deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-15 10:23:37 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merged PR 12750: from master

Browse Source
This commit is contained in:
Joey Caparas
2018-11-12 05:07:26 +00:00
parent 251963267f be6f09b7c3
commit 79e99b6ba5
11 changed files with 291 additions and 131 deletions
Download Patch File Download Diff File Expand all files Collapse all files

217
windows/application-management/apps-in-windows-10.md
View File

@ -18,124 +18,25 @@ The following types of apps run on Windows 10:
- "Win32" apps - traditional Windows applications.
Digging into the Windows apps, there are two categories:
- System apps - Apps that are installed in the c:\Windows\* directory. These apps are integral to the OS.
- Apps - All other apps, installed in c:\Program Files\WindowsApps. There are two classes of apps:
- Apps - All other apps, installed in C:\Program Files\WindowsApps. There are two classes of apps:
- Provisioned: Installed in user account the first time you sign in with a new user account.
- Installed: Installed as part of the OS.
- System apps - Apps that are installed in the C:\Windows\* directory. These apps are integral to the OS.
The following tables list the system apps, installed Windows apps, and provisioned Windows apps in a standard Windows 10 Enterprise installation. (If you have a custom image, your specific apps might differ.) The tables list the app, the full name, show the app's status in Windows 10 version 1607, 1703, and 1709, and indicate whether an app can be uninstalled through the UI.
Some of the apps show up in multiple tables - that's because their status changed between versions. Make sure to check the version column for the version you are currently running.
> [!TIP]
> Want to see a list of the apps installed on your specific image? You can run the following PowerShell cmdlet:
> ```powershell
> Get-AppxPackage | select Name,PackageFamilyName
> Get-AppxProvisionedPackage -Online | select DisplayName,PackageName
> ```
## System apps
System apps are integral to the operating system. Here are the typical system apps in Windows 10 versions 1703, 1709, and 1803.
| Name | Full name |1703 | 1709 | 1803 |Uninstall through UI? |
|------------------|-------------------------------------------|:------:|:------:|:------:|-------------------------------------------------------|
| Cortana UI | CortanaListenUIApp | x | | |No |
| | Desktop Learning | x | | |No |
| | DesktopView | x | | |No |
| | EnvironmentsApp | x | | |No |
| Mixed Reality + | HoloCamera | x | | |No |
| Mixed Reality + | HoloItemPlayerApp | x | | |No |
| Mixed Reality + | HoloShell | x | | |No |
| | InputApp | | x | x |No |
| | Microsoft.AAD.Broker.Plugin | x | x | x |No |
| | Microsoft.AccountsControl | x | x | x |No |
| Hello setup UI | Microsoft.BioEnrollment | x | x | x |No |
| | Microsoft.CredDialogHost | x | x | x |No |
| | Microsoft.ECApp | | x | x |No |
| | Microsoft.LockApp | x | x | x |No |
| Microsoft Edge | Microsoft.Microsoft.Edge | x | x | x |No |
| | Microsoft.PPIProjection | x | x | x |No |
| | Microsoft.Windows. Apprep.ChxApp | x | x | x |No |
| | Microsoft.Windows. AssignedAccessLockApp | x | x | x |No |
| | Microsoft.Windows. CloudExperienceHost | x | x | x |No |
| | Microsoft.Windows. ContentDeliveryManager | x | x | x |No |
| Cortana | Microsoft.Windows.Cortana | x | x | x |No |
| | Microsoft.Windows. Holographic.FirstRun | x | x | x |No |
| | Microsoft.Windows. ModalSharePickerHost | x | | |No |
| | Microsoft.Windows. OOBENetworkCaptivePort | x | x | x |No |
| | Microsoft.Windows. OOBENetworkConnectionFlow | x | x | x |No |
| | Microsoft.Windows. ParentalControls | x | x | x |No |
| People Hub | Microsoft.Windows. PeopleExperienceHost | | x | x |No |
| | Microsoft.Windows. PinningConfirmationDialog | | x | x |No |
| | Microsoft.Windows. SecHealthUI | x | x | x |No |
| | Microsoft.Windows. SecondaryTileExperience | x | x | |No |
| | Microsoft.Windows. SecureAssessmentBrowser | x | x | x |No |
| Start | Microsoft.Windows. ShellExperienceHost | x | x | x |No |
| Windows Feedback | Microsoft.WindowsFeedback | * | * | |No |
| | Microsoft.XboxGameCallableUI | x | x | x |No |
| Contact Support* | Windows.ContactSupport | x | * | |Via Optional Features app |
| Settings | Windows.ImmersiveControlPanel | x | x | |No |
| Connect | Windows.MiracastView | x | | |No |
| Print 3D | Windows.Print3D | | x | |Yes |
| Print UI | Windows.PrintDialog | x | x | x |No |
| Purchase UI | Windows.PurchaseDialog | | | x |No |
| | Microsoft.AsyncTextService | | | x |No |
| | Microsoft.MicrosoftEdgeDevToolsClient | | | x |No |
| | Microsoft.Win32WebViewHost | | | x |No |
| | Microsoft.Windows.CapturePicker | | | x |No |
| | Windows.CBSPreview | | | x |No |
|File Picker | 1527c705-839a-4832-9118-54d4Bd6a0c89 | | | x |No |
|File Explorer | c5e2524a-ea46-4f67-841f-6a9465d9d515 | | | x |No |
|App Resolver | E2A4F912-2574-4A75-9BB0-0D023378592B | | | x |No |
|Add Suggested folder Dialog box| F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE|| | x |No |
> [!NOTE]
> - The Contact Support app changed to Get Help in version 1709. Get Help is a provisioned app (instead of system app like Contact Support).
