysis of our services. We will only provide those companies the personal information they need to deliver the service, and they are prohibited from using that information for any other purpose. + +Microsoft may access or disclose information about you, including the content of your communications, in order to: (a) comply with the law or respond to lawful requests or legal process; (b) protect the rights or property of Microsoft or our customers, including the enforcement of our agreements or policies governing your use of the services; or (c) act on a good faith belief that such access or disclosure is necessary to protect the personal safety of Microsoft employees, customers, or the public. We may also disclose personal information as part of a corporate transaction such as a merger or sale of assets. + +Information that is collected by or sent to Microsoft by UE-V may be stored and processed in the United States or any other country in which Microsoft or its affiliates, subsidiaries, or service providers maintain facilities. Microsoft abides by the safe harbor framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of data from the European Union, the European Economic Area, and Switzerland. + +## Collection and Use of Information about Your Computer + + +When you use software with Internet-enabled features, information about your computer ("standard computer information") is sent to the Web sites you visit and online services you use. Microsoft uses standard computer information to provide you Internet-enabled services, to help improve our products and services, and for statistical analysis. Standard computer information typically includes information such as your IP address, operating system version, browser version, and regional and language settings. In some cases, standard computer information may also include hardware ID, which indicates the device manufacturer, device name, and version. If a particular feature or service sends information to Microsoft, standard computer information will be sent as well. + +The privacy details for each UE-V feature, software or service listed in this privacy statement describe what additional information is collected and how it is used. + +## Security of Your Information + + +Microsoft is committed to helping protect the security of your information. We use a variety of security technologies and procedures to help protect your information from unauthorized access, use, or disclosure. For example, we store the information you provide on computer systems with limited access, which are located in controlled facilities. + +## Changes to This Privacy Statement + + +We will occasionally update this privacy statement to reflect changes in our products, services, and customer feedback. When we post changes, we will revise the "last updated" date at the top of this statement. If there are material changes to this statement or in how Microsoft will use your personal information, we will notify you either by posting a notice of such changes prior to implementing the change or by directly sending you a notification. We encourage you to periodically review this statement to be informed of how Microsoft is protecting your information. + +## For More Information + + +Microsoft welcomes your comments regarding this privacy statement. If you have questions about this statement or believe that we have not adhered to it, please contact us [MSUEVPrivacy@microsoft.com](mailto:%20MSUEVPrivacy@microsoft.com). + +## Specific features + + +The remainder of this document will address the following specific features: + +### UE-V Generator + +**What This Feature Does**: + +The UE-V generator is used to create settings location templates. These templates allow users to roam the settings for their applications. + +**Information Collected, Processed, or Transmitted**: + +When creating a settings location template the UE-V generator uses a Lightweight Directory Access Protocol (LDAP) query to get username and email address of the current logged in user. This information is stored in the template as the template author name and template author email. None of this information is sent to Microsoft. + +If you plan to share settings location templates with anyone outside your organization you should review all the settings locations and ensure the settings location template do not contain any personal or company information. You can view the contents by opening the settings location template files using any XML viewer. The following are ways you can view and remove any personal or company information from the settings location template files before sharing with anyone outside your company: + +- **Template Author Name** – Specify a general, non-identifying name for the template author name or exclude this data from the