deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-16 15:27:22 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'refs/remotes/origin/master' into atp-vdi

Browse Source
This commit is contained in:
Joey Caparas 2017-08-14 13:23:06 -07:00
commit 7548cb32d5
63 changed files with 1200 additions and 169 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

74
bcs/index.md
View File

@ -13,7 +13,7 @@ description: Learn about the product documentation and resources available for M
<div class="container">
<ul class="cardsY panelContent featuredContent">
<li>
<a href="http://www.microsoft.com/en-us/microsoft-365/business">
<a href="http://www.microsoft.com/en-us/microsoft-365/business" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
@ -31,7 +31,7 @@ description: Learn about the product documentation and resources available for M
</a>
</li>
<li>
<a href="https://support.office.com/article/496e690b-b75d-4ff5-bf34-cc32905d0364">
<a href="https://support.office.com/article/496e690b-b75d-4ff5-bf34-cc32905d0364" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
@ -65,7 +65,7 @@ description: Learn about the product documentation and resources available for M
</div>
</li>
<li>
<a href="http://www.microsoft.com/en-us/microsoft-365/business">
<a href="http://www.microsoft.com/en-us/microsoft-365/business" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
@ -84,7 +84,7 @@ description: Learn about the product documentation and resources available for M
</a>
</li>
<li>
<a href="support/microsoft-365-business-faqs.md">
<a href="support/microsoft-365-business-faqs.md" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
@ -103,7 +103,7 @@ description: Learn about the product documentation and resources available for M
</a>
</li>
<li>
<a href="https://support.office.com/article/496e690b-b75d-4ff5-bf34-cc32905d0364">
<a href="https://support.office.com/article/496e690b-b75d-4ff5-bf34-cc32905d0364" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
@ -132,7 +132,7 @@ description: Learn about the product documentation and resources available for M
</div>
</li>
<li>
<a href="https://support.office.com/article/96153102-1db1-4df8-bca5-38cea80b65ce">
<a href="https://support.office.com/article/96153102-1db1-4df8-bca5-38cea80b65ce" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
@ -151,7 +151,7 @@ description: Learn about the product documentation and resources available for M
</a>
</li>
<li>
<a href="https://support.office.com/article/d5155593-3bac-4d8d-9d8b-f4513a81479e">
<a href="https://support.office.com/article/d5155593-3bac-4d8d-9d8b-f4513a81479e" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
@ -180,7 +180,7 @@ description: Learn about the product documentation and resources available for M
</div>
</li>
<li>
<a href="https://support.office.com/article/ed34fff3-2881-4ed4-9906-1ba6bb8dd804">
<a href="https://support.office.com/article/ed34fff3-2881-4ed4-9906-1ba6bb8dd804" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
@ -199,7 +199,7 @@ description: Learn about the product documentation and resources available for M
</a>
</li>
<li>
<a href="https://support.office.com/article/cbc6bfe5-565a-4fb8-95f0-b06e7b74ac46">
<a href="https://support.office.com/article/cbc6bfe5-565a-4fb8-95f0-b06e7b74ac46" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
@ -218,7 +218,7 @@ description: Learn about the product documentation and resources available for M
</a>
</li>
<li>
<a href="https://support.office.com/article/80bdae57-f8bc-4e40-a58c-956007117ecb">
<a href="https://support.office.com/article/80bdae57-f8bc-4e40-a58c-956007117ecb" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
@ -237,7 +237,7 @@ description: Learn about the product documentation and resources available for M
</a>
</li>
<li>
<a href="https://support.office.com/article/c4db6caf-74df-4734-b1dd-53e371c7a3c3">
<a href="https://support.office.com/article/c4db6caf-74df-4734-b1dd-53e371c7a3c3" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
@ -266,7 +266,7 @@ description: Learn about the product documentation and resources available for M
</div>
</li>
<li>
<a href="https://support.office.com/article/bd66c26c-73a4-45a8-8642-3ea4ee7cd89d">
<a href="https://support.office.com/article/bd66c26c-73a4-45a8-8642-3ea4ee7cd89d" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
@ -285,7 +285,7 @@ description: Learn about the product documentation and resources available for M
</a>
</li>
<li>
<a href="https://support.office.com/article/6b70fa27-d171-4593-8ecf-f78bb4ed2e99">
<a href="https://support.office.com/article/6b70fa27-d171-4593-8ecf-f78bb4ed2e99" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
@ -333,7 +333,7 @@ description: Learn about the product documentation and resources available for M
</a>
</li>
<li>
<a href="https://support.office.com/article/365-1b3b5318-6977-42ed-b5c7-96fa74b08846">
<a href="https://support.office.com/article/365-1b3b5318-6977-42ed-b5c7-96fa74b08846" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
@ -352,7 +352,7 @@ description: Learn about the product documentation and resources available for M
</a>
</li>
<li>
<a href="https://support.office.com/article/FDECCEED-0702-4AF3-85BE-F2A0013937EF">
<a href="https://support.office.com/article/FDECCEED-0702-4AF3-85BE-F2A0013937EF" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
@ -371,7 +371,7 @@ description: Learn about the product documentation and resources available for M
</a>
</li>
<li>
<a href="https://support.office.com/article/2d7ff45e-0da0-4caa-89a9-48cabf41f193">
<a href="https://support.office.com/article/2d7ff45e-0da0-4caa-89a9-48cabf41f193" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
@ -400,7 +400,7 @@ description: Learn about the product documentation and resources available for M
</div>
</li>
<li>
<a href="https://www.microsoft.com/solution-providers/search">
<a href="https://www.microsoft.com/solution-providers/search" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
@ -419,7 +419,7 @@ description: Learn about the product documentation and resources available for M
</a>
</li>
<li>
<a href="https://support.office.com/article/496e690b-b75d-4ff5-bf34-cc32905d0364#bkmk_support">
<a href="https://support.office.com/article/496e690b-b75d-4ff5-bf34-cc32905d0364#bkmk_support" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
@ -488,7 +488,7 @@ description: Learn about the product documentation and resources available for M
</li>
-->
<li>
<a href="https://docs.microsoft.com/en-us/windows/windows-10/">
<a href="https://docs.microsoft.com/en-us/windows/windows-10/" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
@ -507,7 +507,7 @@ description: Learn about the product documentation and resources available for M
</a>
</li>
<li>
<a href="https://msdn.microsoft.com/partner-center/autopilot">
<a href="https://msdn.microsoft.com/partner-center/autopilot" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
@ -536,7 +536,7 @@ description: Learn about the product documentation and resources available for M
</div>
</li>
<li>
<a href="https://support.office.com/article/1970f7d6-03b5-442f-b385-5880b9c256ec">
<a href="https://support.office.com/article/1970f7d6-03b5-442f-b385-5880b9c256ec" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
@ -555,7 +555,7 @@ description: Learn about the product documentation and resources available for M
</a>
</li>
<li>
<a href="https://support.office.com/article/365-2d2fa996-b760-411d-a5cc-190d63f13207">
<a href="https://support.office.com/article/365-2d2fa996-b760-411d-a5cc-190d63f13207" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
@ -595,7 +595,7 @@ description: Learn about the product documentation and resources available for M
</li>
-->
<li>
<a href="https://support.office.com/article/74a1ef8b-3844-4d08-9980-9f8f7a36000f">
<a href="https://support.office.com/article/74a1ef8b-3844-4d08-9980-9f8f7a36000f" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
@ -614,7 +614,7 @@ description: Learn about the product documentation and resources available for M
</a>
</li>
<li>
<a href="https://support.office.com/article/7a5d073b-7fae-4aa5-8f96-9ecd041aba9c">
<a href="https://support.office.com/article/7a5d073b-7fae-4aa5-8f96-9ecd041aba9c" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
@ -633,7 +633,7 @@ description: Learn about the product documentation and resources available for M
</a>
</li>
<li>
<a href="https://support.office.com/article/ea7bf1b2-1c2f-477f-a813-313e3ce0d896">
<a href="https://support.office.com/article/ea7bf1b2-1c2f-477f-a813-313e3ce0d896" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
@ -652,7 +652,7 @@ description: Learn about the product documentation and resources available for M
</a>
</li>
<li>
<a href="https://support.office.com/article/a27f1a99-3557-4f85-9560-a28e3d822a40">
<a href="https://support.office.com/article/a27f1a99-3557-4f85-9560-a28e3d822a40" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
@ -671,7 +671,7 @@ description: Learn about the product documentation and resources available for M
</a>
</li>
<li>
<a href="https://support.office.com/article/46c667f7-5073-47b9-a75f-05a60cf77d91">
<a href="https://support.office.com/article/46c667f7-5073-47b9-a75f-05a60cf77d91" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
@ -710,7 +710,7 @@ description: Learn about the product documentation and resources available for M
</div>
</li>
<li>
<a href="https://support.office.com/article/d868561b-d340-4c04-a973-e2575d7f09bc">
<a href="https://support.office.com/article/d868561b-d340-4c04-a973-e2575d7f09bc" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
@ -729,9 +729,9 @@ description: Learn about the product documentation and resources available for M
</a>
</li>
<li>
<a href="https://support.office.com/article/eb8244aa-a302-481a-b2b5-d34e88b18ec7">
<a href="https://support.office.com/article/eb8244aa-a302-481a-b2b5-d34e88b18ec7" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="cardPadding">
<div class="card">
<div class="cardImageOuter">
<div class="cardImage bgdAccent1">
@ -748,7 +748,7 @@ description: Learn about the product documentation and resources available for M
</a>
</li>
<li>
<a href="https://support.office.com/article/2d7ff45e-0da0-4caa-89a9-48cabf41f193">
<a href="https://support.office.com/article/2d7ff45e-0da0-4caa-89a9-48cabf41f193" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
@ -767,7 +767,7 @@ description: Learn about the product documentation and resources available for M
</a>
</li>
<li>
<a href="https://support.office.com/article/2d7ff45e-0da0-4caa-89a9-48cabf41f193">
<a href="https://support.office.com/article/2d7ff45e-0da0-4caa-89a9-48cabf41f193" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
@ -796,7 +796,7 @@ description: Learn about the product documentation and resources available for M
</div>
</li>
<li>
<a href="http://support.office.com">
<a href="http://support.office.com" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
@ -815,7 +815,7 @@ description: Learn about the product documentation and resources available for M
</a>
</li>
<li>
<a href="http://support.microsoft.com/products/windows">
<a href="http://support.microsoft.com/products/windows" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
@ -849,7 +849,7 @@ description: Learn about the product documentation and resources available for M
</div>
</li>
<li>
<a href="http://www.microsoft.com/en-us/microsoft-365/business">
<a href="http://www.microsoft.com/en-us/microsoft-365/business" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
@ -868,7 +868,7 @@ description: Learn about the product documentation and resources available for M
</a>
</li>
<li>
<a href="support/microsoft-365-business-faqs.md">
<a href="support/microsoft-365-business-faqs.md" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
@ -887,7 +887,7 @@ description: Learn about the product documentation and resources available for M
</a>
</li>
<li>
<a href="https://www.microsoft.com/solution-providers/search">
<a href="https://www.microsoft.com/solution-providers/search" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">

16
browsers/internet-explorer/ie11-deploy-guide/check-for-new-enterprise-mode-site-list-xml-file.md
View File

@ -1,13 +1,15 @@
---
ms.localizationpriority: low
title: Check for a new Enterprise Mode site list xml file (Internet Explorer 11 for IT Pros)
description: You can have centralized control over Enterprise Mode by creating a single, global XML site list that includes the list of websites to render using Enterprise Mode.
ms.assetid: 2bbc7017-622e-4baa-8981-c0bbda10e9df
ms.prod: ie11
ms.mktglfcycl: deploy
ms.pagetype: appcompat
description: You can have centralized control over Enterprise Mode by creating a single, global XML site list that includes the list of websites to render using Enterprise Mode.
author: eross-msft
ms.prod: ie11
ms.assetid: 2bbc7017-622e-4baa-8981-c0bbda10e9df
title: Check for a new Enterprise Mode site list xml file (Internet Explorer 11 for IT Pros)
ms.sitesec: library
author: eross-msft
ms.author: lizross
ms.date: 08/11/2017
ms.localizationpriority: low
---
@ -23,7 +25,7 @@ ms.sitesec: library
You can have centralized control over Enterprise Mode by creating a single, global XML site list that includes the list of websites to render using Enterprise Mode. You can add and remove sites from your XML list as frequently as you want, changing which sites should render in Enterprise Mode for your employees. For information about turning on Enterprise Mode and using site lists, see [Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md).
The information in this topic only covers HTTP protocol. We strongly recommend that you use HTTP protocol instead of file protocol due to increased performance.
The information in this topic only covers HTTPS protocol. We strongly recommend that you use HTTPS protocol instead of file protocol due to increased performance.
**How Internet Explorer 11 looks for an updated site list**

BIN
browsers/internet-explorer/ie11-deploy-guide/images/ie-emie-grouppolicysitelist.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 30 KiB

After

Width:  |  Height:  |  Size: 39 KiB

BIN
browsers/internet-explorer/ie11-deploy-guide/images/ie-emie-registrysitelist.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 14 KiB