## Installed Windows apps
Here are the typical installed Windows apps in Windows 10 versions 1703, 1709, and 1803.
| Name | Full name | 1703 | 1709 | 1803 |Uninstall through UI? |
|--------------------|------------------------------------------|:----:|:----:|:----:|:----------------------:|
| Remote Desktop | Microsoft.RemoteDesktop | x | x | | Yes |
| PowerBI | Microsoft.Microsoft PowerBIforWindows | x | | | Yes |
| Code Writer | ActiproSoftwareLLC.562882FEEB491 | x | x | x | Yes |
| Eclipse Manager | 46928bounde.EclipseManager | x | x | x | Yes |
| Pandora | PandoraMediaInc.29680B314EFC2 | x | x | x | Yes |
| Photoshop Express | AdobeSystemIncorporated. AdobePhotoshop | x | x | x | Yes |
| Duolingo | D5EA27B7.Duolingo- LearnLanguagesforFree | x | x | x | Yes |
| Network Speed Test | Microsoft.NetworkSpeedTest | x | x | x | Yes |
| News | Microsoft.BingNews | x | x | x | Yes |
| Flipboard | | | | | Yes |
| | Microsoft.Advertising.Xaml | x | x | x | Yes |
| | Microsoft.NET.Native.Framework.1.2 | x | x | x | Yes |
| | Microsoft.NET.Native.Framework.1.3 | x | x | x | Yes |
| | Microsoft.NET.Native.Framework.1.6 | | x | x | Yes |
| | Microsoft.NET.Native.Framework.1.7 | | | x | Yes |
| | Microsoft.NET.Native.Framework.2.0 | | x | x | Yes |
| | Microsoft.NET.Native.Runtime.1.1 | | x | x | Yes |
| | Microsoft.NET.Native.Runtime.1.3 | x | x | | Yes |
| | Microsoft.NET.Native.Runtime.1.4 | x | x | x | Yes |
| | Microsoft.NET.Native.Runtime.1.6 | | x | x | Yes |
| | Microsoft.NET.Native.Runtime.1.7 | | | x | Yes |
| | Microsoft.NET.Native.Runtime.2.0 | | x | x | Yes |
| | Microsoft.Services.Store.Engagement | | x | x | Yes |
| | Microsoft.VCLibs.120.00 | x | x | x | Yes |
| | Microsoft.VCLibs.140.00 | x | x | x | Yes |
| | Microsoft.VCLibs.120.00.Universal | | x | | Yes |
| | Microsoft.VCLibs.140.00.UWPDesktop | | | x | Yes |
| | Microsoft.WinJS.2.0 | x | | | Yes |
---
## Provisioned Windows apps
Here are the provisioned Windows apps in Windows 10 versions 1703, 1709, 1803 and 1809.
```
> Get-AppxProvisionedPackage -Online | Select-Object DisplayName, PackageName
```
> [!TIP]
> You can list all provisioned Windows apps with this PowerShell command:
> ```
> Get-AppxProvisionedPackage -Online | Format-Table DisplayName, PackageName
> ```
| Package name | App name | 1703 | 1709 | 1803 | 1809 | Uninstall through UI? |
|----------------------------------------|--------------------------------------------------------------------------------------------------------------------|:----:|:----:|:----:|:----:|:---------------------:|
@ -152,7 +53,7 @@ Here are the provisioned Windows apps in Windows 10 versions 1703, 1709, 1803 an
| Microsoft.MicrosoftStickyNotes | [Microsoft Sticky Notes](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe) | x | x | x | x | No |
| Microsoft.MixedReality.Portal | [Mixed Reality Portal](ms-windows-store://pdp/?PFN=Microsoft.MixedReality.Portal_8wekyb3d8bbwe) | | | | x | No |
| Microsoft.MSPaint | [Paint 3D](ms-windows-store://pdp/?PFN=Microsoft.MSPaint_8wekyb3d8bbwe) | x | x | x | x | No |
| Microsoft.Office.OneNote | [OneNote](ms-windows-store://pdp/?PFN=Microsoft.Office.OneNote_8wekyb3d8bbwe) | x | x | x | x | Yes |
| Microsoft.Office.OneNote | [OneNote](ms-windows-store://pdp/?PFN=Microsoft.Office.OneNote_8wekyb3d8bbwe) | x | x | x | x | Yes |
| Microsoft.OneConnect | [Paid Wi-Fi & Cellular](ms-windows-store://pdp/?PFN=Microsoft.OneConnect_8wekyb3d8bbwe) | x | x | x | x | No |
| Microsoft.People | [Microsoft People](ms-windows-store://pdp/?PFN=Microsoft.People_8wekyb3d8bbwe) | x | x | x | x | No |
| Microsoft.Print3D | [Print 3D](ms-windows-store://pdp/?PFN=Microsoft.Print3D_8wekyb3d8bbwe) | | x | x | x | No |
@ -185,4 +86,106 @@ Here are the provisioned Windows apps in Windows 10 versions 1703, 1709, 1803 an
---
>[!NOTE]
>The Store app can't be removed. If you want to remove and reinstall the Store app, you can only bring Store back by either restoring your system from a backup or resetting your system. Instead of removing the Store app, you should use group policies to hide or disable it.
---
## System apps
System apps are integral to the operating system. Here are the typical system apps in Windows 10 versions 1703, 1709, and 1803.
