Greg Lindsay 2019-01-16 14:58:12 -08:00
commit 7497d0f0a5
10 changed files with 104 additions and 83 deletions

@ -1765,6 +1765,7 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
|New or updated topic | Description|
|--- | ---|
|[Policy CSP - Storage](policy-csp-storage.md)|Added the following new policies: AllowStorageSenseGlobal, ConfigStorageSenseGlobalCadence, AllowStorageSenseTemporaryFilesCleanup, ConfigStorageSenseRecycleBinCleanupThreshold, ConfigStorageSenseDownloadsCleanupThreshold, and ConfigStorageSenseCloudContentCleanupThreshold.|
|[SharedPC CSP](sharedpc-csp.md)|Updated values and supported operations.|
### December 2018

@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
ms.date: 06/26/2017
ms.date: 01/16/2019
---
# SharedPC CSP
@ -27,18 +27,18 @@ The supported operation is Get.
<a href="" id="enablesharedpcmode"></a>**EnableSharedPCMode**
A boolean value that specifies whether Shared PC mode is enabled.
The supported operations are Get and Replace.
The supported operations are Add, Get, Replace, and Delete.
Setting this value to True triggers the action to configure a device to Shared PC mode.
The default value is False.
The default value is Not Configured and SharedPC mode is not enabled.
<a href="" id="setedupolicies"></a>**SetEduPolicies**
A boolean value that specifies whether the policies for education environment are enabled. Setting this value to true triggers the action to configure a device as education environment.
The supported operations are Get and Replace.
The supported operations are Add, Get, Replace, and Delete.
The default value changed to false in Windows 10, version 1703. This node needs to be configured independent of EnableSharedPCMode. In Windows 10, version 1607, the default value is true and education environment is automatically configured when SharedPC mode is configured.
The default value changed to false in Windows 10, version 1703. The default value is Not Configured and this node needs to be configured independent of EnableSharedPCMode. In Windows 10, version 1607, the value is set to True and the education environment is automatically configured when SharedPC mode is configured.
<a href="" id="setpowerpolicies"></a>**SetPowerPolicies**
Optional. A boolean value that specifies that the power policies should be set when configuring SharedPC mode.
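
Review bot: The rewritten SetEduPolicies paragraph now states two different defaults back to back: it keeps "The default value changed to false in Windows 10, version 1703." and then adds "The default value is Not Configured". Drop or reword the first sentence so the node has one stated default, and give the 1703 provisioning package value separately, as the other nodes in this file do.
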
@ -46,9 +46,9 @@ Optional. A boolean value that specifies that the power policies should be set w
> [!Note]
> If used, this value must be set before the action on the **EnableSharedPCMode** node is taken.
The supported operations are Get and Replace.
The supported operations are Add, Get, Replace, and Delete.
The default value is True.
The default value is Not Configured and the effective power settings are determined by the OS's default power settings. Its value in the SharedPC provisioning package is True.
<a href="" id="maintenancestarttime"></a>**MaintenanceStartTime**
Optional. An integer value that specifies the daily start time of maintenance hour. Given in minutes from midnight. The range is 0-1440.
@ -56,9 +56,9 @@ Optional. An integer value that specifies the daily start time of maintenance ho
> [!Note]
>  If used, this value must be set before the action on the **EnableSharedPCMode** node is taken.
The supported operations are Get and Replace.
The supported operations are Add, Get, Replace, and Delete.
The default value is 0 (12 AM).
The default value is Not Configured and its value in the SharedPC provisioning package is 0 (12 AM).
<a href="" id="signinonresume"></a>**SignInOnResume**
Optional. A boolean value that, when set to True, requires sign in whenever the device wakes up from sleep mode.
@ -66,9 +66,9 @@ Optional. A boolean value that, when set to True, requires sign in whenever the
> [!Note]
> If used, this value must be set before the action on the **EnableSharedPCMode** node is taken.
The supported operations are Get and Replace.
The supported operations are Add, Get, Replace, and Delete.
The default value is True.
The default value is Not Configured and its value in the SharedPC provisioning package is True.
<a href="" id="sleeptimeout"></a>**SleepTimeout**
The amount of time in seconds before the PC sleeps. 0 means the PC never sleeps. Default is 5 minutes. This node is optional.
@ -76,9 +76,9 @@ The amount of time in seconds before the PC sleeps. 0 means the PC never sleeps.
> [!Note]
> If used, this value must be set before the action on the **EnableSharedPCMode** node is taken.
The supported operations are Get and Replace.
The supported operations are Add, Get, Replace, and Delete.
The default value changed to 300 in Windows 10, version 1703. The default value is 3600 in Windows 10, version 1607.
The default value is Not Configured, and effective behavior is determined by the OS's default settings. Its value in the SharedPC provisioning package for Windows 10, version 1703 is 300, and in Windows 10, version 1607 is 3600.
<a href="" id="enableaccountmanager"></a>**EnableAccountManager**
A boolean that enables the account manager for shared PC mode.
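
Review bot: The SleepTimeout description line that this hunk leaves unchanged still says "Default is 5 minutes", while the replacement text says the default is Not Configured and 300 is only the provisioning package value for version 1703. Update the description in the same change so the two statements agree.
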
@ -86,9 +86,9 @@ A boolean that enables the account manager for shared PC mode.
> [!Note]
> If used, this value must be set before the action on the **EnableSharedPCMode** node is taken.
The supported operations are Get and Replace.
The supported operations are Add, Get, Replace, and Delete.
The default value is True.
The default value is Not Configured and its value in the SharedPC provisioning package is True.
<a href="" id="accountmodel"></a>**AccountModel**
Configures which type of accounts are allowed to use the PC.
@ -96,7 +96,7 @@ Configures which type of accounts are allowed to use the PC.
> [!Note]
> If used, this value must be set before the action on the **EnableSharedPCMode** node is taken.
The supported operations are Get and Replace.
The supported operations are Add, Get, Replace, and Delete.
The following list shows the supported values:
@ -104,13 +104,15 @@ The following list shows the supported values:
- 1 - Only domain-joined accounts are enabled.
- 2 - Domain-joined and guest accounts are allowed.
Its value in the SharedPC provisioning package is 1 or 2.
<a href="" id="deletionpolicy"></a>**DeletionPolicy**
Configures when accounts are deleted.
> [!Note]
> If used, this value must be set before the action on the **EnableSharedPCMode** node is taken.
The supported operations are Get and Replace.
The supported operations are Add, Get, Replace, and Delete.
For Windows 10, version 1607, here is the list shows the supported values:
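
Review bot: The added AccountModel line "Its value in the SharedPC provisioning package is 1 or 2." does not tell the reader which value the package actually sets. Give the single value, or say what decides between 1 and 2. While this section is being touched, the context line "here is the list shows the supported values" under DeletionPolicy also needs its wording fixed.
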
@ -123,17 +125,19 @@ For Windows 10, version 1703, here is the list of supported values:
- 1 - Delete at disk space threshold
- 2 - Delete at disk space threshold and inactive threshold
The default value is Not Configured. Its value in the SharedPC provisioning package is 1 or 2.
<a href="" id="diskleveldeletion"></a>**DiskLevelDeletion**
Sets the percentage of disk space remaining on a PC before cached accounts will be deleted to free disk space. Accounts that have been inactive the longest will be deleted first.
> [!Note]
> If used, this value must be set before the action on the **EnableSharedPCMode** node is taken.
The default value is 25.
The default value is Not Configured. Its default value in the SharedPC provisioning package is 25.
For example, if the **DiskLevelCaching** number is set to 50 and the **DiskLevelDeletion** number is set to 25 (both default values). Accounts will be cached while the free disk space is above 25%. When the free disk space is less than 25% (the deletion number) during a maintenance period, accounts will be deleted (oldest last used first) until the free disk space is above 50% (the caching number). Accounts will be deleted immediately at sign off of an account if free space is under the deletion threshold and disk space is very low, regardless whether the PC is actively in use or not.
For example, if the **DiskLevelCaching** number is set to 50 and the **DiskLevelDeletion** number is set to 25 (both default values). Accounts will be cached while the free disk space is above 25%. When the free disk space is less than 25% (the deletion number) during a daily maintenance period, accounts will be deleted (oldest last used first) when the system is idle until the free disk space is above 50% (the caching number). Accounts will be deleted immediately at sign off of an account if free space is under half of the deletion threshold and disk space is very low, regardless of whether the PC is actively in use or not.
The supported operations are Get and Replace.
The supported operations are Add, Get, Replace, and Delete.
<a href="" id="disklevelcaching"></a>**DiskLevelCaching**
Sets the percentage of available disk space a PC should have before it stops deleting cached accounts.
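
Review bot: The revised DiskLevelDeletion example still calls 50 and 25 "(both default values)", but the line added just before it says the default is Not Configured and 25 is only the provisioning package value. Reword the parenthetical to match, for example "(the values in the SharedPC provisioning package)", and join the fragment "For example, if ... (both default values)." to the sentence that follows it. The DeletionPolicy line added in this hunk also gives the package value as "1 or 2", which needs a single value or an explanation of when each applies.
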
@ -141,15 +145,16 @@ Sets the percentage of available disk space a PC should have before it stops del
> [!Note]
> If used, this value must set before the action on the **EnableSharedPCMode** node is taken.
The default value is 50.
The default value is Not Configured. The default value in the SharedPC provisioning package is 25.
For example, if the **DiskLevelCaching** number is set to 50 and the **DiskLevelDeletion** number is set to 25 (both default values). Accounts will be cached while the free disk space is above 25%. When the free disk space is less than 25% (the deletion number) during a maintenance period, accounts will be deleted (oldest last used first) until the free disk space is above 50% (the caching number). Accounts will be deleted immediately at sign off of an account if free space is under the deletion threshold and disk space is very low, regardless whether the PC is actively in use or not.
The supported operations are Add, Get, Replace, and Delete.
<a href="" id="restrictlocalstorage"></a>**RestrictLocalStorage**
Added in Windows 10, version 1703. Restricts the user from using local storage. This node is optional.
Default value is true Value type is bool. Supported operations are Get and Replace.
The default value is Not Configured and behavior is no such restriction applied. Value type is bool. Supported operations are Add, Get, Replace, and Delete. Default in SharedPC provisioning package is False.
> [!Note]
> If used, this value must set before the action on the **EnableSharedPCMode** node is taken.
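
Review bot: The added DiskLevelCaching line gives the provisioning package default as 25, but the line it replaces said 50 and the example in this section describes 50 as the caching number. This looks copied from DiskLevelDeletion; confirm and change it to 50. RestrictLocalStorage also moves from "Default value is true" to a package default of False in this hunk, so confirm that reversal is intended and not a typo.
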
@ -157,7 +162,7 @@ Default value is true Value type is bool. Supported operations are Get and Repla
<a href="" id="kioskmodeaumid"></a>**KioskModeAUMID**
Added in Windows 10, version 1703. Specifies the AUMID of the app to use with assigned access. This node is optional.
Value type is string. Supported operations are Get and Replace.
Value type is string. Supported operations are Add, Get, Replace, and Delete.
> [!Note]
> If used, this value must set before the action on the **EnableSharedPCMode** node is taken.
@ -165,7 +170,7 @@ Value type is string. Supported operations are Get and Replace.
<a href="" id="kioskmodeusertiledisplaytext"></a>**KioskModeUserTileDisplayText**
Added in Windows 10, version 1703. Specifies the display text for the account shown on the sign-in screen which launches the app specified by KioskModeAUMID. This node is optional.
Value type is string. Supported operations are Get and Replace.
Value type is string. Supported operations are Add, Get, Replace, and Delete.
> [!Note]
> If used, this value must set before the action on the **EnableSharedPCMode** node is taken.
@ -173,7 +178,9 @@ Value type is string. Supported operations are Get and Replace.
<a href="" id="inactivethreshold"></a>**InactiveThreshold**
Added in Windows 10, version 1703. Accounts will start being deleted when they have not been logged on during the specified period, given as number of days.
Default value is 30. Value type is integer. Supported operations are Get and Replace.
The default value is Not Configured. Value type is integer. Supported operations are Add, Get, Replace, and Delete.
The default in the SharedPC provisioning package is 30.
<a href="" id="maxpagefilesizemb"></a>**MaxPageFileSizeMB**
Added in Windows 10, version 1703. Maximum size of the paging file in MB. Applies only to systems with less than 32 GB storage and at least 3 GB of RAM. This node is optional.
@ -181,9 +188,9 @@ Added in Windows 10, version 1703. Maximum size of the paging file in MB. Applie
> [!Note]
> If used, this value must set before the action on the **EnableSharedPCMode** node is taken.
Default value is 1024. Value type is integer. Supported operations are Get and Replace.
Default value is Not Configured. Value type is integer. Supported operations are Add, Get, Replace, and Delete.
The default in the SharedPC provisioning package is 1024.
## Related topics

@ -18,6 +18,7 @@
#### [Adding devices](add-devices.md)
#### [Creating profiles](profiles.md)
#### [Enrollment status page](enrollment-status.md)
#### [BitLocker encryption](bitlocker.md)
### [Administering Autopilot via Microsoft Store for Business](https://docs.microsoft.com/microsoft-store/add-profile-to-devices#manage-autopilot-deployment-profiles)
### [Administering Autopilot via Microsoft Intune](https://docs.microsoft.com/intune/enrollment-autopilot)
### [Administering Autopilot via Microsoft 365 Business & Office 365 Admin portal](https://support.office.com/article/Create-and-edit-Autopilot-profiles-5cf7139e-cfa1-4765-8aad-001af1c74faa)

@ -0,0 +1,40 @@
---
title: Setting the BitLocker encryption algorithm for Autopilot devices
description: Microsoft Intune provides a comprehensive set of configuration options to manage BitLocker on Windows 10 devices.
keywords: Autopilot, BitLocker, encryption, 256-bit, Windows 10
ms.prod: w10
ms.technology: Windows
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: deploy
ms.localizationpriority: medium
author: greg-lindsay
ms.author: greg-lindsay
---
# Setting the BitLocker encryption algorithm for Autopilot devices
With Windows Autopilot, you can configure the BitLocker encryption settings to be applied before automatic encryption is started. This ensures that the default encrytion algorithm is not applied automatically when this is not the desired setting. Other BitLocker policies that must be applied prior to encryption can also be delivered before automatic BitLocker encryption begins.
The BitLocker encryption algorithm is used when BitLocker is first enabled, and sets the strength to which full volume encryption should occur. Available encryption algorithms are: AES-CBC 128-bit, AES-CBC 256-bit, XTS-AES 128-bit or XTS-AES 256-bit encryption. The default value is XTS-AES 128-bit encryption. See [BitLocker CSP](https://docs.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp) for information about the recommended encryption algorithms to use.
An example of encryption settings is shown below.
![BitLocker encryption settings](images/bitlocker-encryption.png)
Note that a device which is encrypted automatically will need to be decrypted prior to changing the encyption algorithm.
To ensure the desired BitLocker encryption algorithm is set before automatic encryption occurs for Autopilot devices:
1. Configure the [encryption method settings](https://docs.microsoft.com/intune/endpoint-protection-windows-10#windows-encryption) in the Windows 10 Endpoint Protection profile to the desired encryption algorithm.
2. [Assign the policy](https://docs.microsoft.com/intune/device-profile-assign) to your Autopilot device group.
- **IMPORTANT**: The encryption policy must be assigned to **devices** in the group, not users.
3. Enable the Autopilot [Enrollment Status Page](https://docs.microsoft.com/windows/deployment/windows-autopilot/enrollment-status) (ESP) for these devices. This is a critical step because if the ESP is not enabled, the policy will not apply when the device boots.
## Requirements
Windows 10, version 1809 or later.
## See also
[Bitlocker overview](https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-overview)
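
Review bot: Two misspellings in the new topic need fixing before merge: "encrytion" in the first paragraph and "encyption" in the sentence about decrypting a device before changing the algorithm; the See also link text also reads "Bitlocker" instead of "BitLocker". The "- **IMPORTANT**" item under step 2 appears unindented here, which would break the ordered list before step 3, so indent it under step 2. The front matter has no ms.date, unlike the other topics edited in this commit.
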

Binary file not shown.


@ -8,7 +8,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: justinha
ms.author: justinha
ms.date: 10/16/2018
ms.date: 01/16/2019
---
# Application Guard testing scenarios
@ -46,7 +46,7 @@ How to install, set up, turn on, and configure Application Guard for Enterprise-
### Install, set up, and turn on Application Guard
Before you can use Application Guard in enterprise mode, you must install Windows 10 Enterprise edition, version 1709, which includes the functionality. Then, you must use Group Policy to set up the required settings.
1. Install Application Guard, using the [installation](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard) steps in this guide.
1. Install Application Guard, using the [installation](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard#install-application-guard) steps in this guide.
2. Restart the device and then start Microsoft Edge.

@ -16,7 +16,10 @@ ms.date: 1/26/2018
- Windows 10
- Windows 10 Mobile
Windows Defender SmartScreen works with Group Policy and mobile device management (MDM) settings to help you manage your organization's computer settings. Based on how you set up Windows Defender SmartScreen, you can show employees a warning page and let them continue to the site, or you can block the site entirely.
Windows Defender SmartScreen works with Intune, Group Policy, and mobile device management (MDM) settings to help you manage your organization's computer settings. Based on how you set up Windows Defender SmartScreen, you can show employees a warning page and let them continue to the site, or you can block the site entirely.
See [Windows 10 (and later) settings to protect devices using Intune](https://docs.microsoft.com/en-us/intune/endpoint-protection-windows-10#windows-defender-smartscreen-settings) for the controls you can use in Intune.
## Group Policy settings
SmartScreen uses registry-based Administrative Template policy settings. For more info about Group Policy, see the [Group Policy TechCenter](https://go.microsoft.com/fwlink/p/?LinkId=214514). This site provides links to the latest technical documentation, videos, and downloads for Group Policy.
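
Review bot: The front matter date is not bumped for this topic: the hunk header context still shows "ms.date: 1/26/2018", while the other edited topics in this commit move ms.date to 01/16/2019. The added Intune link also hard-codes the en-us locale in its URL, which the Application Guard link edited in this same commit does not; drop the locale segment for consistency.
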

@ -286,20 +286,7 @@ For more information about updating Windows 10, see [Windows 10 servicing optio
## Microsoft Edge
Microsoft Edge takes you beyond just browsing to actively engaging with the web through features like Web Note, Reading View, and Cortana.
- **Web Note.** Microsoft Edge lets you annotate, highlight, and call things out directly on webpages.
- **Reading view.** Microsoft Edge lets you enjoy and print online articles in a distraction-free layout that's optimized for your screen size. While in reading view, you can also save webpages or PDF files to your reading list, for later viewing.
- **Cortana.** Cortana is automatically enabled on Microsoft Edge. Microsoft Edge lets you highlight words for more info and gives you one-click access to things like restaurant reservations and reviews, without leaving the webpage.
- **Compatibility and security.** Microsoft Edge lets you continue to use IE11 for sites that are on your corporate intranet or that are included on your Enterprise Mode Site List. You must use IE11 to run older, less secure technology, such as ActiveX controls.
### Enterprise guidance
Microsoft Edge is the default browser experience for Windows 10 and Windows 10 Mobile. However, if you're running web apps that need ActiveX controls, we recommend that you continue to use Internet Explorer 11 for them. If you don't have IE11 installed anymore, you can download it from the Microsoft Store or from the [Internet Explorer 11 download page](https://go.microsoft.com/fwlink/p/?linkid=290956).
We also recommend that you upgrade to IE11 if you're running any earlier versions of Internet Explorer. IE11 is supported on Windows 7, Windows 8.1, and Windows 10. So any legacy apps that work with IE11 will continue to work even as you migrate to Windows 10.
[Learn more about using Microsoft Edge in the enterprise](https://technet.microsoft.com/itpro/microsoft-edge/enterprise-guidance-using-microsoft-edge-and-ie11)
Microsoft Edge is not available in the LTSC release of Windows 10.
## See Also

@ -30,6 +30,11 @@ The Windows 10 Enterprise LTSC 2019 release is an important release for LTSC use
>[!IMPORTANT]
>The LTSC release is [intended for special use devices](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/LTSC-What-is-it-and-when-should-it-be-used/ba-p/293181). Support for LTSC by apps and tools that are designed for the semi-annual channel release of Windows 10 might be limited.
## Microsoft Intune
>[!NOTE]
>Some features that are described on this page require Microsoft Intune. Currently, information about Microsoft Intune support for LTSC 2019 is pending.
## Security
This version of Window 10 includes security improvements for threat protection, information protection, and identity protection.
@ -175,12 +180,6 @@ This release enables support for WIP with Files on Demand, allows file encryptio
The minimum PIN length is being changed from 6 to 4, with a default of 6. For more information, see [BitLocker Group Policy settings](https://docs.microsoft.com/windows/device-security/bitlocker/bitlocker-group-policy-settings#bkmk-unlockpol3).
#### Delivering BitLocker policy to AutoPilot devices during OOBE
You can choose which encryption algorithm to apply automatic BitLocker encryption to capable devices, rather than automatically having those devices encrypt themselves with the default algorithm. This allows the encryption algorithm (and other BitLocker policies that must be applied prior to encryption), to be delivered before automatic BitLocker encryption begins.
For example, you can choose the XTS-AES 256 encryption algorithm, and have it applied to devices that would normally encrypt themselves automatically with the default XTS-AES 128 algorithm during OOBE.
#### Silent enforcement on fixed drives
Through a Modern Device Management (MDM) policy, BitLocker can be enabled silently for standard Azure Active Directory (AAD) joined users. In Windows 10, version 1803 automatic BitLocker encryption was enabled for standard AAD users, but this still required modern hardware that passed the Hardware Security Test Interface (HSTI). This new functionality enables BitLocker via policy even on devices that dont pass the HSTI.
@ -396,6 +395,13 @@ In the Feedback and Settings page under Privacy Settings you can now delete the
## Configuration
<<<<<<< HEAD
### Kiosk configuration
Microsoft Edge has many improvements specifically targeted to Kiosks, however Edge is not available in the LTSC release of Windows 10. Internet Explorer is included in Windows 10 LTSC releases as its feature set is not changing, and it will continue to get security fixes for the life of a Windows 10 LTSC release.
If you wish to take advantage of [Kiosk capabilities in Edge](https://docs.microsoft.com/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy), consider [Kiosk mode](https://docs.microsoft.com/windows/configuration/kiosk-methods) with a semi-annual release channel.
=======
### Kiosk Configuration
We introduced a simplified assigned access configuration experience in **Settings** that allows device administrators to easily set up a PC as a kiosk or digital sign. A wizard experience walks you through kiosk setup including creating a kiosk account that will automatically sign in when a device starts.
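
Review bot: Merge conflict markers are being committed into the topic: "<<<<<<< HEAD" before "### Kiosk configuration" and "=======" before "### Kiosk Configuration". Resolve the conflict before merging, keep a single Kiosk heading, and remove the marker lines; as written, both headings and the raw markers will be published.
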
@ -444,6 +450,7 @@ With this release you can easily deploy and manage kiosk devices with Microsoft
For more information, see:
- [Making IT simpler with a modern workplace](https://www.microsoft.com/en-us/microsoft-365/blog/2018/04/27/making-it-simpler-with-a-modern-workplace/)
- [Simplifying kiosk management for IT with Windows 10](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Simplifying-kiosk-management-for-IT-with-Windows-10/ba-p/187691)
>>>>>>> 29ecd8ba10cf9401b75cb72a382839f4b4becd26
### Co-management
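
Review bot: The line ">>>>>>> 29ecd8ba10cf9401b75cb72a382839f4b4becd26" added after the kiosk links is the closing marker of an unresolved merge conflict. Remove it together with the "<<<<<<< HEAD" and "=======" lines earlier in the Configuration section.
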
@ -455,20 +462,6 @@ For more information, see [What's New in MDM enrollment and management](https://
The OS uninstall period is a length of time that users are given when they can optionally roll back a Windows 10 update. With this release, administrators can use Intune or [DISM](#dism) to customize the length of the OS uninstall period.
### Windows Configuration Designer
Previously known as *Windows Imaging and Configuration Designer (ICD)*, the tool for creating provisioning packages is renamed **Windows Configuration Designer**. The new Windows Configuration Designer is available in [Microsoft Store](https://www.microsoft.com/store/apps/9nblggh4tx22) as an app. To run Windows Configuration Designer on earlier versions of Windows, you can still install Windows Configuration Designer from the [Windows Assessment and Deployment Kit (ADK)](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit).
Windows Configuration Designer in Windows 10 Enterprise 2019 LTSC includes several new wizards to make it easier to create provisioning packages.
![wizards for desktop, mobile, kiosk, Surface Hub](../images/wcd-options.png)
Both the desktop and kiosk wizards include an option to remove pre-installed software, based on the new [CleanPC configuration service provider (CSP)](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/cleanpc-csp).
![remove pre-installed software option](../images/wcd-cleanpc.png)
[Learn more about Windows Configuration Designer.](/windows/configuration/provisioning-packages/provisioning-packages)
### Azure Active Directory join in bulk
Using the new wizards in Windows Configuration Designer, you can [create provisioning packages to enroll devices in Azure Active Directory](/windows/configuration/provisioning-packages/provisioning-packages#configuration-designer-wizards). Azure AD join in bulk is available in the desktop, mobile, kiosk, and Surface Hub wizards.
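
Review bot: Removing the Windows Configuration Designer section leaves the next section, "Azure Active Directory join in bulk", opening with "Using the new wizards in Windows Configuration Designer" with nothing left on the page that introduces the tool or its wizards. Keep a one-line pointer to the provisioning packages topic, or reword that sentence so it stands on its own.
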
@ -495,25 +488,6 @@ Previously, the customized taskbar could only be deployed using Group Policy or
- Settings for Power: [**Start/HidePowerButton**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidepowerbutton), [**Start/HideHibernate**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidehibernate), [**Start/HideRestart**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderestart), [**Start/HideShutDown**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideshutdown), and [**Start/HideSleep**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidesleep)
- Additional new settings: [**Start/HideFrequentlyUsedApps**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidefrequentlyusedapps), [**Start/HideRecentlyAddedApps**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderecentlyaddedapps), **AllowPinnedFolder**, **ImportEdgeAssets**, [**Start/HideRecentJumplists**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderecentjumplists), [**Start/NoPinningToTaskbar**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-nopinningtotaskbar), [**Settings/PageVisibilityList**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#settings-pagevisibilitylist), and [**Start/HideAppsList**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideapplist).
### Cortana at work
Cortana is Microsofts personal digital assistant, who helps busy people get things done, even while at work. Cortana has powerful configuration options, specifically optimized for your business. By signing in with an Azure Active Directory (Azure AD) account, your employees can give Cortana access to their enterprise/work identity, while getting all the functionality Cortana provides to them outside of work.
Using Azure AD also means that you can remove an employees profile (for example, when an employee leaves your organization) while respecting Windows Information Protection (WIP) policies and ignoring enterprise content, such as emails, calendar items, and people lists that are marked as enterprise data.
For more info about Cortana at work, see [Cortana integration in your business or enterprise](/windows/configuration/cortana-at-work/cortana-at-work-overview)
## Microsoft Edge
iOS and Android versions of Edge are now available. For more information, see [Microsoft Edge Tips](https://microsoftedgetips.microsoft.com/en-us?source=firstrunwip).
Support in [Windows Defender Application Guard](#windows-defender-application-guard) is also improved.
#### Microsoft Edge Group Policies
We introduced new group policies and Modern Device Management settings to manage Microsoft Edge. The new policies include enabling and disabling full-screen mode, printing, favorites bar, and saving history; preventing certificate error overrides; configuring the Home button and startup options; setting the New Tab page and Home button URL, and managing extensions. Learn more about the [new Microsoft Edge policies](https://aka.ms/new-microsoft-edge-group-policies).
## Windows Update
### Windows Update for Business

@ -69,6 +69,14 @@ You can choose which encryption algorithm to apply automatic BitLocker encryptio
For example, you can choose the XTS-AES 256 encryption algorithm, and have it applied to devices that would normally encrypt themselves automatically with the default XTS-AES 128 algorithm during OOBE.
To achieve this:
1. Configure the [encryption method settings](https://docs.microsoft.com/intune/endpoint-protection-windows-10#windows-encryption) in the Windows 10 Endpoint Protection profile to the desired encryption algorithm.
2. [Assign the policy](https://docs.microsoft.com/intune/device-profile-assign) to your Autopilot device group.
- **IMPORTANT**: The encryption policy must be assigned to **devices** in the group, not users.
1. Enable the Autopilot [Enrollment Status Page](https://docs.microsoft.com/windows/deployment/windows-autopilot/enrollment-status) (ESP) for these devices. This is also important because if the ESP is not enabled, the policy will not apply when the device boots.
### Windows Defender Application Guard Improvements
Windows Defender Application Guard (WDAG) introduced a new user interface inside **Windows Security** in this release. Standalone users can now install and configure their Windows Defender Application Guard settings in Windows Security without needing to change registry key settings.
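
Review bot: In the added steps the third item is numbered "1." instead of "3.", and the "- **IMPORTANT**" item under step 2 appears unindented, so the list will not render as one sequence. These steps also duplicate the procedure in the new bitlocker.md topic and already differ in wording ("This is also important" here, "This is a critical step" there); consider linking to that topic instead of repeating the steps.
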