After

Width:  |  Height:  |  Size: 18 KiB

25
browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md
View File

@ -1,13 +1,20 @@
---
ms.localizationpriority: low
title: Turn on Enterprise Mode and use a site list (Internet Explorer 11 for IT Pros)
description: How to turn on Enterprise Mode and specify a site list.
ms.assetid: 800e9c5a-57a6-4d61-a38a-4cb972d833e1
ms.prod: ie11
ms.mktglfcycl: deploy
ms.pagetype: appcompat
description: How to turn on Enterprise Mode and specify a site list.
author: eross-msft
ms.prod: ie11
ms.assetid: 800e9c5a-57a6-4d61-a38a-4cb972d833e1
title: Turn on Enterprise Mode and use a site list (Internet Explorer 11 for IT Pros)
ms.sitesec: library
author: eross-msft
ms.author: lizross
ms.date: 08/11/2017
ms.localizationpriority: low
---
@ -23,8 +30,8 @@ ms.sitesec: library
Before you can use a site list with Enterprise Mode, you need to turn the functionality on and set up the system for centralized control. By allowing centralized control, you can create one global list of websites that render using Enterprise Mode. Approximately 65 seconds after Internet Explorer 11 starts, it looks for a properly formatted site list. If a new site list if found, with a different version number than the active list, IE11 loads and uses the newer version. After the initial check, IE11 wont look for an updated list again until you restart the browser.
**Note**<br>
We recommend that you store and download your website list from a secure web sever (https://), to help protect against data tampering. After the list is downloaded, it's stored locally on your employees computers so if the centralized file location is unavailable, they can still use Enterprise Mode.
>[!NOTE]
>We recommend that you store and download your website list from a secure web server (https://), to help protect against data tampering. After the list is downloaded, it's stored locally on your employees' computers so if the centralized file location is unavailable, they can still use Enterprise Mode.
**To turn on Enterprise Mode using Group Policy**
@ -45,7 +52,7 @@ Turning this setting on also requires you to create and store a site list. For m
![enterprise mode with site list in the registry](images/ie-emie-registrysitelist.png)
- **HTTP location**: `"SiteList"="http://localhost:8080/sites.xml"`
- **HTTPS location**: `"SiteList"="https://localhost:8080/sites.xml"`
- **Local network:** `"SiteList"="\\network\shares\sites.xml"`

4
education/windows/use-set-up-school-pcs-app.md
View File

@ -233,7 +233,7 @@ The **Set up School PCs** app guides you through the configuration choices for t
![Select the USB drive and save the provisioning package](images/suspc_savepackage_insertusb.png)
11. When the provisioning package is ready, you will see the name of the file and you can remove the USB drive. Click **Next** if you're done, or click **Add a USB** to save the same provisioning package to another USB drive.
11. <a name="suspc_pkgready"></a>When the provisioning package is ready, you will see the name of the file and you can remove the USB drive. Click **Next** if you're done, or click **Add a USB** to save the same provisioning package to another USB drive.
**Figure 9** - Provisioning package is ready
@ -246,7 +246,7 @@ The **Set up School PCs** app guides you through the configuration choices for t
![Line up the student PCs and get them ready for setup](images/suspc_runpackage_getpcsready.png)
13. Click **Next**.
14. In the **Install the package** page, follow the instructions in [Apply the provisioning package to the student PCs](#apply-the-provisioning-package-to-the-student-pcs) to set up the student PCs.
14. <a name="suspc_installpkg"></a>In the **Install the package** page, follow the instructions in [Apply the provisioning package to the student PCs](#apply-the-provisioning-package-to-the-student-pcs) to set up the student PCs.
Select **Create new package** if you need to create a new provisioning package. Otherwise, you can remove the USB drive if you're completely done creating the package.

63
windows/access-protection/access-control/microsoft-accounts.md
View File

@ -14,20 +14,12 @@ ms.pagetype: security
This topic for the IT professional explains how a Microsoft account works to enhance security and privacy for users, and how you can manage this consumer account type in your organization.
Microsoft sites, services, and properties such as Windows Live, MSN, Xbox LIVE, Zune, Windows Phone, and computers running Windows 10, Windows 8.1, Windows 8, and Windows RT use a Microsoft account as a mean of identifying users. Microsoft account is the name for what was previously called Windows Live ID. It has user-defined secrets associated with it, and it consists of a unique email address and a password.
Microsoft sites, services, and properties, as well as computers running Windows 10, can use a Microsoft account as a mean of identifying a user. Microsoft account was previously called Windows Live ID. It has user-defined secrets, and consists of a unique email address and a password.
There are some benefits and considerations when using Microsoft accounts in the enterprise. For more information, see [Microsoft account in the enterprise](#bkmk-msaccountintheenterprise) later in this topic.
When a user signs in with a Microsoft account, their device is connected to cloud services, and many of the settings, preferences, and apps associated with that user account can roam between devices.
**Note**  
This content applies to the operating system versions that are designated in the **Applies To** list at the beginning of this topic.
 
When a user signs in with a Microsoft account, the device is connected to cloud services. Many of the user's settings, preferences, and apps can be shared across devices.
## <a href="" id="bkmk-benefits"></a>How a Microsoft account works
The Microsoft account allows users to sign in to websites that support this service by using a single set of credentials. Users' credentials are validated by a Microsoft account authentication server that is associated with a website. The Windows Store is an example of this association. When new users sign in to websites that are enabled to use Microsoft accounts, they are redirected to the nearest authentication server, which asks for a user name and password. Windows uses the Schannel Security Support Provider to open a Transport Level Security/Secure Sockets Layer (TLS/SSL) connection for this function. Users then have the option to use Credential Manager to store their credentials.
When users sign in to websites that are enabled to use a Microsoft account, a time-limited cookie is installed on their computers, which includes a triple DES encrypted ID tag. This encrypted ID tag has been agreed upon between the authentication server and the website. This ID tag is sent to the website, and the website plants another time-limited encrypted HTTP cookie on the users computer. When these cookies are valid, users are not required to supply a user name and password. If a user actively signs out of their Microsoft account, these cookies are removed.
@ -35,19 +27,17 @@ When users sign in to websites that are enabled to use a Microsoft account, a ti
**Important**  
Local Windows account functionality has not been removed, and it is still an option to use in managed environments.
 
### How Microsoft accounts are created
To prevent fraud, the Microsoft system verifies the IP address when a user creates an account. If a user tries to create multiple Microsoft accounts with the same IP address, they are stopped.
To prevent fraud, the Microsoft system verifies the IP address when a user creates an account. A user who tries to create multiple Microsoft accounts with the same IP address is stopped.
Microsoft accounts are not designed to be created in batches, for example, for a group of domain users within your enterprise.
Microsoft accounts are not designed to be created in batches, such as for a group of domain users within your enterprise.
There are two methods for creating a Microsoft account:
- **Use an existing email address**.
Users are able to use their valid email addresses to sign up for Microsoft accounts. The service turns the requesting user's email address into a Microsoft account. Users can also choose their personal password.
Users are able to use their valid email addresses to sign up for Microsoft accounts. The service turns the requesting user's email address into a Microsoft account. Users can also choose their personal passwords.
- **Sign up for a Microsoft email address**.
@ -118,13 +108,46 @@ Depending on your IT and business models, introducing Microsoft accounts into yo
### <a href="" id="bkmk-restrictuse"></a>Restrict the use of the Microsoft account
If employees are allowed to join the domain with their personal devices, they might expect to connect to enterprise resources by using their Microsoft accounts. If you want to prevent any use of Microsoft accounts within your enterprise, you can configure the local security policy setting [Accounts: Block Microsoft accounts](/windows/device-security/security-policy-settings/accounts-block-microsoft-accounts). However, this setting can prevent the users from signing in to their Windows devices with their Microsoft accounts (if they had set them up to do so) when they are joined to the domain.
The following Group Policy settings help control the use of Microsoft accounts in the enterprise:
The default for this setting is **Disabled**, which enables users to use their Microsoft accounts on devices that are joined to your domain. Other options in the setting can:
- [Block all consumer Microsoft account user authentication](#block-all-consumer-microsoft-account-user-authentication)
- [Accounts: Block Microsoft accounts](#accounts-block-microsoft-accounts)
1. Prevent users from creating new Microsoft accounts on a computer, switch a local account to a Microsoft account, or connect a domain account to a Microsoft account. This is the preferred option if you need to limit the use of Microsoft accounts in your enterprise.
#### Block all consumer Microsoft account user authentication
2. Prevent users with an existing Microsoft account from signing in to Windows. Selecting this option might make it impossible for an existing administrator to sign in to a computer and manage the system.
This setting controls whether users can provide Microsoft accounts for authentication for applications or services.
If this setting is enabled, all applications and services on the device are prevented from using Microsoft accounts for authentication.
This applies both to existing users of a device and new users who may be added.
However, any application or service that has already authenticated a user will not be affected by enabling this setting until the authentication cache expires.
It is recommended to enable this setting before any user signs in to a device to prevent cached tokens from being present.
If this setting is disabled or not configured, applications and services can use Microsoft accounts for authentication.
By default, this setting is **Disabled**.
This setting does not affect whether users can sign in to devices by using Microsoft accounts, or the ability for users to provide Microsoft accounts via the browser for authentication with web-based applications.
The path to this setting is:
Computer Configuration\Administrative Templates\Windows Components\Microsoft account
#### Accounts: Block Microsoft accounts
This setting prevents using the **Settings** app to add a Microsoft account for single sign-on (SSO) authentication for Microsoft services and some background services, or using a Microsoft account for single sign-on to other applications or services.
There are two options if this setting is enabled:
- **Users cant add Microsoft accounts** means that existing connected accounts can still sign in to the device (and appear on the Sign in screen). However, users cannot use the **Settings** app to add new connected accounts (or connect local accounts to Microsoft accounts).
- **Users cant add or log on with Microsoft accounts** means that users cannot add new connected accounts (or connect local accounts to Microsoft accounts) or use existing connected accounts through **Settings**.
This setting does not affect adding a Microsoft account for application authentication. For example, if this setting is enabled, a user can still provide a Microsoft account for authentication with an application such as **Mail**, but the user cannot use the Microsoft account for single sign-on authentication for other applications or services (in other words, the user will be prompted to authenticate for other applications or services).
By default, this setting is **Not defined**.
The path to this setting is:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
### <a href="" id="bkmk-cfgconnectedaccounts"></a>Configure connected accounts
@ -135,8 +158,6 @@ Users can disconnect a Microsoft account from their domain account at any time a
**Note**  
Connecting Microsoft accounts with domain accounts can limit access to some high-privileged tasks in Windows. For example, Task Scheduler will evaluate the connected Microsoft account for access and fail. In these situations, the account owner should disconnect the account.
 
### <a href="" id="bkmk-provisionaccounts"></a>Provision Microsoft accounts in the enterprise
Microsoft accounts are private user accounts. There are no methods provided by Microsoft to provision Microsoft accounts for an enterprise. Enterprises should use domain accounts.

5
windows/access-protection/change-history-for-access-protection.md
View File

@ -11,6 +11,11 @@ author: brianlic-msft
# Change history for access protection
This topic lists new and updated topics in the [Access protection](index.md) documentation.
## August 2017
|New or changed topic |Description |
|---------------------|------------|
|[Microsoft accounts](access-control/microsoft-accounts.md) |Revised to cover new Group Policy setting in Windows 10, version 1703, named **Block all consumer Microsoft account user authentication**.|
## March 2017
|New or changed topic |Description |
|---------------------|------------|

9
windows/access-protection/credential-guard/credential-guard-manage.md
View File