> [!TIP]
> You can list all system apps with this PowerShell command:
> ```
> Get-AppxPackage -PackageTypeFilter Main | ? { $_.SignatureKind -eq "System" } | Sort Name | Format-Table Name, InstallLocation
> ```
| Name | Package Name | 1703 | 1709 | 1803 | Uninstall through UI? |
|----------------------------------|---------------------------------------------|:-----:|:----:|:----:|-----------------------|
| File Picker | 1527c705-839a-4832-9118-54d4Bd6a0c89 | | | x | No |
| File Explorer | c5e2524a-ea46-4f67-841f-6a9465d9d515 | | | x | No |
| App Resolver UX | E2A4F912-2574-4A75-9BB0-0D023378592B | | | x | No |
| Add Suggested Folders To Library | F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE | | | x | No |
| | InputApp | | x | x | No |
| Cortana UI | CortanaListenUIApp | x | | | No |
| | Desktop Learning | x | | | No |
| | DesktopView | x | | | No |
| | EnvironmentsApp | x | | | No |
| Mixed Reality + | HoloCamera | x | | | No |
| Mixed Reality + | HoloItemPlayerApp | x | | | No |
| Mixed Reality + | HoloShell | x | | | No |
| | Microsoft.AAD.Broker.Plugin | x | x | x | No |
| | Microsoft.AccountsControl | x | x | x | No |
| | Microsoft.AsyncTextService | | | x | No |
| Hello setup UI | Microsoft.BioEnrollment | x | x | x | No |
| | Microsoft.CredDialogHost | x | x | x | No |
| | Microsoft.ECApp | | x | x | No |
| | Microsoft.LockApp | x | x | x | No |
| Microsoft Edge | Microsoft.MicrosoftEdge | x | x | x | No |
| | Microsoft.MicrosoftEdgeDevToolsClient | | | x | No |
| | Microsoft.PPIProjection | x | x | | No |
| | Microsoft.Win32WebViewHost | | | x | No |
| | Microsoft.Windows.Apprep.ChxApp | x | x | x | No |
| | Microsoft.Windows.AssignedAccessLockApp | x | x | x | No |
| | Microsoft.Windows.CapturePicker | | | x | No |
| | Microsoft.Windows.CloudExperienceHost | x | x | x | No |
| | Microsoft.Windows.ContentDeliveryManager | x | x | x | No |
| Cortana | Microsoft.Windows.Cortana | x | x | x | No |
| | Microsoft.Windows.Holographic.FirstRun | x | x | | No |
| | Microsoft.Windows.ModalSharePickerHost | x | | | No |
| | Microsoft.Windows.OOBENetworkCaptivePort | x | x | x | No |
| | Microsoft.Windows.OOBENetworkConnectionFlow | x | x | x | No |
| | Microsoft.Windows.ParentalControls | x | x | x | No |
| People Hub | Microsoft.Windows.PeopleExperienceHost | | x | x | No |
| | Microsoft.Windows.PinningConfirmationDialog | | x | x | No |
| | Microsoft.Windows.SecHealthUI | x | x | x | No |
| | Microsoft.Windows.SecondaryTileExperience | x | x | | No |
| | Microsoft.Windows.SecureAssessmentBrowser | x | x | x | No |
| Start | Microsoft.Windows.ShellExperienceHost | x | x | x | No |
| Windows Feedback | Microsoft.WindowsFeedback | * | * | | No |
| | Microsoft.XboxGameCallableUI | x | x | x | No |
| | Windows.CBSPreview | | | x | No |
| Contact Support* | Windows.ContactSupport | x | * | | Via Settings App |
| Settings | Windows.immersivecontrolpanel | x | x | x | No |
| Connect | Windows.MiracastView | x | | | No |
| Print 3D | Windows.Print3D | | x | | Yes |
| Print UI | Windows.PrintDialog | x | x | x | No |
| Purchase UI | Windows.PurchaseDialog | | | | No |
> [!NOTE]
> - The Contact Support app changed to Get Help in version 1709. Get Help is a provisioned app (instead of system app like Contact Support).
## Installed Windows apps
Here are the typical installed Windows apps in Windows 10 versions 1703, 1709, and 1803.
| Name | Full name | 1703 | 1709 | 1803 |Uninstall through UI? |
|--------------------|------------------------------------------|:----:|:----:|:----:|:---------------------:|
| Remote Desktop | Microsoft.RemoteDesktop | x | x | | Yes |
| PowerBI | Microsoft.Microsoft PowerBIforWindows | x | | | Yes |
| Code Writer | ActiproSoftwareLLC.562882FEEB491 | x | x | x | Yes |
| Eclipse Manager | 46928bounde.EclipseManager | x | x | x | Yes |
| Pandora | PandoraMediaInc.29680B314EFC2 | x | x | x | Yes |
| Photoshop Express | AdobeSystemIncorporated. AdobePhotoshop | x | x | x | Yes |
| Duolingo | D5EA27B7.Duolingo- LearnLanguagesforFree | x | x | x | Yes |
| Network Speed Test | Microsoft.NetworkSpeedTest | x | x | x | Yes |
| News | Microsoft.BingNews | x | x | x | Yes |
| Flipboard | | | | | Yes |
| | Microsoft.Advertising.Xaml | x | x | x | Yes |
| | Microsoft.NET.Native.Framework.1.2 | x | x | x | Yes |
| | Microsoft.NET.Native.Framework.1.3 | x | x | x | Yes |
| | Microsoft.NET.Native.Framework.1.6 | | x | x | Yes |
| | Microsoft.NET.Native.Framework.1.7 | | | x | Yes |
| | Microsoft.NET.Native.Framework.2.0 | | x | x | Yes |
| | Microsoft.NET.Native.Runtime.1.1 | | x | x | Yes |
| | Microsoft.NET.Native.Runtime.1.3 | x | x | | Yes |
| | Microsoft.NET.Native.Runtime.1.4 | x | x | x | Yes |
| | Microsoft.NET.Native.Runtime.1.6 | | x | x | Yes |
| | Microsoft.NET.Native.Runtime.1.7 | | | x | Yes |
| | Microsoft.NET.Native.Runtime.2.0 | | x | x | Yes |
| | Microsoft.Services.Store.Engagement | | x | x | Yes |
| | Microsoft.VCLibs.120.00 | x | x | x | Yes |
| | Microsoft.VCLibs.140.00 | x | x | x | Yes |
| | Microsoft.VCLibs.120.00.Universal | | x | | Yes |
| | Microsoft.VCLibs.140.00.UWPDesktop | | | x | Yes |
| | Microsoft.WinJS.2.0 | x | | | Yes |
---

6
windows/client-management/mdm/passportforwork-ddf.md
View File

@ -21,7 +21,7 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic
The XML below is for Windows 10, version 1809.