template. + +- **Template Author Email** – Specify a general, non-identifying template author email or exclude this data from the template. + +**Use of Information**: + +The template author name and template author email can be used to identify the author of settings location template. If you share the template, the author name and email is viewable to all who use the template. No information is sent to Microsoft. + +**Choice/Control**: + +To remove the template author name or template author email, start the UE-V generator application. Select **Edit a Settings Location Template**. Select the settings location template to edit from the recently used templates or Browse to the settings template file. Select **Next** to continue. On the Properties page, remove the data from the Template author name or Template author email text fields. Save the settings location template. + +## Customer Experience Improvement Program + + +**What This Feature Does:** + +The Customer Experience Improvement Program (“CEIP”) collects basic information about your hardware configuration and how you use our software and services in order to identify trends and usage patterns. CEIP also collects the type and number of errors you encounter, software and hardware performance, and the speed of services. We will not collect your name, address, or other contact information. + +**Information Collected, Processed, or Transmitted:** + +For more information about the information collected, processed, or transmitted by CEIP, see the CEIP privacy statement at
| User account | +Recommended permissions | +
|---|---|
Everyone |
+ No permissions |
+
Security group of UE-V |
+ Full control |
+
| User account | +Recommended permissions | +Folder | +
|---|---|---|
Creator/Owner |
+ No permissions |
+ No permissions |
+
Domain Admins |
+ Full control |
+ This folder, subfolders, and files |
+
Security group of UE-V users |
+ List folder/read data, create folders/append data |
+ This folder only |
+
Everyone |
+ Remove all permissions |
+ No permissions |
+
| User account | +Recommend permissions | +
|---|---|
Everyone |
+ No permissions |
+
Domain computers |
+ Read permission Levels |
+
Administrators |
+ Read/write permission levels |
+
| User account | +Recommended permissions | +Apply to | +
|---|---|---|
Creator/Owner |
+ Full control |
+ This folder, subfolders, and files |
+
Domain Computers |
+ List folder contents and Read permissions |
+ This folder, subfolders, and files |
+
Everyone |
+ No permissions |
+ No permissions |
+
Administrators |
+ Full Control |
+ This folder, subfolders, and files |
+
This default setting is the gold standard for computers. This option attempts to synchronize the setting and times out after a short delay to ensure that the application or operating system startup isn’t delayed for a long period of time.
This functionality is also tied to the Scheduled task – Sync Controller Application. The administrator controls the frequency of the Scheduled task. By default, computers synchronize their settings every 30 min after logging on. | +| External | This configuration method specifies that if UE-V settings are written to a local folder on the user computer, then any external sync engine (such as OneDrive for Business, Work Folders, Sharepoint, or Dropbox) can be used to apply these settings to the different computers that users access. | +| None | This configuration setting is designed for the Virtual Desktop Infrastructure (VDI) and Streamed Application experience primarily. This setting should be used on computers running the Windows Server operating system in a datacenter, where the connection will always be available.
Any settings changes are saved directly to the server. If the network connection to the settings storage path is not available, then the settings changes are cached on the device and are synchronized the next time that the Sync Provider runs. If the settings storage path is not found and the user profile is removed from a pooled VDI environment on logoff, then these settings changes are lost, and the user must reapply the change when the computer can again reach the settings storage path.