@ -100,15 +100,6 @@ You can also enable Credential Guard by using the [Device Guard and Credential G
DG_Readiness_Tool_v3.2.ps1 -Enable -AutoReboot
```
### Credential Guard deployment in virtual machines
Credential Guard can protect secrets in a Hyper-V virtual machine, just as it would on a physical machine. When Credential Guard is deployed on a VM, secrets are protected from attacks inside the VM. Credential Guard does not provide additional protection from privileged system attacks originating from the host.
#### Requirements for running Credential Guard in Hyper-V virtual machines
- The Hyper-V host must have an IOMMU, and run at least Windows Server 2016 or Windows 10 version 1607.
- The Hyper-V virtual machine must be Generation 2, have an enabled virtual TPM, and running at least Windows Server 2016 or Windows 10.
### Review Credential Guard performance
**Is Credential Guard running?**

13
windows/access-protection/credential-guard/credential-guard-requirements.md
View File

@ -35,6 +35,19 @@ The Virtualization-based security requires:
- CPU virtualization extensions plus extended page tables
- Windows hypervisor
### Credential Guard deployment in virtual machines
Credential Guard can protect secrets in a Hyper-V virtual machine, just as it would on a physical machine. When Credential Guard is deployed on a VM, secrets are protected from attacks inside the VM. Credential Guard does not provide additional protection from privileged system attacks originating from the host.
#### Requirements for running Credential Guard in Hyper-V virtual machines
- The Hyper-V host must have an IOMMU, and run at least Windows Server 2016 or Windows 10 version 1607.
- The Hyper-V virtual machine must be Generation 2, have an enabled virtual TPM, and be running at least Windows Server 2016 or Windows 10.
For information about other host platforms, see [Enabling Windows Server 2016 and Hyper-V virtualization based security features on other platforms](https://blogs.technet.microsoft.com/windowsserver/2016/09/29/enabling-windows-server-2016-and-hyper-v-virtualization-based-security-features-on-other-platforms/)
For information about Remote Credential Guard hardware and software requirements, see [Remote Credential Guard requirements](https://docs.microsoft.com/en-us/windows/access-protection/remote-credential-guard#hardware-and-software-requirements)
## Application requirements
When Credential Guard is enabled, specific authentication capabilities are blocked, so applications that require such capabilities will break. Applications should be tested prior to deployment to ensure compatiblity with the reduced functionality.

13
windows/access-protection/remote-credential-guard.md
View File

@ -47,12 +47,15 @@ Use the following table to compare different security options for Remote Desktop
## Hardware and software requirements
The Remote Desktop client and server must meet the following requirements in order to use Remote Credential Guard:
To use Remote Credential Guard, the Remote Desktop client and server must meet the following requirements:
- They must be joined to an Active Directory domain
- Both devices must either joined to the same domain or the Remote Desktop server must be joined to a domain with a trust relationship to the client device's domain.
- They must use Kerberos authentication.
- They must be running at least Windows 10, version 1607 or Windows Server 2016.
- In order to connect using credentials other than signed-in credentials, the Remote Desktop client device must be running at least Windows 10, version 1703.
> [!NOTE]
> Remote Desktop client devices running earlier versions, at minimum Windows 10 version 1607, only support signed-in credentials, so the client device must also be joined to an Active Directory domain. Both Remote Desktop client and server must either be joined to the same domain, or the Remote Desktop server can be joined to a domain that has a trust relationship to the client device's domain.
- For Remote Credential Guard to be supported, the user must authenticate to the remote host using Kerberos authentication
- The remote host must be running at least Windows 10 version 1607, or Windows Server 2016.
- The Remote Desktop classic Windows app is required. The Remote Desktop Universal Windows Platform app doesn't support Remote Credential Guard.
## Enable Remote Credential Guard

2
windows/application-management/TOC.md
View File

@ -100,5 +100,5 @@
#### [Viewing App-V Server Publishing Metadata](app-v/appv-viewing-appv-server-publishing-metadata.md)
#### [Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications](app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md)
## [Service Host process refactoring](svchost-service-refactoring.md)
## [Deploy app updgrades on Windows 10 Mobile](deploy-app-upgrades-windows-10-mobile.md)
## [Deploy app upgrades on Windows 10 Mobile](deploy-app-upgrades-windows-10-mobile.md)
## [Change history for Application management](change-history-for-application-management.md)

1
windows/client-management/mdm/TOC.md
View File

@ -6,6 +6,7 @@
### [Certificate authentication device enrollment](certificate-authentication-device-enrollment.md)
### [On-premise authentication device enrollment](on-premise-authentication-device-enrollment.md)
## [Understanding ADMX-backed policies](understanding-admx-backed-policies.md)
## [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md)
## [Win32 and Desktop Bridge app policy configuration](win32-and-centennial-app-policy-configuration.md)
## [Implement server-side support for mobile application management on Windows](implement-server-side-mobile-application-management.md)
## [Diagnose MDM failures in Windows 10](diagnose-mdm-failures-in-windows-10.md)

66
windows/client-management/mdm/applocker-csp.md
View File

@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 06/19/2017
ms.date: 08/10/2017
---
# AppLocker CSP
@ -791,8 +791,70 @@ The following list shows the apps that may be included in the inbox.
 
## Whitelist example
## Whitelist examples
The following example disables the calendar application.
``` syntax
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Add>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/PolicyManager/My/ApplicationManagement/ApplicationRestrictions</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
<Type xmlns="syncml:metinf">text/plain</Type>
</Meta>
<Data>&lt;AppPolicy Version="1" xmlns="http://schemas.microsoft.com/phone/2013/policy"&gt;&lt;Deny&gt;&lt;App ProductId="{a558feba-85d7-4665-b5d8-a2ff9c19799b}"/&gt;&lt;/Deny&gt;&lt;/AppPolicy&gt;
</Data>
</Item>
</Add>
<Final/>
</SyncBody>
</SyncML>
```
The following example blocks the usage of the map application.
``` syntax
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Add>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/AppLockerPhoneGroup0/StoreApps/Policy</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>
&lt;RuleCollection Type="Appx" EnforcementMode="Enabled"&gt;
&lt;FilePublisherRule Id="a9e18c21-ff8f-43cf-b9fc-db40eed693ba" Name="(Default Rule) All signed Appx packages" Description="Allows members of the Everyone group to run Appx packages that are signed." UserOrGroupSid="S-1-1-0" Action="Allow"&gt;
&lt;Conditions&gt;
&lt;FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*"&gt;
&lt;BinaryVersionRange LowSection="0.0.0.0" HighSection="*" /&gt;
&lt;/FilePublisherCondition&gt;
&lt;/Conditions&gt;
&lt;/FilePublisherRule&gt;
&lt;FilePublisherRule Id="fd686d83-a829-4351-8ff4-27c7de5755d2" Name="Deny Splash appmaps" Description="Deny members of the local Administrators group to run maps." UserOrGroupSid="S-1-1-0" Action="Deny"&gt;
&lt;Conditions&gt;
&lt;FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.WindowsMaps" BinaryName="*" /&gt;
&lt;/Conditions&gt;
&lt;/FilePublisherRule&gt;
&lt;/RuleCollection&gt;
</Data>
</Item>
</Add>
<Final/>
</SyncBody>
</SyncML>
```
The following example for Windows 10 Mobile denies all apps and allows the following apps:

3
windows/client-management/mdm/devdetail-csp.md
View File

@ -178,6 +178,9 @@ The following diagram shows the DevDetail configuration service provider managem
<a href="" id="devicehardwaredata"></a>**DeviceHardwareData**
<p style="margin-left: 20px">Added in Windows 10 version 1703. Returns a base64-encoded string of the hardware parameters of a device.
> [!Note]
> This node contains a raw blob used to identify a device in the cloud. It's not meant to be human readable by design and you cannot parse the content to get any meaningful hardware information.
<p style="margin-left: 20px">Supported operation is Get.
## Related topics

22
windows/client-management/mdm/devicemanageability-csp.md
View File

@ -7,12 +7,15 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 06/19/2017
ms.date: 08/10/2017
---
# DeviceManageability CSP
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
The DeviceManageability configuration service provider (CSP) is used retrieve the general information about MDM configuration capabilities on the device. This CSP was added in Windows 10, version 1607.
For performance reasons DeviceManageability CSP directly reads the CSP version from the registry. Specifically, the value csp\_version is used to determine each of the CSP versions. The csp\_version is a value under each of the CSP registration keys. To have consistency on the CSP version, the CSP GetProperty implementation for CFGMGR\_PROPERTY\_SEMANTICTYPE has to be updated to read from the registry as well, so that the both paths return the same information.
@ -30,11 +33,24 @@ Interior node.
<a href="" id="capabilities-cspversions"></a>**Capabilities/CSPVersions**
Returns the versions of all configuration service providers supported on the device for the MDM service.
<a href="" id="capabilities"></a>**Provider**
Added in Windows 10, version 1709. Interior node.
<a href="" id="capabilities-cspversions"></a>**Provider/_ProviderID_**
Added in Windows 10, version 1709. Provider ID of the configuration source.
 
<a href="" id="capabilities-cspversions"></a>**Provider/_ProviderID_/ConfigInfo**
Added in Windows 10, version 1709. Configuration information string value set by the configuration source. Recommended to be used during sync session.
The MDM server can query ConfigInfo to determine the settings of the traditional PC management system. The MDM can also configure ConfigInfo with its own device management information.
Data type is string. Supported operations are Add, Get, Delete, and Replace.
<a href="" id="capabilities-cspversions"></a>**Provider/_ProviderID_/EnrollmentInfo**
Added in Windows 10, version 1709. Enrollment information string value set by the configuration source. Recommended to send to server during MDM enrollment.
Data type is string. Supported operations are Add, Get, Delete, and Replace. 
 

107
windows/client-management/mdm/devicemanageability-ddf.md
View File

@ -7,12 +7,15 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 06/19/2017
ms.date: 08/10/2017
---
# DeviceManageability DDF
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
This topic shows the OMA DM device description framework (DDF) for the DeviceManageability configuration service provider. This CSP was added in Windows 10, version 1607.
You can download the DDF files from the links below:
@ -20,7 +23,7 @@ You can download the DDF files from the links below:
- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip)
- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip)
The XML below is the current version for this CSP.
The XML below is for Windows 10, version 1709.
``` syntax
<?xml version="1.0" encoding="UTF-8"?>
@ -46,7 +49,7 @@ The XML below is the current version for this CSP.
<Permanent />
</Scope>
<DFType>
<MIME>com.microsoft/1.0/MDM/DeviceManageability</MIME>
<MIME>com.microsoft/1.1/MDM/DeviceManageability</MIME>
</DFType>
</DFProperties>
<Node>
@ -90,9 +93,105 @@ The XML below is the current version for this CSP.
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>Provider</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Delete />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>Provider</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName></NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Delete />
</AccessType>
<Description>Provider ID String of the Configuration Source</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>ProviderID</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>ConfigInfo</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
<Add />
<Delete />
</AccessType>
<Description>Configuration Info string value set by the config source. Recommended to be used during sync session.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>ConfigInfo</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>EnrollmentInfo</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Delete />
<Replace />
</AccessType>
<Description>Enrollment Info string value set by the config source. Recommended to sent to server during MDM enrollment.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>EnrollmentInfo</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</Node>
</MgmtTree>
```
 

300
windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md Normal file
View File

@ -0,0 +1,300 @@
---
title: Enable ADMX-backed policies in MDM
description: Guide to configuring ADMX-backed policies in MDM
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 08/11/2017
---
# Enable ADMX-backed policies in MDM
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
This is a step-by-step guide to configuring ADMX-backed policies in MDM.
Starting in Windows 10 version 1703, Mobile Device Management (MDM) policy configuration support expanded to allow access of select Group Policy administrative templates (ADMX-backed policies) for Windows PCs via the [Policy configuration service provider (CSP)](policy-configuration-service-provider.md). Configuring ADMX-backed policies in Policy CSP is different from the typical way you configure a traditional MDM policy.
Summary of steps to enable a policy:
- Find the policy from the list ADMX-backed policies.
- Find the Group Policy related information from the MDM policy description.
- Use the Group Policy Editor to determine whether there are parameters necessary to enable the policy.
- Create the data payload for the SyncML.
## Enable a policy
1. Find the policy from the list [ADMX-backed policies](policy-configuration-service-provider.md#admx-backed-policies). You need the following information listed in the policy description.
- GP English name
- GP name
- GP ADMX file name
- GP path
2. Use the Group Policy Editor to determine whether you need additional information to enable the policy. Run GPEdit.msc
1. Click **Start**, then in the text box type **gpedit**.
2. Under **Best match**, click **Edit group policy** to launch it.
![GPEdit search](images/admx-gpedit-search.png)
3. In **Local Computer Policy** navigate to the policy you want to configure.
In this example, navigate to **Administrative Templates > System > App-V**.
![App-V policies](images/admx-appv.png)
4. Double-click **Enable App-V Client**.
The **Options** section is empty, which means there are no parameters necessary to enable the policy. If the **Options** section is not empty, follow the procedure in [Enable a policy that requires parameters](#enable-a-policy-that-requires-parameters)
![Enable App-V client](images/admx-appv-enableapp-vclient.png)
3. Create the SyncML to enable the policy that does not require any parameter.
In this example you configure **Enable App-V Client** to **Enabled**.
> [!Note]
> The \<Data> payload must be XML encoded. To avoid encoding, you can use CData if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). If you are using Intune, select String as the data type.
``` syntax
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Replace>
<CmdID>2</CmdID>
<Item>
<Meta>
<Format>chr</Format>
<Type>text/plain</Type>
</Meta>
<Target>
<LocURI>./Device/Vendor/MSFT/Policy/Config/AppVirtualization/AllowAppVClient </LocURI>
</Target>
<Data>&lt;Enabled/&gt;</Data>
</Item>
</Replace>
<Final/>
</SyncBody>
</SyncML>
```
## Enable a policy that requires parameters
1. Create the SyncML to enable the policy that requires parameters.
In this example, the policy is in **Administrative Templates > System > App-V > Publishing**.
1. Double-click **Publishing Server 2 Settings** to see the parameters you need to configure when you enable this policy.