``` syntax
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
"http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
@ -1262,7 +1262,7 @@ Note that enhanced anti-spoofing for Windows Hello face authentication is not re
<Replace />
</AccessType>
<DefaultValue>False</DefaultValue>
<Description>Enables/Disables Dyanamic Lock</Description>
<Description>Enables/Disables Dynamic Lock</Description>
<DFFormat>
<bool />
</DFFormat>
@ -1304,4 +1304,4 @@ Note that enhanced anti-spoofing for Windows Hello face authentication is not re
</Node>
</Node>
</MgmtTree>
```
```

1
windows/deployment/TOC.md
View File

@ -215,6 +215,7 @@
### [Quick guide to Windows as a service](update/waas-quick-start.md)
#### [Servicing stack updates](update/servicing-stack-updates.md)
### [Overview of Windows as a service](update/waas-overview.md)
### [Understand how servicing differs in Windows 10](update/waas-servicing-differences.md)
### [Prepare servicing strategy for Windows 10 updates](update/waas-servicing-strategy-windows-10-updates.md)
### [Build deployment rings for Windows 10 updates](update/waas-deployment-rings-windows-10-updates.md)
### [Assign devices to servicing channels for Windows 10 updates](update/waas-servicing-channels-windows-10-updates.md)

BIN
windows/deployment/update/images/servicing-cadence.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 53 KiB

BIN
windows/deployment/update/images/servicing-previews.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 76 KiB

106
windows/deployment/update/waas-servicing-differences.md Normal file
View File

@ -0,0 +1,106 @@
---
title: Servicing differences between Windows 10 and older operating systems
description: Learn the differences between servicing Windows 10 and servicing older operating systems.
keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: KarenSimWindows
ms.localizationpriority: medium
ms.author: karensim
ms.date: 11/09/2018
---
# Understanding the differences between servicing Windows 10-era and legacy Windows operating systems
>Applies to: Windows 10
Today, many enterprise customers have a mix of modern and legacy client and server operating systems. Managing the servicing and updating differences between those legacy operating systems and Windows 10 versions adds a level of complexity that is not well understood. This can be confusing. With the end of support for legacy [Windows 7 SP1](https://support.microsoft.com/help/4057281/windows-7-support-will-end-on-january-14-2020) and Windows Server 2008 R2 variants on January 14, 2020, System Administrators have a critical need critical to understand how best to leverage a modern workplace to support system updates.
The following provides an initial overview of how updating client and server differs between the Windows 10-era operating systems (such as Windows 10 version 1709, Windows Server 2016) and legacy operating systems (such as Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 R2).
>[!NOTE]
> A note on naming convention in this article: For brevity, "Windows 10" refers to all operating systems across client, server and IoT released since July 2015, while "legacy" refers to all operating systems prior to that period for client and server, including Windows 7, Window 8.1, Windows Server 2008 R2, Windows Server 2012 R2, etc.
## Infinite fragmentation
Prior to Windows 10, all updates to operating system (OS) components were published individually. On "Update Tuesday," customers would pick and choose individual updates they wanted to apply. Most chose to update security fixes, while far fewer selected non-security fixes, updated drivers, or installed .NET Framework updates.
As a result, each environment with the global Windows ecosystem that had only a subset of security and non-security fixes installed had a different set of binaries and behaviors than those that consistently installed every available update as tested by Microsoft.
This resulted in a fragmented ecosystem that created diverse challenges in predictively testing interoperability, resulting in high update failure rates - which were subsequently mitigated by customers removing individual updates that were causing issues. Each customer that selectively removed individual updates amplified this fragmentation by creating more diverse environment permutations across the ecosystem. As an IT Administrator once quipped, "If youve seen one Windows 7 PC, you have seen one Windows 7 PC," suggesting no consistency or predictability across more than 250M commercial devices at the time.
## Windows 10 Next generation
Windows 10 provided an opportunity to end the era of infinite fragmentation. With Windows 10 and the Windows as a service model, updates came rolled together in the "latest cumulative update" (LCU) packages for both client and server. Every new update published includes all changes from previous updates, as well as new fixes. Since Windows client and server share the same code base, these LCUs This helps simplify servicing. Devices with the original Release to Market (RTM) version of a feature release installed could get up to date by installing the most recent LCU.
Windows publishes the new LCU packages for each Windows 10 version (1607, 1709, etc.) on the second Tuesday of each month. This package is classified as a required security update and contains contents from the previous LCU as well as new security, non-security and Internet Explorer 11 (IE11) fixes. The security classification, by definition, requires a reboot of the device to complete installation of the update.
![Servicing cadence](images/servicing-cadence.png)
Another benefit of the LCU model is fewer steps. Devices that have the original Release to Market (RTM) version of a release can install the most recent LCU to get up to date in one step, rather than having to install multiple updates with reboots after each.
This cumulative update model for Windows 10 has helped provide the Windows ecosystem with consistent update experiences that can be predicted by baseline testing before release. Even with highly complex updates with hundreds of fixes, the number of incidents with monthly security updates for Windows 10 have fallen month over month since the initial release of Windows 10.
### Points to consider
- Windows 10 does not have the concept of a Security-Only or Monthly Rollup for updates. All updates are an LCU package, which includes the last release plus anything new.
- Windows 10 no longer has the concept of a "hotfix" since all individual updates must be rolled into the cumulative packages. (Note: Any private fix is offered for customer validation only, and then rolled into an LCU.)
- [Updates for the .NET Framework](https://blogs.msdn.microsoft.com/dotnet/2016/10/11/net-framework-monthly-rollups-explained/) are NOT included in the Windows 10 LCU. They are separate packages with different behaviors depending on the version of .NET Framework being updated, and on which OS. As of October 2018, .NET Framework updates for Windows 10 will be separate and have their own cumulative update model.
- For Windows 10, available update types vary by publishing channel:
- For customers using Windows Server Update Services (WSUS) and for the Update Catalog, several different updates types for Windows 10 are rolled together for the core OS in a single LCU package, with exception of Servicing Stack Updates.
