deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-14 22:37:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'master' of https://cpubwin.visualstudio.com/_git/it-client into FromPrivateRepo

Browse Source
This commit is contained in:
huaping yu 2018-10-16 15:35:07 -07:00
commit 74383a4ca7
11 changed files with 103 additions and 72 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
education/windows/take-a-test-multiple-pcs.md
View File

@ -154,23 +154,26 @@ To set up a test account through Windows Configuration Designer, follow these st
4. Follow the steps in [Apply a provisioning package](https://technet.microsoft.com/en-us/itpro/windows/configure/provisioning-apply-package) to apply the package that you created.
### Set up a test account in Group Policy
To set up a test account using Group Policy, first create a Powershell script that configures the test account and assessment URL, and then create a scheduled task to run the script.
### Set up a tester account in Group Policy
To set up a tester account using Group Policy, first create a Powershell script that configures the tester account and assessment URL, and then create a scheduled task to run the script.
#### Create a PowerShell script
This sample PowerShell script configures the test account and the assessment URL. Edit the sample to:
This sample PowerShell script configures the tester account and the assessment URL. Edit the sample to:
- Use your assessment URL for **$obj.LaunchURI**
- Use your test account for **$obj.TesterAccount**
- Use your test account for **-UserName**
- Use your tester account for **$obj.TesterAccount**
- Use your tester account for **-UserName**
```
$obj = get-wmiobject -namespace root/cimv2/mdm/dmmap -class MDM_SecureAssessment -filter "InstanceID='SecureAssessment' AND ParentID='./Vendor/MSFT'";
$obj.LaunchURI='http://www.foo.com';
$obj.TesterAccount='TestAccount';
$obj.put()
Set-AssignedAccess -AppUserModelId Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App -UserName TestAccount
```
>[!NOTE]
>The account that you specify for the tester account must already exist on the device.
```
$obj = get-wmiobject -namespace root/cimv2/mdm/dmmap -class MDM_SecureAssessment -filter "InstanceID='SecureAssessment' AND ParentID='./Vendor/MSFT'";
$obj.LaunchURI='http://www.foo.com';
$obj.TesterAccount='TestAccount';
$obj.put()
Set-AssignedAccess -AppUserModelId Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App -UserName TestAccount
```
#### Create a scheduled task in Group Policy
1. Open the Group Policy Management Console.