![Enable publishing server 2 policy](images/admx-appv-publishingserver2.png)
![Enable publishing server 2 settings](images/admx-app-v-enablepublishingserver2settings.png)
2. Find the variable names of the parameters in the ADMX file.
You can find the ADMX file name in the policy description in Policy CSP. In this example, the filename appv.admx is listed in [AppVirtualization/PublishingAllowServer2](policy-configuration-service-provider.md#appvirtualization-publishingallowserver2).
![Publishing server 2 policy description](images/admx-appv-policy-description.png)
3. Navigate to **C:\Windows\PolicyDefinitions** (default location of the admx files) and open appv.admx.
4. Search for GP name **Publishing_Server2_policy**.
5. Under **policy name="Publishing_Server2_Policy"** you can see the \<elements> listed. The text id and enum id represents the data id you need to include in the SyncML data payload. They correspond to the fields you see in GP Editor.
Here is the snippet from appv.admx:
``` syntax
<!-- Publishing Server 2 -->
<policy name="Publishing_Server2_Policy" class="Machine" displayName="$(string.PublishingServer2)"
explainText="$(string.Publishing_Server_Help)" presentation="$(presentation.Publishing_Server2)"
key="SOFTWARE\Policies\Microsoft\AppV\Client\Publishing\Servers\2">
<parentCategory ref="CAT_Publishing" />
<supportedOn ref="windows:SUPPORTED_Windows7" />
<elements>
<text id="Publishing_Server2_Name_Prompt" valueName="Name" required="true"/>
<text id="Publishing_Server_URL_Prompt" valueName="URL" required="true"/>
<enum id="Global_Publishing_Refresh_Options" valueName="GlobalEnabled">
<item displayName="$(string.False)">
<value>
<decimal value="0"/>
</value>
</item>
<item displayName="$(string.True)">
<value>
<decimal value="1"/>
</value>
</item>
</enum>
<enum id="Global_Refresh_OnLogon_Options" valueName="GlobalLogonRefresh">
<item displayName="$(string.False)">
<value>
<decimal value="0"/>
</value>
</item>
<item displayName="$(string.True)">
<value>
<decimal value="1"/>
</value>
</item>
</enum>
<decimal id="Global_Refresh_Interval_Prompt" valueName="GlobalPeriodicRefreshInterval" minValue="0" maxValue="31"/>
<enum id="Global_Refresh_Unit_Options" valueName="GlobalPeriodicRefreshIntervalUnit">
<item displayName="$(string.Hour)">
<value>
<decimal value="0"/>
</value>
</item>
<item displayName="$(string.Day)">
<value>
<decimal value="1"/>
</value>
</item>
</enum>
<enum id="User_Publishing_Refresh_Options" valueName="UserEnabled">
<item displayName="$(string.False)">
<value>
<decimal value="0"/>
</value>
</item>
<item displayName="$(string.True)">
<value>
<decimal value="1"/>
</value>
</item>
</enum>
<enum id="User_Refresh_OnLogon_Options" valueName="UserLogonRefresh">
<item displayName="$(string.False)">
<value>
<decimal value="0"/>
</value>
</item>
<item displayName="$(string.True)">
<value>
<decimal value="1"/>
</value>
</item>
</enum>
<decimal id="User_Refresh_Interval_Prompt" valueName="UserPeriodicRefreshInterval" minValue="0" maxValue="31"/>
<enum id="User_Refresh_Unit_Options" valueName="UserPeriodicRefreshIntervalUnit">
<item displayName="$(string.Hour)">
<value>
<decimal value="0"/>
</value>
</item>
<item displayName="$(string.Day)">
<value>
<decimal value="1"/>
</value>
</item>
</enum>
</elements>
</policy>
```
6. From the \<elements> tag, copy all the text id and enum id and create an XML with data id and value fields. The value field contains the configuration settings you would enter in the GP Editor.
Here is the example XML for Publishing_Server2_Policy :
``` syntax
<data id="Publishing_Server2_Name_Prompt" value="Name"/>
<data id="Publishing_Server_URL_Prompt" value="http://someuri"/>
<data id="Global_Publishing_Refresh_Options" value="1"/>
<data id="Global_Refresh_OnLogon_Options" value="0"/>
<data id="Global_Refresh_Interval_Prompt" value="15"/>
<data id="Global_Refresh_Unit_Options" value="0"/>
<data id="User_Publishing_Refresh_Options" value="0"/>
<data id="User_Refresh_OnLogon_Options" value="0"/>
<data id="User_Refresh_Interval_Prompt" value="15"/>
<data id="User_Refresh_Unit_Options" value="1"/>
```
7. Create the SyncML to enable the policy. Payload contains \<enabled/> and name/value pairs.
Here is the example for **AppVirtualization/PublishingAllowServer2**:
> [!Note]
> The \<Data> payload must be XML encoded. To avoid encoding, you can use CData if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). If you are using Intune, select String as the data type.
``` syntax
<?xml version="1.0" encoding="utf-8"?>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Replace>
<CmdID>2</CmdID>
<Item>
<Meta>
<Format>chr</Format>
<Type>text/plain</Type>
</Meta>
<Target>
<LocURI>./Device/Vendor/MSFT/Policy/Config/AppVirtualization/PublishingAllowServer2</LocURI>
</Target>
<![CDATA[<enabled/><data id="Publishing_Server2_Name_Prompt" value="name prompt"/><data
id="Publishing_Server_URL_Prompt" value="URL prompt"/><data
id="Global_Publishing_Refresh_Options" value="1"/><data
id="Global_Refresh_OnLogon_Options" value="0"/><data
id="Global_Refresh_Interval_Prompt" value="15"/><data
id="Global_Refresh_Unit_Options" value="0"/><data
id="User_Publishing_Refresh_Options" value="0"/><data
id="User_Refresh_OnLogon_Options" value="0"/><data
id="User_Refresh_Interval_Prompt" value="15"/><data
id="User_Refresh_Unit_Options" value="1"/>]]>
</Item>
</Replace>
<Final/>
</SyncBody>
</SyncML>
```
## Disable a policy
The \<Data> payload is \<disabled/>. Here is an example to disable AppVirtualization/PublishingAllowServer2.
``` syntax
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Replace>
<CmdID>2</CmdID>
<Item>
<Meta>
<Format>chr</Format>
<Type>text/plain</Type>
</Meta>
<Target>
<LocURI>./Device/Vendor/MSFT/Policy/Config/AppVirtualization/PublishingAllowServer2</LocURI>
</Target>
<Data>&lt;disabled/&gt;</Data>
</Item>
</Replace>
<Final/>
</SyncBody>
</SyncML>
```
## Setting a policy to not configured
The \<Data> payload is empty. Here an example to set AppVirtualization/PublishingAllowServer2 to "Not Configured."
``` syntax
<?xml version="1.0" encoding="utf-8"?>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Delete>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/Policy/Config/AppVirtualization/PublishingAllowServer2</LocURI>
</Target>
</Item>
</Delete>
<Final/>
</SyncBody>
</SyncML>
```

BIN
windows/client-management/mdm/images/admx-app-v-enablepublishingserver2settings.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 45 KiB

BIN
windows/client-management/mdm/images/admx-appv-enableapp-vclient.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 24 KiB

BIN
windows/client-management/mdm/images/admx-appv-policy-description.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 85 KiB

BIN
windows/client-management/mdm/images/admx-appv-publishing.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 54 KiB

BIN
windows/client-management/mdm/images/admx-appv-publishingserver2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 62 KiB

BIN
windows/client-management/mdm/images/admx-appv.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 50 KiB

BIN
windows/client-management/mdm/images/admx-gpedit-search.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 30 KiB

BIN
windows/client-management/mdm/images/mdm-enrollment-disable-policy.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 50 KiB

BIN
windows/client-management/mdm/images/provisioning-csp-devicemanageability.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 3.3 KiB

After

Width:  |  Height:  |  Size: 12 KiB

18
windows/client-management/mdm/mobile-device-enrollment.md
View File

@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 06/19/2017
ms.date: 08/11/2017
---
# Mobile device enrollment
@ -59,26 +59,30 @@ The following topics describe the end-to-end enrollment process using various au
> - Any fixed URIs that are passed during enrollment
> - Specific formatting of any value unless otherwise noted, such as the format of the device ID.
## Enrollment support for domain-joined devices
 
Devices that are joined to an on-premise Active Directory can enroll into MDM via the Work access page in **Settings**. However, the enrollment can only target the user enrolled with user-specific policies. Device targeted policies will continue to impact all users of the device.
## Prevent MDM enrollments
## Disable MDM enrollments
Starting in Windows 10, version 1607, to prevent MDM enrollments for domain-joined PCs, you can set the following Group Policy:
Starting in Windows 10, version 1607, IT admin can disable MDM enrollments for domain-joined PCs using Group Policy. Using the GP editor, the path is **Computer configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **MDM** &gt; **Disable MDM Enrollment**.
![Disable MDM enrollment policy in GP Editor](images/mdm-enrollment-disable-policy.png)
Here is the corresponding registry key:
Key: \\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\MDM
Value: DisableRegistration
Using the GP editor, the path is Computer configuration &gt; Administrative Templates &gt; Windows Components &gt; MDM &gt; Disable MDM Enrollment.
## Enrollment scenarios not supported
The following scenarios do not allow MDM enrollments:
- Built-in administrator accounts on Windows desktop cannot enroll into MDM.
- Standard users on Windows desktop cannot enroll into MDM via the Work access page in **Settings**. To enroll a standard user into MDM, we recommend using a provisioning package or joining the device to Azure AD from **Settings** -&gt; **System** -&gt; **About**.
- Prior to Windows 10, version 1709, standard users on Windows desktop cannot enroll into MDM via the Work access page in **Settings**. Only admin users can enroll. To enroll a standard user into MDM, we recommend using a provisioning package or joining the device to Azure AD from **Settings** -&gt; **System** -&gt; **About**. Starting in Windows 10, version 1709, standard users can enroll in MDM.
- Windows 8.1 devices enrolled into MDM via enroll-on-behalf-of (EOBO) can upgrade to Windows 10, but the enrollment is not supported. We recommend performing a server initiated unenroll to remove these enrollments and then enrolling after the upgrade to Windows 10 is completed.
## Enrollment migration

38
windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
View File

@ -10,11 +10,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 08/04/2017
ms.date: 08/11/2017
---
# What's new in MDM enrollment and management
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
@ -960,9 +961,17 @@ For details about Microsoft mobile device management protocols for Windows 10 s
</td></tr>
<tr class="even">
<td style="vertical-align:top">[AssignedAccess CSP](assignedaccess-csp.md)</td>
<td style="vertical-align:top"><p>Here are the changes in Windows 10, version 1709.</p>
<td style="vertical-align:top"><p>Added the following setting in Windows 10, version 1709.</p>
<ul>
<li>Added Configuration node</li>
<li>Configuration</li>
</ul>
</td></tr>
<tr class="odd">
<td style="vertical-align:top">[DeviceManageability CSP](devicemanageability-csp.md)</td>
<td style="vertical-align:top"><p>Added the following settings in Windows 10, version 1709:</p>
<ul>
<li>Provider/_ProviderID_/ConfigInfo</li>
<li> Provider/_ProviderID_/EnrollmentInfo</li>
</ul>
</td></tr>
<tr class="odd">
@ -1319,6 +1328,17 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
</thead>
<tbody>
<tr class="odd">
<td style="vertical-align:top">[Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md)</td>
<td style="vertical-align:top"><p>Added new step-by-step guide to enable ADMX-backed policies.</p>
</td></tr>
<tr class="odd">
<td style="vertical-align:top">[Mobile device enrollment](mobile-device-enrollment.md)</td>
<td style="vertical-align:top"><p>Added the following statement:</p>
<ul>
<li>Devices that are joined to an on-premise Active Directory can enroll into MDM via the Work access page in <strong>Settings</strong>. However, the enrollment can only target the user enrolled with user-specific policies. Device targeted policies will continue to impact all users of the device.</li>
</ul>
</td></tr>
<tr class="odd">
<td style="vertical-align:top">[CM\_CellularEntries CSP](cm-cellularentries-csp.md)</td>
<td style="vertical-align:top"><p>Updated the description of the PuposeGroups node to add the GUID for applications. This node is required instead of optional.</p>
</td></tr>
@ -1332,6 +1352,18 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
<li> 3 Hides overrides (encrypt, prompt but hide overrides, and audit).</li>
</ul>
</td></tr>
<tr class="odd">
<td style="vertical-align:top">[AppLocker CSP](applocker-csp.md)</td>
<td style="vertical-align:top"><p>Added two new SyncML examples (to disable the calendar app and to block usage of the map app) in [Whitelist examples](applocker-csp.md#whitelist-examples).</p>
</td></tr>
<tr class="odd">
<td style="vertical-align:top">[DeviceManageability CSP](devicemanageability-csp.md)</td>
<td style="vertical-align:top"><p>Added the following settings in Windows 10, version 1709:</p>
<ul>
<li>Provider/_ProviderID_/ConfigInfo</li>
<li> Provider/_ProviderID_/EnrollmentInfo</li>
</ul>
</td></tr>
<tr class="even">
<td style="vertical-align:top">[Policy CSP](policy-configuration-service-provider.md)</td>
<td style="vertical-align:top"><p>Added the following new policies for Windows 10, version 1709:</p>

30
windows/client-management/mdm/policy-csp-appvirtualization.md
View File

@ -60,6 +60,7 @@ This policy setting allows you to enable or disable Microsoft Application Virtua
ADMX Info:
- GP english name: *Enable App-V Client*
- GP name: *EnableAppV*
- GP path: *Administrative Templates/System/App-V*
- GP ADMX file name: *appv.admx*
<!--EndADMX-->
@ -105,6 +106,7 @@ Enables Dynamic Virtualization of supported shell extensions, browser helper obj
ADMX Info:
- GP english name: *Enable Dynamic Virtualization*
- GP name: *Virtualization_JITVEnable*
- GP path: *Administrative Templates/System/App-V/Virtualization*
- GP ADMX file name: *appv.admx*
<!--EndADMX-->
@ -150,6 +152,7 @@ Enables automatic cleanup of appv packages that were added after Windows10 anniv
ADMX Info:
- GP english name: *Enable automatic cleanup of unused appv packages*
- GP name: *PackageManagement_AutoCleanupEnable*
- GP path: *Administrative Templates/System/App-V/PackageManagement*
- GP ADMX file name: *appv.admx*
<!--EndADMX-->
@ -195,6 +198,7 @@ Enables scripts defined in the package manifest of configuration files that shou
ADMX Info:
- GP english name: *Enable Package Scripts*
- GP name: *Scripting_Enable_Package_Scripts*
- GP path: *Administrative Templates/System/App-V/Scripting*
- GP ADMX file name: *appv.admx*
<!--EndADMX-->
@ -240,6 +244,7 @@ Enables a UX to display to the user when a publishing refresh is performed on th
ADMX Info:
- GP english name: *Enable Publishing Refresh UX*
- GP name: *Enable_Publishing_Refresh_UX*
- GP path: *Administrative Templates/System/App-V/Publishing*
- GP ADMX file name: *appv.admx*
<!--EndADMX-->
@ -295,6 +300,7 @@ Data Block Size: This value specifies the maximum size in bytes to transmit to t
ADMX Info:
- GP english name: *Reporting Server*
- GP name: *Reporting_Server_Policy*
- GP path: *Administrative Templates/System/App-V/Reporting*
- GP ADMX file name: *appv.admx*
<!--EndADMX-->
@ -340,6 +346,7 @@ Specifies the file paths relative to %userprofile% that do not roam with a user'
ADMX Info:
- GP english name: *Roaming File Exclusions*
- GP name: *Integration_Roaming_File_Exclusions*
- GP path: *Administrative Templates/System/App-V/Integration*
- GP ADMX file name: *appv.admx*
<!--EndADMX-->
@ -385,6 +392,7 @@ Specifies the registry paths that do not roam with a user profile. Example usage
ADMX Info:
- GP english name: *Roaming Registry Exclusions*
- GP name: *Integration_Roaming_Registry_Exclusions*
- GP path: *Administrative Templates/System/App-V/Integration*
- GP ADMX file name: *appv.admx*
<!--EndADMX-->
@ -430,6 +438,7 @@ Specifies how new packages should be loaded automatically by App-V on a specific
ADMX Info:
- GP english name: *Specify what to load in background (aka AutoLoad)*
- GP name: *Steaming_Autoload*
- GP path: *Administrative Templates/System/App-V/Streaming*
- GP ADMX file name: *appv.admx*
<!--EndADMX-->
@ -475,6 +484,7 @@ Migration mode allows the App-V client to modify shortcuts and FTA's for package
ADMX Info:
- GP english name: *Enable Migration Mode*
- GP name: *Client_Coexistence_Enable_Migration_mode*
- GP path: *Administrative Templates/System/App-V/Client Coexistence*
- GP ADMX file name: *appv.admx*
<!--EndADMX-->
@ -520,6 +530,7 @@ Specifies the location where symbolic links are created to the current version o
ADMX Info:
- GP english name: *Integration Root User*
- GP name: *Integration_Root_User*
- GP path: *Administrative Templates/System/App-V/Integration*
- GP ADMX file name: *appv.admx*
<!--EndADMX-->
@ -565,6 +576,7 @@ Specifies the location where symbolic links are created to the current version o
ADMX Info:
- GP english name: *Integration Root Global*
- GP name: *Integration_Root_Global*
- GP path: *Administrative Templates/System/App-V/Integration*
- GP ADMX file name: *appv.admx*
<!--EndADMX-->
@ -628,6 +640,7 @@ User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, D
ADMX Info:
- GP english name: *Publishing Server 1 Settings*
- GP name: *Publishing_Server1_Policy*
- GP path: *Administrative Templates/System/App-V/Publishing*
- GP ADMX file name: *appv.admx*
<!--EndADMX-->
@ -689,8 +702,9 @@ User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, D
<!--StartADMX-->
ADMX Info:
- GP english name: *Publishing Server 2 Settings*
- GP English name: *Publishing Server 2 Settings*
- GP name: *Publishing_Server2_Policy*
- GP path: *Administrative Templates/System/App-V/Publishing*
- GP ADMX file name: *appv.admx*
<!--EndADMX-->
@ -754,6 +768,7 @@ User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, D
ADMX Info:
- GP english name: *Publishing Server 3 Settings*
- GP name: *Publishing_Server3_Policy*
- GP path: *Administrative Templates/System/App-V/Publishing*
- GP ADMX file name: *appv.admx*
<!--EndADMX-->
@ -817,6 +832,7 @@ User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, D
ADMX Info:
- GP english name: *Publishing Server 4 Settings*
- GP name: *Publishing_Server4_Policy*
- GP path: *Administrative Templates/System/App-V/Publishing*
- GP ADMX file name: *appv.admx*
<!--EndADMX-->
@ -880,6 +896,7 @@ User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, D
ADMX Info:
- GP english name: *Publishing Server 5 Settings*
- GP name: *Publishing_Server5_Policy*
- GP path: *Administrative Templates/System/App-V/Publishing*
- GP ADMX file name: *appv.admx*
<!--EndADMX-->
@ -925,6 +942,7 @@ Specifies the path to a valid certificate in the certificate store.
ADMX Info:
- GP english name: *Certificate Filter For Client SSL*
- GP name: *Streaming_Certificate_Filter_For_Client_SSL*
- GP path: *Administrative Templates/System/App-V/Streaming*
- GP ADMX file name: *appv.admx*
<!--EndADMX-->
@ -970,6 +988,7 @@ This setting controls whether virtualized applications are launched on Windows 8
ADMX Info:
- GP english name: *Allow First Time Application Launches if on a High Cost Windows 8 Metered Connection*
- GP name: *Streaming_Allow_High_Cost_Launch*
- GP path: *Administrative Templates/System/App-V/Streaming*
- GP ADMX file name: *appv.admx*
<!--EndADMX-->
@ -1015,6 +1034,7 @@ Specifies the CLSID for a compatible implementation of the IAppvPackageLocationP
ADMX Info:
- GP english name: *Location Provider*
- GP name: *Streaming_Location_Provider*
- GP path: *Administrative Templates/System/App-V/Streaming*
- GP ADMX file name: *appv.admx*
<!--EndADMX-->
@ -1060,6 +1080,7 @@ Specifies directory where all new applications and updates will be installed.
ADMX Info:
- GP english name: *Package Installation Root*
- GP name: *Streaming_Package_Installation_Root*
- GP path: *Administrative Templates/System/App-V/Streaming*
- GP ADMX file name: *appv.admx*
<!--EndADMX-->
@ -1105,6 +1126,7 @@ Overrides source location for downloading package content.
ADMX Info:
- GP english name: *Package Source Root*
- GP name: *Streaming_Package_Source_Root*
- GP path: *Administrative Templates/System/App-V/Streaming*
- GP ADMX file name: *appv.admx*
<!--EndADMX-->
@ -1150,6 +1172,7 @@ Specifies the number of seconds between attempts to reestablish a dropped sessio
ADMX Info:
- GP english name: *Reestablishment Interval*
- GP name: *Streaming_Reestablishment_Interval*
- GP path: *Administrative Templates/System/App-V/Streaming*
- GP ADMX file name: *appv.admx*
<!--EndADMX-->
@ -1195,6 +1218,7 @@ Specifies the number of times to retry a dropped session.
ADMX Info:
- GP english name: *Reestablishment Retries*
- GP name: *Streaming_Reestablishment_Retries*
- GP path: *Administrative Templates/System/App-V/Streaming*
- GP ADMX file name: *appv.admx*
<!--EndADMX-->
@ -1240,6 +1264,7 @@ Specifies that streamed package contents will be not be saved to the local hard
ADMX Info:
- GP english name: *Shared Content Store (SCS) mode*
- GP name: *Streaming_Shared_Content_Store_Mode*
- GP path: *Administrative Templates/System/App-V/Streaming*
- GP ADMX file name: *appv.admx*
<!--EndADMX-->
@ -1285,6 +1310,7 @@ If enabled, the App-V client will support BrancheCache compatible HTTP streaming
ADMX Info:
- GP english name: *Enable Support for BranchCache*
- GP name: *Streaming_Support_Branch_Cache*
- GP path: *Administrative Templates/System/App-V/Streaming*
- GP ADMX file name: *appv.admx*
<!--EndADMX-->
@ -1330,6 +1356,7 @@ Verifies Server certificate revocation status before streaming using HTTPS.
ADMX Info:
- GP english name: *Verify certificate revocation list*
- GP name: *Streaming_Verify_Certificate_Revocation_List*
- GP path: *Administrative Templates/System/App-V/Streaming*
- GP ADMX file name: *appv.admx*
<!--EndADMX-->
@ -1375,6 +1402,7 @@ Specifies a list of process paths (may contain wildcards) which are candidates f
ADMX Info:
- GP english name: *Virtual Component Process Allow List*
- GP name: *Virtualization_JITVAllowList*
- GP path: *Administrative Templates/System/App-V/Virtualization*
- GP ADMX file name: *appv.admx*
<!--EndADMX-->

22
windows/client-management/mdm/understanding-admx-backed-policies.md
View File

@ -97,7 +97,7 @@ Appv.admx file:
## <a href="" id="admx-backed-policy-examples"></a>ADMX-backed policy examples
The following SyncML examples describe how to set a MDM policy that is defined by an ADMX template, specifically the Publishing_Server2_Policy Group Policy description in the application virtualization ADMX file, appv.admx. Note that the functionality that this Group Policy manages is not important; it is used to illustrate only how an MDM ISV can set an ADMX-backed policy. These SyncML examples illustrate common options and the corresponding SyncML code that can be used for testing your policies. Note that the payload of the SyncML must be XML-encoded; for this XML encoding, you can use the [Coders Toolbox](http://coderstoolbox.net/string/#!encoding=xml&action=encode&charset=us_ascii) online tool. To avoid encoding the payload, you can use CData if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
The following SyncML examples describe how to set a MDM policy that is defined by an ADMX template, specifically the Publishing_Server2_Policy Group Policy description in the application virtualization ADMX file, appv.admx. Note that the functionality that this Group Policy manages is not important; it is used to illustrate only how an MDM ISV can set an ADMX-backed policy. These SyncML examples illustrate common options and the corresponding SyncML code that can be used for testing your policies. Note that the payload of the SyncML must be XML-encoded; for this XML encoding, you can use favorite online tool. To avoid encoding the payload, you can use CData if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
### <a href="" id="enabling-a-policy"></a>Enabling a policy
@ -119,7 +119,7 @@ The following SyncML examples describe how to set a MDM policy that is defined b
**Request SyncML**
```XML
<?xml version="1.0" encoding="utf-8"?>
<SyncML xmlns="SYNCML:SYNCML1.1">
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Replace>
<CmdID>2</CmdID>
@ -169,7 +169,7 @@ The following SyncML examples describe how to set a MDM policy that is defined b
**Request SyncML**
```XML
<?xml version="1.0" encoding="utf-8"?>
<SyncML xmlns="SYNCML:SYNCML1.1">
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Replace>
<CmdID>2</CmdID>
@ -209,7 +209,7 @@ The following SyncML examples describe how to set a MDM policy that is defined b
**Request SyncML**
```
<?xml version="1.0" encoding="utf-8"?>
<SyncML xmlns="SYNCML:SYNCML1.1">
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Delete>
<CmdID>1</CmdID>
@ -292,7 +292,7 @@ The `text` element simply corresponds to a string and correspondingly to an edit
```XML
<?xml version="1.0" encoding="utf-8"?>
<SyncML xmlns="SYNCML:SYNCML1.1">
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Replace>
<CmdID>$CmdId$</CmdID>
@ -333,7 +333,7 @@ The `multiText` element simply corresponds to a REG_MULTISZ registry string and
```XML
<?xml version="1.0" encoding="utf-8"?>
<SyncML xmlns="SYNCML:SYNCML1.1">
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Replace>
<CmdID>2</CmdID>
@ -377,7 +377,7 @@ Variations of the `list` element are dictated by attributes. These attributes ar
#### Corresponding SyncML:
```XML
<SyncML xmlns="SYNCML:SYNCML1.1">
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Replace>
<CmdID>2</CmdID>
@ -409,7 +409,7 @@ Variations of the `list` element are dictated by attributes. These attributes ar
#### Corresponding SyncML:
```XML
<SyncML xmlns="SYNCML:SYNCML1.1">
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Replace>
<CmdID>2</CmdID>
@ -466,7 +466,7 @@ Variations of the `list` element are dictated by attributes. These attributes ar
#### Corresponding SyncML:
```XML
<SyncML xmlns="SYNCML:SYNCML1.1">
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Replace>
<CmdID>2</CmdID>
@ -503,7 +503,7 @@ Variations of the `list` element are dictated by attributes. These attributes ar
#### Corresponding SyncML:
```XML
<SyncML xmlns="SYNCML:SYNCML1.1">
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Replace>
<CmdID>2</CmdID>
@ -552,7 +552,7 @@ Variations of the `list` element are dictated by attributes. These attributes ar
```XML
<?xml version="1.0" encoding="utf-8"?>
<SyncML xmlns="SYNCML:SYNCML1.1">
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Replace>
<CmdID>2</CmdID>

4
windows/deployment/vda-subscription-activation.md
View File

@ -12,11 +12,7 @@ author: greg-lindsay
# Configure VDA for Windows 10 Subscription Activation
<<<<<<< HEAD
This document describes how to configure virtual machines (VMs) to enable [Windows 10 Subscription Activation](windows-10-enterprise-subscription-activation.md) in a Windows Virtual Desktop Access (VDA) scenario. Windows VDA is a device or user-based license.
=======
This document describes how to configure virtual machines (VMs) to enable [Windows 10 Subscription Activation](windows-10-enterprise-subscription-activation.md) in a Windows Virtual Desktop Access (VDA) scenario. Windows VDA is a device or user-based licensing mechanism for managing access to virtual desktops.
>>>>>>> 9cfade7b4735548209a42a177179689a7e522ec6
## Requirements

6
windows/device-security/change-history-for-device-security.md
View File

@ -14,14 +14,14 @@ This topic lists new and updated topics in the [Device security](index.md) docum
## August 2017
|New or changed topic |Description |
|---------------------|------------|
| [BitLocker: Management recommendations for enterprises](bitlocker/bitlocker-management-for-enterprises.md) | New BitLocker security topic. |
| [BitLocker: Management recommendations for enterprises](bitlocker/bitlocker-management-for-enterprises.md) | New BitLocker security topic. |
| [Accounts: Block Microsoft accounts](security-policy-settings/accounts-block-microsoft-accounts.md) | Revised description |
## July 2017
|New or changed topic |Description |
|---------------------|------------|
| [How Windows 10 uses the Trusted Platform Module](tpm/how-windows-uses-the-tpm.md) | New TPM security topic. |
| [How Windows 10 uses the Trusted Platform Module](tpm/how-windows-uses-the-tpm.md) | New TPM security topic. |
## May 2017

4
windows/device-security/device-guard/deploy-code-integrity-policies-steps.md
View File

@ -46,6 +46,7 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you
- mshta.exe
- ntsd.exe
- rcsi.exe
- SyncAppVPublishingServer.exe
- system.management.automation.dll
- windbg.exe
@ -64,6 +65,7 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you
|Matt Nelson | @enigma0x3|
|Oddvar Moe |@Oddvarmoe|
|Alex Ionescu | @aionescu|
|Nick Landers | @monoxgas|
<br />
@ -116,6 +118,7 @@ Microsoft recommends that you block the following Microsoft-signed applications
<Deny ID="ID_DENY_LXSS" FriendlyName="LxssManager.dll" FileName="LxssManager.dll" MinimumFileVersion = "65535.65535.65535.65535" />
<Deny ID="ID_DENY_BASH" FriendlyName="bash.exe" FileName="bash.exe" MinimumFileVersion = "65535.65535.65535.65535" />
<Deny ID="ID_DENY_FSI" FriendlyName="fsi.exe" FileName="fsi.exe" MinimumFileVersion = "65535.65535.65535.65535" />
<Deny ID="ID_DENY_APPVPUBSRV" FriendlyName="SyncAppVPublishingServer.exe" FileName="SyncAppVPublishingServer.exe" MinimumFileVersion = "65535.65535.65535.65535" />
<Deny ID="ID_DENY_FSI_ANYCPU" FriendlyName="fsiAnyCpu.exe" FileName="fsiAnyCpu.exe" MinimumFileVersion = "65535.65535.65535.65535" />
<Deny ID="ID_DENY_MSHTA" FriendlyName="mshta.exe" FileName="mshta.exe" MinimumFileVersion = "65535.65535.65535.65535" />
<Deny ID="ID_DENY_SMA" FriendlyName="System.Management.Automation.dll" FileName="System.Management.Automation.dll" MinimumFileVersion = "10.0.16215.999" />
@ -184,6 +187,7 @@ Microsoft recommends that you block the following Microsoft-signed applications
<FileRuleRef RuleID="ID_DENY_BASH"/>
<FileRuleRef RuleID="ID_DENY_FSI"/>
<FileRuleRef RuleID="ID_DENY_FSI_ANYCPU"/>
<FileRuleRef RuleID="ID_DENY_APPVPUBSRV"/>
<FileRuleRef RuleID="ID_DENY_MSHTA"/>
<FileRuleRef RuleID="ID_DENY_SMA"/>
<FileRuleRef RuleID="ID_DENY_D_1" />

2
windows/device-security/device-guard/deploy-managed-installer-for-device-guard.md
View File

@ -10,7 +10,7 @@ author: mdsakibMSFT
# Deploy Managed Installer for Device Guard
Creating and maintaining application execution control policies has always been challenging and options for addressing this has been a frequently cited request for customers of AppLocker and Device Guards [configurable code integrity (CI)](device-guard-deployment-guide.md).
Creating and maintaining application execution control policies has always been challenging, and finding ways to address this issue has been a frequently-cited request for customers of AppLocker and Device Guard [configurable code integrity (CI)](device-guard-deployment-guide.md).
This is especially true for enterprises with large, ever changing software catalogs.
Windows 10, version 1703 (also known as the Windows 10 Creators Update) provides a new option, known as a managed installer, that allows IT administrators to automatically authorize applications deployed and installed by a designated software distribution solution, such as System Center Configuration Manager.

10
windows/device-security/security-policy-settings/accounts-block-microsoft-accounts.md
View File

@ -18,11 +18,13 @@ Describes the best practices, location, values, management, and security conside
## Reference
This policy setting prevents users from adding new Microsoft accounts on a device.
This setting prevents using the **Settings** app to add a Microsoft account for single sign-on (SSO) authentication for Microsoft services and some background services, or using a Microsoft account for single sign-on to other applications or services.
If you click the **Users cant add Microsoft accounts** setting option, users will not be able to switch a local account to a Microsoft account, or connect a domain account to a Microsoft account to drive sync, roaming, or other background services. This is the preferred option if you need to limit the use of Microsoft accounts in your enterprise. Users will still be able to add app-specific Microsoft accounts for use with consumer apps. To block this use, turn off the ability to install consumer apps or the Store.
There are two options if this setting is enabled:
If you click the **Users cant add or log on with Microsoft accounts** setting option, existing Microsoft account users will not be able to log on to Windows. Selecting this option might make it impossible for an existing administrator to log on to a computer and manage the system.