- Servicing Stack Updates (SSU) are available for download from the Update Catalog and can be imported through WSUS, but will not be automatically synced. (See this [example](https://support.microsoft.com/help/4132650/servicing-stack-update-for-windows-10-version-1709-may-21-2018) for Windows 10, version 1709). For more information on Servicing Stack Updates, please see this [blog](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-7-servicing-stack-updates-managing-change-and/ba-p/260434).
- For customers connecting to Windows Update, the new cloud update architecture uses a database of updates which break out all the different update types, including Servicing Stack Updates (SSU) and Dynamic Updates (DU). The update scanning in the Windows 10 servicing stack on the client automatically takes only the updates that are needed by the device to be completely up to date.
- Windows 7 and other legacy operating systems have cumulative updates that operate differently than in Windows 10 (see next section).
## Windows 7 and legacy OS versions
While Windows 10 updates could have been controlled as cumulative from "Day 1," the legacy OS ecosystem for both client and server was highly fragmented. Recognizing the challenges of update quality in aa fragmented environment, we moved Windows 7 to a cumulative update model in October 2016.
Customers saw the LCU model used for Windows 10 as having packages that were too large and represented too much of a change for legacy operating systems, so a different model was implemented. Windows instead offered two cumulative package types for all legacy operating systems: Monthly Rollups and Security-only updates.
The Monthly Rollup includes new non-security, security updates, Internet Explorer (IE) updates, and all updates from the previous month, similar to the Windows 10 model. The Security-only package includes new security updates and all security updates from the previous month. Additionally, a cumulative package is offered for IE, which can be tested and installed separately, reducing the total update package size. The IE cumulative update includes both security and non-security fixes following the same model as Windows 10.
Moving to the cumulative model for legacy OS versions continues to improve predictability of update quality. The Windows legacy environments have fully updated machines, which means that the baseline against which all legacy OS version updates are tested include all of the updates (security and non-security) prior to and after October 2016. Many customer environments do not have all updates prior to this change installed, which leaves some continued fragmentation in the ecosystem. This remaining fragmentation results in issues like those seen when the September 2016 Servicing Stack Update (SSU) was needed for smooth installation of the August 2018 security update. These environments did not have the SSU applied previously.
### Points to consider
- Windows 7 and Windows 8 legacy operating system updates [moved from individual to cumulative in October 2016](https://techcommunity.microsoft.com/t5/Windows-Blog-Archive/More-on-Windows-7-and-Windows-8-1-servicing-changes/ba-p/166783). Devices with updates missing prior to that point are still missing those updates, as they were not included in the subsequent cumulative packages.
- "Hotfixes" are no longer published for legacy OS versions. All updates are rolled into the appropriate package depending on their classification as either non-security, security, or Internet Explorer updates. (Note: any private fix is offered for customer validation only. Once validated they are then rolled into a Monthly Rollup or IE cumulative update, as appropriate.)
- Both Monthly Rollups and Security-only updates released on Update Tuesday for legacy OS versions are identified as "security, critical" updates, because both have the full set of security updates in them. The Monthly Rollup has additional non-security updates that are not included in the Security Only update. The "security" classification requires the device be rebooted so the update can be fully installed.
- Despite the cumulative nature of both Monthly Rollups and Security-only updates, switching between these update types is not advised. Small differences in the baselines of these packages may result in installation errors and conflicts. Choosing one and staying on that update type Monthly Rollup or Security-only is recommended.
- In [February 2017](https://techcommunity.microsoft.com/t5/Windows-Blog-Archive/Simplified-servicing-for-Windows-7-and-Windows-8-1-the-latest/ba-p/166798), Windows pulled IE updates out of the legacy OS versions Security-only updates, while leaving them in the Monthly Rollup updates. This was done specifically to reduce package size based on customer feedback.
- The IE cumulative update includes both security and non-security updates and is also needed for to help secure the entire environment. This update can be installed separately or as part of the Monthly Rollup.
- [Updates for the .NET Framework](https://blogs.msdn.microsoft.com/dotnet/2016/10/11/net-framework-monthly-rollups-explained/) are NOT included in legacy Monthly Rollup or Security Only packages. They are separate packages with different behaviors depending on the version of the .NET Framework, and which legacy OS, being updated.
- For [Windows Server 2008 SP2](https://cloudblogs.microsoft.com/windowsserver/2018/06/12/windows-server-2008-sp2-servicing-changes/), cumulative updates began in October 2018, and follow the same model as Windows 7. Updates for IE9 are included in those packages, as the last supported version of Internet Explorer for that Legacy OS version.
## Public preview releases
Lastly, the cumulative update model directly impacts the public Preview releases offered in the 3rd and/or 4th weeks of the month. Update Tuesday, also referred to as the "B" week release occurs on the second Tuesday of the month. It is always a required security update across all operating systems. In addition to this monthly release, Windows also releases non-security update "previews" targeting the 3rd (C) and the 4th (D) weeks of the month. These preview releases include that months B-release plus a set of non-security updates for testing and validation as a cumulative package. We recommend IT Administrators uses the C/D previews to test the update in their environments. Any issues identified with the updates in the C/D releases are identified and then fixed or removed, prior to being rolled up in to the next months B release package together with new security updates.
### Examples
Windows 10 version 1709:
- (9B) September 11, 2018 Update Tuesday / B release - includes security, non-security and IE update. This update is categorized as "Required, Security" it requires a system reboot.
- (9C) September 26, 2018 Preview C release - includes everything from 9B PLUS some non-security updates for testing/validation. This update is qualified as not required, non-security. No system reboot is required.
- (10B) October 9, 2018 Update Tuesday / B release includes all fixes included in 9B, all fixes in 9C and introduces new security fixes and IE updates. This update is qualified as "Required, Security" and requires a system reboot.
All of these updates are cumulative and build on each other for Windows 10. This is in contrast to legacy OS versions, where the 9C release becomes part of the "Monthly Rollup," but not the "Security Only" update. In other words, a Window 7 SP1 9C update is part of the cumulative "Monthly Rollup" but not included in the "Security Only" update because the fixes are qualified as "non-security". This is an important variation to note on the two models.