46
windows/application-management/msix-app-packaging-tool.md
View File

@ -8,42 +8,19 @@ ms.sitesec: library
ms.localizationpriority: medium
ms.author: mikeblodge
ms.topic: article
ms.date: 09/21/2018
ms.date: 10/16/2018
---
# Repackage existing win32 applications to the MSIX format
The MSIX Packaging Tool (Preview) is now available to install from the Microsoft Store. The MSIX Packaging Tool enables you to repackage your existing win32 applications to the MSIX format. You can run your desktop installers through this tool interactively and obtain an MSIX package that you can install on your machine and upload to the Microsoft Store (coming soon).
The MSIX Packaging Tool is now available to install from the Microsoft Store. The MSIX Packaging Tool enables you to repackage your existing win32 applications to the MSIX format. You can run your desktop installers through this tool interactively and obtain an MSIX package that you can install on your machine and upload to the Microsoft Store.
> Prerequisites:
- Participation in the Windows Insider Program
- Participate in the Windows Insider Program or update to Windows 10 October 2018 Update (version 1809)
- Minimum Windows 10 build 17701
- Admin privileges on your PC account
- A valid MSA alias (to access the app from the Store)
## What's new
v1.2018.915.0
- Updated UI to improve clarity and experience
- Ability to generate a template file for use with a command line
- Ability to add/remove entry points
- Ability to sign your package from package editor
- File extension handling
v1.2018.821.0
- Command Line Support
- Ability to use existing local virtual machines for packaging environment.
- Ability to cross check publisher information in the manifest with a signing certificate to avoid signing issues.
- Minor updates to the UI for added clarity.
v1.2018.807.0
- Ability to add/edit/remove file and registry exclusion items is now supported in Settings menu.
- Fixed an issue where signing with password protected certificates would fail in the tool.
- Fixed an issue where the tool was crashing when editing an existing MSIX package.
- Fixed an issue where the tool was injecting whitespaces programmatically to install location paths that was causing conversion failures.
- Minor UI tweaks to add clarity.
- Minor updates to the logs to add clarity.
- A valid Micorsoft account (MSA) alias to access the app from the Store
## Installing the MSIX Packaging Tool
@ -51,7 +28,7 @@ v1.2018.807.0
2. Open the product description page.
3. Click the install icon to begin installation.
This is an early preview build and not all features are supported. Here is what you can expect to be able to do with this preview:
Here is what you can expect to be able to do with this tool:
- Package your favorite application installer interactively (msi, exe, App-V 5.x and ClickOnce) to MSIX format by launching the tool and selecting **Application package** icon.
- Create a modification package for a newly created Application MSIX Package by launching the tool and selecting the **Modification package** icon.
@ -99,7 +76,8 @@ Requirements:
AllowTelemetry="true"
ApplyAllPrepareComputerFixes="true"
GenerateCommandLineFile="true"
AllowPromptForPassword="false" >
AllowPromptForPassword="false"
EnforceMicrosoftStoreVersioningRequirements="false">
<ExclusionItems>
<FileExclusion ExcludePath="[{CryptoKeys}]" />
@ -200,6 +178,7 @@ Here is the complete list of parameters that you can use in the Conversion templ
|Settings:: ApplyAllPrepareComputerFixes |[optional] Applies all recommended prepare computer fixes. Cannot be set when other attributes are used. |
|Settings:: GenerateCommandLineFile |[optional] Copies the template file input to the SaveLocation directory for future use. |
|Settings:: AllowPromptForPassword |[optional] Instructs the tool to prompt the user to enter passwords for the Virtual Machine and for the signing certificate if it is required and not specified. |
|Settings:: EnforceMicrosoftStoreVersioningRequirements|[optional] Instructs the tool to enforce the package versioning scheme required for deployment from Microsoft Store and Microsoft Store for Business.|
|ExclusionItems |[optional] 0 or more FileExclusion or RegistryExclusion elements. All FileExclusion elements must appear before any RegistryExclusion elements. |
|ExclusionItems::FileExclusion |[optional] A file to exclude for packaging. |
|ExclusionItems::FileExclusion::ExcludePath |Path to file to exclude for packaging. |
@ -250,8 +229,7 @@ Open Feedback Hub. Alternatively, launch the tool and select the **Settings** ge
- Performing the preparation steps on the **Prepare Computer** page is optional but *highly recommended*.
## Known issues
1. MSIX Packaging Tool Driver will fail to install if Windows Insider flight ring settings do no match the OS build of the conversion environment. Navigate to Settings, Updates & Security, Windows Insider Program to make sure your Insider preview build settings do not need attention. If you see this message click on the Fix me button to log in again. You might have to go to Windows Update page and check for update before settings change takes effect. Then try to run the tool again to download the MSIX Packaging Tool driver. If you are still hitting issues, try changing your flight ring to Canary or Insider Fast, install the latest Windows updates and try again.
2. You cannot edit the manifest manually from within the tool. (edit manifest button is disabled). Please use the SDK tools to unpack the MSIX package to edit the manifest manually.
3. Restarting the machine during application installation is not supported. Please ignore the restart request if possible or pass an argument to the installer to not require a restart.
- MSIX Packaging Tool Driver will fail to install if Windows Insider flight ring settings do no match the OS build of the conversion environment. Navigate to Settings, Updates & Security, Windows Insider Program to make sure your Insider preview build settings do not need attention. If you see this message click on the Fix me button to log in again. You might have to go to Windows Update page and check for update before settings change takes effect. Then try to run the tool again to download the MSIX Packaging Tool driver. If you are still hitting issues, try changing your flight ring to Canary or Insider Fast, install the latest Windows updates and try again.
- Restarting the machine during application installation is not supported. Please ignore the restart request if possible or pass an argument to the installer to not require a restart.
- Setting **EnforceMicrosoftStoreVersioningRequirements=true**, when using the command line interface, will throw an error, even if the vesrion is set correctly. To work around this issue, use **EnforceMicrosoftStoreVersioningRequirements=false** in the conversion template file.
- Adding files to MSIX packages in package editor does not add the file to the folder that the user right-clicks. To work around this issue, ensure that the file being added is in the correct classic app location. For example if you want to add a file in the VFS\ProgramFilesx86\MyApp folder, copy the file locally to your C:\Program Files (86)\MyApp location first, then in the package editor right-click **Package files**, and then click **Add file**. Browse to the newly copied file, then click **Save**.