Apps and OS will wait indefinitely for the location to be present. This could cause App load or OS logon time to dramatically increase if the location is not found. | + +You can configure the sync method in these ways: + +- Through [Group Policy](uev-configuring-uev-with-group-policy-objects.md) settings + +- With the [System Center Configuration Pack](uev-configuring-uev-with-system-center-configuration-manager.md) for UE-V + +- With [Windows PowerShell or Windows Management Instrumentation (WMI)](uev-administering-uev-with-windows-powershell-and-wmi.md) + +## Have a suggestion for UE-V? + +Add or vote on suggestions [here](http://uev.uservoice.com/forums/280428-microsoft-user-experience-virtualization). For UE-V issues, use the [UE-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-us/home?forum=mdopuev&filter=alltypes&sort=lastpostdesc). + +## Related topics + +[Deploy Required UE-V Features](uev-deploy-required-features.md) + +[Technical Reference for UE-V](uev-technical-reference.md) diff --git a/windows/manage/uev-sync-trigger-events.md b/windows/manage/uev-sync-trigger-events.md new file mode 100644 index 0000000000..811a463e97 --- /dev/null +++ b/windows/manage/uev-sync-trigger-events.md @@ -0,0 +1,126 @@ +--- +title: Sync Trigger Events for UE-V +description: Sync Trigger Events for UE-V +author: MaggiePucciEvans +ms.pagetype: mdop, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + +# Sync Trigger Events for UE-V + + +User Experience Virtualization (UE-V) lets you synchronize your application and Windows settings across all your domain-joined devices. *Sync trigger events* define when the UE-V service synchronizes those settings with the settings storage location. For more information about Sync Method configuration, see [Sync Methods for UE-V](uev-sync-methods.md). + +## UE-V Sync Trigger Events + + +The following table explains the trigger events for classic applications and Windows settings. + +
UE-V Trigger Event |
+SyncMethod=SyncProvider |
+SyncMethod=None |
+
Windows Logon |
+
|
+
|
+
Windows Logoff |
+Store changes locally and cache and copy asynchronous and synchronous Windows settings to the settings storage location server, if available |
+Store changes to asynchronous and synchronous Windows settings storage location |
+
Windows Connect (RDP) / Unlock |
+Synchronize any asynchronous Windows settings from settings storage location to local cache, if available. +Apply cached Windows settings |
+Download and apply asynchronous windows settings from settings storage location |
+
Windows Disconnect (RDP) / Lock |
+Store asynchronous Windows settings changes to the local cache. +Synchronize any asynchronous Windows settings from the local cache to settings storage location, if available |
+Store asynchronous Windows settings changes to the settings storage location |
+
Application start |
+Apply application settings from local cache as the application starts |
+Apply application settings from settings storage location as the application starts |
+
Application closes |
+Store any application settings changes to the local cache and copy settings to settings storage location, if available |
+Store any application settings changes to settings storage location |
+
Sync Controller Scheduled Task + |
+Application and Windows settings are synchronized between the settings storage location and the local cache. +
+Note
+
+Settings changes are not cached locally until an application closes. This trigger will not export changes made to a currently running application. +For Windows settings, this means that any changes will not be cached locally and exported until the next Lock (Asynchronous) or Logoff (Asynchronous and Synchronous). +
+
+
+Settings are applied in these cases: +
|
+NA |
+
Asynchronous Settings updated on remote store* |
+Load and apply new asynchronous settings from the cache. |
+Load and apply settings from central server |
+
| Office 2016 templates (UE-V for Windows 10 and Windows 10, version 1607, available in UE-V gallery) | +Office 2013 templates (UE-V for Windows 10 and UE-V 2.x, available on UE-V gallery) | +Office 2010 templates (UE-V 1.0 and 1.0 SP1) | +
|---|---|---|
MicrosoftOffice2016Win32.xml +MicrosoftOffice2016Win64.xml +MicrosoftSkypeForBusiness2016Win32.xml +MicrosoftSkypeForBusiness2016Win64.xml |
+MicrosoftOffice2013Win32.xml +MicrosoftOffice2013Win64.xml +MicrosoftLync2013Win32.xml +MicrosoftLync2013Win64.xml |
+MicrosoftOffice2010Win32.xml +MicrosoftOffice2010Win64.xml +MicrosoftLync2010.xml + |
+
Microsoft Access 2016 +Microsoft Lync 2016 +Microsoft Excel 2016 +Microsoft OneNote 2016 +Microsoft Outlook 2016 +Microsoft PowerPoint 2016 +Microsoft Project 2016 +Microsoft Publisher 2016 +Microsoft SharePoint Designer 2013 (not udpated for 2016) +Microsoft Visio 2016 +Microsoft Word 2016 +Microsoft Office Upload Manager |
+Microsoft Access 2013 +Microsoft Lync 2013 +Microsoft Excel 2013 +Microsoft InfoPath 2013 +Microsoft OneNote 2013 +Microsoft Outlook 2013 +Microsoft PowerPoint 2013 +Microsoft Project 2013 +Microsoft Publisher 2013 +Microsoft SharePoint Designer 2013 +Microsoft Visio 2013 +Microsoft Word 2013 +Microsoft Office Upload Manager |
+Microsoft Access 2010 +Microsoft Lync 2010 +Microsoft Excel 2010 +Microsoft InfoPath 2010 +Microsoft OneNote 2010 +Microsoft Outlook 2010 +Microsoft PowerPoint 2010 +Microsoft Project 2010 +Microsoft Publisher 2010 +Microsoft SharePoint Designer 2010 +Microsoft Visio 2010 +Microsoft Word 2010 + |
+