![Servicing preview releases](images/servicing-previews.png)
### Previews vs. on-demand releases
In 2018, we experienced incidents that required urgent remediation that didnt map to the monthly update release cadence. These incidents were situations that required an immediate fix to an Update Tuesday release. While Windows engineering worked aggressively to respond within a week of the B-release, these "on-demand" releases created confusion with the C Preview releases.
#### Points to consider:
- When Windows identifies an issue with a Update Tuesday release, engineering teams work to remediate or fix the issue as quickly as possible. The outcome is often a new update which may be released at any time, including during the 3rd or 4th week of the month. Such updates are independent of the regularly scheduled "C" and "D" update previews. These updates are created on-demand to remediate a customer impacting issue. In most cases they are qualified as a "non-security" update, and do not require a system reboot.
- With the new Windows Update (WU) architecture, updates can be targeted to affected devices. This targeting is not available through the Update Catalog or WSUS channels, however.
- On-demand releases address a specific issue with an Update Tuesday release and are often qualified as "non-security" for one of two reasons. First, the fix may not be an additional security fix, but a non-security change to the update. Second, the "non-security" designation allows individuals or companies to choose when and how to reboot the devices, rather than forcing a system reboot on all Windows devices receiving the update globally. This trade-off is rarely a difficult choice as it has the potential to impact customer experience across client and server, across consumer and commercial customers for more than one billion devices.
- Because the cumulative model is used across Window 10 and legacy Windows OS versions, despite variations between these OS versions, an out of band release will include all of the changes from the Update Tuesday release plus the fix that addresses the issue. And since Windows no longer releases hotfixes, everything is cumulative in some way.
In closing, I hope this overview of the update model across current and legacy Windows OS versions highlights the benefits of the Windows 10 cumulative update model to help defragment the Windows ecosystem environments, simplify servicing and help make systems more secure.
## Resources
- [Simplifying updates for Windows 7 and 8.1](https://techcommunity.microsoft.com/t5/Windows-Blog-Archive/Simplifying-updates-for-Windows-7-and-8-1/ba-p/166530)
- [Further simplifying servicing models for Windows 7 and Windows 8.1](https://techcommunity.microsoft.com/t5/Windows-Blog-Archive/Further-simplifying-servicing-models-for-Windows-7-and-Windows-8/ba-p/166772)
- [More on Windows 7 and Windows 8.1 servicing changes](https://techcommunity.microsoft.com/t5/Windows-Blog-Archive/More-on-Windows-7-and-Windows-8-1-servicing-changes/ba-p/166783)
- [.NET Framework Monthly Rollups Explained](https://blogs.msdn.microsoft.com/dotnet/2016/10/11/net-framework-monthly-rollups-explained/)
- [Simplified servicing for Windows 7 and Windows 8.1: the latest improvements](https://techcommunity.microsoft.com/t5/Windows-Blog-Archive/Simplified-servicing-for-Windows-7-and-Windows-8-1-the-latest/ba-p/166798)
- [Windows Server 2008 SP2 servicing changes](https://cloudblogs.microsoft.com/windowsserver/2018/06/12/windows-server-2008-sp2-servicing-changes/)
- [Windows 10 update servicing cadence](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-update-servicing-cadence/ba-p/222376)
- [Windows 7 servicing stack updates: managing change and appreciating cumulative updates](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-7-servicing-stack-updates-managing-change-and/ba-p/260434)

2
windows/privacy/TOC.md
View File

@ -1,6 +1,6 @@
# [Privacy](index.yml)
## [Beginning your General Data Protection Regulation (GDPR) journey for Windows 10](gdpr-win10-whitepaper.md)
## [Windows 10 and the GDPR for IT Decision Makers](gdpr-it-guidance.md)
## [Windows and the GDPR: Information for IT Administrators and Decision Makers](gdpr-it-guidance.md)
## [Windows 10 personal data services configuration](windows-personal-data-services-configuration.md)
## [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md)
## [Diagnostic Data Viewer Overview](diagnostic-data-viewer-overview.md)

81
windows/privacy/gdpr-it-guidance.md
View File

@ -1,5 +1,5 @@
---
title: Windows 10 and the GDPR for IT Decision Makers
title: Windows and the GDPR-Information for IT Administrators and Decision Makers
description: Use this topic to understand the relationship between users in your organization and Microsoft in the context of the GDPR (General Data Protection Regulation).
keywords: privacy, GDPR, windows, IT
ms.prod: w10
@ -11,12 +11,17 @@ author: danihalfin
ms.author: daniha
ms.date: 05/11/2018
---
# Windows 10 and the GDPR for IT Decision Makers
# Windows and the GDPR: Information for IT Administrators and Decision Makers
Applies to:
- Windows 10, version 1809
- Windows 10, version 1803
- Windows 10, version 1709
- Windows 10, version 1703
- Windows 10 Team Edition, version 1703 for Surface Hub
- Windows Server 2019
- Windows Server 2016
- Windows Analytics
This topic provides IT Decision Makers with a basic understanding of the relationship between users in an organization and Microsoft in the context of the GDPR (General Data Protection Regulation). You will also learn what role an IT organization plays for that relationship.
@ -35,7 +40,7 @@ Here are some GDPR fundamentals:
* The European law establishes strict global data privacy requirements governing how organizations manage and protect personal data while respecting individual choice no matter where data is sent, processed, or stored.
* A request by an individual to an organization to take an action on their personal data is referred to here as a *data subject request*, or *DSR*.
Microsoft believes data privacy is a fundamental right, and that the GDPR is an important step forward for clarifying and enabling individual privacy rights. We also recognize that the GDPR requires significant changes by organizations all over the world with regard to the discovery, management, protection, and reporting of personal data that is collected, processed, and stored within an organization.
Microsoft believes data privacy is a fundamental right, and that the GDPR is an important step forward for clarifying and enabling individual privacy rights. We also recognize that the GDPR required significant changes by organizations all over the world with regard to the discovery, management, protection, and reporting of personal data that is collected, processed, and stored within an organization.