2
windows/configuration/ue-v/uev-for-windows.md
View File

@ -96,4 +96,4 @@ You can also [customize UE-V to synchronize settings](uev-deploy-uev-for-custom-
## Have a suggestion for UE-V?
Add or vote on suggestions on the [User Experience Virtualization feedback site](http://uev.uservoice.com/forums/280428-microsoft-user-experience-virtualization).<br>For UE-V issues, use the [UE-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-us/home?forum=mdopuev&filter=alltypes&sort=lastpostdesc).
For UE-V issues, use the [UE-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-us/home?forum=mdopuev&filter=alltypes&sort=lastpostdesc).

5
windows/security/threat-protection/index.md
View File

@ -55,11 +55,12 @@ The attack surface reduction set of capabilities provide the first line of defen
**[Next generation protection](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)**<br>
To further reinforce the security perimeter of your network, Windows Defender ATP uses next generation protection designed to catch all types of emerging threats.
- [Windows Defender Antivirus](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)
- [Behavior monitoring](/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus)
- [Cloud-based protection](/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus)
- [Machine learning](windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
- [URL Protection](/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus)
- [Automated sandbox service](windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md)
<a name="edr"></a>
**[Endpoint protection and response](windows-defender-atp/overview-endpoint-detection-response.md)**<br>

2
windows/security/threat-protection/intelligence/supply-chain-malware.md
View File

@ -17,6 +17,8 @@ Supply chain attacks are an emerging kind of threat that target software develop
## How supply chain attacks work
[!video https://www.youtube.com/embed/uXm2XNSavwo]
Attackers hunt for unsecure network protocols, unprotected server infrastructures, and unsafe coding practices. They break in, change source codes, and hide malware in build and update processes.
Because software is built and released by trusted vendors, these apps and updates are signed and certified. In software supply chain attacks, vendors are likely unaware that their apps or updates are infected with malicious code when theyre released to the public. The malicious code then runs with the same trust and permissions as the app.