- **Users cant add Microsoft accounts** means that existing connected accounts can still sign in to the device (and appear on the Sign in screen). However, users cannot use the **Settings** app to add new connected accounts (or connect local accounts to Microsoft accounts).
- **Users cant add or log on with Microsoft accounts** means that users cannot add new connected accounts (or connect local accounts to Microsoft accounts) or use existing connected accounts through **Settings**.
If you disable or do not configure this policy (recommended), users will be able to use Microsoft accounts with Windows.
@ -36,7 +38,7 @@ By default, this setting is not defined on domain controllers and disabled on st
### Best practices
- By disabling or not configuring this policy setting on the client computer, users will be able to use their Microsoft account, local account, or domain account for their sign-in session to Windows. It also enables the user to connect a local or domain account to a Microsoft account. This provides a convenient option for your users.
- If you need to limit the use of Microsoft accounts in your organization, click the **Users cant add Microsoft accounts** setting option so that users will not be able to create new Microsoft accounts on a computer, switch a local account to a Microsoft account, or connect a domain account to a Microsoft account.
- If you need to limit the use of Microsoft accounts in your organization, click the **Users cant add Microsoft accounts** setting option so that users will not be able to use the **Settings** app to add new connected accounts.
### Location

7
windows/threat-protection/TOC.md
View File

@ -147,6 +147,13 @@
### [Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](windows-defender-smartscreen\windows-defender-smartscreen-available-settings.md)
### [Set up and use Windows Defender SmartScreen on individual devices](windows-defender-smartscreen\windows-defender-smartscreen-set-individual-device.md)
##[Windows Defender Application Guard](windows-defender-application-guard\wd-app-guard-overview.md)
###[System requirements for Windows Defender Application Guard](windows-defender-application-guard\reqs-wd-app-guard.md)
###[Prepare and install Windows Defender Application Guard](windows-defender-application-guard\install-wd-app-guard.md)
###[Configure the Group Policy settings for Windows Defender Application Guard](windows-defender-application-guard\configure-wd-app-guard.md)
###[Testing scenarios using Windows Defender Application Guard in your business or organization](windows-defender-application-guard\test-scenarios-wd-app-guard.md)
###[Frequently Asked Questions - Windows Defender Application Guard](windows-defender-application-guard\faq-wd-app-guard.md)
## [Protect your enterprise data using Windows Information Protection (WIP)](windows-information-protection\protect-enterprise-data-using-wip.md)
### [Create a Windows Information Protection (WIP) policy](windows-information-protection\overview-create-wip-policy.md)
#### [Create a Windows Information Protection (WIP) policy using the classic console for Microsoft Intune](windows-information-protection\create-wip-policy-using-intune.md)

90
windows/threat-protection/block-untrusted-fonts-in-enterprise.md
View File

@ -8,10 +8,13 @@ ms.mktglfcycl: deploy
ms.pagetype: security
ms.sitesec: library
author: eross-msft
ms.author: lizross
ms.date: 08/14/2017
ms.localizationpriority: high
---
# Block untrusted fonts in an enterprise
**Applies to:**
- Windows 10
@ -46,19 +49,44 @@ After you turn this feature on, your employees might experience reduced function
- Using desktop Office to look at documents with embedded fonts. In this situation, content shows up using a default font picked by Office.
## Turn on and use the Blocking Untrusted Fonts feature
Use Group Policy or the registry to turn this feature on, off, or to use audit mode.
**To turn on and use the Blocking Untrusted Fonts feature through Group Policy**
1. Open the Group Policy editor (gpedit.msc) and go to `Computer Configuration\Administrative Templates\System\Mitigation Options\Untrusted Font Blocking`.
2. Click **Enabled** to turn the feature on, and then click one of the following **Migitation Options**:
- **Block untrusted fonts and log events.** Turns the feature on, blocking untrusted fonts and logging installation attempts to the event log.
- **Do not block untrusted fonts.** Turns the feature on, but doesn't block untrusted fonts nor does it log installation attempts to the event log.
- **Log events without blocking untrusted fonts**. Turns the feature on, logging installation attempts to the event log, but not blocking untrusted fonts.
3. Click **OK**.
**To turn on and use the Blocking Untrusted Fonts feature through the registry**
To turn this feature on, off, or to use audit mode:
1. Open the registry editor (regedit.exe) and go to `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\`.
2. If the **MitigationOptions** key isn't there, right-click and add a new **QWORD (64-bit) Value**, renaming it to **MitigationOptions**.
3. Update the **Value data** of the **MitigationOptions** key, making sure you keep your existing value, like in the important note below:
3. Right click on the **MitigationOptions** key, and then click **Modify**.
The **Edit QWORD (64-bit) Value** box opens.
4. Make sure the **Base** option is **Hexadecimal**, and then update the **Value data**, making sure you keep your existing value, like in the important note below:
- **To turn this feature on.** Type **1000000000000**.
- **To turn this feature off.** Type **2000000000000**.
- **To audit with this feature.** Type **3000000000000**.<p>**Important**<br>Your existing **MitigationOptions** values should be saved during your update. For example, if the current value is *1000*, your updated value should be *1000000001000*. 
4. Restart your computer.
- **To turn this feature off.** Type **2000000000000**.
- **To audit with this feature.** Type **3000000000000**.
>[!Important]
>Your existing **MitigationOptions** values should be saved during your update. For example, if the current value is *1000*, your updated value should be *1000000001000*. 
4. Restart your computer.
## View the event log
After you turn this feature on, or start using Audit mode, you can look at your event logs for details.
@ -68,27 +96,33 @@ After you turn this feature on, or start using Audit mode, you can look at your
1. Open the event viewer (eventvwr.exe) and go to **Application and Service Logs/Microsoft/Windows/Win32k/Operational**.
2. Scroll down to **EventID: 260** and review the relevant events.
<p>
**Event Example 1 - MS Word**<br>
WINWORD.EXE attempted loading a font that is restricted by font loading policy.<br>
FontType: Memory<br>
FontPath:<br>
Blocked: true<p>
**Note**<br>Because the **FontType** is *Memory*, theres no associated **FontPath.**
<p>
**Event Example 2 - Winlogon**<br>
Winlogon.exe attempted loading a font that is restricted by font loading policy.<br>
FontType: File<br>
FontPath: `\??\C:\PROGRAM FILES (X86)\COMMON FILES\MICROSOFT SHARED\EQUATION\MTEXTRA.TTF`<br>
Blocked: true<p>
**Note**<br>Because the **FontType** is *File*, theres also an associated **FontPath.**
<p>
**Event Example 3 - Internet Explorer running in Audit mode**<br>
Iexplore.exe attempted loading a font that is restricted by font loading policy.<br>
FontType: Memory<br>
FontPath:<br>
Blocked: false<p>
**Note**<br>In Audit mode, the problem is recorded, but the font isnt blocked.
**Event Example 1 - MS Word**<br>
WINWORD.EXE attempted loading a font that is restricted by font-loading policy.<br>
FontType: Memory<br>
FontPath:<br>
Blocked: true
>[!NOTE]
>Because the **FontType** is *Memory*, theres no associated **FontPath**.
**Event Example 2 - Winlogon**<br>
Winlogon.exe attempted loading a font that is restricted by font-loading policy.<br>
FontType: File<br>
FontPath: `\??\C:\PROGRAM FILES (X86)\COMMON FILES\MICROSOFT SHARED\EQUATION\MTEXTRA.TTF`<br>
Blocked: true
>[!NOTE]
>Because the **FontType** is *File*, theres also an associated **FontPath**.
**Event Example 3 - Internet Explorer running in Audit mode**<br>
Iexplore.exe attempted loading a font that is restricted by font-loading policy.<br>
FontType: Memory<br>
FontPath:<br>
Blocked: false
>[!NOTE]
>In Audit mode, the problem is recorded, but the font isnt blocked.
## Fix apps having problems because of blocked fonts
Your company may still need apps that are having problems because of blocked fonts, so we suggest that you first run this feature in Audit mode to determine which fonts are causing the problems.
@ -101,12 +135,14 @@ After you figure out the problematic fonts, you can try to fix your apps in 2 wa
**To fix your apps by excluding processes**
1. On each computer with the app installed, open regedit.exe and go to `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<process_image_name>`. Like, if you want to exclude Microsoft Word processes, youd use `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Winword.exe`.
1. On each computer with the app installed, open regedit.exe and go to `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<process_image_name>`.<br><br>For example, if you want to exclude Microsoft Word processes, youd use `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Winword.exe`.
2. Add any additional processes that need to be excluded here, and then turn the Blocking untrusted fonts feature on, using steps 2 and 3 in [Turn on and use the Blocking Untrusted Fonts feature](#turn-on-and-use-the-blocking-untrusted-fonts-feature).
2. Add any additional processes that need to be excluded here, and then turn the Blocking untrusted fonts feature on, using the steps in the [Turn on and use the Blocking Untrusted Fonts feature](#turn-on-and-use-the-blocking-untrusted-fonts-feature) section of this topic.
 
## Related content
- [Dropping the “Untrusted Font Blocking” setting](https://blogs.technet.microsoft.com/secguide/2017/06/15/dropping-the-untrusted-font-blocking-setting/)
 

1
windows/threat-protection/index.md
View File

@ -17,6 +17,7 @@ Learn more about how to help protect against threats in Windows 10 and Windows
|[Windows Defender Security Center](windows-defender-security-center/windows-defender-security-center.md)|Learn about the easy-to-use app that brings together common Windows security features.|
|[Windows Defender Advanced Threat Protection](windows-defender-atp/windows-defender-advanced-threat-protection.md)|Provides info about Windows Defender Advanced Threat Protection (Windows Defender ATP), an out-of-the-box Windows enterprise security service that enables enterprise cybersecurity teams to detect and respond to advanced threats on their networks.|
|[Windows Defender Antivirus in Windows 10](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)|Provides info about Windows Defender, a built-in antimalware solution that helps provide security and antimalware management for desktops, portable computers, and servers. Includes a list of system requirements and new features.|
|[Windows Defender Application Guard](windows-defender-application-guard/wd-app-guard-overview.md)|Provides info about Windows Defender Application Guard, the hardware-based virtualization solution that helps to isolate a device and operating system from an untrusted browser session.|
|[Windows Defender SmartScreen](windows-defender-smartscreen/windows-defender-smartscreen-overview.md) |Learn more about Windows Defender SmartScreen.|
|[Protect your enterprise data using Windows Information Protection (WIP)](windows-information-protection/protect-enterprise-data-using-wip.md)|Provides info about how to create a Windows Information Protection policy that can help protect against potential corporate data leakage.|
|[Mitigate threats by using Windows 10 security features](overview-of-threat-mitigations-in-windows-10.md) |Learn more about mitigating threats in Windows 10.|

1
windows/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md
View File

@ -10,6 +10,7 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
---

3
windows/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md
View File

@ -10,6 +10,7 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
---
# Manage updates and scans for endpoints that are out of date
@ -92,7 +93,7 @@ See the following for more information and allowed parameters:
## Set the number of days before protection is reported as out-of-date
You can also specify the number of days after which Windows Defender AV protection is considered old or out-of-date. After the specified number of days, the client will report itself as out-of-date, and show an error to the user of the PC. It may also cause Windows Defender AV to attempt to download an update from other sources (based on the defined [fallback source order](manage-protection-updates-windows-defender-antivirus.md#fallback-order)).
You can also specify the number of days after which Windows Defender AV protection is considered old or out-of-date. After the specified number of days, the client will report itself as out-of-date, and show an error to the user of the PC. It may also cause Windows Defender AV to attempt to download an update from other sources (based on the defined [fallback source order](manage-protection-updates-windows-defender-antivirus.md#fallback-order)), such as when using MMPC as a secondary source after setting WSUS or Microsoft Update as the first source.
**Use Group Policy to specify the number of days before protection is considered out-of-date:**

9
windows/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md
View File

@ -10,6 +10,7 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
---
# Manage the sources for Windows Defender Antivirus protection updates
@ -63,7 +64,11 @@ The older the updates on an endpoint, the larger the download. However, you must
Microsoft Update allows for rapid releases, which means it will download small deltas on a frequent basis. This ensures the best protection, but may increase network bandwidth.
The WSUS, Configuration Manager and MMPC sources will deliver less frequent updates. The size of the updates may be slightly larger than the frequent release from Microsoft Update (as the delta, or differences between the latest version and what is on the endpoint will be larger). This ensures consistent protection without increasing ad hoc network usage (although the amount of data may be the same or increased as the updates will be fewer, but may be slightly larger).
The WSUS, Configuration Manager, and MMPC sources will deliver less frequent updates. The size of the updates may be slightly larger than the frequent release from Microsoft Update (as the delta, or differences between the latest version and what is on the endpoint will be larger). This ensures consistent protection without increasing ad hoc network usage (although the amount of data may be the same or increased as the updates will be fewer, but may be slightly larger).
> [!IMPORTANT]
> If you have set MMPC as a fallback source after WSUS or Microsoft Update, updates will only be downloaded from MMPC when the current update is considered to be out-of-date (by default, this is 2 consecutive days of not being able to apply updates from the WSUS or Microsoft Update services).
> You can, however, [set the number of days before protection is reported as out-of-date](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus#set-the-number-of-days-before-protection-is-reported-as-out-of-date).
Each source has typical scenarios that depend on how your network is configured, in addition to how often they publish updates, as described in the following table:
@ -73,7 +78,7 @@ WSUS | You are using WSUS to manage updates for your network.
Microsoft Update | You want your endpoints to connect directly to Microsoft Update. This can be useful for endpoints that irregularly connect to your enterprise network, or if you do not use WSUS to manage your updates.
File share | You have non-Internet-connected devices (such as VMs). You can use your Internet-connected VM host to download the updates to a network share, from which the VMs can obtain the updates. See the [VDI deployment guide](deployment-vdi-windows-defender-antivirus.md) for how file shares can be used in virtual desktop infrastructure (VDI) environments.
Configuration Manager | You are using System Center Configuration Manager to update your endpoints.