### What is personal data under the GDPR?
@ -87,7 +92,7 @@ It is important to differentiate between two distinct types of data Windows serv
A user action, such as performing a Skype call, usually triggers the collection and transmission of Windows *functional data*. Some Windows components and applications connecting to Microsoft services also exchange Windows functional data to provide user functionality.
Some other examples of Windows functional data:
* The Weather app which uses the devices location to retrieve local weather or community news.
* The Weather app which can use the devices location to retrieve local weather or community news.
* Wallpaper and desktop settings that are synchronized across multiple devices.
For more info on how IT Professionals can manage Windows functional data sent from an organization to Microsoft, see [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md).
@ -100,10 +105,10 @@ Some examples of diagnostic data include:
* The type of hardware being used, information about installed apps and usage details, and reliability data on drivers running on the device.
* For users who have turned on “Tailored experiences”, it can be used to offer personalized tips, ads, and recommendations to enhance Microsoft products and services for the needs of the user.
To find more about what information is collected, how it is handled, and the available Windows diagnostic data levels, see [Understanding Windows diagnostic data](configure-windows-diagnostic-data-in-your-organization.md#understanding-windows-diagnostic-data) and [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md).
Diagnostic data is categorized into the levels "Security", "Basic", "Enhanced", and "Full". For a detailed discussion about these diagnostic data levels please see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md). To find more about what information is collected and how it is handled, see [Understanding Windows diagnostic data](configure-windows-diagnostic-data-in-your-organization.md#understanding-windows-diagnostic-data).
>[!IMPORTANT]
>Other Microsoft services as well as 3rd party applications and drivers running on Windows devices may implement their own functionality, independently from Windows, to transport their diagnostic data to the respective publisher. Please contact them for further guidance on how to control the diagnostic data collection level and transmission of these publishers.
>Other Microsoft services as well as 3rd party applications and drivers running on Windows devices may implement their own functionality, independently from Windows, to transport their diagnostic data. Please contact the publisher for further guidance on how to control the diagnostic data collection level and transmission of these applications and services.
### Windows services where Microsoft is the processor under the GDPR
@ -123,7 +128,7 @@ As a result, in terms of the GDPR, the organization that has subscribed to Windo
>The IT organization must explicitly enable Windows Analytics for a device after the organization subscribes.
>[!IMPORTANT]
>Windows Analytics does not collect Windows Diagnostic data by itself. Instead, Windows Analytics only uses a subset of Windows Diagnostic data that is collected by Windows for a particular device. The Windows Diagnostic data collection is controlled by the IT department of an organization or the user of a device.
>Windows Analytics does not collect Windows Diagnostic data by itself. Instead, Windows Analytics only uses a subset of Windows Diagnostic data that is collected by Windows for an enrolled device. The Windows Diagnostic data collection is controlled by the IT department of an organization or the user of a device.
#### Windows Defender ATP
@ -140,27 +145,43 @@ The following table lists in what GDPR mode controller or processor Wind
| Service | Microsoft GDPR mode of operation |
| --- | --- |
| Windows Functional data | Controller |
| Windows Functional data | Controller or Processor* |
| Windows Diagnostic data | Controller |
| Windows Analytics | Processor |
| Windows Defender Advanced Threat Detection (ATP) | Processor |
*Table 1: Windows 10 GDPR modes of operations for different Windows 10 services*
## Recommended diagnostic data level settings
*/*Depending on which application/feature this is referring to.*
Windows diagnostic data collection level can be set by a user in Windows (*Start > Settings > Privacy > Diagnostics & feedback*) or by the IT department of an organization, using Group Policy or Mobile Device Management (MDM) techniques.
## Windows diagnostic data and Windows 10
* For Windows 10, version 1803, Microsoft recommends setting the Windows diagnostic level to “Enhanced”. This enables organizations to get the full functionality of [Windows Analytics](#windows-analytics). Those organizations who wish to share the smallest set of events for Windows Analytics can use the “Limit Enhanced diagnostic data to the minimum required by Windows Analytics” filtering mechanism that Microsoft introduced in Windows 10, version 1709. When enabled, this feature limits the operating system diagnostic data events included in the Enhanced level to the smallest set of data required by Windows Analytics.
### Recommended Windows 10 settings
Windows diagnostic data collection level for Windows 10 can be set by a user in Windows (*Start > Settings > Privacy > Diagnostics & feedback*) or by the IT department of an organization, using Group Policy or Mobile Device Management (MDM) techniques.
* For Windows 10, version 1803 and version 1809, Microsoft recommends setting the Windows diagnostic level to “Enhanced”. This enables organizations to get the full functionality of [Windows Analytics](#windows-analytics).
>[!NOTE]
>For more information on the Enhanced level, see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md).
* For Windows 10, version 1709, and Windows 10, version 1703, the recommended Windows diagnostic level configuration for EEA and Switzerland commercial users is “Basic”.
* For Windows 7, Microsoft recommends configuring enterprise devices for Windows Analytics to facilitate upgrade planning to Windows 10.
>[!NOTE]
>For Windows 7, Microsoft recommends [configuring enterprise devices for Windows Analytics](/windows/deployment/update/windows-analytics-get-started) to facilitate upgrade planning to Windows 10.
## Controlling the data collection and notification about it
### Additional information for Windows Analytics
Some Windows Analytics solutions and functionality, such as Update Compliance, works with “Basic” as minimum Windows diagnostic level. Other solutions and functionality of Windows Analytics, such as Device Health, require “Enhanced”.
Those organizations who wish to share the smallest set of events for Windows Analytics and have set the Windows diagnostic level to “Enhanced” can use the “Limit Enhanced diagnostic data to the minimum required by Windows Analytics” setting. This filtering mechanism was that Microsoft introduced in Windows 10, version 1709. When enabled, this feature limits the operating system diagnostic data events included in the Enhanced level to the smallest set of data required by Windows Analytics.
>[!NOTE]
>Additional information can be found at [Windows Analytics and privacy](/windows/deployment/update/windows-analytics-privacy
).