6
windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md
View File

@ -44,7 +44,7 @@ These settings, located at **Computer Configuration\Administrative Templates\Win
|Allow Persistence|Windows 10 Enterprise, 1709 or higher<br><br>Windows 10 Pro, 1803 or higher|Determines whether data persists across different sessions in Windows Defender Application Guard.|**Enabled.** Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.<br><br>**Disabled or not configured.** All user data within Application Guard is reset between sessions.<br><br>**Note**<br>If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.<br>**To reset the container:**<ol><li>Open a command-line program and navigate to Windows/System32.</li><li>Type `wdagtool.exe cleanup`.<br>The container environment is reset, retaining only the employee-generated data.</li><li>Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`.<br>The container environment is reset, including discarding all employee-generated data.</li></ol>|
|Turn on Windows Defender Application Guard in Enterprise Mode|Windows 10 Enterprise, 1709 or higher|Determines whether to turn on Application Guard for Microsoft Edge.|**Enabled.** Turns on Application Guard for Microsoft Edge, honoring the network isolation settings, rendering non-enterprise domains in the Application Guard container. Be aware that Application Guard won't actually be turned On unless the required prerequisites and network isolation settings are already set on the device.<br><br>**Disabled.** Turns Off Application Guard, allowing all apps to run in Microsoft Edge.|
|Allow files to download to host operating system|Windows 10 Enterprise, 1803 or higher|Determines whether to save downloaded files to the host operating system from the Windows Defender Application Guard container.|**Enabled.** Allows users to save downloaded files from the Windows Defender Application Guard container to the host operating system.<br><br>**Disabled or not configured.** Users are not able to saved downloaded files from Application Guard to the host operating system.|
|Allow hardware-accelerated rendering for Windows Defender Application Guard|Windows 10 Enterprise, 1803 or higher<br><br>Windows 10 Pro, 1803 or higher|Determines whether Windows Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** Windows Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Windows Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Windows Defender Application Guard will automatically revert to software-based (CPU) rendering.<br><br><ul>**Important**<br>Be aware that enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.<br><br></ul>**Disabled or not configured.** Windows Defender Application Guard uses software-based (CPU) rendering and wont load any third-party graphics drivers or interact with any connected graphics hardware.<br><br>.|
|Allow camera and microphone access in Windows Defender Application Guard|Windows 10 Enterprise, 1809 or higher<br><br>Windows 10 Pro, 1809 or higher|Determines whether to allow camera and microphone access inside Windows Defender Application Guard.|**Enabled.** Applications inside Windows Defender Application Guard are able to access the camera and microphone on the user's device.<br><br></ul>**Important**<br>Be aware that enabling this policy with a potentially compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge.<br><br></ul>**Disabled or not configured.** Applications inside Windows Defender Application Guard are unable to access the camera and microphone on the user's device.<br><br>.|
|Allow hardware-accelerated rendering for Windows Defender Application Guard|Windows 10 Enterprise, 1803 or higher<br><br>Windows 10 Pro, 1803 or higher|Determines whether Windows Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** Windows Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Windows Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Windows Defender Application Guard will automatically revert to software-based (CPU) rendering.<br><br><ul>**Important**<br>Be aware that enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.<br><br></ul>**Disabled or not configured.** Windows Defender Application Guard uses software-based (CPU) rendering and wont load any third-party graphics drivers or interact with any connected graphics hardware.|
|Allow camera and microphone access in Windows Defender Application Guard|Windows 10 Enterprise, 1809 or higher<br><br>Windows 10 Pro, 1809 or higher|Determines whether to allow camera and microphone access inside Windows Defender Application Guard.|**Enabled.** Applications inside Windows Defender Application Guard are able to access the camera and microphone on the user's device.<br><br></ul>**Important**<br>Be aware that enabling this policy with a potentially compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge.<br><br></ul>**Disabled or not configured.** Applications inside Windows Defender Application Guard are unable to access the camera and microphone on the user's device.|
|Allow Windows Defender Application Guard to use Root Certificate Authorities from users's device|Windows 10 Enterprise, 1809 or higher<br><br>Windows 10 Pro, 1809 or higher|Determines whether Root Certificates are shared with Windows Defender Application Guard.|**Enabled.** Certificates matching the specified thumbprint are transferred into the container. Multiple certificates can be specified by using a common to separate.<br><br></ul>**Disabled or not configured.** Certificates are not shared with Windows Defender Application Guard.<br><br>.|
|Allow users to trust files that open in Windows Defender Application Guard|Windows 10 Enterprise, 1809 or higher|Determines whether users are able to manually trust untrusted files to open them on the host.|**Enabled.** Users are able to manually trust files or trust files after an antivirus check.<br><br></ul>**Disabled or not configured.** Users are unable to manually trust files and files continue to open in Windows Defender Application Guard.<br><br>.|
|Allow users to trust files that open in Windows Defender Application Guard|Windows 10 Enterprise, 1809 or higher|Determines whether users are able to manually trust untrusted files to open them on the host.|**Enabled.** Users are able to manually trust files or trust files after an antivirus check.<br><br></ul>**Disabled or not configured.** Users are unable to manually trust files and files continue to open in Windows Defender Application Guard.|

BIN
windows/security/threat-protection/windows-defender-application-guard/images/appguard-gp-allow-camera-and-mic.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 129 KiB

BIN
windows/security/threat-protection/windows-defender-application-guard/images/appguard-gp-allow-root-certificates.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 116 KiB

BIN
windows/security/threat-protection/windows-defender-application-guard/images/appguard-gp-allow-users-to-trust-files-that-open-in-appguard.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 154 KiB

BIN
windows/security/threat-protection/windows-defender-application-guard/images/appguard-security-center-settings.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 317 KiB