MMPC | You need to download the latest protection updates because of a recent infection or to help provision a strong, base image for [VDI deployment](deployment-vdi-windows-defender-antivirus.md). This option should generally be used only as a final fallback source, and not the primary source.
MMPC | You need to download the latest protection updates because of a recent infection or to help provision a strong, base image for [VDI deployment](deployment-vdi-windows-defender-antivirus.md). This option should generally be used only as a final fallback source, and not the primary source. It will only be used if updates cannot be downloaded from WSUS or Microsoft Update for [a specified number of days](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus#set-the-number-of-days-before-protection-is-reported-as-out-of-date).
You can manage the order in which update sources are used with Group Policy, System Center Configuration Manager, PowerShell cmdlets, and WMI.

46
windows/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md Normal file
View File

@ -0,0 +1,46 @@
---
title: Configure the Group Policy settings for Windows Defender Application Guard (Windows 10)
description: Learn about the available Group Policy settings for Windows Defender Application Guard.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
author: eross-msft
ms.author: lizross
ms.date: 08/11/2017
localizationpriority: high
---
# Configure Windows Defender Application Guard policy settings
**Applies to:**
- Windows 10, Windows Insider Program (Enterprise edition, Build 16188 or later)
Windows Defender Application Guard (Application Guard) works with Group Policy to help you manage your organization's computer settings. By using Group Policy, you can configure a setting once, and then copy it onto many computers. For example, you can set up multiple security settings in a GPO, which is linked to a domain, and then apply all those settings to every computer in the domain.
Application Guard uses both network isolation and application-specific settings.
### Network isolation settings
These settings, located at **Computer Configuration\Administrative Templates\Network\Network Isolation**, help you define and manage your company's network boundaries. Application Guard uses this information to automatically transfer any requests to access the non-corporate resources into the Application Guard container.
>[!NOTE]
>You must configure either the Enterprise resource domains hosted in the cloud or Private network ranges for apps settings on your employee devices to successfully turn on Application Guard using enterprise mode.
|Policy name|Supported versions|Description|
|-----------|------------------|-----------|
|Private network ranges for apps|At least Windows Server 2012, Windows 8, or Windows RT|A comma-separated list of IP address ranges that are in your corporate network. Included endpoints or endpoints that are included within a specified IP address range, are rendered using Microsoft Edge and won't be accessible from the Application Guard environment.|
|Enterprise resource domains hosted in the cloud|At least Windows Server 2012, Windows 8, or Windows RT|A pipe-separated (\|) list of your domain cloud resources. Included endpoints are rendered using Microsoft Edge and won't be accessible from the Application Guard environment.|
|Domains categorized as both work and personal|At least Windows Server 2012, Windows 8, or Windows RT|A comma-separated list of domain names used as both work or personal resources. Included endpoints are rendered using Microsoft Edge and won't be accessible from the Application Guard environment.|
### Application-specific settings
These settings, located at **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard**, can help you to manage your company's implementation of Application Guard.
|Name|Supported versions|Description|Options|
|-----------|------------------|-----------|-------|
|Configure Windows Defender Application Guard clipboard settings|At least Windows 10 Enterprise|Determines whether Application Guard can use the clipboard functionality.|**Enabled.** Turns On the clipboard functionality and lets you choose whether to additionally:<ul><li>Disable the clipboard functionality completely when Virtualization Security is enabled.</li><li>Enable copying of certain content from Application Guard into Microsoft Edge.</li><li>Enable copying of certain content from Microsoft Edge into Application Guard.<br><br>**Important**<br>Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.</li></ul>**Disabled or not configured.** Completely turns Off the clipboard functionality for Application Guard.|
|Configure Windows Defender Application Guard print settings|At least Windows 10 Enterprise|Determines whether Application Guard can use the print functionality.|**Enabled.** Turns On the print functionality and lets you choose whether to additionally:<ul><li>Enable Application Guard to print into the XPS format.</li><li>Enable Application Guard to print into the PDF format.</li><li>Enable Application Guard to print to locally attached printers.</li><li>Enable Application Guard to print from previously connected network printers. Employees can't search for additional printers.</ul>**Disabled or not configured.** Completely turns Off the print functionality for Application Guard.|
|Block enterprise websites to load non-enterprise content in IE and Edge|At least Windows 10 Enterprise|Determines whether to allow Internet access for apps not included on the **Allowed Apps** list.|**Enabled.** Prevents network traffic from both Internet Explorer and Microsoft Edge to non-enterprise sites that can't render in the Application Guard container.<br><br>**Disabled or not configured.** Allows Microsoft Edge to render network traffic to non-enterprise sites that can't render in Application Guard.|
|Allow Persistence|At least Windows 10 Enterprise|Determines whether data persists across different sessions in Windows Defender Application Guard.|**Enabled.** Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.<br><br>**Disabled or not configured.** All user data within Application Guard is reset between sessions.<br><br>**Note**<br>If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.<br>**To reset the container:**<ol><li>Open a command-line program and navigate to Windows/System32.</li><li>Type `wdagtool.exe cleanup`.<br>The container environment is reset, retaining only the employee-generated data.</li><li>Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`.<br>The container environment is reset, including discarding all employee-generated data.</li></ol>|
|Turn On/Off Windows Defender Application Guard (WDAG)|At least Windows 10 Enterprise|Determines whether to turn on Application Guard for Microsoft Edge.|**Enabled.** Turns on Application Guard for Microsoft Edge, honoring the network isolation settings, rendering non-enterprise domains in the Application Guard container. Be aware that Application Guard won't actually be turned On unless the required prerequisites and network isolation settings are already set on the device.<br><br>**Disabled.** Turns Off Application Guard, allowing all apps to run in Microsoft Edge.|

44
windows/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md Normal file
View File

@ -0,0 +1,44 @@
---
title: Frequently asked questions - Windows Defender Application Guard (Windows 10)
description: Learn about the commonly asked questions and answers for Windows Defender Application Guard.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
author: eross-msft
ms.author: lizross
ms.date: 08/11/2017
localizationpriority: high
---
# Frequently asked questions - Windows Defender Application Guard
**Applies to:**
- Windows 10, Windows Insider Program (Enterprise edition, Build 16188 or later)
Answering frequently asked questions about Windows Defender Application Guard (Application Guard) features, integration with the Windows operating system, and general configuration.
## Frequently Asked Questions
| | |
|---|----------------------------|
|**Q:** |Can employees download documents from the Application Guard Edge session onto host devices?|
|**A:** |It's not possible to download files from the isolated Application Guard container to the host PC. However, employees can use the **Print as PDF** or **Print as XPS** options and save those files to the host device.|
<br>
| | |
|---|----------------------------|
|**Q:** |Can employees copy and paste between the host device and the Application Guard Edge session?|
|**A:** |Depending on your organization's settings, employees can copy and paste images and text (.bmp) to and from the isolated container.|
<br>
| | |
|---|----------------------------|
|**Q:** |Why don't employees see their Favorites in the Application Guard Edge session?|
|**A:** |To help keep the Application Guard Edge session secure and isolated from the host device, we don't copy the Favorites stored in the Application Guard Edge session back to the host device.|
<br>
| | |
|---|----------------------------|
|**Q:** |Why arent employees able to see their Extensions in the Application Guard Edge session?|
|**A:** |Currently, the Application Guard Edge session doesn't support Extensions. However, we're closely monitoring your feedback about this.|

BIN
windows/threat-protection/windows-defender-application-guard/images/appguard-gp-clipboard.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 126 KiB

BIN
windows/threat-protection/windows-defender-application-guard/images/appguard-gp-network-isolation-neutral.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 18 KiB

BIN
windows/threat-protection/windows-defender-application-guard/images/appguard-gp-network-isolation.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 66 KiB

BIN
windows/threat-protection/windows-defender-application-guard/images/appguard-gp-persistence.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 135 KiB

BIN
windows/threat-protection/windows-defender-application-guard/images/appguard-gp-print.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 189 KiB

BIN
windows/threat-protection/windows-defender-application-guard/images/appguard-gp-turn-on.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 30 KiB

BIN
windows/threat-protection/windows-defender-application-guard/images/appguard-hardware-isolation.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 47 KiB

BIN
windows/threat-protection/windows-defender-application-guard/images/appguard-new-window.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 229 KiB

BIN
windows/threat-protection/windows-defender-application-guard/images/appguard-turned-on-with-trusted-site.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 431 KiB

BIN
windows/threat-protection/windows-defender-application-guard/images/appguard-visual-cues.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 897 KiB

BIN
windows/threat-protection/windows-defender-application-guard/images/application-guard-container-v-host.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 54 KiB

BIN
windows/threat-protection/windows-defender-application-guard/images/host-screen-no-application-guard.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 372 KiB

BIN
windows/threat-protection/windows-defender-application-guard/images/turn-windows-features-on.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 115 KiB

56
windows/threat-protection/windows-defender-application-guard/install-wd-app-guard.md Normal file
View File

@ -0,0 +1,56 @@
---
title: Prepare and install Windows Defender Application Guard (Windows 10)
description: Learn about the Windows Defender Application Guard modes (Standalone or Enterprise-managed) and how to install Application Guard in your enterprise.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
author: eross-msft
ms.author: lizross
ms.date: 08/11/2017
localizationpriority: high
---
# Prepare and install Windows Defender Application Guard
**Applies to:**
- Windows 10, Windows Insider Program (Enterprise edition, Build 16188 or later)
## Prepare to install Windows Defender Application Guard
Before you can install and use Windows Defender Application Guard, you must determine which way you intend to use it in your enterprise. You can use Application Guard in either **Standalone** or **Enterprise-managed** mode.
- **Standalone mode.** Employees can use hardware-isolated browsing sessions without any administrator or management policy configuration. In this mode, you must install Application Guard and then the employee must manually start Microsoft Edge in Application Guard while browsing untrusted sites. For an example of how this works, see the Application Guard in standalone mode testing scenario. <!--Need link after topic is created-->
- **Enterprise-managed mode.** You and your security department can define your corporate boundaries by explicitly adding trusted domains and by customizing the Application Guard experience to meet and enforce your needs on employee devices. Enterprise-managed mode also automatically redirects any browser requests to load non-enterprise domain(s) in the container.
The following diagram shows the flow between the host PC and the isolated container.
![Flowchart for movement between Microsoft Edge and Application Guard](images/application-guard-container-v-host.png)
## Install Application Guard
Application Guard functionality is turned off by default. However, you can quickly install it on your employees devices through the Control Panel, PowerShell, or your mobile device management (MDM) solution.
**To install by using the Control Panel**
1. Open the **Control Panel**, click **Programs,** and then click **Turn Windows features on or off**.
![Windows Features, turning on Windows Defender Application Guard](images/turn-windows-features-on.png)
2. Select the check box next to **Windows Defender Application Guard** and then click **OK**.
Application Guard and its underlying dependencies are all installed.
**To install by using PowerShell**
1. Click the **Search** or **Cortana** icon in the Windows 10 taskbar and type **PowerShell**.
2. Right-click **Windows PowerShell**, and then click **Run as administrator**.
Windows PowerShell opens with administrator credentials.
3. Type the following command:
```
Enable-WindowsOptionalFeature -online -FeatureName Windows-Defender-ApplicationGuard
```
4. Restart the device.
Application Guard and its underlying dependencies are all installed.

37
windows/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md Normal file
View File

@ -0,0 +1,37 @@
---
title: System requirements for Windows Defender Application Guard (Windows 10)
description: Learn about the system requirements for installing and running Windows Defender Application Guard.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
author: eross-msft
ms.author: lizross
ms.date: 08/11/2017
localizationpriority: high
---
# System requirements for Windows Defender Application Guard
**Applies to:**
- Windows 10, Windows Insider Program (Enterprise edition, Build 16188 or later)
The threat landscape is continually evolving. While hackers are busy developing new techniques to breach enterprise networks by compromising workstations, phishing schemes remain one of the top ways to lure employees into social engineering attacks. Windows Defender Application Guard (Application Guard) is designed to help prevent old, and newly emerging attacks, to help keep employees productive.
## Hardware requirements
Your environment needs the following hardware to run Application Guard.
|Hardware|Description|
|--------|-----------|
|64-bit CPU|A 64-bit computer is required for hypervisor and virtualization-based security (VBS). For more info about Hyper-V, see [Hyper-V on Windows Server 2016](https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/about/). For more info about hypervisor, see [Hypervisor Specifications](https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/reference/tlfs).|
|CPU virtualization extensions|Extended page tables, also called _Second Level Address Translation (SLAT)_<br><br>**-AND-**<br><br>One of the following virtualization extensions for VBS:<br><br>VT-x (Intel)<br><br>**-OR-**<br><br>AMD-V|
|Hardware memory|4 GB minimum, 8 GB recommended|
## Software requirements
Your environment needs the following hardware to run Application Guard.
|Software|Description|
|--------|-----------|
|Operating system|Windows 10, Windows Insider Program (Enterprise edition, Build 16188 or later)|