## Controlling Windows 10 data collection and notification about it
Windows 10 sends diagnostic data to Microsoft services, and some of that data can contain personal data. Both the user and the IT organization have the ability to control the transmission of that data to Microsoft.
@ -200,10 +221,38 @@ IT Professionals that are interested in this configuration, see [Windows 10 pers
To find out more about the network connections that Windows components make to Microsoft as well as the privacy settings that affect data shared with either Microsoft or apps, see [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) and [Manage Windows 10 connection endpoints](manage-windows-endpoints.md). These articles describe how these settings can be managed by an IT Professional.
## At-a-glance: the relationship between an IT organization and the GDPR
### At-a-glance: the relationship between an IT organization and the GDPR
Because Microsoft is a controller for data collected by Windows 10, the user can work with Microsoft to satisfy GDPR requirements. While this relationship between Microsoft and a user is evident in a consumer scenario, an IT organization can influence that relationship in an enterprise scenario. For example, the IT organization has the ability to centrally configure the Windows diagnostic data level by using Group Policy or MDM settings.
## Windows Server
Windows Server follows the same mechanisms as Windows 10 for handling of personal data for example, when collecting Windows diagnostic data.
More detailed information about Windows Server and the GDPR is available at Beginning your General Data Protection Regulation (GDPR) journey for Windows Server.
### Windows diagnostic data and Windows Server
The lowest diagnostic data setting level supported on Windows Server 2016 and Windows Server 2019 through management policies is “Security”. The lowest diagnostic data setting supported through the Settings UI is “Basic”. The default diagnostic data level for all Windows Server 2016 and Windows Server 2019 editions is “Enhanced”.
IT administrators can configure the Windows Server diagnostic data settings using familiar management tools, such as Group Policy, MDM, or Windows Provisioning. IT administrators can also manually change settings using Registry Editor. Setting the Windows Server diagnostic data levels through a management policy overrides any device-level settings.
### Backups and Windows Server
Backups, including live backups and backups that are stored locally within an organization or in the cloud, can contain personal data.
- Backups an organizations creates, for example by using Windows Server Backup (WSB), are under its control. For example, for exporting personal data contained in a backup, the organization needs to restore the appropriate backup sets to facilitate the respective data subject request (DSR).
- The GDPR also applies when storing backups in the cloud. For example, an organization can use Microsoft Azure Backup to backup files and folders from physical or virtual Windows Server machines (located on-premises or in Azure) to the cloud. The organization that is subscribed to this backup service also has the obligation to restore the data in order to exercise the respective DSR.
## Windows 10 Team Edition, Version 1703 for Surface Hub
Surface Hub is a shared device used within an organization. The device identifier collected as part of diagnostic data is not connected to a user. For removing Windows diagnostic data sent to Microsoft for a Surface Hub, Microsoft created the Surface Hub Delete Diagnostic Data tool available in the Microsoft Store.
>[!NOTE]
>Additional apps running on the device, that are not delivered as part of the in-box experience of Surface Hub, may implement their own diagnostic data collection and transmission functionality independently to collect and process personal data. Please contact the app publisher for further guidance on how to control this.
An IT administrator can configure privacy- related settings, such as setting the Windows diagnostic data level to Basic. Surface Hub does not support group policy for centralized management; however, IT administrators can use MDM to apply these settings to Surface Hub. For more information about Surface Hub and MDM, please see [Manage settings with an MDM provider](https://docs.microsoft.com/surface-hub/manage-settings-with-mdm-for-surface-hub).
## Further reading
### Optional settings / features that further improve the protection of personal data
@ -215,11 +264,11 @@ Personal data protection is one of the goals of the GDPR. One way of improving p
### Windows Security Baselines
Microsoft has created Windows Security Baselines to efficiently configure Windows 10. For more information, please visit [Windows Security Baselines](/windows/security/threat-protection/windows-security-baselines).
Microsoft has created Windows Security Baselines to efficiently configure Windows 10 and Windows Server. For more information, please visit [Windows Security Baselines](/windows/security/threat-protection/windows-security-baselines).
### Windows Restricted Traffic Limited Functionality Baseline
To make it easier to deploy settings that restrict connections from Windows 10 to Microsoft, IT Professionals can apply the Windows Restricted Traffic Limited Functionality Baseline, available [here](https://go.microsoft.com/fwlink/?linkid=828887).
To make it easier to deploy settings that restrict connections from Windows 10 and Windows Server to Microsoft, IT Professionals can apply the Windows Restricted Traffic Limited Functionality Baseline, available [here](https://go.microsoft.com/fwlink/?linkid=828887).
>[!IMPORTANT]
>Some of the settings of the Windows Restricted Traffic Limited Functionality Baseline will reduce the functionality and security configuration of a device in the organization and are therefore not recommended.

2
windows/security/threat-protection/windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md
View File

@ -113,4 +113,4 @@ To effectively build queries that span multiple tables, you need to understand t
## Related topic
- [Query data using Advanced hunting](advanced-hunting-windows-defender-advanced-threat-protection.md)
- [Advanced hunting query language best practices](/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md)
- [Advanced hunting query language best practices](advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md)

7
windows/security/threat-protection/windows-defender-atp/basic-permissions-windows-defender-advanced-threat-protection.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
ms.date: 09/13/2018
ms.date: 11/09/2018
---
# Use basic permissions to access the portal
@ -79,9 +79,10 @@ For more information see, [Manage Azure AD group and role membership](https://te
6. Select **Manage** > **Directory role**.
7. Under **Directory role**, select **Limited administrator**, then **Security Reader** or **Security Administrator**.
7. Select **Add role** and choose the role you'd like to assign, then click **Select**.
![Image of Microsoft Azure portal](images/atp-azure-ui-user-access.png)
![Image of Microsoft Azure portal](images/atp-azure-assign-role.png)
## Related topic
- [Manage portal access using RBAC](rbac-windows-defender-advanced-threat-protection.md)

BIN
windows/security/threat-protection/windows-defender-atp/images/atp-azure-assign-role.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 103 KiB