diff --git a/browsers/edge/available-policies.md b/browsers/edge/available-policies.md
index 3b66180dfe..3766535880 100644
--- a/browsers/edge/available-policies.md
+++ b/browsers/edge/available-policies.md
@@ -27,10 +27,6 @@ Microsoft Edge works with the following Group Policy settings to help you manage
Computer Configuration\Administrative Templates\Windows Components\Microsoft Edge\
-
-
## Allow Address bar drop-down list suggestions
>*Supporteded versions: Windows 10, version 1703 or later*
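Review bot: the context line `>*Supporteded versions: Windows 10, version 1703 or later*` still carries the typo "Supporteded"; since this hunk already edits the two lines directly above it, fix it to "Supported" in the same change rather than leaving it for a follow-up.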
@@ -274,7 +270,7 @@ This policy setting specifies whether Do Not Track requests to websites is allow
|Data type | Integer |
|Allowed values |
- **0 (default)** - Stops you from sending Do Not Track headers to websites requesting tracking info.
- **1** - Employees can send Do Not Track headers to websites requesting tracking info.
|
-
## Configure Password Manager
>*Supported versions: Windows 10*
@@ -623,674 +612,6 @@ This policy setting specifies whether organizations should use a folder shared a
|Data type | Integer |
|Allowed values |- **0** - No shared folder.
- **1** - Use as shared folder.
|
-
## Related topics
* [Mobile Device Management (MDM) settings]( https://go.microsoft.com/fwlink/p/?LinkId=722885)
diff --git a/browsers/edge/emie-to-improve-compatibility.md b/browsers/edge/emie-to-improve-compatibility.md
index cffe549908..fc8a612b80 100644
--- a/browsers/edge/emie-to-improve-compatibility.md
+++ b/browsers/edge/emie-to-improve-compatibility.md
@@ -1,14 +1,15 @@
---
description: If you're having problems with Microsoft Edge, this topic tells how to use the Enterprise Mode site list to automatically open sites using IE11.
ms.assetid: 89c75f7e-35ca-4ca8-96fa-b3b498b53bE4
-author: eross-msft
+author: shortpatti
+ms.author: pashort
ms.prod: edge
ms.mktglfcycl: support
ms.sitesec: library
ms.pagetype: appcompat
title: Use Enterprise Mode to improve compatibility (Microsoft Edge for IT Pros)
ms.localizationpriority: high
-ms.date: 07/27/2017
+ms.date: 04/15/2018
---
# Use Enterprise Mode to improve compatibility
@@ -19,8 +20,6 @@ If you have specific web sites and apps that you know have compatibility problem
Using Enterprise Mode means that you can continue to use Microsoft Edge as your default browser, while also ensuring that your apps continue working on IE11.
-
-[@Reviewer: will RS5 have the need for the following note?]
>[!NOTE]
>If you want to use Group Policy to set Internet Explorer as your default browser, you can find the info here, [Set the default browser using Group Policy]( https://go.microsoft.com/fwlink/p/?LinkId=620714).
diff --git a/browsers/internet-explorer/ie11-deploy-guide/enable-and-disable-add-ons-using-administrative-templates-and-group-policy.md b/browsers/internet-explorer/ie11-deploy-guide/enable-and-disable-add-ons-using-administrative-templates-and-group-policy.md
index 8650b4702c..a607034785 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/enable-and-disable-add-ons-using-administrative-templates-and-group-policy.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/enable-and-disable-add-ons-using-administrative-templates-and-group-policy.md
@@ -3,19 +3,20 @@ ms.localizationpriority: low
ms.mktglfcycl: deploy
ms.pagetype: security
description: Enable and disable add-ons using administrative templates and group policy
-author: eross-msft
+ms.author: pashort
+author: shortpatti
ms.prod: ie11
ms.assetid: c6fe1cd3-0bfc-4d23-8016-c9601f674c0b
title: Enable and disable add-ons using administrative templates and group policy (Internet Explorer 11 for IT Pros)
ms.sitesec: library
-ms.date: 07/27/2017
+ms.date: 4/12/2018
---
# Enable and disable add-ons using administrative templates and group policy
Add-ons let your employees personalize Internet Explorer. You can manage IE add-ons using Group Policy and Group Policy templates.
-There are 4 types of add-ons:
+There are four types of add-ons:
- **Search Providers.** Type a term and see suggestions provided by your search provider.
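Review bot: `+ms.date: 4/12/2018` is not zero-padded, whereas every other ms.date touched in this change is (04/15/2018, 04/12/2018, 04/13/2018, 04/06/2018); use 04/12/2018 so the front-matter dates are parsed and sorted consistently.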
@@ -57,7 +58,7 @@ You can use the Local Group Policy Editor to change how add-ons work in your org
5. Close the Local Group Policy Editor when you’re done.
## Using the CLSID and Administrative Templates to manage group policy objects
-Because every add-on has a Class ID (CLSID), you can use it to enable and disable specific add-ons, using Group Policy and Administrative Templates.
+Every add-on has a Class ID (CLSID) that you use to enable and disable specific add-ons, using Group Policy and Administrative Templates.
**To manage add-ons**
@@ -65,22 +66,30 @@ Because every add-on has a Class ID (CLSID), you can use it to enable and disabl
1. Open IE, click **Tools**, and then click **Manage Add-ons**.
- 2. Pick the add-on you want to change, and then right-click **More Information**.
-
- 3. Click **Copy** and then close **Manage Add-ons** and IE.
+ 2. Double-click the add-on you want to change.
+ 3. In the More Information dialog, click **Copy** and then click **Close**.
+
+ 4. Open Notepad and paste the information for the add-on.
+
+ 5. On the Manage Add-ons windows, click **Close**.
+
+ 6. On the Internet Options dialog, click **Close** and then close IE.
+
2. From the copied information, select and copy just the **Class ID** value.
-3. Open the Group Policy Management Editor and go to `Computer Configuration\Policies\Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management`.
+ >[!NOTE]
+ >You want to copy the curly brackets as well as the CLSID: **{47833539-D0C5-4125-9FA8-0819E2EAAC93}**.
+
+3. Open the Group Policy Management Editor and go to: Computer Configuration\Policies\Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management.
**-OR-**
-Open the Local Group Policy Editor and go to `Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management`.
+Open the Local Group Policy Editor and go to: User Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management.
-4. Open the **Add-on List** Group Policy Object, pick **Enabled**, and then click **Show**.
-**Show Contents** box appears.
+4. Open the **Add-on List** Group Policy Object, select **Enabled**, and then click **Show**.
The Show Contents dialog appears.
-5. In **Value Name**, put your copied Class ID.
+6. In **Value Name**, paste the Class ID for your add-on, for example, **{47833539-D0C5-4125-9FA8-0819E2EAAC93}**.
-6. In **Value**, put:
+6. In **Value**, enter one of the following:
- **0**. The add-on is disabled and your employees can’t change it.
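Review bot: the step numbering in this hunk is broken: the nested sub-steps run 1 to 6, the outer list then continues 2, 3, 4 and jumps to two steps both numbered 6 (`+6. In **Value Name**, paste the Class ID for your add-on, ...` followed by `+6. In **Value**, enter one of the following:`); renumber the Value Name step to 5. The two editor paths also now disagree: the Group Policy Management Editor path stays under `Computer Configuration\Policies\Administrative Templates\...` while the Local Group Policy Editor path was changed from `Computer Configuration\Administrative Templates\...` to `User Configuration\Administrative Templates\...`. If the switch to User Configuration is intended, say so, because it decides whether the Add-on List applies per machine or per user; otherwise restore Computer Configuration. Keeping the paths in backticks, as the removed lines did, also protects the backslashes from markdown.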
@@ -88,11 +97,12 @@ Open the Local Group Policy Editor and go to `Computer Configuration\Administrat
- **2**. The add-on is enabled and your employees can change it.
-7. Click **OK** and close the Group Policy editor.
-
-
-
-
+7. Close the Show Contents dialog.
+7. In the Group Policy editor, go to: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer.
+8. Double-click **Automatically activate/enable newly installed add-ons** and select **Enabled**.
Enabling turns off the message prompting you to Enable or Don't enable the add-on.
+7. Click **OK** twice to close the Group Policy editor.
+
+
\ No newline at end of file
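Review bot: the numbering in this hunk reads 7, 7, 8, 7 (`+7. Close the Show Contents dialog.`, `+7. In the Group Policy editor, go to: ...`, `+8. Double-click **Automatically activate/enable newly installed add-ons** ...`, `+7. Click **OK** twice ...`); renumber sequentially. The added step that enables "Automatically activate/enable newly installed add-ons" turns off the Enable/Don't enable prompt for every newly installed add-on, not only the one entered in the Add-on List, so the text should say why this procedure needs it and make clear that the Add-on List entries with value 0 are what keep disallowed add-ons disabled once that prompt is gone. The file also now ends with two empty lines and no trailing newline.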
diff --git a/devices/surface-hub/change-history-surface-hub.md b/devices/surface-hub/change-history-surface-hub.md
index d0cb5eb932..c3ab437724 100644
--- a/devices/surface-hub/change-history-surface-hub.md
+++ b/devices/surface-hub/change-history-surface-hub.md
@@ -16,6 +16,12 @@ ms.localizationpriority: medium
This topic lists new and updated topics in the [Surface Hub Admin Guide]( surface-hub-administrators-guide.md).
+## April 2018
+
+New or changed topic | Description
+--- | ---
+[Hybrid deployment](hybrid-deployment-surface-hub-device-accounts.md) | Updated instructions for Skype for Business Hybrid.
+
## March 2018
New or changed topic | Description
diff --git a/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md b/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md
index de3ffd59ee..b464e456dc 100644
--- a/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md
+++ b/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md
@@ -9,13 +9,17 @@ ms.sitesec: library
ms.pagetype: surfacehub
author: jdeckerms
ms.author: jdecker
-ms.date: 02/21/2018
+ms.date: 04/12/2018
ms.localizationpriority: medium
---
# Hybrid deployment (Surface Hub)
A hybrid deployment requires special processing to set up a device account for your Microsoft Surface Hub. If you’re using a hybrid deployment, in which your organization has a mix of services, with some hosted on-premises and some hosted online, then your configuration will depend on where each service is hosted. This topic covers hybrid deployments for [Exchange hosted on-premises](#exchange-on-prem), [Exchange hosted online](#exchange-online), Skype for Business on-premises, Skype for Business online, and Skype for Business hybrid. Because there are so many different variations in this type of deployment, it's not possible to provide detailed instructions for all of them. The following process will work for many configurations. If the process isn't right for your setup, we recommend that you use PowerShell (see [Appendix: PowerShell](appendix-a-powershell-scripts-for-surface-hub.md)) to achieve the same end result as documented here, and for other deployment options. You should then use the provided Powershell script to verify your Surface Hub setup. (See [Account Verification Script](appendix-a-powershell-scripts-for-surface-hub.md#acct-verification-ps-scripts).)
+>[!NOTE]
+>In an Exchange hybrid environment, follow the steps for [Exchange on-premises](#exchange-on-prem). To move Exchange objects to Office 365, use the [New-MoveRequest](https://docs.microsoft.com/powershell/module/exchange/move-and-migration/new-moverequest?view=exchange-ps) cmdlet.
+
+
## Exchange on-premises
Use this procedure if you use Exchange on-premises.
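Review bot: the added note is followed by two blank lines (`+` twice) before `## Exchange on-premises`; a single blank line is the convention elsewhere in this file. In the context paragraph above, "use the provided Powershell script" should read "PowerShell" to match the rest of the page; it is worth fixing while this area is being edited.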
@@ -210,15 +214,10 @@ If your organization has set up [hybrid connectivity between Skype for Business
The Surface Hub requires a Skype account of the type `meetingroom`, while a normal user would use a user type account in Skype. If your Skype server is set up for hybrid where you might have users on the local Skype server as well as users hosted in Office 365, you might run into a few issues when trying to create a Surface Hub account.
-In a hybrid Skype environment, you have to create the user on-premises first, then move the user to the cloud. This means that your user is present in both environments (which makes SIP routing possible). The move from on-premises to online is done via the [Move-CsUser](https://technet.microsoft.com/library/gg398528.aspx) cmdlet which can only be used against user type accounts, not meetingroom type accounts. Because of this, you will not be able to move a Surface Hub account that has a meetingroom type of account. You might think of using the [Move-CsMeetingRoom](https://technet.microsoft.com/library/jj204889.aspx?f=255&mspperror=-2147217396) cmdlet, unfortunately this will not work between the on-preisesm Skype server and Office 365 - it only works across on-premises Skype pools.
+In Skype for Business Server 2015 hybrid environment, any user that you want in Skype for Business Online must first be created in the on-premises deployment, so that the user account is created in Active Directory Domain Services. You can then move the user to Skype for Business Online. The move of a user account from on-premises to online is done via the [Move-CsUser](https://technet.microsoft.com/library/gg398528.aspx) cmdlet. To move a Csmeetingroom object, use the [Move-CsMeetingRoom](https://technet.microsoft.com/library/jj204889.aspx?f=255&mspperror=-2147217396) cmdlet.
-To have a functional Surface Hub account in a Skype hybrid configuration, create the Skype account as a normal user type account, instead of creating the account as a meetingroom. Enable the account on the on-premises Skype server first:
-
-```
-Enable-CsUser -Identity 'HUB01@contoso.com' -RegistrarPool "registrarpoolfqdn" -SipAddressType UserPrincipalName
-```
-
-After the Surface Hub account is enabled for Skype for Business on-premises, you can keep the account on-premises or you can move the Surface Hub account to Office 365, using the Move-CsUser cmdlet. [Learn more about moving a Skype user to Office 365.](https://technet.microsoft.com/library/jj204969.aspx)
+>[!NOTE]
+>To use the Move-CsMeetingRoom cmdlet, you must have installed [the May 2017 cumulative update 6.0.9319.281 for Skype for Business Server 2015](https://support.microsoft.com/help/4020991/enables-the-move-csmeetingroom-cmdlet-to-move-a-meeting-room-from-on-p) or [the July 2017 cumulative update 5.0.8308.992 for Lync Server 2013](https://support.microsoft.com/help/4034279/enables-the-move-csmeetingroom-cmdlet-to-move-a-meeting-room-from-on-p).
## Exchange online
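Review bot: `+In Skype for Business Server 2015 hybrid environment,` is missing an article ("In a Skype for Business Server 2015 hybrid environment"), and `Csmeetingroom object` should match the cmdlet casing (CsMeetingRoom). More importantly, the new paragraph talks only about users, while the unchanged context line above it says the Surface Hub needs a `meetingroom`-type account; state explicitly that the Surface Hub account is created on-premises as a meeting room first and then moved with Move-CsMeetingRoom. The removed text showed the on-premises step as an Enable-CsUser command, and no replacement command is shown, so readers following this section now have nothing to run for the on-premises part.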
@@ -406,13 +405,8 @@ If your organization has set up [hybrid connectivity between Skype for Business
The Surface Hub requires a Skype account of the type *meetingroom*, while a normal user would use a *user* type account in Skype. If your Skype server is set up for hybrid where you might have users on the local Skype server as well as users hosted in Office 365, you might run into a few issues when trying to create a Surface Hub account.
-In a hybrid Skype environment, you have to create the user on-premises first, then move the user to the cloud. This means that your user is present in both environments (which makes SIP routing possible). The move from on-premises to online is done via the [Move-CsUser](https://technet.microsoft.com/library/gg398528.aspx) cmdlet which can only be used against user type accounts, not meetingroom type accounts. Because of this, you will not be able to move a Surface Hub account that has a meetingroom type of account. You might think of using the [Move-CsMeetingRoom](https://technet.microsoft.com/library/jj204889.aspx?f=255&MSPPError=-2147217396) cmdlet, unfortunately this will not work between the on-premises Skype server and Office 365 - it only works across on-premises Skype pools.
-
-In order to have a functional Surface Hub account in a Skype hybrid configuration, create the Skype account as a normal user type account, instead of creating the account as a meetingroom. First follow the Exchange steps - either [online](#exchange-online) or [on-premises](#exchange-on-premises) - and, instead of enabling the user for Skype for Business Online as described, [enable the account](https://technet.microsoft.com/library/gg398711.aspx) on the on-premises Skype server:
+In Skype for Business Server 2015 hybrid environment, any user that you want in Skype for Business Online must first be created in the on-premises deployment, so that the user account is created in Active Directory Domain Services. You can then move the user to Skype for Business Online. The move of a user account from on-premises to online is done via the [Move-CsUser](https://technet.microsoft.com/library/gg398528.aspx) cmdlet. To move a Csmeetingroom object, use the [Move-CsMeetingRoom](https://technet.microsoft.com/library/jj204889.aspx?f=255&mspperror=-2147217396) cmdlet.
-```PowerShell
-Enable-CsUser -Identity 'HUB01@contoso.com' -RegistrarPool "registrarpoolfqdn" -SipAddressType UserPrincipalName
-```
-
-After the Surface Hub account is enabled for Skype for Business on-premises, you can keep the account on-premises or you can move the Surface Hub account to Office 365, using the Move-CsUser cmdlet. [Learn more about moving a Skype user to Office 365](https://technet.microsoft.com/library/jj204969.aspx).
+>[!NOTE]
+>To use the Move-CsMeetingRoom cmdlet, you must have installed [the May 2017 cumulative update 6.0.9319.281 for Skype for Business Server 2015](https://support.microsoft.com/help/4020991/enables-the-move-csmeetingroom-cmdlet-to-move-a-meeting-room-from-on-p) or [the July 2017 cumulative update 5.0.8308.992 for Lync Server 2013](https://support.microsoft.com/help/4034279/enables-the-move-csmeetingroom-cmdlet-to-move-a-meeting-room-from-on-p).
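Review bot: this hunk is a verbatim copy of the paragraph and note added to the Exchange on-premises section, and it repeats the same problems: missing article in `+In Skype for Business Server 2015 hybrid environment,`, `Csmeetingroom` casing, and no command showing the on-premises creation of the meeting room account, which the removed Enable-CsUser example used to provide. If both sections must carry the text, correct it in both places in the same change so they do not drift.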
diff --git a/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md b/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md
index 238158def7..dfed286bc9 100644
--- a/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md
+++ b/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md
@@ -25,17 +25,7 @@ Surface Hub has been validated with Microsoft’s first-party MDM providers:
You can also manage Surface Hubs using any third-party MDM provider that can communicate with Windows 10 using the MDM protocol.
## Enroll a Surface Hub into MDM
-You can enroll your Surface Hubs using bulk or manual enrollment.
-
-> [!NOTE]
-> You can join your Surface Hub to Azure Active Directory (Azure AD) to manage admin groups on the device. However, Surface Hub does not currently support automatic enrollment to Microsoft Intune through Azure AD join. If your organization automatically enrolls Azure AD-joined devices into Intune, you must disable this policy for Surface Hub before joining the device to Azure AD.
->
-> **To enable automatic enrollment for Microsoft Intune**
-> 1. In the [Azure classic portal](https://manage.windowsazure.com/), navigate to the **Active Directory** node and select your directory.
-> 2. Click the **Applications** tab, then click **Microsoft Intune**.
-> 3. Under **Manage devices for these users**, click **Groups**.
-> 4. Click **Select Groups**, then select the groups of users you want to automatically enroll into Intune. **Do not include accounts that are used to enroll Surface Hubs into Intune.**
-> 5. Click the checkmark button, then click **Save**.
+You can enroll your Surface Hubs using bulk, manual, or automatic enrollment.
### Bulk enrollment
**To configure bulk enrollment**
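Review bot: the removed note stated that Surface Hub did not support automatic enrollment through Azure AD join and told admins to exclude the accounts used to enroll Surface Hubs from the Intune auto-enrollment groups; the replacement `+You can enroll your Surface Hubs using bulk, manual, or automatic enrollment.` gives no version or build from which automatic enrollment is supported. Add that, and say whether the earlier advice still applies to devices that are enrolled by the bulk or manual methods.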
@@ -51,6 +41,20 @@ You can enroll your Surface Hubs using bulk or manual enrollment.
4. Under **Device management**, select **+ Device management**.
5. Follow the instructions in the dialog to connect to your MDM provider.
+### Automatic enrollment via Azure Active Directory join
+
+Surface Hub now supports the ability to automatically enroll in Intune by joining the device to Azure Active Directory.
+
+**To enable automatic enrollment for Microsoft Intune**
+1. In the [Azure classic portal](https://manage.windowsazure.com/), navigate to the **Active Directory** node and select your directory.
+2. Click the **Applications** tab, then click **Microsoft Intune**.
+3. Under **Manage devices for these users**, click **Groups**.
+4. Click **Select Groups**, then select the groups of users you want to automatically enroll into Intune.
+5. Click the checkmark button, then click **Save**.
+
+For more information, see [Enable Windows 10 automatic enrollment](https://docs.microsoft.com/intune/windows-enroll#enable-windows-10-automatic-enrollment).
+
+
## Manage Surface Hub settings with MDM
You can use MDM to manage some [Surface Hub CSP settings](#supported-surface-hub-csp-settings), and some [Windows 10 settings](#supported-windows-10-settings). Depending on the MDM provider that you use, you may set these settings using a built-in user interface, or by deploying custom SyncML. Microsoft Intune and System Center Configuration Manager provide built-in experiences to help create policy templates for Surface Hub. Refer to documentation from your MDM provider to learn how to create and deploy SyncML.
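Review bot: `+Surface Hub now supports the ability to automatically enroll in Intune by joining the device to Azure Active Directory.` uses "now" without a version, which goes stale; name the Surface Hub or Windows release that introduced it. Step 4 silently drops the bolded warning that the previous text carried (`Do not include accounts that are used to enroll Surface Hubs into Intune`); if that caveat no longer applies, one sentence saying so will stop readers of the old page from looking for it. The section also ends with two blank lines before `## Manage Surface Hub settings with MDM`; one is enough.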
diff --git a/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md b/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md
index 7ef2ae24a6..7c6a90015d 100644
--- a/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md
+++ b/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md
@@ -9,7 +9,7 @@ ms.sitesec: library
ms.pagetype: surfacehub
author: jdeckerms
ms.author: jdecker
-ms.date: 07/27/2017
+ms.date: 04/13/2018
ms.localizationpriority: medium
---
@@ -100,13 +100,12 @@ If you have a single-forest on-premises deployment with Microsoft Exchange 2013
8. OPTIONAL: You can also allow your Surface Hub to make and receive public switched telephone network (PSTN) phone calls by enabling Enterprise Voice for your account. Enterprise Voice isn't a requirement for Surface Hub, but if you want PSTN dialing functionality for the Surface Hub client, here's how to enable it:
- ```PowerShell
- Set-CsMeetingRoom HUB01 -DomainController DC-ND-001.contoso.com
- -LineURItel: +14255550555;ext=50555" Set-CsMeetingRoom -DomainController DC-ND-001.contoso.com
- -Identity HUB01 -EnterpriseVoiceEnabled $true
+ ```PowerShell
+ Set-CsMeetingRoom -Identity HUB01 -DomainController DC-ND-001.contoso.com -LineURI “tel:+14255550555;ext=50555" -EnterpriseVoiceEnabled $true
```
Again, you'll need to replace the provided domain controller and phone number examples with your own information. The parameter value `$true` stays the same.
+
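Review bot: the corrected command mixes quote characters: `-LineURI “tel:+14255550555;ext=50555"` opens with a curly left quote (U+201C) and closes with a straight one. PowerShell's tokenizer does accept curly quotes, but the mismatch reads as a typo and breaks when the line is pasted into tools that do not; use straight quotes on both sides. Collapsing the earlier two broken Set-CsMeetingRoom fragments into a single call with `-Identity`, `-LineURI` and `-EnterpriseVoiceEnabled $true` is otherwise the right fix. The added trailing `+` line is an extra blank line at the end of the file.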
diff --git a/devices/surface-hub/prepare-your-environment-for-surface-hub.md b/devices/surface-hub/prepare-your-environment-for-surface-hub.md
index 077e16a6a5..cef7042de1 100644
--- a/devices/surface-hub/prepare-your-environment-for-surface-hub.md
+++ b/devices/surface-hub/prepare-your-environment-for-surface-hub.md
@@ -36,9 +36,10 @@ Additionally, note that Surface Hub requires the following open ports:
- HTTP: 80
- NTP: 123
-Depending on your environment, access to additional ports may be needed:
-- For online environments, see [Office 365 IP URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US).
-- For on-premises installations, see [Skype for Business Server: Ports and protocols for internal servers](https://technet.microsoft.com/library/gg398833.aspx).
+If you are using Surface Hub with Skype for Business, you will need to open additional ports. Please follow the guidance below:
+- If you use Skype for Business Online, see [Office 365 IP URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US).
+- If you use Skype for Business Server, see [Skype for Business Server: Ports and protocols for internal servers](https://technet.microsoft.com/library/gg398833.aspx).
+- If you use a hybrid of Skype for Business Online and Skype for Business Server, you need to open all documented ports from [Office 365 IP URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US) and [Skype for Business Server: Ports and protocols for internal servers](https://technet.microsoft.com/library/gg398833.aspx).
Microsoft collects diagnostic data to help improve your Surface Hub experience. Add these sites to your allow list:
- Diagnostic data client endpoint: `https://vortex.data.microsoft.com/`
diff --git a/education/trial-in-a-box/index.md b/education/trial-in-a-box/index.md
index 62510022e6..486c9358c7 100644
--- a/education/trial-in-a-box/index.md
+++ b/education/trial-in-a-box/index.md
@@ -28,7 +28,7 @@ Welcome to Microsoft Education Trial in a Box. We built this trial to make it ea
-|  |  |
+| [](educator-tib-get-started.md) | [](itadmin-tib-get-started.md) |
| :---: | :---: |
| **Educator**Enhance students of all abilities by unleashing their creativity, collaboration, and improving problem-solving skills. [Get started](educator-tib-get-started.md) | **IT Admin**Quickly implement and deploy a full cloud infrastructure that's secure and easy to manage. [Get started](itadmin-tib-get-started.md) |
diff --git a/education/windows/set-up-school-pcs-technical.md b/education/windows/set-up-school-pcs-technical.md
index c4c3cbd233..8164b32aca 100644
--- a/education/windows/set-up-school-pcs-technical.md
+++ b/education/windows/set-up-school-pcs-technical.md
@@ -9,7 +9,7 @@ ms.pagetype: edu
ms.localizationpriority: high
author: CelesteDG
ms.author: celested
-ms.date: 03/12/2018
+ms.date: 04/04/2018
---
# Technical reference for the Set up School PCs app
@@ -290,7 +290,8 @@ The Set up School PCs app produces a specialized provisioning package that makes
Accounts: Block Microsoft accounts **Note** Microsoft accounts can still be used in apps. | Enabled |
Interactive logon: Do not display last user name | Enabled |
- Interactive logon: Sign-in last interactive user automatically after a system-initiated restart | Disabled |
+
Interactive logon: Sign-in last interactive user automatically after a system-initiated restart | Disabled |
+
User Account Control: Behavior of the elevation prompt for standard users | Auto deny |
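Review bot: the two added `+` lines on either side of the `Interactive logon: Sign-in last interactive user automatically after a system-initiated restart | Disabled |` row are empty lines inside a markdown table; an empty line terminates a table, so this row and the `User Account Control: Behavior of the elevation prompt for standard users | Auto deny |` row after it will render as plain text instead of table rows. Remove the blank lines; fixing the leading-space row (`- Interactive logon: ...`) is correct on its own.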
diff --git a/mdop/mbam-v25/upgrading-to-mbam-25-or-mbam-25-sp1-from-previous-versions.md b/mdop/mbam-v25/upgrading-to-mbam-25-or-mbam-25-sp1-from-previous-versions.md
index 7bb09bf7a9..52ef3ff163 100644
--- a/mdop/mbam-v25/upgrading-to-mbam-25-or-mbam-25-sp1-from-previous-versions.md
+++ b/mdop/mbam-v25/upgrading-to-mbam-25-or-mbam-25-sp1-from-previous-versions.md
@@ -130,7 +130,7 @@ Use the steps in the following sections to upgrade MBAM for the Stand-alone topo
6. Install and configure the MBAM 2.5 or 2.5 SP1 databases, reports, web applications, and Configuration Manager integration, in that order. The databases and Configuration Manager objects are upgraded in place.
-7. Optionally, update the Group Policy Objects (GPOs), and edit the settings if you want to implement new features in MBAM, such as enforced encryption. If you do not update the GPOs, MBAM will continue to report against your current GPOs. See [How to Get MDOP Group Policy (.admx) Templates](http://www.microsoft.com/download/details.aspx?id=41183) to download the latest ADMX templates.
+7. Optionally, update the Group Policy Objects (GPOs), and edit the settings if you want to implement new features in MBAM, such as enforced encryption. If you do not update the GPOs, MBAM will continue to report against your current GPOs. See [How to Get MDOP Group Policy (.admx) Templates](https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/solutions/how-to-download-and-deploy-mdop-group-policy--admx--templates) to download the latest ADMX templates.
After you upgrade the MBAM Server infrastructure, the existing client computers continue to successfully report to the MBAM 2.5 or 2.5 SP1 Server, and recovery data continues to be stored.
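Review bot: the new link `https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/solutions/...` embeds the `en-us` locale, while the other docs.microsoft.com links in this change (for example `https://docs.microsoft.com/intune/windows-enroll`) are locale-neutral; drop `/en-us` so localized readers are routed to their own language.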
diff --git a/mdop/uev-v2/manage-administrative-backup-and-restore-in-ue-v-2x-new-topic-for-21.md b/mdop/uev-v2/manage-administrative-backup-and-restore-in-ue-v-2x-new-topic-for-21.md
index 18be63b57f..b0d0ef4e43 100644
--- a/mdop/uev-v2/manage-administrative-backup-and-restore-in-ue-v-2x-new-topic-for-21.md
+++ b/mdop/uev-v2/manage-administrative-backup-and-restore-in-ue-v-2x-new-topic-for-21.md
@@ -94,7 +94,7 @@ Restoring a user’s device restores the currently registered Template’s setti
- **Manual Restore**
- If you want to assist users by restoring a device during a refresh, you can choose to use the Restore-UevBackup cmdlet. This command ensures that the user’s current settings become the current state on the Settings Storage Location.
+ If you want to assist users by restoring a device during a refresh, you can choose to use the Restore-UevBackup cmdlet. This command causes the user’s settings to be downloaded from the Settings Storage Location.
## Restore Application and Windows Settings to Original State
diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
index dc568d07df..31bc357659 100644
--- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
+++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
@@ -10,7 +10,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 03/23/2018
+ms.date: 04/06/2018
---
# What's new in MDM enrollment and management
@@ -1149,6 +1149,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
ApplicationDefaults/EnableAppUriHandlers
ApplicationManagement/MSIAllowUserControlOverInstall
ApplicationManagement/MSIAlwaysInstallWithElevatedPrivileges
+Bluetooth/AllowPromptedProximalConnections
Browser/AllowConfigurationUpdateForBooksLibrary
Browser/AlwaysEnableBooksLibrary
Browser/EnableExtendedBooksTelemetry
@@ -1176,7 +1177,10 @@ For details about Microsoft mobile device management protocols for Windows 10 s
LocalPoliciesSecurityOptions/Devices_AllowUndockWithoutHavingToLogon
LocalPoliciesSecurityOptions/Devices_AllowedToFormatAndEjectRemovableMedia
LocalPoliciesSecurityOptions/Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters
-LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly
+LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly
+LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways
+LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptSecureChannelDataWhenPossible
+LocalPoliciesSecurityOptions/DomainMember_DisableMachineAccountPasswordChanges
LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior
LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees
LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers
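Review bot: `-LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly` is removed and re-added byte-for-byte as `+LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly`, which usually means a trailing-whitespace or line-ending change; either drop the no-op from the diff or mention in the commit message that whitespace was normalized so reviewers do not hunt for a difference that is not there.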
@@ -1190,7 +1194,11 @@ For details about Microsoft mobile device management protocols for Windows 10 s
LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM
LocalPoliciesSecurityOptions/NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange
LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel
-LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers
+LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers
+LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AddRemoteServerExceptionsForNTLMAuthentication
+LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AuditIncomingNTLMTraffic
+LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_IncomingNTLMTraffic
+LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_OutgoingNTLMTrafficToRemoteServers
LocalPoliciesSecurityOptions/Shutdown_ClearVirtualMemoryPageFile
LocalPoliciesSecurityOptions/SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems
LocalPoliciesSecurityOptions/UserAccountControl_DetectApplicationInstallationsAndPromptForElevation
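Review bot: same no-op as in the previous hunk: `-LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers` is removed and re-added unchanged as `+LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers`, which points to a whitespace or line-ending difference; normalize it separately or note it in the commit so the four genuinely new RestrictNTLM entries stand out.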
@@ -1630,6 +1638,20 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
Settings/SaveFilesToHost
+
+[Policy CSP](policy-configuration-service-provider.md) |
+Added the following new policies for Windows 10, version 1803:
+
+- Bluetooth/AllowPromptedProximalConnections
+- LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways
+- LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptSecureChannelDataWhenPossible
+- LocalPoliciesSecurityOptions/DomainMember_DisableMachineAccountPasswordChanges
+- LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AddRemoteServerExceptionsForNTLMAuthentication
+- LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AuditIncomingNTLMTraffic
+- LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_IncomingNTLMTraffic
+- LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_OutgoingNTLMTrafficToRemoteServers
+
+ |
diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md
index 3abd56fb99..d108e8bfc0 100644
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@@ -399,6 +399,9 @@ The following diagram shows the Policy configuration service provider in tree fo
Bluetooth/AllowPrepairing
+
+ Bluetooth/AllowPromptedProximalConnections
+
Bluetooth/LocalDeviceName
diff --git a/windows/client-management/mdm/policy-csp-bluetooth.md b/windows/client-management/mdm/policy-csp-bluetooth.md
index 7c004110fe..0205e259b0 100644
--- a/windows/client-management/mdm/policy-csp-bluetooth.md
+++ b/windows/client-management/mdm/policy-csp-bluetooth.md
@@ -6,11 +6,13 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 03/12/2018
+ms.date: 04/06/2018
---
# Policy CSP - Bluetooth
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
@@ -28,6 +30,9 @@ ms.date: 03/12/2018
Bluetooth/AllowPrepairing
+
+ Bluetooth/AllowPromptedProximalConnections
+
Bluetooth/LocalDeviceName
@@ -197,6 +202,62 @@ The following list shows the supported values:
+
+**Bluetooth/AllowPromptedProximalConnections**
+
+
+
+
+ Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+  |
+ 4 |
+ 4 |
+ 4 |
+  |
+  |
+  |
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Added in Windows 10, version 1803. This policy allows the IT admin to block users on these managed devices from using Quick Pair and other proximity based scenarios.
+
+
+
+The following list shows the supported values:
+
+- 0 - Disallow. Block users on these managed devices from using Quick Pair and other proximity based scenarios
+- 1 - Allow. Allow users on these managed devices to use Quick Pair and other proximity based scenarios
+
+
+
+
+
+
+
+
+
+
+
+
**Bluetooth/LocalDeviceName**
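Review bot: the edition table for `Bluetooth/AllowPromptedProximalConnections` leaves the Education column blank while every `LocalPoliciesSecurityOptions` entry added in this same change marks Education as supported; confirm whether that omission is deliberate. The description also gives no default: the supported-values list shows `0 - Disallow` and `1 - Allow`, but an admin reading "allows the IT admin to block users" cannot tell which value applies when the policy is not configured, so add a "Default:" line as the other policy entries do. Minor wording: "proximity based" should be hyphenated as "proximity-based" in both the description and the value list.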
diff --git a/windows/client-management/mdm/policy-csp-kioskbrowser.md b/windows/client-management/mdm/policy-csp-kioskbrowser.md
index 6554f182c6..583d9b17cd 100644
--- a/windows/client-management/mdm/policy-csp-kioskbrowser.md
+++ b/windows/client-management/mdm/policy-csp-kioskbrowser.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 04/03/2018
+ms.date: 04/06/2018
---
# Policy CSP - KioskBrowser
@@ -14,7 +14,8 @@ ms.date: 04/03/2018
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-These policies only apply to kiosk browser.
+These policies currently only apply to Kiosk Browser app. Kiosk Browser is a Microsoft Store app, added in Windows 10 version 1803, that provides IT a way to customize the end user’s browsing experience to fulfill kiosk, signage, and shared device scenarios. Application developers can also create their own kiosk browser and read these policies using [NamedPolicy.GetPolicyFromPath(String, String) Method](https://docs.microsoft.com/en-us/uwp/api/windows.management.policies.namedpolicy.getpolicyfrompath#Windows_Management_Policies_NamedPolicy_GetPolicyFromPath_System_String_System_String_).
+
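Review bot: the new intro sentence is missing an article ("only apply to the Kiosk Browser app"), and the phrase "currently only apply" invites the question of what else they might apply to later; if the intent is that third-party kiosk browsers can read the same policies via `NamedPolicy.GetPolicyFromPath`, as the following sentence says, state that directly instead of "currently". The link carries a locale segment (`docs.microsoft.com/en-us/uwp/api/...`); the locale-free form is preferred so localized copies of the doc resolve to the reader's language. Also check that the unchanged `> [!WARNING]` prerelease alert above this paragraph keeps a blank line after it so the new paragraph does not render inside the alert.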
@@ -85,7 +86,7 @@ These policies only apply to kiosk browser.
Added in Windows 10, version 1803. List of exceptions to the blocked website URLs (with wildcard support). This is used to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs.
> [!Note]
-> This policy only applies to kiosk browser.
+> This policy only applies to the Kiosk Browser app in Microsoft Store.
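Review bot: the note text is now changed to "the Kiosk Browser app in Microsoft Store" in six places, but the unchanged context line above still says "URLs kiosk browsers are allowed to navigate to", i.e. the generic plural that this PR is moving away from; align the descriptions with the new singular product name while you are here, or the page will read as if two different things are being described. For the exceptions list specifically, it would help admins to say explicitly that an allowed URL pattern only has effect when it is narrower than an entry in the blocked list, since the current "which are a subset of the blocked URLs" leaves the precedence implicit.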
@@ -132,7 +133,7 @@ Added in Windows 10, version 1803. List of exceptions to the blocked website URL
Added in Windows 10, version 1803. List of blocked website URLs (with wildcard support). This is used to configure blocked URLs kiosk browsers cannot navigate to.
> [!Note]
-> This policy only applies to kiosk browser.
+> This policy only applies to the Kiosk Browser app in Microsoft Store.
@@ -179,7 +180,7 @@ Added in Windows 10, version 1803. List of blocked website URLs (with wildcard s
Added in Windows 10, version 1803. Configures the default URL kiosk browsers to navigate on launch and restart.
> [!Note]
-> This policy only applies to kiosk browser.
+> This policy only applies to the Kiosk Browser app in Microsoft Store.
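Review bot: the context line "Configures the default URL kiosk browsers to navigate on launch and restart" is ungrammatical and uses the old plural; since the note below it is being edited anyway, reword it to "Configures the default URL the Kiosk Browser app navigates to on launch and restart".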
@@ -226,7 +227,7 @@ Added in Windows 10, version 1803. Configures the default URL kiosk browsers to
Added in Windows 10, version 1803. Enable/disable kiosk browser's home button.
> [!Note]
-> This policy only applies to kiosk browser.
+> This policy only applies to the Kiosk Browser app in Microsoft Store.
@@ -273,7 +274,7 @@ Added in Windows 10, version 1803. Enable/disable kiosk browser's home button.
Added in Windows 10, version 1803. Enable/disable kiosk browser's navigation buttons (forward/back).
> [!Note]
-> This policy only applies to kiosk browser.
+> This policy only applies to the Kiosk Browser app in Microsoft Store.
@@ -322,7 +323,7 @@ Added in Windows 10, version 1803. Amount of time in minutes the session is idle
The value is an int 1-1440 that specifies the amount of minutes the session is idle until the kiosk browser restarts in a fresh state. The default value is empty which means there is no idle timeout within the kiosk browser.
> [!Note]
-> This policy only applies to kiosk browser.
+> This policy only applies to the Kiosk Browser app in Microsoft Store.
diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
index 327397bc54..34c61a2c31 100644
--- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
+++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 03/16/2018
+ms.date: 04/06/2018
---
# Policy CSP - LocalPoliciesSecurityOptions
@@ -51,6 +51,15 @@ ms.date: 03/16/2018
LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly
+
+ LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways
+
+
+ LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptSecureChannelDataWhenPossible
+
+
+ LocalPoliciesSecurityOptions/DomainMember_DisableMachineAccountPasswordChanges
+
LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked
@@ -117,6 +126,18 @@ ms.date: 03/16/2018
LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers
+
+ LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AddRemoteServerExceptionsForNTLMAuthentication
+
+
+ LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AuditIncomingNTLMTraffic
+
+
+ LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_IncomingNTLMTraffic
+
+
+ LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_OutgoingNTLMTrafficToRemoteServers
+
LocalPoliciesSecurityOptions/RecoveryConsole_AllowAutomaticAdministrativeLogon
@@ -757,6 +778,220 @@ GP Info:
+
+**LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways**
+
+
+
+
+ Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+  |
+ 4 |
+ 4 |
+ 4 |
+ 4 |
+  |
+  |
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Domain member: Digitally encrypt or sign secure channel data (always)
+
+This security setting determines whether all secure channel traffic initiated by the domain member must be signed or encrypted.
+
+When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller for its domain. This secure channel is used to perform operations such as NTLM pass through authentication, LSA SID/name Lookup etc.
+
+This setting determines whether or not all secure channel traffic initiated by the domain member meets minimum security requirements. Specifically it determines whether all secure channel traffic initiated by the domain member must be signed or encrypted. If this policy is enabled, then the secure channel will not be established unless either signing or encryption of all secure channel traffic is negotiated. If this policy is disabled, then encryption and signing of all secure channel traffic is negotiated with the Domain Controller in which case the level of signing and encryption depends on the version of the Domain Controller and the settings of the following two policies:
+
+Domain member: Digitally encrypt secure channel data (when possible)
+Domain member: Digitally sign secure channel data (when possible)
+
+Default: Enabled.
+
+Notes:
+
+If this policy is enabled, the policy Domain member: Digitally sign secure channel data (when possible) is assumed to be enabled regardless of its current setting. This ensures that the domain member attempts to negotiate at least signing of the secure channel traffic.
+If this policy is enabled, the policy Domain member: Digitally sign secure channel data (when possible) is assumed to be enabled regardless of its current setting. This ensures that the domain member attempts to negotiate at least signing of the secure channel traffic.
+Logon information transmitted over the secure channel is always encrypted regardless of whether encryption of ALL other secure channel traffic is negotiated or not.
+
+
+
+GP Info:
+- GP English name: *Domain member: Digitally encrypt or sign secure channel data (always)*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+**LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptSecureChannelDataWhenPossible**
+
+
+
+
+ Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+  |
+ 4 |
+ 4 |
+ 4 |
+ 4 |
+  |
+  |
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Domain member: Digitally encrypt secure channel data (when possible)
+
+This security setting determines whether a domain member attempts to negotiate encryption for all secure channel traffic that it initiates.
+
+When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller for its domain. This secure channel is used to perform operations such as NTLM pass-through authentication, LSA SID/name Lookup etc.
+
+This setting determines whether or not the domain member attempts to negotiate encryption for all secure channel traffic that it initiates. If enabled, the domain member will request encryption of all secure channel traffic. If the domain controller supports encryption of all secure channel traffic, then all secure channel traffic will be encrypted. Otherwise only logon information transmitted over the secure channel will be encrypted. If this setting is disabled, then the domain member will not attempt to negotiate secure channel encryption.
+
+Default: Enabled.
+
+Important
+
+There is no known reason for disabling this setting. Besides unnecessarily reducing the potential confidentiality level of the secure channel, disabling this setting may unnecessarily reduce secure channel throughput, because concurrent API calls that use the secure channel are only possible when the secure channel is signed or encrypted.
+
+Note: Domain controllers are also domain members and establish secure channels with other domain controllers in the same domain as well as domain controllers in trusted domains.
+
+
+
+GP Info:
+- GP English name: *Domain member: Digitally encrypt secure channel data (when possible)*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+**LocalPoliciesSecurityOptions/DomainMember_DisableMachineAccountPasswordChanges**
+
+
+
+
+ Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+  |
+ 4 |
+ 4 |
+ 4 |
+ 4 |
+  |
+  |
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Domain member: Disable machine account password changes
+
+Determines whether a domain member periodically changes its computer account password. If this setting is enabled, the domain member does not attempt to change its computer account password. If this setting is disabled, the domain member attempts to change its computer account password as specified by the setting for Domain Member: Maximum age for machine account password, which by default is every 30 days.
+
+Default: Disabled.
+
+Notes
+
+This security setting should not be enabled. Computer account passwords are used to establish secure channel communications between members and domain controllers and, within the domain, between the domain controllers themselves. Once it is established, the secure channel is used to transmit sensitive information that is necessary for making authentication and authorization decisions.
+This setting should not be used in an attempt to support dual-boot scenarios that use the same computer account. If you want to dual-boot two installations that are joined to the same domain, give the two installations different computer names.
+
+
+
+GP Info:
+- GP English name: *Domain member: Disable machine account password changes*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
**LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked**
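Review bot: the "Notes:" block under `DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways` repeats the same sentence twice (the two lines beginning "If this policy is enabled, the policy Domain member: Digitally sign secure channel data (when possible) is assumed to be enabled"); drop the duplicate. In the same entry the two policy names after "the settings of the following two policies:" and the three note sentences are on consecutive plain-text lines with no list markers or blank lines, so markdown will fold them into single paragraphs; the same applies to the two notes under `DomainMember_DisableMachineAccountPasswordChanges`. Use a `-` list as the "GP Info:" blocks already do. Two referenced policies, "Domain member: Digitally sign secure channel data (when possible)" and "Domain Member: Maximum age for machine account password", have no CSP entry anywhere in this change; either link to their existing entries or note that they are GP-only. Finally, each of the three entries says "Default: Enabled." or "Default: Disabled." in GP terms but never states which integer the CSP expects or returns; the Bluetooth policy in this same PR shows a "supported values" list with 0/1, and these entries should do the same. The bare "Important" and "Notes" lines could use the `> [!IMPORTANT]` / `> [!NOTE]` alert syntax the kioskbrowser page already uses.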
@@ -2122,6 +2357,282 @@ GP Info:
+
+**LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AddRemoteServerExceptionsForNTLMAuthentication**
+
+
+
+
+ Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+  |
+ 4 |
+ 4 |
+ 4 |
+ 4 |
+  |
+  |
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication
+
+This policy setting allows you to create an exception list of remote servers to which clients are allowed to use NTLM authentication if the "Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy setting is configured.
+
+If you configure this policy setting, you can define a list of remote servers to which clients are allowed to use NTLM authentication.
+
+If you do not configure this policy setting, no exceptions will be applied.
+
+The naming format for servers on this exception list is the fully qualified domain name (FQDN) or NetBIOS server name used by the application, listed one per line. To ensure exceptions the name used by all applications needs to be in the list, and to ensure an exception is accurate, the server name should be listed in both naming formats . A single asterisk (*) can be used anywhere in the string as a wildcard character.
+
+
+
+GP Info:
+- GP English name: *Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+**LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AuditIncomingNTLMTraffic**
+
+
+
+
+ Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+  |
+ 4 |
+ 4 |
+ 4 |
+ 4 |
+  |
+  |
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Network security: Restrict NTLM: Audit Incoming NTLM Traffic
+
+This policy setting allows you to audit incoming NTLM traffic.
+
+If you select "Disable", or do not configure this policy setting, the server will not log events for incoming NTLM traffic.
+
+If you select "Enable auditing for domain accounts", the server will log events for NTLM pass-through authentication requests that would be blocked when the "Network Security: Restrict NTLM: Incoming NTLM traffic" policy setting is set to the "Deny all domain accounts" option.
+
+If you select "Enable auditing for all accounts", the server will log events for all NTLM authentication requests that would be blocked when the "Network Security: Restrict NTLM: Incoming NTLM traffic" policy setting is set to the "Deny all accounts" option.
+
+This policy is supported on at least Windows 7 or Windows Server 2008 R2.
+
+Note: Audit events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM.
+
+
+
+GP Info:
+- GP English name: *Network security: Restrict NTLM: Audit Incoming NTLM Traffic*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+**LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_IncomingNTLMTraffic**
+
+
+
+
+ Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+  |
+ 4 |
+ 4 |
+ 4 |
+ 4 |
+  |
+  |
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Network security: Restrict NTLM: Incoming NTLM traffic
+
+This policy setting allows you to deny or allow incoming NTLM traffic.
+
+If you select "Allow all" or do not configure this policy setting, the server will allow all NTLM authentication requests.
+
+If you select "Deny all domain accounts," the server will deny NTLM authentication requests for domain logon and display an NTLM blocked error, but allow local account logon.
+
+If you select "Deny all accounts," the server will deny NTLM authentication requests from incoming traffic and display an NTLM blocked error.
+
+This policy is supported on at least Windows 7 or Windows Server 2008 R2.
+
+Note: Block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM.
+
+
+
+GP Info:
+- GP English name: *Network security: Restrict NTLM: Incoming NTLM traffic*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+**LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_OutgoingNTLMTrafficToRemoteServers**
+
+
+
+
+ Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+  |
+ 4 |
+ 4 |
+ 4 |
+ 4 |
+  |
+  |
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers
+
+This policy setting allows you to deny or audit outgoing NTLM traffic from this Windows 7 or this Windows Server 2008 R2 computer to any Windows remote server.
+
+If you select "Allow all" or do not configure this policy setting, the client computer can authenticate identities to a remote server by using NTLM authentication.
+
+If you select "Audit all," the client computer logs an event for each NTLM authentication request to a remote server. This allows you to identify those servers receiving NTLM authentication requests from the client computer.
+
+If you select "Deny all," the client computer cannot authenticate identities to a remote server by using NTLM authentication. You can use the "Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication" policy setting to define a list of remote servers to which clients are allowed to use NTLM authentication.
+
+This policy is supported on at least Windows 7 or Windows Server 2008 R2.
+
+Note: Audit and block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM.
+
+
+
+GP Info:
+- GP English name: *Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
**LocalPoliciesSecurityOptions/RecoveryConsole_AllowAutomaticAdministrativeLogon**
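Review bot: the four `NetworkSecurity_RestrictNTLM_*` entries describe their options by GP display strings ("Allow all", "Audit all", "Deny all", "Deny all domain accounts", "Enable auditing for all accounts") but never map them to the integer values the CSP accepts, so an MDM admin cannot build a working policy from this page; add a supported-values list for each, as the Bluetooth entry in this PR does. For `AddRemoteServerExceptionsForNTLMAuthentication`, the GP text says servers are "listed one per line", which does not tell a CSP consumer what delimiter the string value uses; document the CSP value format. The sentences "This policy is supported on at least Windows 7 or Windows Server 2008 R2." (three entries) and "from this Windows 7 or this Windows Server 2008 R2 computer" are lifted from the GP explain text and do not belong on a Windows 10 CSP page whose edition table already states support; remove or reword them. Small fixes in the exceptions entry: stray space before the period in "both naming formats .", and "To ensure exceptions the name used by all applications needs to be in the list" reads better as "For an exception to take effect, the name used by each application must be in the list". Since the audit entry is defined in terms of what the deny settings "would block", consider cross-linking it from the Incoming and Outgoing entries so readers find the audit-first path.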
diff --git a/windows/client-management/mdm/policy-csp-search.md b/windows/client-management/mdm/policy-csp-search.md
index dfdf82afa1..12b9c8386e 100644
--- a/windows/client-management/mdm/policy-csp-search.md
+++ b/windows/client-management/mdm/policy-csp-search.md
@@ -834,7 +834,7 @@ The following list shows the supported values:
> [!NOTE]
-> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
+> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. Desktop users should use Search/DoNotUseWebResults.
Specifies what level of safe search (filtering adult content) is required.
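Review bot: the added sentence "Desktop users should use Search/DoNotUseWebResults." names another policy on this same page; link it to its section so it is discoverable. The cortana-at-work table edited later in this PR still lists the MDM column for "Don't search the web or display web results" as `None`, which now contradicts this note; update both in the same change.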
diff --git a/windows/configuration/TOC.md b/windows/configuration/TOC.md
index 9768a7eb0b..94d5785c9f 100644
--- a/windows/configuration/TOC.md
+++ b/windows/configuration/TOC.md
@@ -3,9 +3,9 @@
## [Diagnostic Data Viewer Overview](diagnostic-data-viewer-overview.md)
## [Windows 10, version 1709 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields.md)
## [Windows 10, version 1703 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md)
-## [Windows 10, version 1709 enhanced telemetry events and fields used by Windows Analytics](enhanced-diagnostic-data-windows-analytics-events-and-fields.md)
-## [Windows 10, version 1709 diagnostic data for the Full telemetry level](windows-diagnostic-data.md)
-## [Windows 10, version 1703 diagnostic data for the Full telemetry level](windows-diagnostic-data-1703.md)
+## [Windows 10, version 1709 enhanced diagnostic data events and fields used by Windows Analytics](enhanced-diagnostic-data-windows-analytics-events-and-fields.md)
+## [Windows 10, version 1709 diagnostic data for the Full level](windows-diagnostic-data.md)
+## [Windows 10, version 1703 diagnostic data for the Full level](windows-diagnostic-data-1703.md)
## [Beginning your General Data Protection Regulation (GDPR) journey for Windows 10](gdpr-win10-whitepaper.md)
## [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)
## [Manage Windows 10 connection endpoints](manage-windows-endpoints-version-1709.md)
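Review bot: the TOC titles drop "telemetry" in favour of "diagnostic data" (three entries), but this diff touches no corresponding change in windows-diagnostic-data.md, windows-diagnostic-data-1703.md or enhanced-diagnostic-data-windows-analytics-events-and-fields.md; confirm the H1 titles and `title:` front matter in those files already match, otherwise the TOC and page headings will disagree.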
diff --git a/windows/configuration/change-history-for-configure-windows-10.md b/windows/configuration/change-history-for-configure-windows-10.md
index b328c042ce..457c50223b 100644
--- a/windows/configuration/change-history-for-configure-windows-10.md
+++ b/windows/configuration/change-history-for-configure-windows-10.md
@@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: high
author: jdeckerms
-ms.date: 04/04/2018
+ms.date: 04/13/2018
---
# Change history for Configure Windows 10
@@ -20,6 +20,7 @@ This topic lists new and updated topics in the [Configure Windows 10](index.md)
New or changed topic | Description
--- | ---
[Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md) | Updated endpoints.
+[Configure cellular settings for tablets and PCs](provisioning-apn.md) | Added instructions for confirming that the settings were applied.
## March 2018
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md b/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md
index f411b5bc5e..7e48ef64a7 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md
@@ -26,7 +26,7 @@ ms.date: 10/05/2017
|None|System/AllowLocation|Specifies whether to allow app access to the Location service.**In Windows 10, version 1511**
Cortana won’t work if this setting is turned off (disabled).
**In Windows 10, version 1607 and later**
Cortana still works if this setting is turned off (disabled).|
|None|Accounts/AllowMicrosoftAccountConnection|Specifies whether to allow employees to sign in using a Microsoft account (MSA) from Windows apps.
Use this setting if you only want to support Azure AD in your organization.|
|Computer Configuration\Administrative Templates\Windows Components\Search\Allow search and Cortana to use location|Search/AllowSearchToUseLocation|Specifies whether Cortana can use your current location during searches and for location reminders.|
-|Computer Configuration\Administrative Templates\Windows Components\Search\Set the SafeSearch setting for Search|Search/SafeSearchPermissions|Specifies what level of safe search (filtering adult content) is required.
**Note**
This setting only applies to Windows 10 Mobile.|
+|Computer Configuration\Administrative Templates\Windows Components\Search\Set the SafeSearch setting for Search|Search/SafeSearchPermissions|Specifies what level of safe search (filtering adult content) is required.
**Note**
This setting only applies to Windows 10 Mobile. Other versions of Windows should use Don't search the web or display web results. |
|User Configuration\Administrative Templates\Windows Components\File Explorer\Turn off display of recent search entries in the File Explorer search box|None|Specifies whether the search box can suggest recent queries and prevent entries from being stored in the registry for future reference.|
|Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results|None|Specifies whether search can perform queries on the web and if the web results are displayed in search.
**In Windows 10 Pro edition**
This setting can’t be managed.
**In Windows 10 Enterprise edition**
Cortana won't work if this setting is turned off (disabled).|
|Computer Configuration\Administrative Templates\Windows Components\Search\Allow Cortana|Experience/AllowCortana|Specifies whether employees can use Cortana.
**Important**
Cortana won’t work if this setting is turned off (disabled). However, employees can still perform local searches even with Cortana turned off.|
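Review bot: the appended sentence "Other versions of Windows should use Don't search the web or display web results." names the Group Policy setting as plain running text, which is hard to parse inside a table cell; set it in bold or quotes as the other policy names in this table are, and drop the trailing space before the closing `|`. Also reconcile this with the Search CSP change in the same PR, which directs desktop users to the MDM policy `Search/DoNotUseWebResults`: the row for "Don't search the web or display web results" here still shows `None` in the MDM column, so either fill it in or explain why the CSP does not map.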
diff --git a/windows/configuration/guidelines-for-assigned-access-app.md b/windows/configuration/guidelines-for-assigned-access-app.md
index 2a03f2bf72..751dcc8f7b 100644
--- a/windows/configuration/guidelines-for-assigned-access-app.md
+++ b/windows/configuration/guidelines-for-assigned-access-app.md
@@ -65,16 +65,17 @@ If you use a web browser as your assigned access app, consider the following tip
## Secure your information
-Avoid selecting Windows apps that may expose the information you don’t want to show in your kiosk, since kiosk usually means anonymous access and locates in a public setting like a shopping mall. For example, an app that has a file picker allows the user to gain access to files and folders on the user's system, avoid selecting this type of apps if they provide unnecessary data access.
+Avoid selecting Windows apps that may expose the information you don’t want to show in your kiosk, since kiosk usually means anonymous access and locates in a public setting like a shopping mall. For example, an app that has a file picker allows the user to gain access to files and folders on the user's system, avoid selecting these types of apps if they provide unnecessary data access.
## App configuration
-Some apps may require additional configurations before they can be used appropriately in assigned access . For example, Microsoft OneNote requires you to set up a Microsoft account for the assigned access user account before OneNote will open in assigned access.
-Check the guidelines published by your selected app and do the setup accordingly.
+Some apps may require additional configurations before they can be used appropriately in assigned access. For example, Microsoft OneNote requires you to set up a Microsoft account for the assigned access user account before OneNote will open in assigned access.
+
+Check the guidelines published by your selected app and set up accordingly.
## Develop your kiosk app
-Assigned access in Windows 10 leverages the new lock framework. When an assigned access user signs in, the selected kiosk app is launched above lock . The kiosk app is actually running as an above lock screen app.
+Assigned access in Windows 10 leverages the new lock framework. When an assigned access user signs in, the selected kiosk app is launched above the lock screen. The kiosk app is running as an above lock screen app.
Follow the [best practices guidance for developing a kiosk app for assigned access](https://msdn.microsoft.com/library/windows/hardware/mt633799%28v=vs.85%29.aspx).
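Review bot: the rewritten "Secure your information" sentence still has the comma splice the old one had: "an app that has a file picker allows the user to gain access to files and folders on the user's system, avoid selecting these types of apps" should be two sentences, and "locates in a public setting" should be "is located in a public setting". In "Develop your kiosk app", the new second sentence "The kiosk app is running as an above lock screen app." restates the one before it; keep one, and hyphenate "above-lock screen app" so the phrase parses.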
@@ -82,7 +83,7 @@ Follow the [best practices guidance for developing a kiosk app for assigned acce
The above guidelines may help you select or develop an appropriate Windows app for your assigned access experience. Once you have selected your app, we recommend that you thoroughly test the assigned access experience to ensure that your device provides a good customer experience.
- ## Learn more
+## Learn more
[Customizing Your Device Experience with Assigned Access](https://channel9.msdn.com/Events/Build/2016/P508)
diff --git a/windows/configuration/lock-down-windows-10-to-specific-apps.md b/windows/configuration/lock-down-windows-10-to-specific-apps.md
index 94ac63a7a7..ef5ecb4d6b 100644
--- a/windows/configuration/lock-down-windows-10-to-specific-apps.md
+++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md
@@ -18,7 +18,7 @@ ms.author: jdecker
**Applies to**
-- Windows 10
+- Windows 10 Pro, Enterprise, and Education
A [kiosk device](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) typically runs a single app, and users are prevented from accessing any features or functions on the device outside of the kiosk app. In Windows 10, version 1709, the [AssignedAccess configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp) has been expanded to make it easy for administrators to create kiosks that run more than one app.
diff --git a/windows/configuration/provisioning-apn.md b/windows/configuration/provisioning-apn.md
index 20fc7040aa..96078d1791 100644
--- a/windows/configuration/provisioning-apn.md
+++ b/windows/configuration/provisioning-apn.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerMS
ms.localizationpriority: high
-ms.date: 07/27/2017
+ms.date: 04/13/2018
---
# Configure cellular settings for tablets and PCs
@@ -76,5 +76,39 @@ For users who work in different locations, you can configure one APN to connect
9. [Apply the package to devices.](provisioning-packages/provisioning-apply-package.md)
+## Confirm the settings
+
+After you apply the provisioning package, you can confirm that the settings have been applied.
+
+1. On the configured device, open a command prompt as an administrator.
+
+2. Run the following command:
+
+ ```
+ netsh mbn show profiles
+ ```
+
+3. The command will list the mobile broadband profiles. Using the "Name" for the listed mobile broadband profile, run:
+
+ ```
+ netsh mbn show profiles name="name"
+ ```
+
+ This command will list details for that profile, including Access Point Name.
+
+
+Alternatively, you can also use the command:
+
+```
+netsh mbn show interface
+```
+
+From the results of that command, get the name of the cellular/mobile broadband interface and run:
+
+```
+netsh mbn show connection interface="name"
+```
+
+The result of that command will show details for the cellular interface, including Access Point Name.
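Review bot: the placeholders in `netsh mbn show profiles name="name"` and `netsh mbn show connection interface="name"` use the literal word "name", which a reader can easily paste verbatim; use an obvious placeholder such as `name="<profile name>"` and `interface="<interface name>"` and say that the values come from the output of the preceding `show profiles` / `show interface` command. The code fences are untagged; tag them as the repo does elsewhere (for example a `cmd` or `console` fence) so they render consistently. "Alternatively, you can also use the command" is redundant; "Alternatively, run" is enough. Step 1 already requires an elevated prompt, so it may be worth stating that the two alternative commands need the same elevated prompt rather than leaving that implied by position.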
diff --git a/windows/configuration/setup-kiosk-digital-signage.md b/windows/configuration/setup-kiosk-digital-signage.md
index c9b84f0646..f8b3502b6d 100644
--- a/windows/configuration/setup-kiosk-digital-signage.md
+++ b/windows/configuration/setup-kiosk-digital-signage.md
@@ -16,7 +16,7 @@ ms.date: 03/30/2018
**Applies to**
-- Windows 10
+- Windows 10 Pro, Enterprise, and Education
diff --git a/windows/configuration/ue-v/uev-getting-started.md b/windows/configuration/ue-v/uev-getting-started.md
index 5ec8571305..301f4a7b07 100644
--- a/windows/configuration/ue-v/uev-getting-started.md
+++ b/windows/configuration/ue-v/uev-getting-started.md
@@ -16,8 +16,8 @@ ms.date: 03/08/2018
Follow the steps in this topic to deploy User Experience Virtualization (UE-V) for the first time in a test environment. Evaluate UE-V to determine whether it’s the right solution to manage user settings across multiple devices within your enterprise.
->**Note**
-The information in this section is explained in greater detail throughout the rest of the documentation. If you’ve already determined that UE-V is the right solution and you don’t need to further evaluate it, see [Prepare a UE-V deployment](uev-prepare-for-deployment.md).
+>[!NOTE]
+>The information in this section is explained in greater detail throughout the rest of the documentation. If you’ve already determined that UE-V is the right solution and you don’t need to further evaluate it, see [Prepare a UE-V deployment](uev-prepare-for-deployment.md).
The standard installation of UE-V synchronizes the default Microsoft Windows and Office settings and many Windows applications settings. For best results, ensure that your test environment includes two or more user computers that share network access.
@@ -94,13 +94,13 @@ A storage path must be configured on the client-side to tell where the personali
4. Select **Enabled**, fill in the **Settings storage path**, and click **OK**.
- - Ensure that the storage path ends with **%username%** to ensure that eah user gets a unique folder.
+ - Ensure that the storage path ends with **%username%** to ensure that each user gets a unique folder.
**To set the storage path for UE-V with PowerShell**
1. In a PowerShell window, type **Set-uevConfiguration -SettingsStoragePath [StoragePath]** where **[StoragePath]** is the path to the location created in step 2 followed by **\%username%**.
- - Ensure that the storage path ends with **%username%** to ensure that eah user gets a unique folder.
+ - Ensure that the storage path ends with **%username%** to ensure that each user gets a unique folder.
With Windows 10, version 1607 and later, the UE-V service is installed on user devices when the operating system is installed. Enable the service to start using UE-V. You can enable the service with the Group Policy editor or with Windows PowerShell.
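Review bot: the cmdlet in step 1, on the unchanged line just above the fix, is written **Set-uevConfiguration** in bold; the published name is `Set-UevConfiguration`, and a command belongs in a code span rather than bold text. Since this hunk only corrects "eah" to "each", it is a good moment to fix the casing and markup as well.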
diff --git a/windows/deployment/TOC.md b/windows/deployment/TOC.md
index 6dc28869bf..b0f27ea80e 100644
--- a/windows/deployment/TOC.md
+++ b/windows/deployment/TOC.md
@@ -230,7 +230,7 @@
### [Deploy Windows 10 updates using System Center Configuration Manager](update/waas-manage-updates-configuration-manager.md)
### [Manage device restarts after updates](update/waas-restart.md)
### [Manage additional Windows Update settings](update/waas-wu-settings.md)
-### [Determining the source of Windows updates](update/windows-update-sources.md)
+### [Determine the source of Windows updates](update/windows-update-sources.md)
### [Windows Insider Program for Business](update/waas-windows-insider-for-business.md)
#### [Introduction to the Windows Insider Program for Business](update/WIP4Biz-intro.md)
#### [Windows Insider Program for Business Frequently Asked Questions](update/waas-windows-insider-for-business-faq.md)
diff --git a/windows/deployment/update/index.md b/windows/deployment/update/index.md
index a9805be280..0cd39373d7 100644
--- a/windows/deployment/update/index.md
+++ b/windows/deployment/update/index.md
@@ -1,16 +1,16 @@
---
-title: Update Windows 10 in the enterprise (Windows 10)
+title: Update Windows 10 in enterprise deployments (Windows 10)
description: Windows as a service provides an all-new way to think about building, deploying, and servicing Windows 10.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
-author: DaniHalfin
+author: Jaimeo
ms.localizationpriority: high
-ms.author: daniha
-ms.date: 11/17/2017
+ms.author: jaimeo
+ms.date: 04/06/2018
---
-# Update Windows 10 in the enterprise
+# Update Windows 10 in enterprise deployments
**Applies to**
diff --git a/windows/deployment/update/update-compliance-delivery-optimization.md b/windows/deployment/update/update-compliance-delivery-optimization.md
index 92c577feea..dce1b56274 100644
--- a/windows/deployment/update/update-compliance-delivery-optimization.md
+++ b/windows/deployment/update/update-compliance-delivery-optimization.md
@@ -13,6 +13,10 @@ ms.date: 03/27/2018
# Delivery Optimization in Update Compliance
The Update Compliance solution of Windows Analytics provides you with information about your Delivery Optimization configuration, including the observed bandwidth savings across all devices that used peer-to-peer distribution over the past 28 days.
+>[!Note]
+>Delivery Optimization Status is currently in development. See the [Known Issues](#known-issues) section for issues we are aware of and potential workarounds.
+
+
## Delivery Optimization Status
The Delivery Optimization Status section includes three blades:
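Review bot: the alert marker on the added line is `>[!Note]`, while the other files touched in this change use `>[!NOTE]` (see the uev-getting-started hunk); use the upper-case form for consistency, and drop one of the two blank lines that follow the note before the "## Delivery Optimization Status" heading.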
@@ -40,3 +44,8 @@ The download sources that could be included are:
- Group Bytes: Bytes downloaded from Group Peers which are other devices that belong to the same Group (available when the “Group” download mode is used)
- HTTP Bytes: Non-peer bytes. The HTTP download source can be Microsoft Servers, Windows Update Servers, a WSUS server or an SCCM Distribution Point for Express Updates.
+## Known Issues
+Delivery Optimization is currently in development. The following issues are known:
+
+- DO Download Mode is not accurately portrayed in the Device Configuration blade. There is no workaround at this time.
+
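Review bot: "Delivery Optimization is currently in development" in the added Known Issues text does not match the note added earlier in this file, which says "Delivery Optimization Status is currently in development"; Delivery Optimization itself is a shipped feature, and it is the reporting in this solution that is in development, so the first sentence of this section should say "Delivery Optimization Status". The hunk also adds a trailing blank line at the end of the file.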
diff --git a/windows/deployment/update/waas-integrate-wufb.md b/windows/deployment/update/waas-integrate-wufb.md
index 24c89c24be..0967178c16 100644
--- a/windows/deployment/update/waas-integrate-wufb.md
+++ b/windows/deployment/update/waas-integrate-wufb.md
@@ -90,7 +90,7 @@ For Windows 10, version 1607, organizations already managing their systems with

-
+For more information, see [Integration with Windows Update for Business in Windows 10](https://docs.microsoft.com/en-us/sccm/sum/deploy-use/integrate-windows-update-for-business-windows-10).
## Related topics
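Review bot: the added link hard-codes the `en-us` locale segment (`https://docs.microsoft.com/en-us/sccm/...`); other docs.microsoft.com links in this patch, such as the AssignedAccess CSP and Secure Boot overview links, omit the locale so the site serves the reader's own. Drop `en-us/` here for the same reason.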
diff --git a/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md b/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md
index 14d7512550..0b01d6d615 100644
--- a/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md
+++ b/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md
@@ -13,7 +13,7 @@ ms.date: 04/05/2018
# Frequently asked questions and troubleshooting Windows Analytics
-This topic compiles the most common issues encountered with configuring and using Windows Analytics, as well as general questions.
+This topic compiles the most common issues encountered with configuring and using Windows Analytics, as well as general questions. This FAQ, along with the [Windows Analytics Technical Community](https://techcommunity.microsoft.com/t5/Windows-Analytics/ct-p/WindowsAnalytics), are recommended resources to consult before contacting Microsoft support.
## Troubleshooting common problems
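Review bot: subject-verb agreement in the added sentence: "This FAQ, along with the Windows Analytics Technical Community, are recommended resources" has the singular subject "This FAQ". Either "This FAQ and the Windows Analytics Technical Community are recommended resources to consult before contacting Microsoft support" or "This FAQ, along with ..., is a recommended resource to consult ...".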
diff --git a/windows/deployment/update/windows-analytics-get-started.md b/windows/deployment/update/windows-analytics-get-started.md
index 3775d77bac..cec30d4e05 100644
--- a/windows/deployment/update/windows-analytics-get-started.md
+++ b/windows/deployment/update/windows-analytics-get-started.md
@@ -127,7 +127,6 @@ Use a software distribution system such as System Center Configuration Manager t
### Distributing policies at scale
There are a number of policies that can be centrally managed to control Windows Analytics device configuration. All of these policies have *preference* registry key equivalents that can be set by using the deployment script. Policy settings override preference settings if both are set.
-
>[!NOTE]
>You can only set the diagnostic data level to Enhanced by using policy. For example, this is necessary for using Device Health.
@@ -155,4 +154,10 @@ For more information about Internet Explorer Security Zones, see [About URL Secu
### Distribution at scale without using the deployment script
-We recommend using the deployment script to configure devices. However if this is not an option, you can still manage settings by policy as described in the previous section. However, if you don't run the deployment script, you might have to wait a long time (possibly weeks) before devices send the initial full inventory scan.
+We recommend using the deployment script to configure devices. However if this is not an option, you can still manage settings by policy as described in the previous section. However, if you don't run the deployment script, you won't benefit from its error checking, and you might have to wait a long time (possibly weeks) before devices send the initial full inventory scan.
+
+Note that it is possible to intiate a full inventory scan on a device by calling these commands:
+- CompatTelRunner.exe -m:generaltel.dll -f:DoCensusRun
+- CompatTelRunner.exe -m:appraiser.dll -f:DoScheduledTelemetryRun ent
+
+For details on how to run these and how to check results, see the deployment script.
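Review bot: "intiate" in the added sentence should be "initiate". The two `CompatTelRunner.exe` command lines are presented as bullet items; a fenced code block would keep the arguments (`-m:generaltel.dll -f:DoCensusRun` and `-m:appraiser.dll -f:DoScheduledTelemetryRun ent`) intact and copyable, and a reader cannot tell whether the trailing `ent` on the second command is part of the command or a typo, so a few words explaining it would help. The rewritten paragraph also has two consecutive sentences that begin with "However"; the first can become "If this is not an option, you can still manage settings by policy ...".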
diff --git a/windows/deployment/update/windows-update-sources.md b/windows/deployment/update/windows-update-sources.md
index c9b0be52ce..2fd8f9c79a 100644
--- a/windows/deployment/update/windows-update-sources.md
+++ b/windows/deployment/update/windows-update-sources.md
@@ -1,5 +1,5 @@
---
-title: Determining the source of Windows updates
+title: Determine the source of Windows updates
description: Determine the source that Windows Update service is currently using.
ms.prod: w10
ms.mktglfcycl:
@@ -10,7 +10,7 @@ ms.author: jaimeo
ms.date: 04/05/2018
---
-# Determining the source of Windows updates
+# Determine the source of Windows updates
Windows 10 devices can receive updates from a variety of sources, including Windows Update online, a Windows Server Update Services server, and others. To determine the source of Windows Updates currently being used on a device, follow these steps:
diff --git a/windows/deployment/upgrade/setupdiag.md b/windows/deployment/upgrade/setupdiag.md
index a460f3c8b5..32859c06fe 100644
--- a/windows/deployment/upgrade/setupdiag.md
+++ b/windows/deployment/upgrade/setupdiag.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: deploy
author: greg-lindsay
-ms.date: 03/30/2018
+ms.date: 04/11/2018
ms.localizationpriority: high
---
@@ -103,7 +103,7 @@ SetupDiag.exe /Output:C:\SetupDiag\Dumpdebug.log /Mode:Offline /LogsPath:D:\Dump
## Known issues
-1. Some rules can take a long time to process if the log files involved as large.
+1. Some rules can take a long time to process if the log files involved are large.
2. SetupDiag only outputs data in a text format. If another format is desired, please provide this [feedback](#feedback).
3. If the failing computer is opted into the Insider program and getting regular pre-release updates, or an update is already pending on the computer when SetupDiag is run, it can encounter problems trying to open these log files. This will likely cause a failure to determine a root cause. In this case, try gathering the log files and running SetupDiag in offline mode.
diff --git a/windows/deployment/upgrade/upgrade-readiness-requirements.md b/windows/deployment/upgrade/upgrade-readiness-requirements.md
index 252ed481b1..2c73760c08 100644
--- a/windows/deployment/upgrade/upgrade-readiness-requirements.md
+++ b/windows/deployment/upgrade/upgrade-readiness-requirements.md
@@ -31,7 +31,7 @@ See [Windows 10 Specifications](http://www.microsoft.com/en-US/windows/windows-1
Keeping Windows 10 up to date involves deploying a feature update, and Upgrade Readiness tools help you prepare and plan for these Windows updates.
The latest cumulative updates must be installed on Windows 10 computers to make sure that the required compatibility updates are installed. You can find the latest cumulative update on the [Microsoft Update Catalog](https://catalog.update.microsoft.com).
-Windows 10 LTSB is not supported by Upgrade Readiness. The Long-Term Servicing Channel of Windows 10 is not intended for general deployment, and does not receive feature updates, therefore it is not compatible with Upgrade Readiness. See [Windows as a service overview](../update/waas-overview.md#long-term-servicing-channel) to understand more about LTSB.
+While Upgrade Readiness can be used to assist with updating devices from Windows 10 Long-Term Servicing Channel (LTSC) to Windows 10 Semi-Annual Channel, Upgrade Readiness does not support updates to Windows 10 LTSC. The Long-Term Servicing Channel of Windows 10 is not intended for general deployment, and does not receive feature updates, therefore it is not a supported target with Upgrade Readiness. See [Windows as a service overview](../update/waas-overview.md#long-term-servicing-channel) to understand more about LTSC.
## Operations Management Suite
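Review bot: the added first sentence says Upgrade Readiness "can be used to assist with updating devices from Windows 10 Long-Term Servicing Channel (LTSC) to Windows 10 Semi-Annual Channel" and, in the same sentence, "does not support updates to Windows 10 LTSC", which reads as a contradiction until the reader notices the from/to distinction. Split it into one sentence for the supported direction (LTSC as the source) and one for the unsupported direction (LTSC as the target). "does not receive feature updates, therefore it is not a supported target" is a comma splice; use "and is therefore not a supported target".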
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-considerations.md b/windows/security/identity-protection/credential-guard/credential-guard-considerations.md
index 01dbef4001..8457313a96 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-considerations.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-considerations.md
@@ -24,7 +24,7 @@ Passwords are still weak. We recommend that in addition to deploying Windows Def
Windows Defender Credential Guard uses hardware security, so some features such as Windows To Go, are not supported.
## Wi-fi and VPN Considerations
-When you enable Windows Defender Credential Guard, you can no longer use NTLM classic deployment model authentication. If you are using WiFi and VPN endpoints that are based on MS-CHAPv2, they are subject to similar attacks as for NTLMv1. For WiFi and VPN connections, Microsoft recommends that organizations move from MSCHAPv2-based connections such as PEAP-MSCHAPv2 and EAP-MSCHAPv2, to certificate-based authentication such as PEAP-TLS or EAP-TLS.
+When you enable Windows Defender Credential Guard, you can no longer use NTLM classic authentication for Single Sign-On. You will be forced to enter your credentials to use these protocols and cannot save the credentials for future use. If you are using WiFi and VPN endpoints that are based on MS-CHAPv2, they are subject to similar attacks as for NTLMv1. For WiFi and VPN connections, Microsoft recommends that organizations move from MSCHAPv2-based connections such as PEAP-MSCHAPv2 and EAP-MSCHAPv2, to certificate-based authentication such as PEAP-TLS or EAP-TLS.
## Kerberos Considerations
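Review bot: "these protocols" in the added second sentence has no antecedent; only "NTLM classic authentication" is named before it. Either name the protocols meant or change it to "this protocol". The same line spells the protocol both "MS-CHAPv2" and "MSCHAPv2", and the heading says "Wi-fi" while the text says "WiFi"; pick one spelling of each. The statement that users "cannot save the credentials for future use" is a user-visible behaviour change, so a one-line explanation of why Credential Guard prevents it would help the reader understand the impact.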
diff --git a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
index bb2ff3ed96..bdeb514ae1 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
@@ -18,7 +18,7 @@ This topic explains how BitLocker Device Encryption can help protect data on de
For an architectural overview about how BitLocker Device Encryption works with Secure Boot, see [Secure boot and BitLocker Device Encryption overview](https://docs.microsoft.com/windows-hardware/drivers/bringup/secure-boot-and-device-encryption-overview).
For a general overview and list of topics about BitLocker, see [BitLocker](bitlocker-overview.md).
-When users travel, their organization’s confidential data goes with them. Wherever confidential data is stored, it must be protected against unauthorized access. Windows has a long history of providing at-rest data-protection solutions that guard against nefarious attackers, beginning with the Encrypting File System in the Windows 2000 operating system. More recently, BitLocker has provided encryption for full drives and portable drives; in Windows 10, BitLocker will even protect individual files, with data loss prevention capabilities. Windows consistently improves data protection by improving existing options and by providing new strategies.
+When users travel, their organization’s confidential data goes with them. Wherever confidential data is stored, it must be protected against unauthorized access. Windows has a long history of providing at-rest data-protection solutions that guard against nefarious attackers, beginning with the Encrypting File System in the Windows 2000 operating system. More recently, BitLocker has provided encryption for full drives and portable drives. Windows consistently improves data protection by improving existing options and by providing new strategies.
Table 2 lists specific data-protection concerns and how they are addressed in Windows 10 and Windows 7.
diff --git a/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.md b/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.md
index b56af7542a..267a2e2428 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.md
@@ -336,7 +336,7 @@ To use Network Unlock you must also have a PIN configured for your computer. Whe
BitLocker Network Unlock has software and hardware requirements for both client computers, Windows Deployment services, and domain controllers that must be met before you can use it.
Network Unlock uses two protectors, the TPM protector and the one provided by the network or by your PIN, whereas automatic unlock uses a single protector, the one stored in the TPM. If the computer is joined to a network without the key protector it will prompt you to enter your PIN. If the PIN is
-not available you will need to use the recovery key to unlock the computer if it can ot be connected to the network.
+not available you will need to use the recovery key to unlock the computer if it can not be connected to the network.
For more info, see [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md).
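Review bot: the fix turns "can ot" into "can not"; standard usage is the single word "cannot". The sentence is also hard-wrapped mid-clause across two source lines ("If the PIN is" / "not available ..."), harmless when rendered but worth joining while the line is touched, and it stacks two conditionals; "If the computer cannot be connected to the network and the PIN is not available, you will need to use the recovery key to unlock the computer" is clearer.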
diff --git a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md
index d5952e711b..961c0d224c 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md
@@ -108,7 +108,7 @@ For Azure AD-joined computers, including virtual machines, the recovery password
```
PS C:\>Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector
-PS C:\>$BLV = Get-BitLockerVolume -MountPoint "C:”
+PS C:\>$BLV = Get-BitLockerVolume -MountPoint "C:"
PS C:\>BackupToAAD-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $BLV.KeyProtector[0].KeyProtectorId
```
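Review bot: `$BLV.KeyProtector[0].KeyProtectorId` assumes the recovery password protector added on the first line sits at index 0 of the KeyProtector array. On a volume that already has a TPM protector, index 0 is normally that TPM protector, so the snippet can hand `BackupToAAD-BitLockerKeyProtector` the wrong ID and the recovery password never reaches Azure AD while the reader believes it has been escrowed. Select the protector by type instead, for example `$RP = $BLV.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'` and pass `$RP.KeyProtectorId` (add `Select-Object -Last 1` if more than one recovery password exists). The quote fix itself is fine.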
@@ -118,7 +118,7 @@ For domain-joined computers, including servers, the recovery password should be
```
PS C:\>Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector
-PS C:\>$BLV = Get-BitLockerVolume -MountPoint "C:”
+PS C:\>$BLV = Get-BitLockerVolume -MountPoint "C:"
PS C:\>Backup-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $BLV.KeyProtector[0].KeyProtectorId
```
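Review bot: both PowerShell blocks in this file (this one and the Azure AD block above) are fenced without a language tag and carry a `PS C:\>` prompt on every line, which defeats copy-paste; tag the fences `powershell` and drop the prompts. The same `$BLV.KeyProtector[0]` indexing caveat applies here: on a volume that already has a TPM protector, index 0 is not the recovery password protector just added, so `Backup-BitLockerKeyProtector` may be passed the wrong ID; select the protector with `Where-Object KeyProtectorType -eq 'RecoveryPassword'` instead.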
diff --git a/windows/security/information-protection/windows-information-protection/images/robocopy-s-mode.png b/windows/security/information-protection/windows-information-protection/images/robocopy-s-mode.png
new file mode 100644
index 0000000000..19fd27b480
Binary files /dev/null and b/windows/security/information-protection/windows-information-protection/images/robocopy-s-mode.png differ
diff --git a/windows/security/threat-protection/applocker/requirements-to-use-applocker.md b/windows/security/threat-protection/applocker/requirements-to-use-applocker.md
index 96c05fcdee..846cc26a49 100644
--- a/windows/security/threat-protection/applocker/requirements-to-use-applocker.md
+++ b/windows/security/threat-protection/applocker/requirements-to-use-applocker.md
@@ -35,7 +35,7 @@ The following table show the on which operating systems AppLocker features are s
| Version | Can be configured | Can be enforced | Available rules | Notes |
| - | - | - | - | - |
-| Windows 10| Yes| Yes| Packaged apps
Executable
Windows Installer
Script
DLL| You can use the [AppLocker CSP](http://msdn.microsoft.com/library/windows/hardware/dn920019.aspx) to configure AppLocker policies on any edition of Windows 10. You can only manage AppLocker with Group Policy on devices running Windows 10 Enterprise, Windows 10 Education, and Windows Server 2016. |
+| Windows 10| Yes| Yes| Packaged apps
Executable
Windows Installer
Script
DLL| You can use the [AppLocker CSP](http://msdn.microsoft.com/library/windows/hardware/dn920019.aspx) to configure AppLocker policies on any edition of Windows 10 supported by Mobile Device Management (MDM). You can only manage AppLocker with Group Policy on devices running Windows 10 Enterprise, Windows 10 Education, and Windows Server 2016. |
| Windows Server 2016
Windows Server 2012 R2
Windows Server 2012| Yes| Yes| Packaged apps
Executable
Windows Installer
Script
DLL| |
| Windows 8.1 Pro| Yes| No| N/A||
| Windows 8.1 Enterprise| Yes| Yes| Packaged apps
Executable
Windows Installer
Script
DLL| |
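Review bot: the section intro visible in the hunk header, "The following table show the on which operating systems AppLocker features are supported", is garbled; it should read "The following table shows the operating systems on which AppLocker features are supported". The "Packaged apps / Executable / Windows Installer / Script / DLL" cells in the changed row appear to have lost their line-break markup in this view, so verify that the row still renders as a single table row after the edit. The AppLocker CSP link still points at the old `msdn.microsoft.com/library/windows/hardware/dn920019.aspx` location; consider updating it to the current docs location while the row is being touched.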
diff --git a/windows/security/threat-protection/auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md b/windows/security/threat-protection/auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md
index f2d774c843..0c5a957bec 100644
--- a/windows/security/threat-protection/auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md
+++ b/windows/security/threat-protection/auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md
@@ -15,18 +15,7 @@ ms.date: 04/19/2017
**Applies to**
- Windows 10
-This reference topic for the IT professional describes which versions of the Windows operating systems support advanced security auditing policies.
+Advanced audit policy configuration is supported on all versions of Windows since it was introduced in Windows Vista.
+There is no difference in security auditing support between 32-bit and 64-bit versions.
+Windows editions that cannot join a domain, such as Windows 10 Home edition, do not have access to these features.
-Versions of the Windows operating system that cannot join a domain do not have access to these features. There is no difference in security auditing support between 32-bit and 64-bit versions.
-
-## Are there any special considerations?
-
-In addition, the following special considerations apply to the various tasks associated with advanced security auditing enhancements:
-
-- **Creating an audit policy.** To create an advanced security auditing policy, you must use a computer running any supported version of Windows. You can use the Group Policy Management Console (GPMC) on a computer running a supported version of the Windows client operating system after installing the Remote Server Administration Tools.
-- **Applying audit policy settings.** If you are using Group Policy to apply the advanced audit policy settings and global object access settings, client computers must be running any supported version of the Windows server operating system or Windows client operating system. In addition, only computers running any of these supported operating systems can provide "reason for access" reporting data.
-- **Developing an audit policy model.** To plan advanced security audit settings and global object access settings, you must use the GPMC that targets a domain controller running a supported version of the Windows server operating system.
-- **Distributing the audit policy.** After a Group Policy Object (GPO) that includes advanced security auditing settings is developed, it can be distributed by using domain controllers running any Windows Server operating system.
-However, if you cannot put client computers running a supported version of the Windows client operating system into a separate organizational unit (OU), you should use Windows Management Instrumentation (WMI) filtering to ensure that the advanced security auditing policy settings are applied only to client computers running a supported version of the Windows client operating system.
-
->**Important:** Using both the basic auditing policy settings under **Local Policies\\Audit Policy** and the advanced auditing policy settings under **Advanced Audit Policy Configuration** can cause unexpected results in audit reporting. Therefore, the two sets of audit policy settings should not be combined. If you use advanced audit policy configuration settings, you should enable the **Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings** policy setting under **Local Policies\\Security Options**. This will prevent conflicts between similar settings by forcing basic security auditing to be ignored.
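Review bot: this deletion removes the **Important** guidance that basic audit policy settings under **Local Policies\Audit Policy** and the settings under **Advanced Audit Policy Configuration** should not be combined, and that **Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings** should be enabled when advanced settings are used. That is the one operationally significant security statement on the page (the removed text explains that mixing the two causes unexpected results in audit reporting), and nothing in the replacement text carries it; keep the Important block, or confirm in the PR that it lives on another page and link to it. The rewritten first sentence would also read more cleanly as "Advanced audit policy configuration is supported on all versions of Windows since Windows Vista, where it was introduced."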
diff --git a/windows/security/threat-protection/device-guard/deploy-device-guard-enable-virtualization-based-security.md b/windows/security/threat-protection/device-guard/deploy-device-guard-enable-virtualization-based-security.md
index ab3baf28eb..400d1f0540 100644
--- a/windows/security/threat-protection/device-guard/deploy-device-guard-enable-virtualization-based-security.md
+++ b/windows/security/threat-protection/device-guard/deploy-device-guard-enable-virtualization-based-security.md
@@ -22,30 +22,9 @@ Virtualization-based protection of code integrity (herein referred to as Hypervi
Use the following procedure to enable virtualization-based protection of code integrity:
-1. **Decide whether to use the procedures in this topic, or to use the Windows Defender Device Guard readiness tool**. To enable HVCI, you can use [the Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/en-us/download/details.aspx?id=53337) or follow the procedures in this topic.
+1. Decide whether to use the procedures in this topic, or to use [the Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/en-us/download/details.aspx?id=53337).
-2. **Verify that hardware and firmware requirements are met**. Verify that your client computers have the hardware and firmware to run HVCI. For a list of requirements, see [Hardware, firmware, and software requirements for Windows Defender Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-windows-defender-device-guard).
-
-3. **Enable the necessary Windows features**. You can use the [hardware readiness tool](https://www.microsoft.com/en-us/download/details.aspx?id=53337) or see [Windows feature requirements for virtualization-based security](#windows-feature-requirements-for-virtualization-based-protection-of-code-integrity).
-
-4. **Enable additional features as desired**. You can use the [hardware readiness tool](https://www.microsoft.com/en-us/download/details.aspx?id=53337) or see [Enable virtualization-based protection of code integrity](#enable-virtualization-based-protection-of-code-integrity).
-
-## Windows feature requirements for virtualization-based protection of code integrity
-
-Make sure these operating system features are enabled before you can enable HVCI:
-
-- Beginning with Windows 10, version 1607 or Windows Server 2016:
-Hyper-V Hypervisor, which is enabled automatically. No further action is needed.
-
-- With an earlier version of Windows 10:
-Hyper-V Hypervisor and Isolated User Mode (shown in Figure 1).
-
-
-
-**Figure 1. Enable operating system features for HVCI, Windows 10, version 1511**
-
-> [!NOTE]
-> You can configure these features by using Group Policy or Dism.exe, or manually by using Windows PowerShell or the Windows Features dialog box.
+2. Verify that [hardware and firmware requirements](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-windows-defender-device-guard) are met.
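Review bot: after the rewrite the procedure stops at step 2 (verify hardware and firmware requirements) and no longer sends the reader on to the enabling steps; the removed steps 3 and 4 were the links to `#windows-feature-requirements-for-virtualization-based-protection-of-code-integrity` and `#enable-virtualization-based-protection-of-code-integrity`. Add a step 3 pointing at the "## Enable virtualization-based protection of code integrity" section that follows, and check that no other page still links to the removed feature-requirements anchor. The removal also drops the only statement that Windows 10 releases earlier than version 1607 need Hyper-V Hypervisor and Isolated User Mode enabled first, while the Group Policy procedure later in this file still has a "With earlier versions of Windows 10:" bullet for those releases; either keep that sentence or drop pre-1607 coverage consistently.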
## Enable virtualization-based protection of code integrity
@@ -57,16 +36,12 @@ If you don't want to use the [hardware readiness tool](https://www.microsoft.com

- Figure 2. Create a new OU-linked GPO
-
2. Give the new GPO a name, then right-click the new GPO, and click **Edit**.
4. Within the selected GPO, navigate to Computer Configuration\\Policies\\Administrative Templates\\System\\Device Guard. Right-click **Turn On Virtualization Based Security**, and then click **Edit**.

- Figure 3. Enable virtualization-based security (VBS)
-
5. Select the **Enabled** button. For **Select Platform Security Level**:
- **Secure Boot** provides as much protection as a computer’s hardware can support. If the computer does not have input/output memory management units (IOMMUs), enable **Secure Boot**.
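Review bot: the visible steps in this hunk are numbered 2, 4, 5 with no step 3; if a step was removed earlier, renumber the list, since most markdown renderers will renumber it sequentially anyway and any reference to "step 4" in the text will then be off by one. Removing the "Figure 2" and "Figure 3" captions leaves the two screenshots without the text that told the reader what they show; if the captions go, make sure the images' alt text carries that description.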
@@ -78,9 +53,7 @@ If you don't want to use the [hardware readiness tool](https://www.microsoft.com
- With earlier versions of Windows 10:
Select the **Enable Virtualization Based Protection of Code Integrity** check box.
- 
-
- Figure 5. Configure HVCI, Lock setting (in Windows 10, version 1607)
+ 
7. Close the Group Policy Management Editor, and then restart the Windows 10 test computer. The settings will take effect upon restart.
@@ -281,12 +254,10 @@ This field indicates whether VBS is enabled and running.
This field lists the computer name. All valid values for computer name.
-Another method to determine the available and enabled Windows Defender Device Guard features is to run msinfo32.exe from an elevated PowerShell session. When you run this program, the Windows Defender Device Guard properties are displayed at the bottom of the **System Summary** section, as shown in Figure 6.
+Another method to determine the available and enabled Windows Defender Device Guard features is to run msinfo32.exe from an elevated PowerShell session. When you run this program, the Windows Defender Device Guard properties are displayed at the bottom of the **System Summary** section.

-Figure 6. Windows Defender Device Guard properties in the System Summary
-
## Related topics
- [Introduction to Windows Defender Device Guard: virtualization-based security and Windows Defender Application Control](introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
diff --git a/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md b/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md
index 75dda71497..8e5b6d0232 100644
--- a/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md
+++ b/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md
@@ -175,7 +175,7 @@ To gain the most value out of the baseline subscription we recommend to have the
- Enable disabled event channels and set the minimum size for modern event files.
- Currently, there is no GPO template for enabling or setting the maximum size for the modern event files. This must be done by using a GPO. For more info, see [Appendix C – Event Channel Settings (enable and Channel Access) methods](#bkmk-appendixc).
-The annotated event query can be found in the following. For more info, see [Appendix F – Annotated Baseline Subscription Event Query](#bkmk-appendixf).
+The annotated event query can be found in the following. For more info, see [Appendix F – Annotated Suspect Subscription Event Query](#bkmk-appendixf).
- Anti-malware events from Microsoft Antimalware or Windows Defender. This can be configured for any given anti-malware product easily if it writes to the Windows event log.
- Security event log Process Create events.
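Review bot: the `+` line renames the link text to "Appendix F – Annotated Suspect Subscription Event Query" while keeping the `#bkmk-appendixf` anchor, yet the paragraph it sits in (hunk header: "To gain the most value out of the baseline subscription") is still about the baseline subscription; confirm that Appendix F really is the suspect-subscription query and, if this paragraph is meant to send readers to the baseline query, link the baseline appendix here instead. The lead-in "The annotated event query can be found in the following." is a fragment; "The annotated event query is in Appendix F – …" says the same thing and can replace both sentences. Visible in the unchanged context just above: "there is no GPO template for enabling or setting the maximum size … This must be done by using a GPO" contradicts itself, so it is worth checking what mechanism that sentence actually intends while this paragraph is being edited.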
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md
index 8bfa75ff42..39660adda8 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md
@@ -82,7 +82,7 @@ Hiding notifications can be useful in situations where you cannot hide the entir
> [!NOTE]
> Hiding notifications will only occur on endpoints to which the policy has been deployed. Notifications related to actions that must be taken (such as a reboot) will still appear on the [System Center Configuration Manager Endpoint Protection monitoring dashboard and reports](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/monitor-endpoint-protection).
-See the [Customize the Windows Defender Security Center app for your organization](/windows/threat-protection/windows-defender-security-center/windows-defender-security-center-antivirus) topic for instructions to add custom contact information to the notifications that users see on their machines.
+See the [Customize the Windows Defender Security Center app for your organization](/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md) topic for instructions to add custom contact information to the notifications that users see on their machines.
**Use Group Policy to hide notifications:**
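Review bot: the new target `/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md` mixes a root-relative path with a `.md` extension, unlike the other links in this hunk (a full `https://docs.microsoft.com/...` URL in the NOTE line, and the extension-less site path the `-` line used); pick one form so the link resolves both on the docs site and in the repo. The link text also promises instructions for adding custom contact information, but the target is the Security Center overview page; that overview (edited later in this same patch) lists a separate "Showing and customizing contact information on the app and in notifications" topic, wdsc-customize-contact-information.md, which looks like the intended target.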
diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md
index 3ccb022cec..f8fb6d41ba 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md
@@ -9,9 +9,9 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: iaanw
-ms.author: iawilt
-ms.date: 10/12/2017
+author: andreabichsel
+ms.author: v-anbic
+ms.date: 04/11/2018
---
@@ -59,6 +59,9 @@ This topic includes the following instructions for setting up and running Window
## Enable or disable the interface on Windows Server 2016
By default, Windows Defender AV is installed and functional on Windows Server 2016. The user interface is installed by default on some SKUs, but is not required.
+>[!NOTE]
+>You can't uninstall the Windows Defender Security Center app, but you can disable the interface with these instructions.
+
If the interface is not installed, you can add it in the **Add Roles and Features Wizard** at the **Features** step, under **Windows Defender Features** by selecting the **GUI for Windows Defender** option.

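Review bot: the added NOTE says the Windows Defender Security Center app can't be uninstalled, but the paragraph it follows says the user interface "is installed by default on some SKUs, but is not required", and the next paragraph adds it as the "GUI for Windows Defender" feature through the Add Roles and Features Wizard, so readers will take the note as contradicting the section. State which component cannot be removed and which one the instructions below actually disable (the GUI feature versus the app). Also add a blank line before `>[!NOTE]`, matching the blank line the change already inserts after it, so the note is not glued to the preceding paragraph.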
diff --git a/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md
index 5ed68d6744..5f5563cbb6 100644
--- a/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md
+++ b/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md
@@ -30,7 +30,7 @@ These settings, located at **Computer Configuration\Administrative Templates\Net
|-----------|------------------|-----------|
|Private network ranges for apps|At least Windows Server 2012, Windows 8, or Windows RT|A comma-separated list of IP address ranges that are in your corporate network. Included endpoints or endpoints that are included within a specified IP address range, are rendered using Microsoft Edge and won't be accessible from the Application Guard environment.|
|Enterprise resource domains hosted in the cloud|At least Windows Server 2012, Windows 8, or Windows RT|A pipe-separated (\|) list of your domain cloud resources. Included endpoints are rendered using Microsoft Edge and won't be accessible from the Application Guard environment. Notes: 1) Please include a full domain name (www.contoso.com) in the configuration 2) You may optionally use "." as a wildcard character to automatically trust subdomains. Configuring ".constoso.com" will automatically trust "subdomain1.contoso.com", "subdomain2.contoso.com" etc. |
-|Domains categorized as both work and personal|At least Windows Server 2012, Windows 8, or Windows RT|A comma-separated list of domain names used as both work or personal resources. Included endpoints are rendered using Microsoft Edge and won't be accessible from the Application Guard environment.|
+|Domains categorized as both work and personal|At least Windows Server 2012, Windows 8, or Windows RT|A comma-separated list of domain names used as both work or personal resources. Included endpoints are rendered using Microsoft Edge and will be accessible from the Application Guard and regular Edge environment.|
### Application-specific settings
These settings, located at **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard**, can help you to manage your company's implementation of Application Guard.
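Review bot: the rewritten row now says endpoints in the work-and-personal list "will be accessible from the Application Guard and regular Edge environment", the opposite of the two rows above it; since this is the one list that exposes a resource to both the isolated container and the host browser, say so plainly (for example "reachable from both the Application Guard container and the host Microsoft Edge session") so admins understand that entries here cross the isolation boundary and keep the list to what genuinely must be reachable from both sides. Two wording fixes in the same table: "used as both work or personal resources" should be "both work and personal", and the unchanged row above still has the typo ".constoso.com" where ".contoso.com" is meant.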
diff --git a/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md b/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md
index a9148f2252..7e437ce4b1 100644
--- a/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md
+++ b/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md
@@ -13,7 +13,8 @@ ms.date: 10/23/2017
# Windows Defender Application Guard overview
**Applies to:**
-- Windows 10 Enterprise edition, version 1709
+- Windows 10 Enterprise edition, version 1709 or higher
+- Windows 10 Professional edition, version 1803
The threat landscape is continually evolving. While hackers are busy developing new techniques to breach enterprise networks by compromising workstations, phishing schemes remain one of the top ways to lure employees into social engineering attacks.
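Review bot: "version 1709 or higher" in the Applies to list should use the "or later" / "and later" phrasing this patch uses for Windows versions elsewhere (for example "Windows 10, version 1703 and later" in the windows-defender-security-center.md hunk). If Professional edition is supported from 1803 onward, the second bullet needs the same qualifier; as written it reads as 1803 only.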
@@ -27,7 +28,7 @@ If an employee goes to an untrusted site through either Microsoft Edge or Intern

### What types of devices should use Application Guard?
-Application Guard has been created to target 3 types of enterprise systems:
+Application Guard has been created to target several types of systems:
- **Enterprise desktops.** These desktops are domain-joined and managed by your organization. Configuration management is primarily done through System Center Configuration Manager or Microsoft Intune. Employees typically have Standard User privileges and use a high-bandwidth, wired, corporate network.
@@ -35,6 +36,8 @@ Application Guard has been created to target 3 types of enterprise systems:
- **Bring your own device (BYOD) mobile laptops.** These personally-owned laptops are not domain-joined, but are managed by your organization through tools like Microsoft Intune. The employee is typically an admin on the device and uses a high-bandwidth wireless corporate network while at work and a comparable personal network while at home.
+- **Personal devices.** These personally-owned desktops or mobile laptops are not domain-joined or managed by an organization. The user is an admin on the device and uses a high-bandwidth wireless personal network while at home or a comparable public network while outside.
+
## In this section
|Topic |Description |
|------|------------|
@@ -42,4 +45,4 @@ Application Guard has been created to target 3 types of enterprise systems:
|[Prepare and install Windows Defender Application Guard](install-wd-app-guard.md) |Provides instructions about determining which mode to use, either Standalone or Enterprise-managed, and how to install Application Guard in your organization.|
|[Configure the Group Policy settings for Windows Defender Application Guard](configure-wd-app-guard.md) |Provides info about the available Group Policy and MDM settings.|
|[Testing scenarios using Windows Defender Application Guard in your business or organization](test-scenarios-wd-app-guard.md)|Provides a list of suggested testing scenarios that you can use to test Windows Defender Application Guard (Application Guard) in your organization.|
-|[Frequently Asked Questions - Windows Defender Application Guard](faq-wd-app-guard.md)|Common questions and answers around the features and functionality of Application Guard.|
\ No newline at end of file
+|[Frequently Asked Questions - Windows Defender Application Guard](faq-wd-app-guard.md)|Common questions and answers around the features and functionality of Application Guard.|
diff --git a/windows/security/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md
index 82d802c5f9..412d63e5fe 100644
--- a/windows/security/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md
@@ -67,18 +67,18 @@ POST /72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/token HTTP/1.1
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded
-resource=https%3A%2F%2FWDATPAlertExport.Seville.onmicrosoft.com&client_id=35e0f735-5fe4-4693-9e68-3de80f1d3745&client_secret=IKXc6PxB2eoFNJ%2FIT%2Bl2JZZD9d9032VXz6Ul3D2WyUQ%3D&grant_type=client_credentials
+resource=https%3A%2F%2Fgraph.windows.net&client_id=35e0f735-5fe4-4693-9e68-3de80f1d3745&client_secret=IKXc6PxB2eoFNJ%2FIT%2Bl2JZZD9d9032VXz6Ul3D2WyUQ%3D&grant_type=client_credentials
```
The response will include an access token and expiry information.
```json
{
- "token type": "Bearer",
- "expires in": "3599"
+ "token_type": "Bearer",
+ "expires_in": "3599",
"ext_expires_in": "0",
"expires_on": "1488720683",
"not_before": "1488720683",
- "resource": "https://WDATPAlertExport.Seville.onmicrosoft.com",
+ "resource": "https://graph.windows.net",
"access_token":"eyJ0eXaioJJOIneiowiouqSuzNiZ345FYOVkaJL0625TueyaJasjhIjEnbMlWqP..."
}
```
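Review bot: the request body in the `-`/`+` lines carries a literal `client_secret=IKXc6PxB2eoFNJ%2FIT%2Bl2JZZD9d9032VXz6Ul3D2WyUQ%3D` alongside a real-looking `client_id` and a tenant GUID in the POST line; even if these values are dead, a docs sample should not show a secret that looks real, because readers copy it and secret scanners flag it. Replace them with obvious placeholders such as `client_id={client_id}&client_secret={url_encoded_client_secret}` and do the same for the `access_token` value in the JSON response. The `resource` change to `https://graph.windows.net` is applied consistently to the request and the response body, which is good.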
@@ -117,7 +117,7 @@ Authorization: Bearer
The following example demonstrates a request to get the last 20 alerts since 2016-09-12 00:00:00.
```syntax
-GET https://wdatp-alertexporter-eu.windows.com/api/alerts?limit=20&sinceTimeUtc="2016-09-12 00:00:00"
+GET https://wdatp-alertexporter-eu.windows.com/api/alerts?limit=20&sinceTimeUtc=2016-09-12T00:00:00.000
Authorization: Bearer
```
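Review bot: the new `sinceTimeUtc=2016-09-12T00:00:00.000` value correctly drops the quotes from the query string, but it has no `Z` suffix or other zone designator even though the parameter name says UTC; either add the designator or state in the sentence above which timestamp format the API accepts, so readers do not pass a local time. The `Authorization: Bearer` line has no token placeholder; `Authorization: Bearer {access_token}` makes it clear that the token from the earlier response goes here.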
diff --git a/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md b/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md
index 8c998be64f..75d70268f2 100644
--- a/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md
+++ b/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md
@@ -9,9 +9,9 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: iaanw
-ms.author: iawilt
-ms.date: 10/17/2017
+author: andreabichsel
+ms.author: v-anbic
+ms.date: 04/11/2018
---
@@ -39,12 +39,18 @@ In Windows 10, version 1709, we increased the scope of the app to also show info
>[!NOTE]
>The Windows Defender Security Center app is a client interface on Windows 10, version 1703 and later. It is not the Windows Defender Security Center web portal console that is used to review and manage [Windows Defender Advanced Threat Protection](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection).
-This library describes the Windows defender Security Center app, and provides information on configuring certain features, inlcuding:
+This library describes the Windows Defender Security Center app, and provides information on configuring certain features, including:
- [Showing and customizing contact information on the app and in notifications](wdsc-customize-contact-information.md)
- [Hiding notifications](wdsc-hide-notifications.md)
+You can't uninstall the Windows Defender Security Center app, but you can do one of the following:
+
+- Disable the interface on Windows Server 2016. See [Windows Defender Antivirus on Windows Server 2016](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016).
+- Hide all of the sections on client computers (see below).
+- Disable Windows Defender Antivirus, if needed. See [Enable and configure Windows Defender AV always-on protection and monitoring](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus).
+
You can find more information about each section, including options for configuring the sections - such as hiding each of the sections - at the following topics:
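Review bot: the third added bullet, "Disable Windows Defender Antivirus, if needed", does not answer "you can't uninstall the Windows Defender Security Center app, but you can do one of the following"; turning off the AV engine neither removes nor hides the app, and listing it as an alternative invites readers to weaken protection to get rid of a UI. Drop it, or move it into its own sentence that says what it is for. Formatting: the `+You can't uninstall…` line directly follows the `- [Hiding notifications]` list item with no blank line, so Markdown will parse it as a lazy continuation of that list item; insert a blank line before it. The second bullet's "(see below)" should name what it refers to, namely the per-section topics introduced in the next paragraph.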