|Browser|Microsoft Edge and Internet Explorer|
|Management system|[Microsoft Intune](https://docs.microsoft.com/en-us/intune/)<br><br>**-OR-**<br><br>[System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/)<br><br>**-OR-**<br><br>[Group Policy](https://technet.microsoft.com/en-us/library/cc753298(v=ws.11).aspx)<br><br>**-OR-**<br><br>Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product.|

159
windows/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md Normal file
View File

@ -0,0 +1,159 @@
---
title: Testing scenarios using Windows Defender Application Guard in your business or organization (Windows 10)
description: Suggested testing scenarios for Windows Defender Application Guard, showing how it works in both Standalone and Enterprise-managed mode.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
author: eross-msft
ms.author: lizross
ms.date: 08/11/2017
localizationpriority: high
---
# Testing scenarios using Windows Defender Application Guard in your business or organization
**Applies to:**
- Windows 10, Windows Insider Program (Enterprise edition, Build 16188 or later)
We've come up with a list of suggested testing scenarios that you can use to test Windows Defender Application Guard (Application Guard) in your organization.
## Application Guard in standalone mode
You can see how an employee would use standalone mode with Application Guard.
**To test Application Guard in Standalone mode**
1. Download the latest Windows Insider Program build (15257 or later).
2. Install Application Guard, using the [installation](#install-set-up-and-turn-on-application-guard) steps in this guide.
3. Restart the device, start Microsoft Edge, and then click **New Application Guard window** from the menu.
![New Application Guard window setting option](images/appguard-new-window.png)
4. Wait for Application Guard to set up the isolated environment.
>[!NOTE]
>Starting Application Guard too quickly after restarting the device might cause it to take a bit longer to load. However, subsequent starts should occur without any perceivable delays.
5. Go to an untrusted, but safe URL (for this example, we used msn.com) and view the new Microsoft Edge window, making sure you see the Application Guard visual cues.
![Untrusted website running in Application Guard](images/appguard-visual-cues.png)
## Application Guard in Enterprise-managed mode
How to install, set up, turn on, and configure Application Guard for Enterprise-managed mode.
### Install, set up, and turn on Application Guard
Before you can use Application Guard in enterprise mode, you must install a version of Windows 10 that includes the functionality. Then, you must use Group Policy to set up the required settings.
1. Download the latest Windows Insider Program build (15257 or later).
2. Install Application Guard, using the [installation](#install-set-up-and-turn-on-application-guard) steps in this guide.
3. Restart the device and then start Microsoft Edge.
4. Set up the Network Isolation settings in Group Policy:
a. Click on the **Windows** icon, type _Group Policy_, and then click **Edit Group Policy**.
b. Go to the **Administrative Templates\Network\Network Isolation\Enterprise resource domains hosted in the cloud** setting.
c. For the purposes of this scenario, type _.microsoft.com_ into the **Enterprise cloud resources** box.
![Group Policy editor with Enterprise cloud resources setting](images/appguard-gp-network-isolation.png)
d. Go to the **Administrative Templates\Network\Network Isolation\Domains categorized as both work and personal** setting.
e. For the purposes of this scenario, type _bing.com_ into the **Neutral resources** box.
![Group Policy editor with Neutral resources setting](images/appguard-gp-network-isolation-neutral.png)
5. Go to the **Administrative Templates\System\Windows Components\Windows Defender Application Guard\Turn On/Off Windows Defender Application Guard (WDAG)** setting.
6. Click **Enabled**.
![Group Policy editor with Turn On/Off setting](images/appguard-gp-turn-on.png)
>[!NOTE]
>Enabling this setting verifies that all the necessary settings are properly configured on your employee devices, including the network isolation settings set earlier in this scenario.
7. Start Microsoft Edge and type _www.microsoft.com_.
After you submit the URL, Application Guard determines the URL is trusted because it uses the domain youve marked as trusted and shows the site directly on the host PC instead of in Application Guard.
![Trusted website running on Microsoft Edge](images/appguard-turned-on-with-trusted-site.png)
8. In the same Microsoft Edge browser, type any URL that isnt part of your trusted or neutral site lists.
After you submit the URL, Application Guard determines the URL is untrusted and redirects the request to the hardware-isolated environment.
![Untrusted website running in Application Guard](images/appguard-visual-cues.png)
### Customize Application Guard
Application Guard lets you specify your configuration, allowing you to create the proper balance between isolation-based security and productivity for your employees.
Application Guard provides the following default behavior for your employees:
- No copying and pasting between the host PC and the isolated container.
- No printing from the isolated container.
- No data persistence from one isolated container to another isolated container.
You have the option to change each of these settings to work with your enterprise from within Group Policy.
**To change the copy and paste options**
1. Go to the **Administrative Templates\System\Windows Components\Windows Defender Application Guard\Configure Windows Defender Application Guard clipboard settings**.
2. Click **Enabled**.
![Group Policy editor clipboard options](images/appguard-gp-clipboard.png)
3. Choose how the clipboard works:
- Copy and paste from the isolated session to the host PC
- Copy and paste from the host PC to the isolated session
- Copy and paste both directions
4. Choose what can be copied:
- **1.** Only text can be copied between the host PC and the isolated container.
- **2.** Only images can be copied between the host PC and the isolated container.
- **3.** Both text and images can be copied between the host PC and the isolated container.
5. Click **OK**.
**To change the print options**
1. Go to the **Administrative Templates\System\Windows Components\Windows Defender Application Guard\Configure Windows Defender Application Guard print** settings.
2. Click **Enabled**.
![Group Policy editor Print options](images/appguard-gp-print.png)
3. Based on the list provided in the setting, choose the number that best represents what type of printing should be available to your employees. You can allow any combination of local, network, PDF, and XPS printing.
4. Click **OK**.
**To change the data persistence options**
1. Go to the **Administrative Templates\System\Windows Components\Windows Defender Application Guard\Allow data persistence for Windows Defender Application Guard** setting.
2. Click **Enabled**.
![Group Policy editor Data Persistence options](images/appguard-gp-persistence.png)
3. Open Microsoft Edge and browse to an untrusted, but safe URL.
The website opens in the isolated session.
4. Add the site to your **Favorites** list and then close the isolated session.
5. Log out and back on to your device, opening Microsoft Edge in Application Guard again.
The previously added site should still appear in your **Favorites** list.
>[!NOTE]
>If you don't allow or turn off data persistence, restarting a device or logging in and out of the isolated container triggers a recycle event that discards all generated data, including session cookies, Favorites, and so on, removing the data from Application Guard. If you turn on data persistence, all employee-generated artifacts are preserved across container recycle events. However, these artifacts only exist in the isolated container and arent shared with the host PC. This data persists after restarts and even through build-to-build upgrades of Windows 10.<br><br>If you turn on data persistence, but later decide to stop supporting it for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.<br><br>**To reset the container:**<ol><li>Open a command-line program and navigate to Windows/System32.</li><li>Type `wdagtool.exe cleanup`.<br>The container environment is reset, retaining only the employee-generated data.</li><li>Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`.<br>The container environment is reset, including discarding all employee-generated data.</li></ol>

47
windows/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md Normal file
View File

@ -0,0 +1,47 @@
---
title: Windows Defender Application Guard (Windows 10)
description: Learn about Windows Defender Application Guard and how it helps to combat malicious content and malware out on the Internet.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
author: eross-msft
ms.author: lizross
ms.date: 08/11/2017
localizationpriority: high
---
# Windows Defender Application Guard overview
**Applies to:**
- Windows 10, Windows Insider Program (Enterprise edition, Build 16188 or later)
The threat landscape is continually evolving. While hackers are busy developing new techniques to breach enterprise networks by compromising workstations, phishing schemes remain one of the top ways to lure employees into social engineering attacks.
Windows Defender Application Guard (Application Guard) is designed to help prevent old, and newly emerging attacks, to help keep employees productive. Using our unique hardware isolation approach, our goal is to destroy the playbook that attackers use by rendering current attack methods obsolete.
## What is Application Guard and how does it work?
Designed for Windows 10 and Microsoft Edge, Application Guard helps to isolate enterprise-defined untrusted sites, protecting your company while your employees browse the Internet. As an enterprise administrator, you define what is among trusted web sites, cloud resources, and internal networks. Everything not on your list is considered untrusted.
If an employee goes to an untrusted site through either Microsoft Edge or Internet Explorer, Microsoft Edge opens the site in an isolated Hyper-V-enabled container, which is separate from the host operating system. This container isolation means that if the untrusted site turns out to be malicious, the host PC is protected, and the attacker can't get to your enterprise data. For example, this approach makes the isolated container anonymous, so an attacker can't get to your employee's enterprise credentials.
![Hardware isolation diagram](images/appguard-hardware-isolation.png)
### What types of devices should use Application Guard?
Application Guard has been created to target 3 types of enterprise systems:
- **Enterprise desktops.** These desktops are domain-joined and managed by your organization. Configuration management is primarily done through System Center Configuration Manager or Microsoft Intune. Employees typically have Standard User privileges and use a high-bandwidth, wired, corporate network.
- **Enterprise mobile laptops.** These laptops are domain-joined and managed by your organization. Configuration management is primarily done through System Center Configuration Manager or Microsoft Intune. Employees typically have Standard User privileges and use a high-bandwidth, wireless, corporate network.
- **Bring your own device (BYOD) mobile laptops.** These personally-owned laptops are not domain-joined, but are managed by your organization through tools like Microsoft Intune. The employee is typically an admin on the device and uses a high-bandwidth wireless corporate network while at work and a comparable personal network while at home.
## In this section
|Topic |Description |
|------|------------|
|[System requirements for Windows Defender Application Guard](reqs-wd-app-guard.md) |Specifies the pre-requisites necessary to install and use Application Guard. |
|[Prepare and install Windows Defender Application Guard](install-wd-app-guard.md) |Provides instructions about determining which mode to use, either Standalone or Enterprise-managed, and how to install Application Guard in your organization. |
|[Configure the Group Policy settings for Windows Defender Application Guard](configure-wd-app-guard.md) |Provides info about the available Group Policy and MDM settings.|
|[Testing scenarios using Windows Defender Application Guard in your business or organization](test-scenarios-wd-app-guard.md)|Provides a list of suggested testing scenarios that you can use to test Windows Defender Application Guard (Application Guard) in your organization.|
|[Frequently Asked Questions - Windows Defender Application Guard](faq-wd-app-guard.md)|Common questions and answers around the features and functionality of Application Guard.|

8
windows/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md
View File

@ -117,10 +117,12 @@ If the **START_TYPE** is not set to **AUTO_START**, then you'll need to set the
sc qc diagtrack
```
## Windows Defender signature updates are configured
The Windows Defender ATP agent depends on Windows Defenders ability to scan files and provide information about them. If Windows Defender is not the active antimalware in your organization, you may need to configure the signature updates. For more information see [Configure Windows Defender in Windows 10](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md).
## Windows Defender Antivirus signature updates are configured
The Windows Defender ATP agent depends on the ability of Windows Defender Antivirus to scan files and provide information about them. If Windows Defender Antivirus is not the active antimalware in your organization, you may need to configure the signature updates. For more information see [Configure Windows Defender Antivirus in Windows 10](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md).
When Windows Defender is not the active antimalware in your organization and you use the Windows Defender ATP service, Windows Defender goes on passive mode. For more information, see the **Compatibility** section in the [Windows Defender in Windows 10 topic](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md).
When Windows Defender Antivirus is not the active antimalware in your organization and you use the Windows Defender ATP service, Windows Defender Antivirus goes on passive mode. If your organization has disabled Windows Defender Antivirus through group policy or other methods, machines that are onboarded to Windows Defender ATP must be excluded from this group policy.
For more information, see the **Compatibility** section in the [Windows Defender in Windows 10 topic](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md).
## Windows Defender Early Launch Antimalware (ELAM) driver is enabled
If you're running Windows Defender as the primary antimalware product on your endpoints, the Windows Defender ATP agent will successfully onboard.

4
windows/threat-protection/windows-information-protection/create-wip-policy-using-sccm.md
View File

@ -342,14 +342,14 @@ If you're running into compatibility issues where your app is incompatible with
### Manage the WIP-protection level for your enterprise data
After you've added the apps you want to protect with WIP, you'll need to apply a management and protection mode.
We recommend that you start with **Silent** or **Override** while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, either **Override** or **Block**.
We recommend that you start with **Silent** or **Override** while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, either **Override** or **Hide Overrides**.
>[!NOTE]
>For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).
|Mode |Description |
|-----|------------|
|Block |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.|
|Hide Overrides |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.|
|Override |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log. |
|Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that wouldve been prompted for employee interaction while in Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still blocked.|
|Off (not recommended) |WIP is turned off and doesn't help to protect or audit your data.<p>After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isnt automatically reapplied if you turn WIP protection back on.|