83
windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md
View File

@ -8,7 +8,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: justinha
ms.author: justinha
ms.date: 10/19/2017
ms.date: 10/16/2018
---
# Application Guard testing scenarios
@ -66,9 +66,9 @@ Before you can use Application Guard in enterprise mode, you must install Window
![Group Policy editor with Neutral resources setting](images/appguard-gp-network-isolation-neutral.png)
4. Go to the **Administrative Templates\System\Windows Components\Windows Defender Application Guard\Turn on Windows Defender Application Guard in Enterprise Mode** setting.
4. Go to the **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard\Turn on Windows Defender Application Guard in Enterprise Mode** setting.
5. Click **Enabled**.
5. Click **Enabled** and click **OK**.
![Group Policy editor with Turn On/Off setting](images/appguard-gp-turn-on.png)
@ -104,10 +104,11 @@ You have the option to change each of these settings to work with your enterpris
- Windows 10 Enterpise edition, version 1709 or higher
- Windows 10 Professional edition, version 1803
**To change the copy and paste options**
1. Go to the **Administrative Templates\System\Windows Components\Windows Defender Application Guard\Configure Windows Defender Application Guard clipboard settings**.
#### Copy and paste options
2. Click **Enabled**.
1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard\Configure Windows Defender Application Guard clipboard settings**.
2. Click **Enabled** and click **OK**.
![Group Policy editor clipboard options](images/appguard-gp-clipboard.png)
@ -129,10 +130,11 @@ You have the option to change each of these settings to work with your enterpris
5. Click **OK**.
**To change the print options**
1. Go to the **Administrative Templates\System\Windows Components\Windows Defender Application Guard\Configure Windows Defender Application Guard print** settings.
#### Print options
2. Click **Enabled**.
1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard\Configure Windows Defender Application Guard print** settings.
2. Click **Enabled** and click **OK**.
![Group Policy editor Print options](images/appguard-gp-print.png)
@ -140,10 +142,11 @@ You have the option to change each of these settings to work with your enterpris
4. Click **OK**.
**To change the data persistence options**
1. Go to the **Administrative Templates\System\Windows Components\Windows Defender Application Guard\Allow data persistence for Windows Defender Application Guard** setting.
#### Data persistence options
2. Click **Enabled**.
1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard\Allow data persistence for Windows Defender Application Guard** setting.
2. Click **Enabled** and click **OK**.
![Group Policy editor Data Persistence options](images/appguard-gp-persistence.png)
@ -164,10 +167,11 @@ You have the option to change each of these settings to work with your enterpris
- Windows 10 Enterpise edition, version 1803
- Windows 10 Professional edition, version 1803
**To change the download options**
1. Go to the **Administrative Templates\System\Windows Components\Windows Defender Application Guard\Allow files to download and save to the host operating system from Windows Defender Application Guard** setting.
#### Download options
2. Click **Enabled**.
1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard\Allow files to download and save to the host operating system from Windows Defender Application Guard** setting.
2. Click **Enabled** and click **OK**.
![Group Policy editor Download options](images/appguard-gp-download.png)
@ -177,10 +181,11 @@ You have the option to change each of these settings to work with your enterpris
5. Check to see the file has been downloaded into This PC > Downloads > Untrusted files.
**To change hardware acceleration options**
1. Go to the **Administrative Templates\System\Windows Components\Windows Defender Application Guard\Allow hardware-accelerated rendering for Windows Defender Application Guard** setting.
#### Hardware acceleration options
2. Click **Enabled**.
1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard\Allow hardware-accelerated rendering for Windows Defender Application Guard** setting.
2. Click **Enabled** and click **OK**.
![Group Policy editor hardware acceleration options](images/appguard-gp-vgpu.png)
@ -188,3 +193,45 @@ You have the option to change each of these settings to work with your enterpris
4. Assess the visual experience and battery performance.
**Applies to:**
- Windows 10 Enterpise edition, version 1809
- Windows 10 Professional edition, version 1809
#### File trust options
1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard\Allow users to trust files that open in Windows Defender Application Guard** setting.
2. Click **Enabled**, set **Options** to 2, and click **OK**.
![Group Policy editor Download options](images/appguard-gp-allow-users-to-trust-files-that-open-in-appguard.png)
3. Log out and back on to your device, opening Microsoft Edge in Application Guard again.
4. Open a file in Edge, such an Office 365 file.
5. Check to see that an antivirus scan completed before the file was opened.
#### Camera and microphone options
1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard\Allow camera and microphone access in Windows Defender Application Guard** setting.
2. Click **Enabled** and click **OK**.
![Group Policy editor Download options](images/appguard-gp-allow-camera-and-mic.png)
3. Log out and back on to your device, opening Microsoft Edge in Application Guard again.
4. Open an application with video or audio capability in Edge.
5. Check that the camera and microphone work as expected.
#### Root certificate sharing options
1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard\Allow Windows Defender Application Guard to use Root Certificate Authorities from the user's device** setting.
2. Click **Enabled**, copy the thumbprint of each certificate to share, separated by a comma, and click **OK**.
![Group Policy editor Download options](images/appguard-gp-allow-root-certificates.png)
3. Log out and back on to your device, opening Microsoft Edge in Application Guard again.