diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json
index c1e7bc502b..96e3566542 100644
--- a/.openpublishing.publish.config.json
+++ b/.openpublishing.publish.config.json
@@ -466,8 +466,7 @@
"branches_to_filter": [
""
],
- "git_repository_url_open_to_public_contributors": "https://github.com/MicrosoftDocs/windows-itpro-docs",
- "git_repository_branch_open_to_public_contributors": "master",
+ "git_repository_url_open_to_public_contributors": "https://cpubwin.visualstudio.com/_git/it-client",
"skip_source_output_uploading": false,
"need_preview_pull_request": true,
"resolve_user_profile_using_github": true,
diff --git a/bcs/TOC.md b/bcs/TOC.md
index ec9e79cbfc..1b161ed802 100644
--- a/bcs/TOC.md
+++ b/bcs/TOC.md
@@ -1 +1,4 @@
-# [Microsoft 365 Business FAQ](support/microsoft-365-business-faqs.md)
\ No newline at end of file
+# [Microsoft 365 Business documentation and resources](index.md)
+# [Support]()
+## [Microsoft 365 Business FAQ](support/microsoft-365-business-faqs.md)
+## [Transition a Microsoft 365 Business CSP subscription](support/transition-csp-subscription.md)
\ No newline at end of file
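Review bot: `# [Support]()` on the new second line has an empty link target. If it is meant as a non-clickable group node, confirm the TOC renderer accepts an empty target; otherwise give it a page to land on. While touching this file, add the trailing newline so the `\ No newline at end of file` marker stops reappearing in every diff.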
diff --git a/bcs/index.md b/bcs/index.md
index 3d22fb24c7..dd287d45da 100644
--- a/bcs/index.md
+++ b/bcs/index.md
@@ -3,7 +3,7 @@ layout: HubPage
hide_bc: true
author: CelesteDG
ms.author: celested
-keywords: Microsoft 365 Business, Microsoft 365, business, Microsoft 365 Business documentation, docs, documentation
+keywords: Microsoft 365 Business, Microsoft 365, business, SMB, small to midsize business, Microsoft 365 Business documentation, docs, documentation, technical information
ms.topic: hub-page
ms.localizationpriority: high
audience: microsoft-business
@@ -14,7 +14,7 @@ description: Learn about the product documentation and resources available for M
## Kept files
diff --git a/mdop/agpm/index.md b/mdop/agpm/index.md
index cc29f75805..d4a053a9f6 100644
--- a/mdop/agpm/index.md
+++ b/mdop/agpm/index.md
@@ -41,10 +41,6 @@ In addition to the product documentation available online, supplemental product
-
-
MDOP Videos
-
For a list of available MDOP videos, go to [Microsoft Desktop Optimization Pack Technologies Videos](https://go.microsoft.com/fwlink/?LinkId=234275) (https://go.microsoft.com/fwlink/?LinkId=234275).
-
MDOP Virtual Labs
For a list of available MDOP virtual labs, go to [Microsoft Desktop Optimization Pack (MDOP) Virtual Labs](https://go.microsoft.com/fwlink/?LinkId=234276) (https://go.microsoft.com/fwlink/?LinkId=234276).
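Review bot: removing the blank line between `MDOP Videos` and the `For a list of available MDOP videos` sentence, and between the videos paragraph and `MDOP Virtual Labs`, merges those lines into single Markdown paragraphs, so the two labels will no longer stand on their own. If they are meant to act as sub-headings, keep the blank lines or give them a heading marker.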
diff --git a/smb/cloud-mode-business-setup.md b/smb/cloud-mode-business-setup.md
index 56b9a46258..1658370c2e 100644
--- a/smb/cloud-mode-business-setup.md
+++ b/smb/cloud-mode-business-setup.md
@@ -30,7 +30,7 @@ In this walkthrough, we'll show you how to deploy and manage a full cloud IT sol
- Create policies and app deployment rules
- Log in as a user and start using your Windows device
-Go to the Microsoft Business site and select **Products** to learn more about pricing and purchasing options for your business.
+Go to the Microsoft Business site and select **Products** to learn more about pricing and purchasing options for your business.
## Prerequisites
Here's a few things to keep in mind before you get started:
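Review bot: the removed and added `Go to the Microsoft Business site and select **Products**` lines read identically here, so this is presumably a whitespace, line-ending or link-target change that does not show in the text. A whitespace-only edit is fine, but it is worth saying so in the commit message so reviewers do not hunt for a wording difference. The same applies to the `Learn more about Windows 10` line in the later hunk of this file.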
@@ -53,7 +53,7 @@ To set up your Office 365 business tenant, see Office 365 page in the Microsoft Business site. Select **Try now** to use the Office 365 Business Premium Trial or select **Buy now** to sign up for Office 365 Business Premium. In this walkthrough, we'll select **Try now**.
+1. Go to the Office 365 page in the Microsoft Business site. Select **Try now** to use the Office 365 Business Premium Trial or select **Buy now** to sign up for Office 365 Business Premium. In this walkthrough, we'll select **Try now**.
**Figure 1** - Try or buy Office 365
@@ -568,7 +568,7 @@ To learn more about the services and tools mentioned in this walkthrough, and le
- Set up Office 365 for business
- Common admin tasks in Office 365 including email and OneDrive in Manage Office 365
- More info about managing devices, apps, data, troubleshooting, and more in Intune documentation
-- Learn more about Windows 10 in Windows 10 guide for IT pros
+- Learn more about Windows 10 in Windows 10 guide for IT pros
- Info about distributing apps to your employees, managing apps, managing settings, and more in Microsoft Store for Business
### For information workers
diff --git a/store-for-business/acquire-apps-microsoft-store-for-business.md b/store-for-business/acquire-apps-microsoft-store-for-business.md
index b750ec2e50..b0f2d72736 100644
--- a/store-for-business/acquire-apps-microsoft-store-for-business.md
+++ b/store-for-business/acquire-apps-microsoft-store-for-business.md
@@ -11,7 +11,7 @@ ms.localizationpriority: high
---
# Acquire apps in Microsoft Store for Business and Education
-As an admin, you can acquire apps from the Microsoft Store for Business and Education for your employees. Some apps are free, and some have a price. For info on app types that are supported, see [Apps in the Microsoft Store for Business](apps-in-microsoft-store-for-business.md).
+As an admin, you can acquire apps from the Microsoft Store for Business and Education for your employees. Some apps are free, and some have a price. For info on app types that are supported, see [Apps in the Microsoft Store for Business](apps-in-microsoft-store-for-business.md). The following sections explain some of the settings for shopping.
## App licensing model
The Microsoft Store supports two options to license apps: online and offline. **Online** licensing is the default licensing model. Online licensed apps require users and devices to connect to the Microsoft Store services to acquire an app and its license. **Offline** licensing is a new licensing option for Windows 10. With offline licenses, organizations can cache apps and their licenses to deploy within their network. ISVs or devs can opt-in their apps for offline licensing when they submit them to the developer center. Admins control whether or not offline apps are available in Microsoft Store with an offline app visibility setting. For more information, see [offline license visibility](https://docs.microsoft.com/microsoft-store/update-microsoft-store-for-business-account-settings#offline-licensing).
@@ -31,6 +31,21 @@ There are a couple of things we need to know when you pay for apps. You can add
- Legal business address
- Payment option (credit card)
+## Allow users to shop
+
+**Allow users to shop** controls the shopping experience in Microsoft Store for Education. When this setting is on, **Purchasers** and **Basic Purchasers** can purchase products and services from Microsoft Store for Education. If your school chooses to closely control how purchases are made, admins can turn off **Allow users to shop**. When the setting is off:
+- The shopping experience is not availalbe
+- **Purchasers** and **Basic Purchasers** can't purchase products and services from Microsoft Store for Education
+- Admins can't assign shopping roles to users
+- Products and services previously purchased by **Basic Purchasers** can be managed by admins.
+
+**To manage Allow users to shop setting**
+1. Sign in to [Microsoft Store for Business](https://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com)
+2. Click **Manage**, and then click **Settings**.
+3. On **Shop**, turn on or turn off **Allow users to shop**.
+
+
+
## Acquire apps
**To acquire an app**
1. Sign in to http://businessstore.microsoft.com
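Review bot: the first bullet under the new **Allow users to shop** section has a typo, `availalbe` should be `available`. The opening sentence scopes the setting to Microsoft Store for Education only, while the page title covers Business and Education; state explicitly whether the switch also exists in Store for Business. The last bullet, `Products and services previously purchased by **Basic Purchasers** can be managed by admins.`, reads as a capability rather than a consequence of turning the setting off; reword it to make clear that admins retain management of earlier purchases after shopping is disabled. Step 1 also lacks the terminal period the other steps have, and the three trailing blank lines before `## Acquire apps` can be collapsed to one.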
diff --git a/store-for-business/education/TOC.md b/store-for-business/education/TOC.md
index 4b919e4cfe..43f7ab7345 100644
--- a/store-for-business/education/TOC.md
+++ b/store-for-business/education/TOC.md
@@ -1,5 +1,5 @@
# [Microsoft Store for Education](/microsoft-store/index?toc=/microsoft-store/education/toc.json)
-## [What's new in Microsoft Store for Business and Education](whats-new-microsoft-store-business-education?toc=/microsoft-store/education/toc.json
+## [What's new in Microsoft Store for Business and Education](/microsoft-store/whats-new-microsoft-store-business-education?toc=/microsoft-store/education/toc.json)
## [Sign up and get started](/microsoft-store/sign-up-microsoft-store-for-business-overview?toc=/microsoft-store/education/toc.json)
###[Microsoft Store for Business and Education overview](/microsoft-store/windows-store-for-business-overview?toc=/microsoft-store/education/toc.json)
### [Prerequisites for Microsoft Store for Business and Education](/microsoft-store/prerequisites-microsoft-store-for-business?toc=/microsoft-store/education/toc.json)
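Review bot: the fix correctly adds the missing closing `)` and the `/microsoft-store/` root to the "What's new" link. The context line `###[Microsoft Store for Business and Education overview]` has no space after `###`, which some Markdown renderers do not treat as a heading; fix it in the same change since the file is already open.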
diff --git a/store-for-business/images/msfb-add-collection.PNG b/store-for-business/images/msfb-add-collection.PNG
new file mode 100644
index 0000000000..0cf1a7d0af
Binary files /dev/null and b/store-for-business/images/msfb-add-collection.PNG differ
diff --git a/store-for-business/images/msfb-click-private-store.png b/store-for-business/images/msfb-click-private-store.png
new file mode 100644
index 0000000000..35642c740e
Binary files /dev/null and b/store-for-business/images/msfb-click-private-store.png differ
diff --git a/store-for-business/images/msfb-wn-1711-export-user.png b/store-for-business/images/msfb-wn-1711-export-user.png
new file mode 100644
index 0000000000..61efc7307e
Binary files /dev/null and b/store-for-business/images/msfb-wn-1711-export-user.png differ
diff --git a/store-for-business/images/sfb-allow-shop-setting.png b/store-for-business/images/sfb-allow-shop-setting.png
new file mode 100644
index 0000000000..52320751ac
Binary files /dev/null and b/store-for-business/images/sfb-allow-shop-setting.png differ
diff --git a/store-for-business/manage-orders-microsoft-store-for-business.md b/store-for-business/manage-orders-microsoft-store-for-business.md
index 08da797130..5ff6a0ebc6 100644
--- a/store-for-business/manage-orders-microsoft-store-for-business.md
+++ b/store-for-business/manage-orders-microsoft-store-for-business.md
@@ -43,7 +43,7 @@ Refunds work a little differently for free apps, and apps that have a price. In
There are a few requirements for apps that have a price:
- **Timing** - Refunds are available for the first 30 days after you place your order. For example, if your order is placed on June 1, you can self-refund through June 30.
- - **Avaialable licenses** - You need to have enough available licenses to cover the number of licenses in the order you are refunding. For example, if you purchased 10 copies of an app and you want to request a refund, you must have at least 10 licenses of the app available in your inventory -- those 10 licenses can't be assigned to people in your organization.
+ - **Available licenses** - You need to have enough available licenses to cover the number of licenses in the order you are refunding. For example, if you purchased 10 copies of an app and you want to request a refund, you must have at least 10 licenses of the app available in your inventory -- those 10 licenses can't be assigned to people in your organization.
- **Whole order refunds only** - You must refund the complete amount of apps in an order. You can't refund a part of an order. For example, if you purchased 10 copies of an app, but later found you only needed 5 copies, you'll need to request a refund for the 10 apps, and then make a separate order for 5 apps. If you have had multiple orders of the same app, you can refund one order but still keep the rest of the inventory.
**To refund an order**
diff --git a/store-for-business/manage-private-store-settings.md b/store-for-business/manage-private-store-settings.md
index 8ad01a972f..e49b08b046 100644
--- a/store-for-business/manage-private-store-settings.md
+++ b/store-for-business/manage-private-store-settings.md
@@ -7,6 +7,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
author: TrudyHa
+ms.date: 11/28/2017
ms.localizationpriority: high
---
@@ -24,13 +25,31 @@ The name of your private store is shown on a tab in Microsoft Store app, or on [

You can change the name of your private store in Microsoft Store.
-
+
\ No newline at end of file
diff --git a/store-for-business/release-history-microsoft-store-business-education.md b/store-for-business/release-history-microsoft-store-business-education.md
index 869d8d89db..6f1400e394 100644
--- a/store-for-business/release-history-microsoft-store-business-education.md
+++ b/store-for-business/release-history-microsoft-store-business-education.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
author: TrudyHa
-ms.date: 09/21/2017
+ms.date: 11/30/2017
---
# Microsoft Store for Business and Education release history
@@ -15,8 +15,16 @@ Microsoft Store for Business and Education regularly releases new and improved f
Looking for info on the latest release? Check out [What's new in Microsoft Store for Business and Education](whats-new-microsoft-store-business-education.md)
-## August 2017
-These items were released or updated in August, 2017.
+## October 2017
-- **Pellentesque habitant morbi tristique** - Lorem ipsum dolor sit amet, consectetuer adipiscing elit. [Learn more](distribute-apps-from-your-private-store.md)
-- **Aenean nec lorem** - Lorem ipsum dolor sit amet, consectetuer adipiscing elit. [Learn more](distribute-apps-from-your-private-store.md)
\ No newline at end of file
+- Bug fixes and permformance improvements.
+
+## September 2017
+
+- **Manage Windows device deployment with Windows AutoPilot Deployment** - In Microsoft Store for Business, you can manage devices for your organization and apply an AutoPilot deployment profile to your devices. When people in your organization run the out-of-box experience on the device, the profile configures Windows, based on the AutoPilot deployment profile you applied to the device. [Get more info](add-profile-to-devices.md)
+- **Request an app** - People in your organization can reqest additional licenses for apps in your private store, and then Admins or Purchasers can make the purchases. [Get more info](https://docs.microsoft.com/microsoft-store/acquire-apps-microsoft-store-for-business#request-apps)
+- **My organization** - **My organization** shows you all Agreements that apply to your organization. You can also update profile info for you org, such as mailing address and email associated with your account.
+- **Manage prepaid Office 365 subscriptions** - Office 365 prepaid subscriptions can be redeemed using a prepaid token. Tokens are available through 3rd-party businesses, outside of Microsoft Store for Business or the Office 365 Admin portal. After redemming prepaid subscriptions, Admins can add more licenses or extend the subscription's expiration date.
+- **Manage Office 365 subscriptions acquired by partners** - Office 365 subscriptions purchased for your organization by a partner or reseller can be managed in Microsoft Store for Business. Admins can assign and manage licenses for these subscriptions.
+- **Edge extensions in Microsoft Store** - Edge Extensions are now available from Microsoft Store! You can acquire and distribute them from Microsoft Store for Business just like any other app.
+- **Search results in Microsoft Store for Business** - Search results now have sub categories to help you refine search results.
\ No newline at end of file
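Review bot: several typos in the added lines: `permformance` should be `performance` in the October entry, `reqest` should be `request` in the Request an app entry, `redemming` should be `redeeming` in the prepaid subscriptions entry, and `for you org` should be `for your org`. Replacing the lorem ipsum placeholder entries with real content is the right call; the file still ends without a trailing newline.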
diff --git a/store-for-business/settings-reference-microsoft-store-for-business.md b/store-for-business/settings-reference-microsoft-store-for-business.md
index a0c708802f..b949eced52 100644
--- a/store-for-business/settings-reference-microsoft-store-for-business.md
+++ b/store-for-business/settings-reference-microsoft-store-for-business.md
@@ -26,22 +26,10 @@ The Microsoft Store for Business and Education has a group of settings that admi
| Payment options | Manage payment options. For more information, see [Manage settings for the Microsoft Store for Business and Education](update-microsoft-store-for-business-account-settings.md#payment-options).| **Billing - Payment methods** |
| Private store | Update the name for your private store. The new name will be displayed on a tab in the Store. For more information, see [Manage private store settings](manage-private-store-settings.md). | **Settings - Distribute** |
| Offline licensing | Configure whether or not to make offline-licensed apps available in the Microsoft Store for Business and Education. For more information, see [Distribute offline apps](distribute-offline-apps.md). | **Settings - Shop** |
+| Allow users to shop | Configure whether or not people in your organization or school can see and use the shop function in Store for Business or Store for Education. For more information, see [Allow users to shop](acquire-apps-microsoft-store-for-business.md#allow-users-to-shop). | **Settings - Shop** |
+| Make everyone a Basic Purchaser | Allow everyone in your organization to automatically become a Basic Purchaser. This allows them to purchase apps and manage them. For more information, see [Make everyone a Basic Purchaser](https://docs.microsoft.com/en-us/education/windows/education-scenarios-store-for-business#basic-purchaser-role). **Make everyone a Basic Purchaser** is only available in Microsoft Store for Education. | **Settings - Shop** |
| App request | Configure whether or not people in your organization can request apps for admins to purchase. For more information, see [Distribute offline apps](acquire-apps-microsoft-store-for-business.md). | **Settings - Distribute** |
| Management tools | Management tools that are synced with Azure AD are listed on this page. You can choose one to use for managing app updates and distribution. For more information, see [Configure MDM provider](configure-mdm-provider-microsoft-store-for-business.md). | **Settings - Distribute** |
| Device Guard signing | Use the Device Guard signing portal to add unsigned apps to a code integrity policy, or to sign code integrity policies. For more information, see [Device Guard signing portal](device-guard-signing-portal.md). | **Settings - Devices** |
| Permissions | Manage permissions for your employees. For more information, see [Roles and permissions in the Microsoft Store for Business and Education](roles-and-permissions-microsoft-store-for-business.md). | **Permissions - Roles** and **Permissions - Blocked basic purchasers** |
| Line-of-business (LOB) publishers | Invite devs to become LOB publishers for your organization. Existing LOB publishers are listed on the page, and you can deactivate or invite them again. For more information, see [Work with line-of-business apps](working-with-line-of-business-apps.md). | **Permissions - Line-of-business apps** |
-
-
-
-
-
-
-
-
-
-
-
-
-
-
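Review bot: the new **Make everyone a Basic Purchaser** row links to a locale-specific `https://docs.microsoft.com/en-us/...` URL while every other row uses a relative or locale-neutral link; use the locale-neutral path so localized sites resolve correctly. Since this setting grants purchasing rights to everyone in the tenant, the description would benefit from mentioning that individuals can still be excluded through **Permissions - Blocked basic purchasers** listed in the Permissions row. In the unchanged **App request** row the link text says `Distribute offline apps` but the target is `acquire-apps-microsoft-store-for-business.md`; the text should match the target.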
diff --git a/store-for-business/sfb-change-history.md b/store-for-business/sfb-change-history.md
index bcb10ea479..3fd8e7b79e 100644
--- a/store-for-business/sfb-change-history.md
+++ b/store-for-business/sfb-change-history.md
@@ -7,7 +7,7 @@ ms.sitesec: library
ms.pagetype: store
author: TrudyHa
ms.author: TrudyHa
-ms.date: 07/12/2107
+ms.date: 10/31/2107
ms.localizationpriority: high
---
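Review bot: `ms.date: 10/31/2107` carries the same wrong year as the line it replaces; this should be `10/31/2017`. A date a century in the future can confuse freshness checks and sorting in the change history.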
@@ -23,6 +23,7 @@ ms.localizationpriority: high
| New or changed topic | Description |
| --- | --- |
| [Manage Windows device deployment with Windows AutoPilot Deployment](add-profile-to-devices.md) | Update. Add profile settings with supported build info. |
+| [What's New in Microsoft Store for Business and Education](whats-new-microsoft-store-business-education.md) | Update. |
## September 2017
diff --git a/store-for-business/whats-new-microsoft-store-business-education.md b/store-for-business/whats-new-microsoft-store-business-education.md
index 14bce10791..a5f0578801 100644
--- a/store-for-business/whats-new-microsoft-store-business-education.md
+++ b/store-for-business/whats-new-microsoft-store-business-education.md
@@ -6,30 +6,41 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
author: TrudyHa
-ms.date: 10/04/2017
+ms.date: 11/30/2017
---
# What's new in Microsoft Store for Business and Education
-Microsoft Store for Business and Education regularly releases new and improved feaures. Take a look below to see what's available to you today.
+Microsoft Store for Business and Education regularly releases new and improved feaures.
## Latest updates for Store for Business and Education
+**November 2017**
+
+| | |
+|-----------------------|---------------------------------|
+|  |**Export list of Minecraft: Education Edition users**
Admins and teachers can now export a list of users who have Minecraft: Education Edition licenses assigned to them. Click **Export users**, and Store for Education creates an Excel spreadsheet for you, and saves it as a .csv file.
**Applies to**: Microsoft Store for Education |
+
+
-
\ No newline at end of file
+[October 2017](release-history-microsoft-store-business-education.md#october-2017)
+- Bug fixes and permformance improvements.
+
+[September 2017](release-history-microsoft-store-business-education.md#september-2017)
+- Manage Windows device deployment with Windows AutoPilot Deployment
+- Request an app
+- My organization
+- Manage prepaid Office 365 subscriptions
+- Manage Office 365 subscriptions acquired by partners
+- Edge extensions in Microsoft Store
+- Search results in Microsoft Store for Business
+
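Review bot: the new November 2017 table starts with an empty header row (`| | |`) and its only data row spans three lines (`|  |**Export list of Minecraft: Education Edition users**`, the description, and `**Applies to**: Microsoft Store for Education |`), two of which carry no `+` prefix. Markdown tables require each row on a single line, so either the diff is mangled or the row will not render; put the whole cell on one line (using `<br>` for the line breaks) and give the header row real text or drop the table for a heading plus paragraph. Also `feaures` in the rewritten intro sentence should be `features`, and `permformance` in the October line should be `performance`.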
diff --git a/windows/access-protection/hello-for-business/hello-deployment-guide.md b/windows/access-protection/hello-for-business/hello-deployment-guide.md
index c202596cd4..35ca37be84 100644
--- a/windows/access-protection/hello-for-business/hello-deployment-guide.md
+++ b/windows/access-protection/hello-for-business/hello-deployment-guide.md
@@ -28,7 +28,7 @@ This deployment guide is to guide you through deploying Windows Hello for Busine
This guide assumes a baseline infrastructure exists that meets the requirements for your deployment. For either hybrid or on-premises deployments, it is expected that you have:
* A well-connected, working network
* Internet access
- * Multifactor Authentication Server to support MFA during Windows Hello for Business provisioning
+* Multifactor Authentication Server to support MFA during Windows Hello for Business provisioning
* Proper name resolution, both internal and external names
* Active Directory and an adequate number of domain controllers per site to support authentication
* Active Directory Certificate Services 2012 or later
diff --git a/windows/access-protection/hello-for-business/hello-features.md b/windows/access-protection/hello-for-business/hello-features.md
index 2e4ae4c446..e89b3407a1 100644
--- a/windows/access-protection/hello-for-business/hello-features.md
+++ b/windows/access-protection/hello-for-business/hello-features.md
@@ -2,7 +2,7 @@
title: Windows Hello for Business Features
description: Windows Hello for Business Features
ms.assetid: 5BF09642-8CF5-4FBC-AC9A-5CA51E19387E
-keywords: identity, PIN, biometric, Hello, passport, WHFB, Windows Hello, PIN Reset, Dynamic Lock, Multifactor Unlock, Forgot PIN, Privileged Workstation
+keywords: identity, PIN, biometric, Hello, passport, WHFB, Windows Hello, PIN Reset, Dynamic Lock, Multifactor Unlock, Forgot PIN, Privileged credentials
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
@@ -10,7 +10,7 @@ ms.pagetype: security, mobile
author: mikestephens-MS
ms.author: mstephen
localizationpriority: high
-ms.date: 10/20/2017
+ms.date: 12/04/2017
---
# Windows Hello for Business Features
@@ -18,9 +18,9 @@ Consider these additional features you can use after your organization deploys W
* [Conditional access](#conditional-access)
* [Dynamic lock](#dynamic-lock)
-* [PIN reset](#PIN-reset)
-* [Privileged workstation](#Priveleged-workstation)
-* [Mulitfactor Unlock](#Multifactor-unlock)
+* [PIN reset](#pin-reset)
+* [Privileged credentials](#privileged-credentials)
+* [Mulitfactor Unlock](#multifactor-unlock)
## Conditional access
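Review bot: lowercasing the anchors is correct, since the generated heading ids are lowercase, but the link text `Mulitfactor Unlock` keeps its typo in the new line; it should read `Multifactor Unlock`.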
@@ -142,14 +142,14 @@ On-premises deployments provide users with the ability to reset forgotton PINs e
>[!NOTE]
> Visit the [Frequently Asked Questions](https://docs.microsoft.com/en-us/windows/access-protection/hello-for-business/hello-identity-verification#frequently-asked-questions) section of the Windows Hello for Business page and watch the **What happens when the user forgets their PIN?** video.
-## Privileged Workstation
+## Privileged Credentials
**Requirements**
* Hybrid and On-premises Windows Hello for Business deployments
* Domain Joined or Hybird Azure joined devices
* Windows 10, version 1709
-The privileged workstation scenario enables administrators to perform elevated, admistrative funcions by enrolling both their non-privileged and privileged credentials on their device.
+The privileged credentials scenario enables administrators to perform elevated, admistrative funcions by enrolling both their non-privileged and privileged credentials on their device.
By design, Windows 10 does not enumerate all Windows Hello for Business users from within a user's session. Using the computer Group Policy setting, Allow enumeration of emulated smartd card for all users, you can configure a device to all this enumeration on selected devices.
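Review bot: the rewritten sentence carries over two typos, `admistrative funcions` should be `administrative functions`. In the unchanged sentence that follows, `smartd card` should be `smart card` and `configure a device to all this enumeration` should be `to allow this enumeration`. The phrase `on selected devices` is the important part of that sentence: enabling enumeration of all Windows Hello for Business users broadly would surface privileged account tiles on any device, so it is worth stating plainly that the policy should be scoped only to the workstations where administrators enroll their privileged credentials.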
diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md
index 7c56e7ded8..0aafbf488a 100644
--- a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md
+++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md
@@ -23,7 +23,7 @@ Hybrid environments are distributed systems that enable organizations to use on-
The distributed systems on which these technologies were built involved several pieces of on-premises and cloud infrastructure. High-level pieces of the infrastructure include:
* [Directories](#directories)
-* [Public Key Infrastucture](#public-key-infastructure)
+* [Public Key Infrastucture](#public-key-infrastructure)
* [Directory Synchronization](#directory-synchronization)
* [Federation](#federation)
* [MultiFactor Authetication](#multifactor-authentication)
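Review bot: the anchor fix to `#public-key-infrastructure` is right, but the link text `Public Key Infrastucture` on the same line still has the typo (`Infrastructure`), and the context line `MultiFactor Authetication` should read `Multifactor Authentication`; both can be fixed in this change.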
diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
index d7f825257f..6c59f37b66 100644
--- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
+++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
@@ -133,7 +133,7 @@ Sign-in a certificate authority or management workstations with _Domain Admin eq
9. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **Fully distinguished name** from the **Subject name format** list if **Fully distinguished name** is not already selected. Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**.
10. On the **Request Handling** tab, select the **Renew with same key** check box.
11. On the **Security** tab, click **Add**. Type **Window Hello for Business Users** in the **Enter the object names to select** text box and click **OK**.
-12. Click the **Windows Hello for Business Users** from the **Group or users names** list. In the **Permissions for Windows Hello for Business Users** section, select the **Allow** check box for the **Enroll** permission. Excluding the **Windows Hello for Business Users** group, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other entries in the **Group or users names** section if the check boxes are not already cleared. Click **OK**.
+12. Click the **Windows Hello for Business Users** from the **Group or users names** list. In the **Permissions for Windows Hello for Business Users** section, select the **Allow** check box for the **Read**, **Enroll**, and **AutoEnroll** permissions. Excluding the **Windows Hello for Business Users** group, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other entries in the **Group or users names** section if the check boxes are not already cleared. Click **OK**.
13. If you previously issued Windows Hello for Business sign-in certificates using Configuration Manger and are switching to an AD FS registration authority, then on the **Superseded Templates** tab, add the previously used **Windows Hello for Business Authentication** template(s), so they will be superseded by this template for the users that have Enroll permission for this template.
14. Click on the **Apply** to save changes and close the console.
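Review bot: in the rewritten step 12 the permission is spelled `AutoEnroll` in the first sentence and `Autoenroll` in the second; use one spelling throughout. Granting Read, Enroll and Autoenroll to the Windows Hello for Business Users group while clearing Enroll and Autoenroll for every other entry is what restricts issuance of this sign-in certificate template to the intended group, so the second sentence should keep its imperative wording. The context line in step 11 has `Window Hello for Business Users`, missing the `s`.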
diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md
index 342e42b0d0..5b1f2a3188 100644
--- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md
+++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md
@@ -108,7 +108,7 @@ Sign-in a domain controller or management workstations with _Domain Admin_ equiv
3. Right-click the **Enable Windows Hello for Business** Group Policy object and click **Edit**.
4. In the navigation pane, expand **Policies** under **User Configuration**.
5. Expand **Windows Settings > Security Settings**, and click **Public Key Policies**.
-6. In the details pane, right-click **Certificate Services Client � Auto-Enrollment** and select **Properties**.
+6. In the details pane, right-click **Certificate Services Client - Auto-Enrollment** and select **Properties**.
7. Select **Enabled** from the **Configuration Model** list.
8. Select the **Renew expired certificates**, **update pending certificates**, and **remove revoked certificates** check box.
9. Select the **Update certificates that use certificate templates** check box.
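Review bot: replacing the mis-encoded `�` with a plain hyphen fixes the mojibake in the policy name. The following context line lists three options (`Renew expired certificates`, `update pending certificates`, `remove revoked certificates`) but ends with the singular `check box`; it should read `check boxes`.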
diff --git a/windows/access-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/access-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
index d31a4393af..552c519832 100644
--- a/windows/access-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
+++ b/windows/access-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
@@ -11,7 +11,7 @@ ms.author: mstephen
localizationpriority: high
ms.date: 10/20/2017
---
-# Hybrid Key tust Windows Hello for Business Prerequisites
+# Hybrid Key trust Windows Hello for Business Prerequisites
**Applies to**
- Windows 10
@@ -64,7 +64,6 @@ The minimum required enterprise certificate authority that can be used with Wind
### Section Review
> [!div class="checklist"]
> * Windows Server 2012 Issuing Certificate Authority
-> * Windows Server 2016 Active Directory Federation Services
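Review bot: dropping `Windows Server 2016 Active Directory Federation Services` from the certificate authority section review is consistent with the federation section of this file, which says key trust works in non-federated environments with password synchronization or pass-through authentication. The hunk header says seven lines of context were replaced by six, but only the removed line is shown, so double-check that the checklist block still closes properly after the removal.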
@@ -82,7 +81,7 @@ Organizations using older directory synchronization technology, such as DirSync
## Federation with Azure ##
-You can deploy Windows Hello for Business key trust in non-federated and federated environments. For non-federated envionments, key trust deployments work in environments that have deployed [Password Syncrhonization with Azure AD Connect](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsync-implement-password-synchronization) and [Azure Active Directory Pass-through-Authentication](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-pass-through-authentication). For federated envirnonments, you can deploy Windows Hello for Business key trust using Active Directory Federation Services (AD FS) 2012 R2 or later.
+You can deploy Windows Hello for Business key trust in non-federated and federated environments. For non-federated environments, key trust deployments work in environments that have deployed [Password Synchronization with Azure AD Connect](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsync-implement-password-synchronization) and [Azure Active Directory Pass-through-Authentication](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-pass-through-authentication). For federated environments, you can deploy Windows Hello for Business key trust using Active Directory Federation Services (AD FS) 2012 R2 or later.
### Section Review ###
> [!div class="checklist"]
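Review bot: both links in the rewritten paragraph keep the `/en-us/` locale segment (`https://docs.microsoft.com/en-us/azure/active-directory/connect/...`), whereas the connect-to-remote-aadj-pc.md hunk in this patch links `https://docs.microsoft.com/azure/...` without it. Drop the locale from docs.microsoft.com links so readers are routed to their own language; the hunk is already touching these lines, so it is a free fix.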
@@ -92,15 +91,15 @@ You can deploy Windows Hello for Business key trust in non-federated and federat
## Multifactor Authentication ##
-Windows Hello for Business is a strong, two-factor credential the helps organizations reduce their dependency on passwords. The provisioning process lets a user enroll in Windows Hello for Business using their username and password as one factor. but needs a second factor of authentication.
+Windows Hello for Business is a strong, two-factor credential the helps organizations reduce their dependency on passwords. The provisioning process lets a user enroll in Windows Hello for Business using their username and password as one factor, but needs a second factor of authentication.
Hybrid Windows Hello for Business deployments can use Azure’s Multifactor Authentication service or they can use multifactor authentication provides by Windows Server 2012 R2 or later Active Directory Federation Services, which includes an adapter model that enables third parties to integrate their multifactor authentication into AD FS.
### Section Review
> [!div class="checklist"]
> * Azure MFA Service
-> * Windows Server 2016 AD FS and Azure
-> * Windows Server 2016 AD FS and third party MFA Adapter
+> * Windows Server 2016 AD FS and Azure (optional, if federated)
+> * Windows Server 2016 AD FS and third party MFA Adapter (optiona, if federated)
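Review bot: the new checklist line `> * Windows Server 2016 AD FS and third party MFA Adapter (optiona, if federated)` introduces a typo; `optiona` should be `optional`. Two errors in the surrounding text are also worth fixing in this hunk: `a strong, two-factor credential the helps organizations` should read `that helps`, and `multifactor authentication provides by Windows Server 2012 R2` should read `provided by`. Finally, the paragraph says the AD FS adapter model is available from Windows Server 2012 R2 onward but the checklist items say `Windows Server 2016 AD FS`; pick one minimum version and use it in both places.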
diff --git a/windows/access-protection/hello-for-business/hello-identity-verification.md b/windows/access-protection/hello-for-business/hello-identity-verification.md
index dbe821c879..b0e4a403a4 100644
--- a/windows/access-protection/hello-for-business/hello-identity-verification.md
+++ b/windows/access-protection/hello-for-business/hello-identity-verification.md
@@ -10,7 +10,7 @@ ms.pagetype: security, mobile
author: mikestephens-MS
ms.author: mstephen
localizationpriority: high
-ms.date: 10/20/2017
+ms.date: 12/04/2017
---
# Windows Hello for Business
@@ -104,7 +104,7 @@ There are many deployment options from which to choose. Some of those options re
Windows Hello for Business is two-factor authentication based the observed authentication factors of: something you have, something you know, and something part of you. Windows Hello for Business incorporates two of these factors: something you have (the user's private key protected by the device's security module) and something you know (your PIN). With the proper hardware, you can enhance the user experience by introducing biometrics. Using biometrics, you can replace the "something you know" authentication factor with the "something that is part of you" factor, with the assurances that users can fall back to the "something you know factor".
### Can I use PIN and biometrics to unlock my device?
-No. Windows Hello for Business provides two-factor authentication. However, we are investigating the ability to unlock the desktop with additional factors.
+Starting in Windows 10, version 1709, you can use multifactor unlock to require the user to provide an additional factor to unlock the device. Authentication remains two-factor, but another factor is required before Windows allows the user to reach the desktop. Read more about [multifactor unlock](https://docs.microsoft.com/en-us/windows/access-protection/hello-for-business/hello-features#multifactor-unlock) in [Windows Hello for Business Features](#hello-features.md)
### What is the difference between Windows Hello and Windows Hello for Business
Windows Hello represents the biometric framework provided in Windows 10. Windows Hello enables users to use biometrics to sign into their devices by securely storing their username and password and releasing it for authentication when the user successfully identifies themselves using biometrics. Windows Hello for Business uses asymmetric keys protected by the device's security module that requires a user gesture (PIN or biometrics) to authenticate.
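Review bot: the relative link at the end of the new answer, `[Windows Hello for Business Features](#hello-features.md)`, is malformed: the leading `#` turns it into an in-page anchor named `hello-features.md` instead of a link to the hello-features.md topic. Use `(hello-features.md)`, which is how the toc.md hunk in this patch references the same file. The sentence also has no terminating period. The unchanged context line `two-factor authentication based the observed authentication factors` is missing `on` (`based on the observed`) and could be corrected while this section is open.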
diff --git a/windows/access-protection/hello-for-business/toc.md b/windows/access-protection/hello-for-business/toc.md
index 5a8d5dd5c3..81267549c1 100644
--- a/windows/access-protection/hello-for-business/toc.md
+++ b/windows/access-protection/hello-for-business/toc.md
@@ -43,4 +43,4 @@
##### [Configure or Deploy Multifactor Authentication Services](hello-cert-trust-deploy-mfa.md)
#### [Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md)
-## [Windows Hello for Businesss Feature](hello-features.md)
\ No newline at end of file
+## [Windows Hello for Business Features](hello-features.md)
\ No newline at end of file
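Review bot: the rename to `Windows Hello for Business Features` is correct, but both the old and new versions end with `\ No newline at end of file`; add the trailing newline so the next edit to this TOC does not produce a noisy diff on the last line.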
diff --git a/windows/application-management/manage-windows-mixed-reality.md b/windows/application-management/manage-windows-mixed-reality.md
index cc3105a21f..d69d0aca40 100644
--- a/windows/application-management/manage-windows-mixed-reality.md
+++ b/windows/application-management/manage-windows-mixed-reality.md
@@ -65,22 +65,22 @@ In the following example, the **Id** can be any generated GUID and the **Name**
text/plain
- <RuleCollection Type="Appx" EnforcementMode="Enabled">
- <FilePublisherRule Id="a9e18c21-ff8f-43cf-b9fc-db40eed693ba" Name="(Default Rule) All signed packaged apps" Description="Allows members of the Everyone group to run packaged apps that are signed." UserOrGroupSid="S-1-1-0" Action="Allow">
- <Conditions>
- <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
- <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
- </FilePublisherCondition>
- </Conditions>
- </FilePublisherRule>
- <FilePublisherRule Id="d26da4e7-0b01-484d-a8d3-d5b5341b2d55" Name="Block Mixed Reality Portal" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
- <Conditions>
- <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Windows.HolographicFirstRun" BinaryName="*">
- <BinaryVersionRange LowSection="*" HighSection="*" />
- </FilePublisherCondition>
- </Conditions>
- </FilePublisherRule>
- </RuleCollection>>
+ <RuleCollection Type="Appx" EnforcementMode="Enabled">
+ <FilePublisherRule Id="a9e18c21-ff8f-43cf-b9fc-db40eed693ba" Name="(Default Rule) All signed packaged apps" Description="Allows members of the Everyone group to run packaged apps that are signed." UserOrGroupSid="S-1-1-0" Action="Allow">
+ <Conditions>
+ <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
+ <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
+ </FilePublisherCondition>
+ </Conditions>
+ </FilePublisherRule>
+ <FilePublisherRule Id="d26da4e7-0b01-484d-a8d3-d5b5341b2d55" Name="Block Mixed Reality Portal" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
+ <Conditions>
+ <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Windows.HolographicFirstRun" BinaryName="*">
+ <BinaryVersionRange LowSection="*" HighSection="*" />
+ </FilePublisherCondition>
+ </Conditions>
+ </FilePublisherRule>
+ </RuleCollection>>
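Review bot: the re-indented block still closes with `</RuleCollection>>`, a doubled `>` that was in the original and survives the reformat. Because this sample is meant to be pasted into the AppLocker CSP as-is, the stray character makes the XML fail to parse; change it to `</RuleCollection>` while the lines are being rewritten. The rule logic itself is sound: AppLocker evaluates an explicit Deny ahead of Allow, so the `Action="Deny"` rule on `Microsoft.Windows.HolographicFirstRun` for `S-1-1-0` overrides the default rule that allows all signed packaged apps.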
diff --git a/windows/client-management/connect-to-remote-aadj-pc.md b/windows/client-management/connect-to-remote-aadj-pc.md
index 6b56d24b8f..d25e2670b7 100644
--- a/windows/client-management/connect-to-remote-aadj-pc.md
+++ b/windows/client-management/connect-to-remote-aadj-pc.md
@@ -9,7 +9,7 @@ ms.pagetype: devices
author: jdeckerms
ms.localizationpriority: medium
ms.author: jdecker
-ms.date: 10/17/2017
+ms.date: 11/28/2017
---
# Connect to remote Azure Active Directory-joined PC
@@ -19,7 +19,7 @@ ms.date: 10/17/2017
- Windows 10
-From its release, Windows 10 has supported remote connections to PCs that are joined to Active Directory. Starting in Windows 10, version 1607, you can also connect to a remote PC that is joined to Azure Active Directory (Azure AD).
+From its release, Windows 10 has supported remote connections to PCs that are joined to Active Directory. Starting in Windows 10, version 1607, you can also connect to a remote PC that is [joined to Azure Active Directory (Azure AD)](https://docs.microsoft.com/azure/active-directory/device-management-azuread-joined-devices-setup).

diff --git a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md
index 34b1af8c9f..88ce730964 100644
--- a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md
+++ b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md
@@ -45,7 +45,7 @@ As indicated in the diagram, Microsoft continues to provide support for deep man
With Windows 10, you can continue to use traditional OS deployment, but you can also “manage out of the box.” To transform new devices into fully-configured, fully-managed devices, you can:
-- Avoid reimaging by using dynamic provisioning, enabled by a cloud-based device management services like [Microsoft Intune](https://docs.microsoft.com/intune/understand-explore/introduction-to-microsoft-intune).
+- Avoid reimaging by using dynamic provisioning, enabled by a cloud-based device management services such as [Microsoft Autopilot] (https://docs.microsoft.com/en-us/windows/deployment/windows-10-auto-pilot) or [Microsoft Intune](https://docs.microsoft.com/intune/understand-explore/introduction-to-microsoft-intune).
- Create self-contained provisioning packages built with the [Windows Configuration Designer](https://technet.microsoft.com/itpro/windows/deploy/provisioning-packages).
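Review bot: the new link `[Microsoft Autopilot] (https://docs.microsoft.com/en-us/windows/deployment/windows-10-auto-pilot)` has a space between `]` and `(`, so Markdown renders the brackets as literal text and the URL as plain text; remove the space. The link text should also match the product name the URL points at, Windows AutoPilot, rather than `Microsoft Autopilot`. While here, the pre-existing phrase `a cloud-based device management services such as` mixes singular and plural; `cloud-based device management services such as` reads correctly.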
diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md
index 623210a376..46ae254e64 100644
--- a/windows/client-management/mdm/TOC.md
+++ b/windows/client-management/mdm/TOC.md
@@ -18,9 +18,9 @@
## [Enterprise app management](enterprise-app-management.md)
## [Device update management](device-update-management.md)
## [Bulk enrollment](bulk-enrollment-using-windows-provisioning-tool.md)
-## [Management tool for the Micosoft Store for Business](management-tool-for-windows-store-for-business.md)
-### [REST API reference for Micosoft Store for Business](rest-api-reference-windows-store-for-business.md)
-#### [Data structures for Micosoft Store for Business](data-structures-windows-store-for-business.md)
+## [Management tool for the Microsoft Store for Business](management-tool-for-windows-store-for-business.md)
+### [REST API reference for Microsoft Store for Business](rest-api-reference-windows-store-for-business.md)
+#### [Data structures for Microsoft Store for Business](data-structures-windows-store-for-business.md)
#### [Get Inventory](get-inventory.md)
#### [Get product details](get-product-details.md)
#### [Get localized product details](get-localized-product-details.md)
@@ -142,6 +142,8 @@
### [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md)
#### [EnterpriseModernAppManagement DDF](enterprisemodernappmanagement-ddf.md)
#### [EnterpriseModernAppManagement XSD](enterprisemodernappmanagement-xsd.md)
+### [eUICCs CSP](euiccs-csp.md)
+#### [eUICCs DDF file](euiccs-ddf-file.md)
### [FileSystem CSP](filesystem-csp.md)
### [Firewall CSP](firewall-csp.md)
#### [Firewall DDF file](firewall-ddf-file.md)
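Review bot: the two new TOC entries point at `euiccs-csp.md` and `euiccs-ddf-file.md`, but neither file appears in this patch as shown. Confirm both exist in the same directory (or are added in this change set), otherwise the build will flag broken TOC links. The placement between EnterpriseModernAppManagement and FileSystem keeps the list alphabetical, which is fine.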
diff --git a/windows/client-management/mdm/applocker-csp.md b/windows/client-management/mdm/applocker-csp.md
index 5ab0e0ff0b..c9a7ca2be4 100644
--- a/windows/client-management/mdm/applocker-csp.md
+++ b/windows/client-management/mdm/applocker-csp.md
@@ -876,29 +876,28 @@ The following example disables the Mixed Reality Portal. In the example, the **I
text/plain
- <RuleCollection Type="Appx" EnforcementMode="Enabled">
- <FilePublisherRule Id="a9e18c21-ff8f-43cf-b9fc-db40eed693ba" Name="(Default Rule) All signed packaged apps" Description="Allows members of the Everyone group to run packaged apps that are signed." UserOrGroupSid="S-1-1-0" Action="Allow">
- <Conditions>
- <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
- <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
- </FilePublisherCondition>
- </Conditions>
- </FilePublisherRule>
- <FilePublisherRule Id="d26da4e7-0b01-484d-a8d3-d5b5341b2d55" Name="Block Mixed Reality Portal" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
- <Conditions>
- <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Windows.HolographicFirstRun" BinaryName="*">
- <BinaryVersionRange LowSection="*" HighSection="*" />
- </FilePublisherCondition>
- </Conditions>
- </FilePublisherRule>
- </RuleCollection>>
+ <RuleCollection Type="Appx" EnforcementMode="Enabled">
+ <FilePublisherRule Id="a9e18c21-ff8f-43cf-b9fc-db40eed693ba" Name="(Default Rule) All signed packaged apps" Description="Allows members of the Everyone group to run packaged apps that are signed." UserOrGroupSid="S-1-1-0" Action="Allow">
+ <Conditions>
+ <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
+ <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
+ </FilePublisherCondition>
+ </Conditions>
+ </FilePublisherRule>
+ <FilePublisherRule Id="d26da4e7-0b01-484d-a8d3-d5b5341b2d55" Name="Block Mixed Reality Portal" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
+ <Conditions>
+ <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Windows.HolographicFirstRun" BinaryName="*">
+ <BinaryVersionRange LowSection="*" HighSection="*" />
+ </FilePublisherCondition>
+ </Conditions>
+ </FilePublisherRule>
+ </RuleCollection>>
-
```
The following example for Windows 10 Mobile denies all apps and allows the following apps:
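Review bot: the same `</RuleCollection>>` defect noted in manage-windows-mixed-reality.md is preserved here: the reformatted example still ends with a doubled `>`, which breaks the XML when the sample is sent through the CSP. Correct it to `</RuleCollection>` in this hunk as well. Removing the orphaned `-` line before the closing fence is a good cleanup.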
diff --git a/windows/client-management/mdm/assignedaccess-csp.md b/windows/client-management/mdm/assignedaccess-csp.md
index bd4a538872..be06a10c27 100644
--- a/windows/client-management/mdm/assignedaccess-csp.md
+++ b/windows/client-management/mdm/assignedaccess-csp.md
@@ -7,17 +7,17 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 10/03/2017
+ms.date: 11/01/2017
---
# AssignedAccess CSP
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
The AssignedAccess configuration service provider (CSP) is used set the device to run in kiosk mode. Once the CSP has been executed, then the next user login that is associated with the kiosk mode puts the device in the kiosk mode running the application specified in the CSP configuration.
-For step-by-step guide for setting up devices to run in kiosk mode, see [Set up a kiosk on Windows 10 Pro, Enterprise, or Education.](http://go.microsoft.com/fwlink/p/?LinkID=722211)
+For a step-by-step guide for setting up devices to run in kiosk mode, see [Set up a kiosk on Windows 10 Pro, Enterprise, or Education.](http://go.microsoft.com/fwlink/p/?LinkID=722211)
+
+ In Windows 10, version 1709, the AssignedAccess configuration service provider (CSP) has been expanded to make it easy for administrators to create kiosks that run more than one app. You can configure multi-app kiosks using a provisioning package. For a step-by-step guide, see [Create a Windows 10 kiosk that runs multiple apps](https://docs.microsoft.com/en-us/windows/configuration/lock-down-windows-10-to-specific-apps).
> [!Note]
> The AssignedAccess CSP is supported in Windows 10 Enterprise and Windows 10 Education. Starting in Windows 10, version 1709 it is also supported in Windows 10 Pro and Windows 10 S.
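Review bot: the new paragraph beginning ` In Windows 10, version 1709, the AssignedAccess configuration service provider (CSP) has been expanded` has a leading space; Markdown tolerates it, but it is inconsistent with the rest of the page and should be removed. The unchanged context sentence `is used set the device to run in kiosk mode` is missing `to` and could be fixed in the same hunk. Dropping the prerelease warning is appropriate given the Note below now documents released support for Windows 10 Pro and Windows 10 S in version 1709.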
@@ -32,6 +32,9 @@ Root node for the CSP.
**./Device/Vendor/MSFT/AssignedAccess/KioskModeApp**
A JSON string that contains the user account name and Application User Model ID (AUMID) of the Kiosk mode app. For more information about how to get the AUMID, follow the information in [this Microsoft website](http://go.microsoft.com/fwlink/p/?LinkId=404220).
+> [!Note]
+> You cannot set both KioskModeApp and Configuration at the same time in the device in Windows 10, version 1709.
+
In Windows 10, version 1607, you can use a provisioned app to configure the kiosk mode. For more information about how to remotely provision an app, see [Enterprise app management](enterprise-app-management.md).
Here's an example:
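Review bot: the new Note `You cannot set both KioskModeApp and Configuration at the same time in the device in Windows 10, version 1709` states the constraint but not the observable behaviour: does the second Add/Replace fail, and with what SyncML status, or does it silently replace the other node? An MDM server author needs that to handle the error path, so add one sentence on what the CSP returns when both are set.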
@@ -40,10 +43,15 @@ Here's an example:
{"Account":"contoso\\kioskuser","AUMID":"Microsoft.Windows.Contoso_cw5n1h2txyewy!Microsoft.ContosoApp.ContosoApp"}
```
+> [!Tip]
+> In this example the double \\\ is only required because it's in json and json escapes \ into \\\\. If MDM server uses json parser\composer, they should only ask customer to type one \\, which will be \\\ in the json. If user types \\\\, it'll be \\\\\\\ in json, which is wrong. For the same reason, domain\account used in Configuration xml does not need \\\ but only one \\, because xml does not (require) escape \\.
+>
+> This comment applies to both domain\account, AzureAD\someone@contoso.onmicrosoft.com, i.e. as long as a \ used in json string.
+
When configuring the kiosk mode app, the account name will be used to find the target user. The account name includes domain name and user name.
-> **Note** The domain name can be optional if the user name is unique across the system.
-
+> [!Note]
+> The domain name can be optional if the user name is unique across the system.
For a local account, the domain name should be the device name. When Get is executed on this node, the domain name is always returned in the output.
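Review bot: the backslash counts in the new Tip (`\\\`, `\\\\`, `\\\\\\\`) are unreliable as written, because Markdown itself treats `\\` as an escaped backslash, so what the reader sees will not match what the author typed. Put each literal in a code span instead and state the rule once: the JSON text `contoso\\kioskuser` denotes the single-backslash account name `contoso\kioskuser`, so a server that composes JSON should accept one backslash from the admin and escape it once, and the `Configuration` XML needs only the single backslash because XML does not escape it. Also `json parser\composer` should be `parser/composer`, and `If MDM server uses` should read `If the MDM server uses`. Converting the old `> **Note**` to `> [!Note]` is good, but the blank line that followed the note was removed, so the next paragraph now runs directly into the quote block.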
@@ -51,7 +59,10 @@ For a local account, the domain name should be the device name. When Get is exec
The supported operations are Add, Delete, Get and Replace. When there's no configuration, the Get and Delete methods fail. When there's already a configuration for kiosk mode app, the Add method fails. The data pattern for Add and Replace is the same.
**./Device/Vendor/MSFT/AssignedAccess/Configuration**
-Added in Windows 10, version 1709. Specifies the settings that you can configure in the kiosk or device. This node accepts an AssignedAccessConfiguration xml as input to configure the device experience. For details about the configuration settings in the XML, see [Overview of the AssignedAccessConfiguration XML](#overview-of-the-assignedaccessconfiguration-xml). Here is the schema for the [AssignedAccessConfiguration](#assignedaccessconfiguration-xsd).
+Added in Windows 10, version 1709. Specifies the settings that you can configure in the kiosk or device. This node accepts an AssignedAccessConfiguration xml as input to configure the device experience. For details about the configuration settings in the XML, see [Create a Windows 10 kiosk that runs multiple apps](https://docs.microsoft.com/en-us/windows/configuration/lock-down-windows-10-to-specific-apps).Here is the schema for the [AssignedAccessConfiguration](#assignedaccessconfiguration-xsd).
+
+> [!Note]
+> You cannot set both KioskModeApp and Configuration at the same time in the device in Windows 10, version 1709.
Enterprises can use this to easily configure and manage the curated lockdown experience.
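Review bot: the rewritten Configuration description is missing a space after the period in `lock-down-windows-10-to-specific-apps).Here is the schema`. Replacing the in-page anchor `#overview-of-the-assignedaccessconfiguration-xml` with a link to the kiosk guide is consistent with removing that section later in this patch, so the cross-reference stays valid.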
@@ -59,7 +70,7 @@ Supported operations are Add, Get, Delete, and Replace.
Deleting the multi-app configuration will remove the assigned access lockdown profiles associated with the users, but it cannot revert all the enforced policies back (e.g. Start Layout).
-## Examples
+## KioskModeApp examples
KioskModeApp Add
@@ -242,170 +253,7 @@ KioskModeApp Replace
```
-## Overview of the AssignedAccessConfiguration XML
-
-Let's start by looking at the basic structure of the XML file.
-
-- A configuration xml can define multiple profiles, each profile has a unique Id and defines a curated set of applications that are allowed to run.
-- A configuration xml can have multiple configs, each config associates a non-admin user account to a default profile Id.
-- A profile has no effect if it’s not associated to a user account.
-
-A profile node has below information:
-
-- Id: a GUID attribute to uniquely identify the Profile.
-- AllowedApps: a node with a list of allowed to run applications, could be UWP apps or desktop apps.
-- StartLayout: a node for startlayout policy xml.
-- Taskbar: a node with a Boolean attribute ShowTaskbar to indicate whether to show taskbar.
-
-You can start your file by pasting the following XML (or any other examples in this doc) into a XML editor, and saving the file as filename.xml.
-
-``` syntax
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-```
-
-### Allowed apps
-
-Based on the purpose of the kiosk device, define the list of applications that are allowed to run. This list can contain both UWP apps and desktop apps, which is used to generate the assigned access AppLocker rules.
-
-- For Windows apps, you need to provide the App User Model ID (AUMID).
- - [Learn how to get the AUMID](https://go.microsoft.com/fwlink/p/?LinkId=614867), or
- - Get the AUMID via the [Start Layout XML](#start-layout).
-- For desktop apps, you need to specify the full path of the executable, which can contain one or more system environment variables in the form of %variableName% (i.e. %systemroot%, %windir%).
-
-Here are the predefined assigned access AppLocker rules:
-
-**For UWP apps**
-
-1. Default rule is to allow all users to launch the signed package apps.
-2. The package app deny list is generated at run time when the assigned access user signs in. Based on the installed/provisioned package apps available for the user account, assigned access generates the deny list. This list will exclude the default allowed inbox package apps which are critical for the system to function, and then exclude the allowed package apps enterprises defined in the assigned access configuration. This deny list will be used to prevent the user from accessing the apps which are available for the user but not in the allowed list.
-
-> [!Note]
-> Assigned access multi-app mode doesn’t block the enterprises or the users from installing UWP apps. When a new UWP app is installed during the current assigned access user session, this app will not be in the deny list. When the user signs out and signs in back next time, it will be included in the deny list. If this is an enterprise deployed LoB app and you want to allow it running, make sure update the assigned access configuration to include it in the allowed app list.
-
-**For Win32 apps**
-
-1. Default rule is to allow all users to launch the desktop programs signed with Microsoft Certificate in order for the system to boot and function. Also the rule allows admin user group to launch all desktop programs.
-2. There is a predefined inbox desktop app deny list for the assigned access user account, and this deny list is adjusted based on the desktop app allow list you defined in the multi-app configuration.
-3. Enterprise defined allowed desktop apps are added in the AppLocker allow list.
-
-The following example makes Groove Music, Movies & TV, Photos, Weather, Calculator, Paint and Notepad apps allowed to run on the device.
-
-``` syntax
-
-
-
-
-
-
-
-
-
-
-
-```
-
-### Start layout
-
-Once you have defined the list of allowed applications, you can customize the Start layout for your kiosk experience. You can choose to pin all the allowed apps on the Start screen or just a subset depending on whether you want the end user to directly access them on the Start.
-
-The easiest way for creating a customized Start layout to apply to other Windows 10 devices is to set up the Start screen on a test device and then export the layout.
-
-A few things to note here:
-
-- The test device on which you customize the Start layout should have the same OS version that is installed on the device you plan to deploy the multi-app assigned access configuration.
-- Since the multi-app assigned access experience is intended for fixed purpose devices, to ensure the device experiences are consistent and predictable, use the full Start layout option instead of the partial Start layout.
-- There are no apps pinned on the taskbar in the multi-app mode, and it is not supported to configure Taskbar layout using the CustomTaskbarLayoutCollection tag in a layout modification XML as part of the assigned access configuration.
-
-The following example pins Groove Music, Movies & TV, Photos, Weather, Calculator, Paint and Notepad apps on Start.
-
-```syntax
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- ]]>
-
-```
-
-For additional information, see [Customize and export Start layout](https://docs.microsoft.com/en-us/windows/configuration/customize-and-export-start-layout)
-
-### Taskbar
-
-Define whether you want to have the taskbar present in the kiosk device. For tablet based or touch enabled All-In-One kiosks, when you don’t attach a keyboard and mouse, you can hide the taskbar as part of the multi-app experience if you want.
-The following example exposes the taskbar to the end user:
-
-``` syntax
-
-```
-The following example hides the taskbar:
-
-``` syntax
-
-```
-
-> [!Note]
-> This is different with the “Automatically hide the taskbar” option in tablet mode which shows the taskbar when swiping up from or moving the mouse pointer down to the bottom of the screen. Setting “ShowTaskbar” as “false” will always hide the taskbar.
-
-### Profiles and configs
-
-In the XML file, you define each profile with a GUID. You can create a GUID using a GUID generator. The GUID just needs to be unique within this XML file.
-
-``` syntax
-
- …
-
-```
-
-Under Configs, define which user account will be associated with the profile. When this user account signs in on the device, the associated assigned access profile will be enforced, including the allowed apps, start layout, taskbar configuration as well as other local group policies/MDM policies set as part of the multi-app experience.
-
-``` syntax
-
-
- MultiAppKioskUser
-
-
-
-```
-
-> [!Note]
-> - The full multi-app assigned access experience can only work for non-admin users. It’s not supported to associate an admin user with the assigned access profile, doing this in the XML file will result unexpected/unsupported experiences when this admin user signs in.
-> - Before applying the multi-app configuration, make sure the specified user account is available on the device, otherwise it will fail.
-
-### Example AssignedAccessConfiguration XML
+## Example AssignedAccessConfiguration XML
``` syntax
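Review bot: the removed overview carried two security-relevant caveats that are not repeated anywhere else on this page after the change: the UWP deny list is generated when the assigned access user signs in, so an app installed during a session is not blocked until the next sign-in (`When a new UWP app is installed during the current assigned access user session, this app will not be in the deny list`), and the profile must only be assigned to a non-admin account (`It's not supported to associate an admin user with the assigned access profile`). Since the CSP page now only links out to the kiosk guide, keep a short Note on these two points near the Configuration node, or confirm the linked topic states them. Promoting `### Example AssignedAccessConfiguration XML` to `##` is correct once its parent section is gone.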
@@ -457,3 +305,258 @@ Under Configs, define which user account will be associated with the profile. Wh
```
+
+## Configuration examples
+
+XML encoding (escaped) and CDATA of the XML in the Data node both ensure that DM client can properly interpret the SyncML and send the configuration xml as string (in original format, unescaped) to AssignedAccess CSP to handle.
+
+Similarly, the StartLayout xml inside the configuration xml is using the same format, xml inside xml as string. In the sample Configuration xml provided above, CDATA is used to embed the StartLayout xml. If you use CDATA to embed configuration xml in SyncML as well, you’ll have nested CDATA so pay attention to how CDATA is used in the provided CDATA sample. With that being said, when the Configuration xml is being constructed, MDM server can either escape start layout xml or put startlayout xml inside CDATA, when MDM server puts configuration xml inside SyncML, MDM server can also either escape it or wrap with CDATA.
+
+Escape and CDATA are mechanisms when handling xml in xml. Consider it’s a transportation channel to send the configuration xml as payload from server to client. It’s transparent to both end user who configures the CSP and transparent to our CSP. Both the customer on the server side and our CSP must only see the original configuration XML.
+
+This example shows escaped XML of the Data node.
+
+```
+
+
+
+ 2
+
+
+ ./Device/Vendor/MSFT/AssignedAccess/Configuration
+
+
+ chr
+
+
+ <?xml version="1.0" encoding="utf-8" ?>
+<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config">
+ <Profiles>
+ <Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}">
+ <AllAppsList>
+ <AllowedApps>
+ <App AppUserModelId="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" />
+ <App AppUserModelId="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" />
+ <App AppUserModelId="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" />
+ <App AppUserModelId="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
+ <App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
+ <App DesktopAppPath="%windir%\system32\mspaint.exe" />
+ <App DesktopAppPath="C:\Windows\System32\notepad.exe" />
+ </AllowedApps>
+ </AllAppsList>
+ <StartLayout>
+ <![CDATA[<LayoutModificationTemplate xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification">
+ <LayoutOptions StartTileGroupCellWidth="6" />
+ <DefaultLayoutOverride>
+ <StartLayoutCollection>
+ <defaultlayout:StartLayout GroupCellWidth="6">
+ <start:Group Name="Group1">
+ <start:Tile Size="4x4" Column="0" Row="0" AppUserModelID="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" />
+ <start:Tile Size="2x2" Column="4" Row="2" AppUserModelID="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" />
+ <start:Tile Size="2x2" Column="4" Row="0" AppUserModelID="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" />
+ <start:Tile Size="2x2" Column="4" Row="4" AppUserModelID="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
+ <start:Tile Size="4x2" Column="0" Row="4" AppUserModelID="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
+ </start:Group>
+ <start:Group Name="Group2">
+ <start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationID="{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\mspaint.exe" />
+ <start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationID="{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\notepad.exe" />
+ </start:Group>
+ </defaultlayout:StartLayout>
+ </StartLayoutCollection>
+ </DefaultLayoutOverride>
+ </LayoutModificationTemplate>
+ ]]>
+ </StartLayout>
+ <Taskbar ShowTaskbar="true"/>
+ </Profile>
+ </Profiles>
+ <Configs>
+ <Config>
+ <Account>MultiAppKioskUser</Account>
+ <DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/>
+ </Config>
+ </Configs>
+</AssignedAccessConfiguration>
+
+
+
+
+
+
+
+```
+This example shows escaped XML of the Data node.
+```
+
+
+
+ 2
+
+
+ ./Device/Vendor/MSFT/AssignedAccess/Configuration
+
+
+ chr
+
+
+ <?xml version="1.0" encoding="utf-8" ?>
+<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config">
+ <Profiles>
+ <Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}">
+ <AllAppsList>
+ <AllowedApps>
+ <App AppUserModelId="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" />
+ <App AppUserModelId="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" />
+ <App AppUserModelId="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" />
+ <App AppUserModelId="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
+ <App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
+ <App DesktopAppPath="%windir%\system32\mspaint.exe" />
+ <App DesktopAppPath="C:\Windows\System32\notepad.exe" />
+ </AllowedApps>
+ </AllAppsList>
+ <StartLayout>
+ <![CDATA[<LayoutModificationTemplate xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification">
+ <LayoutOptions StartTileGroupCellWidth="6" />
+ <DefaultLayoutOverride>
+ <StartLayoutCollection>
+ <defaultlayout:StartLayout GroupCellWidth="6">
+ <start:Group Name="Group1">
+ <start:Tile Size="4x4" Column="0" Row="0" AppUserModelID="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" />
+ <start:Tile Size="2x2" Column="4" Row="2" AppUserModelID="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" />
+ <start:Tile Size="2x2" Column="4" Row="0" AppUserModelID="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" />
+ <start:Tile Size="2x2" Column="4" Row="4" AppUserModelID="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
+ <start:Tile Size="4x2" Column="0" Row="4" AppUserModelID="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
+ </start:Group>
+ <start:Group Name="Group2">
+ <start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationID="{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\mspaint.exe" />
+ <start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationID="{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\notepad.exe" />
+ </start:Group>
+ </defaultlayout:StartLayout>
+ </StartLayoutCollection>
+ </DefaultLayoutOverride>
+ </LayoutModificationTemplate>
+ ]]>
+ </StartLayout>
+ <Taskbar ShowTaskbar="true"/>
+ </Profile>
+ </Profiles>
+ <Configs>
+ <Config>
+ <Account>MultiAppKioskUser</Account>
+ <DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/>
+ </Config>
+ </Configs>
+</AssignedAccessConfiguration>
+
+
+
+
+
+
+
+```
+
+This example uses CData for the XML.
+```
+
+
+
+ 2
+
+
+ ./Device/Vendor/MSFT/AssignedAccess/Configuration
+
+
+ chr
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ]]]]>
+
+
+
+
+
+
+ MultiAppKioskUser
+
+
+
+
+]]>
+
+
+
+
+
+
+```
+
+Example of Get command that returns the configuration in the device.
+```
+
+
+
+ 2
+
+
+ ./Device/Vendor/MSFT/AssignedAccess/Configuration
+
+
+
+
+
+
+```
+
+Example of the Delete command.
+```
+
+
+
+ 2
+
+
+ ./Device/Vendor/MSFT/AssignedAccess/Configuration
+
+
+
+
+
+
+```
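Review bot: the block introduced by "This example shows escaped XML of the Data node." shows the Data payload with raw `<` and `>` rather than `&lt;`/`&gt;`, so as rendered it is indistinguishable from the CDATA variant that follows; either render the entities literally or retitle the block. In the CDATA variant the inner StartLayout terminator survives as `]]]]>`, which is only correct if the inner `]]>` was split (`]]]]><![CDATA[>`) so it does not close the outer Data CDATA early; verify that this renders intact and add a sentence telling readers that a nested CDATA section must be split this way, because an unsplit `]]>` silently truncates the configuration and the kiosk profile that gets applied is not the one the admin reviewed. Also, the AllowedApps list uses `%windir%\system32\mspaint.exe` for one desktop app and `C:\Windows\System32\notepad.exe` for the other; use one form, or state that both are accepted, so readers do not guess which the allow-list matcher honours.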
diff --git a/windows/client-management/mdm/assignedaccess-ddf.md b/windows/client-management/mdm/assignedaccess-ddf.md
index a5f029da79..564378ac63 100644
--- a/windows/client-management/mdm/assignedaccess-ddf.md
+++ b/windows/client-management/mdm/assignedaccess-ddf.md
@@ -7,13 +7,11 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 07/27/2017
+ms.date: 11/01/2017
---
# AssignedAccess DDF
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
This topic shows the OMA DM device description framework (DDF) for the **AssignedAccess** configuration service provider. DDF files are used only with OMA DM provisioning XML.
diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md
index 6b49909e86..9cfb6cc0bb 100644
--- a/windows/client-management/mdm/bitlocker-csp.md
+++ b/windows/client-management/mdm/bitlocker-csp.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 08/28/2017
+ms.date: 10/16/2017
---
# BitLocker CSP
@@ -32,6 +32,27 @@ The following diagram shows the BitLocker configuration service provider in tree
**RequireStorageCardEncryption**
Allows the administrator to require storage card encryption on the device. This policy is valid only for a mobile SKU.
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
Data type is integer. Sample value for this node to enable this policy: 1. Disabling this policy will not turn off the encryption on the storage card, but the user will no longer be prompted to turn it on.
- 0 (default) – Storage cards do not need to be encrypted.
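Review bot: the SKU table added for RequireStorageCardEncryption has to agree with the context sentence two lines above it, "This policy is valid only for a mobile SKU": the check marks are not visible in this hunk, so confirm that only the Mobile and Mobile Enterprise cells are marked supported and that Home, Pro, Business, Enterprise and Education are marked unsupported, otherwise the table contradicts the text.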
@@ -66,6 +87,27 @@ The following diagram shows the BitLocker configuration service provider in tree
Allows the administrator to require encryption to be turned on by using BitLocker\Device Encryption.
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
Data type is integer. Sample value for this node to enable this policy: 1. Disabling this policy will not turn off the encryption on the system card, but the user will no longer be prompted to turn it on.
If you want to disable this policy use the following SyncML:
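Review bot: the context sentence "Disabling this policy will not turn off the encryption on the system card" looks copied from the storage-card node; RequireDeviceEncryption concerns the OS drive (BitLocker\Device Encryption, per the line above), so it should read "system drive". Since this hunk adds the SKU table directly above it, fix it in the same change.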
@@ -105,7 +147,7 @@ The following diagram shows the BitLocker configuration service provider in tree
-
+
@@ -183,7 +225,7 @@ The following diagram shows the BitLocker configuration service provider in tree
-
+
@@ -280,7 +322,7 @@ The following diagram shows the BitLocker configuration service provider in tree
-
+
@@ -349,7 +391,7 @@ The following diagram shows the BitLocker configuration service provider in tree
-
+
@@ -430,7 +472,7 @@ The following diagram shows the BitLocker configuration service provider in tree
-
+
@@ -528,7 +570,7 @@ The following diagram shows the BitLocker configuration service provider in tree
-
+
@@ -627,7 +669,7 @@ The following diagram shows the BitLocker configuration service provider in tree
-
+
@@ -689,7 +731,7 @@ The following diagram shows the BitLocker configuration service provider in tree
-
+
@@ -752,6 +794,27 @@ The following diagram shows the BitLocker configuration service provider in tree
Allows the Admin to disable the warning prompt for other disk encryption on the user machines.
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
+
+
+
+
+
+
+
+
The following list shows the supported values:
- 0 – Disables the warning prompt.
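Review bot: the supported-values list under the new DisableWarningForOtherDiskEncryption table starts with "0 – Disables the warning prompt" but does not mark which value is the default; the RequireStorageCardEncryption list in this file writes "0 (default)", so use the same convention here so admins can tell whether the warning is shown unless they turn it off.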
diff --git a/windows/client-management/mdm/clientcertificateinstall-csp.md b/windows/client-management/mdm/clientcertificateinstall-csp.md
index 587a1318fc..31a0842f21 100644
--- a/windows/client-management/mdm/clientcertificateinstall-csp.md
+++ b/windows/client-management/mdm/clientcertificateinstall-csp.md
@@ -43,7 +43,7 @@ The following image shows the ClientCertificateInstall configuration service pro
The data type format is node.
-
Supported operations are Get, Add, and Delete .
+
Supported operations are Get, Add, and Replace.
Calling Delete on this node should delete the certificates and the keys that were installed by the corresponding PFX blob.
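Review bot: this hunk changes "Supported operations are Get, Add, and Delete" to "Get, Add, and Replace", yet the next line still says "Calling Delete on this node should delete the certificates and the keys that were installed by the corresponding PFX blob." One of the two is wrong: if Delete is supported it belongs in the list ("Get, Add, Delete, and Replace", as the other nodes in this change now read); if it is not, drop the Delete sentence so an administrator does not rely on a cleanup operation the CSP rejects and leave a PFX-installed key on the device.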
@@ -67,7 +67,7 @@ The following image shows the ClientCertificateInstall configuration service pro
Date type is string.
-
Supported operations are Get, Add, and Replace.
+
Supported operations are Get, Add, Delete, and Replace.
**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertBlob**
CRYPT\_DATA\_BLOB structure that contains a PFX packet with the exported and encrypted certificates and keys. The Add operation triggers the addition to the PFX certificate. This requires that all the other nodes under UniqueID that are parameters for PFX installation (Container Name, KeyLocation, CertPassword, KeyExportable) are present before this is called. This also sets the Status node to the current Status of the operation.
@@ -142,7 +142,6 @@ The following image shows the ClientCertificateInstall configuration service pro
**ClientCertificateInstall/SCEP/****_UniqueID_**
A unique ID to differentiate different certificate installation requests.
-
Supported operations are Get, Add, Replace, and Delete.
**ClientCertificateInstall/SCEP/*UniqueID*/Install**
A node required for SCEP certificate enrollment. Parent node to group SCEP cert installation related requests.
@@ -157,14 +156,14 @@ The following image shows the ClientCertificateInstall configuration service pro
Data type is string.
-
Supported operations are Get, Add, and Replace.
+
Supported operations are Get, Add, Delete, and Replace.
**ClientCertificateInstall/SCEP/*UniqueID*/Install/Challenge**
Required for SCEP certificate enrollment. B64 encoded SCEP enrollment challenge. Challenge is deleted shortly after the Exec command is accepted.
Data type is string.
-
Supported operations are Add, Get, and Replace.
+
Supported operations are Add, Get, Delete, and Replace.
**ClientCertificateInstall/SCEP/*UniqueID*/Install/EKUMapping**
Required. Specifies extended key usages. Subject to SCEP server configuration. The list of OIDs are separated by a plus **+**. For example, *OID1*+*OID2*+*OID3*.
@@ -174,7 +173,7 @@ Data type is string.
Data type is int.
-
Supported operations are Add, Get, and Replace.
+
Supported operations are Add, Get, Delete, and Replace.
**ClientCertificateInstall/SCEP/*UniqueID*/Install/SubjectName**
Required. Specifies the subject name.
@@ -199,7 +198,12 @@ Data type is string.
| 4 | Private key protected by Windows Hello for Business (formerly known as Microsoft Passport for Work). If this option is specified, the ContainerName must be specifed, otherwise enrollment will fail. |
-
Supported operations are Add, Get, and Replace.
+
Supported operations are Add, Get, Delete, and Replace.
+
+**ClientCertificateInstall/SCEP/*UniqueID*/Install/KeyUsage**
+
Required for enrollment. Specify the key usage bits (0x80, 0x20, 0xA0, etc.) for the certificate in decimal format. The value should at least have second (0x20) or forth (0x80) or both bits set. If the value doesn’t have those bits set, configuration will fail.
+
+
Supported operations are Add, Get, Delete, and Replace. Value type is integer.
**ClientCertificateInstall/SCEP/*UniqueID*/Install/RetryDelay**
Optional. When the SCEP server sends a pending status, this value specifies the device retry waiting time in minutes.
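Review bot: in the new KeyUsage node the ordinals do not match the masks: in the X.509 KeyUsage bit string 0x80 is digitalSignature (bit 0) and 0x20 is keyEncipherment (bit 2), so "second (0x20) or forth (0x80)" should name the usages instead, and "forth" is "fourth" if an ordinal is kept. Because the node expects the value in decimal, give the decimal equivalents alongside the hex (0x80 = 128, 0x20 = 32, 0xA0 = 160) so readers do not mistype the mask and get the "configuration will fail" result without knowing why.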
@@ -210,7 +214,7 @@ Data type is string.
The minimum value is 1.
-
Supported operations are Add, Get, and Replace.
+
Supported operations are Add, Get, Delete, and Replace.
**ClientCertificateInstall/SCEP/*UniqueID*/Install/RetryCount**
Optional. Unique to SCEP. Specifies the device retry times when the SCEP server sends a pending status.
@@ -223,7 +227,7 @@ Data type is string.
Minimum value is 0, which indicates no retry.
-
Supported operations are Add, Get, and Replace.
+
Supported operations are Add, Get, Delete, and Replace.
**ClientCertificateInstall/SCEP/*UniqueID*/Install/TemplateName**
Optional. OID of certificate template name.
@@ -233,7 +237,7 @@ Data type is string.
Data type is string.
-
Supported operations are Add, Get, and Replace.
+
Supported operations are Add, Get, Delete, and Replace.
**ClientCertificateInstall/SCEP/*UniqueID*/Install/KeyLength**
Required for enrollment. Specify private key length (RSA).
@@ -244,7 +248,7 @@ Data type is string.
For Windows Hello for Business (formerly known as Microsoft Passport for Work) , only 2048 is the supported key length.
-
Supported operations are Add, Get, and Replace.
+
Supported operations are Add, Get, Delete, and Replace.
**ClientCertificateInstall/SCEP/*UniqueID*/Install/HashAlgorithm**
Required. Hash algorithm family (SHA-1, SHA-2, SHA-3) specified by MDM server. If multiple hash algorithm families are specified, they must be separated with **+**.
@@ -253,14 +257,14 @@ Data type is string.
Data type is string.
-
Supported operations are Add, Get, and Replace.
+
Supported operations are Add, Get, Delete, and Replace.
**ClientCertificateInstall/SCEP/*UniqueID*/Install/CAThumbprint**
Required. Specifies Root CA thumbprint. This is a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. When client authenticates the SCEP server, it checks the CA certificate from the SCEP server to verify a match with this certificate. If it is not a match, the authentication will fail.
Data type is string.
-
Supported operations are Add, Get, and Replace.
+
Supported operations are Add, Get, Delete, and Replace.
**ClientCertificateInstall/SCEP/*UniqueID*/Install/SubjectAlternativeNames**
Optional. Specifies subject alternative names (SAN). Multiple alternative names can be specified by this node. Each name is the combination of name format+actual name. Refer to the name type definitions in MSDN for more information.
@@ -269,7 +273,7 @@ Data type is string.
Data type is string.
-
Supported operations are Add, Get, and Replace.
+
Supported operations are Add, Get, Delete, and Replace.
**ClientCertificateInstall/SCEP/*UniqueID*/Install/ValidPeriod**
Optional. Specifies the units for the valid certificate period.
@@ -285,7 +289,7 @@ Data type is string.
> **Note** The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPeriod) to the SCEP server as part of certificate enrollment request. Depending on the server configuration, the server defines how to use this valid period to create the certificate.
-
Supported operations are Add, Get, and Replace.
+
Supported operations are Add, Get, Delete, and Replace.
**ClientCertificateInstall/SCEP/*UniqueID*/Install/ValidPeriodUnits**
Optional. Specifies the desired number of units used in the validity period. This is subject to SCEP server configuration. Default value is 0. The unit type (days, months, or years) are defined in the ValidPeriod node. Note the valid period specified by MDM will overwrite the valid period specified in the certificate template. For example, if ValidPeriod is Days and ValidPeriodUnits is 30, it means the total valid duration is 30 days.
@@ -295,21 +299,21 @@ Data type is string.
>**Note** The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPeriod) to the SCEP server as part of certificate enrollment request. Depending on the server configuration, the server defines how to use this valid period to create the certificate.
-
Supported operations are Add, Get, and Replace.
+
Supported operations are Add, Get, Delete, and Replace.
**ClientCertificateInstall/SCEP/*UniqueID*/Install/ContainerName**
Optional. Specifies the Windows Hello for Business container name (if Windows Hello for Business KSP is chosen for the node). If this node is not specified when Windows Hello for Business KSP is chosen, the enrollment will fail.
Data type is string.
-
Supported operations are Add, Get, and Replace.
+
Supported operations are Add, Get, Delete, and Replace.
**ClientCertificateInstall/SCEP/*UniqueID*/Install/CustomTextToShowInPrompt**
Optional. Specifies the custom text to show on the Windows Hello for Business PIN prompt during certificate enrollment. The admin can choose to provide more contextual information in this field for why the user needs to enter the PIN and what the certificate will be used for.
Data type is string.
-
Supported operations are Add, Get, and Replace.
+
Supported operations are Add, Get, Delete, and Replace.
**ClientCertificateInstall/SCEP/*UniqueID*/Install/Enroll**
Required. Triggers the device to start the certificate enrollment. The device will not notify MDM server after certificate enrollment is done. The MDM server could later query the device to find out whether new certificate is added.
diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md
index fd5460395b..5ebdcca10d 100644
--- a/windows/client-management/mdm/configuration-service-provider-reference.md
+++ b/windows/client-management/mdm/configuration-service-provider-reference.md
@@ -7,13 +7,11 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 09/19/2017
+ms.date: 11/01/2017
---
# Configuration service provider reference
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
A configuration service provider (CSP) is an interface to read, set, modify, or delete configuration settings on the device. These settings map to registry keys or files. Some configuration service providers support the WAP format, some support SyncML, and some support both. SyncML is only used over–the–air for Open Mobile Alliance Device Management (OMA DM), whereas WAP can be used over–the–air for OMA Client Provisioning, or it can be included in the phone image as a .provxml file that is installed during boot.
diff --git a/windows/client-management/mdm/device-update-management.md b/windows/client-management/mdm/device-update-management.md
index 68de7f9bb2..f5b94518b9 100644
--- a/windows/client-management/mdm/device-update-management.md
+++ b/windows/client-management/mdm/device-update-management.md
@@ -54,7 +54,7 @@ This section describes how this is done. The following diagram shows the server-
MSDN provides much information about the Server-Server sync protocol. In particular:
- It is a SOAP-based protocol, and you can get the WSDL in [Server Sync Web Service](http://go.microsoft.com/fwlink/p/?LinkId=526727). The WSDL can be used to generate calling proxies for many programming environments, which will simplify your development.
-- You can find code samples in [Protocol Examples](http://go.microsoft.com/fwlink/p/?LinkId=526720). The sample code shows raw SOAP commands, which can be used. Although it’s even simpler to make the call from a programming language like .NET (calling the WSDL-generated proxies). The stub generated by the Server Sync WSDL from the MSDN link above generates an incorrect binding URL. The binding URL should be set to https://sws.update.microsoft.com/ServerSyncWebService/serversyncwebservice.asmx.
+- You can find code samples in [Protocol Examples](http://go.microsoft.com/fwlink/p/?LinkId=526720). The sample code shows raw SOAP commands, which can be used. Although it’s even simpler to make the call from a programming language like .NET (calling the WSDL-generated proxies). The stub generated by the Server Sync WSDL from the MSDN link above generates an incorrect binding URL. The binding URL should be set to https://fe2.update.microsoft.com/v6/ServerSyncWebService/serversyncwebservice.asmx.
Some important highlights:
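Review bot: the binding URL is corrected to https://fe2.update.microsoft.com/v6/ServerSyncWebService/serversyncwebservice.asmx, but the sentence still attributes the wrong host to "the stub generated by the Server Sync WSDL" without saying which WSDL version or date produces it; state that, and say whether the former sws.update.microsoft.com address still answers, so readers who hard-coded the old host know this is an endpoint move rather than a typo fix.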
diff --git a/windows/client-management/mdm/devicemanageability-csp.md b/windows/client-management/mdm/devicemanageability-csp.md
index 684988216b..3ddbb3dcaa 100644
--- a/windows/client-management/mdm/devicemanageability-csp.md
+++ b/windows/client-management/mdm/devicemanageability-csp.md
@@ -7,15 +7,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 08/10/2017
+ms.date: 11/01/2017
---
# DeviceManageability CSP
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
The DeviceManageability configuration service provider (CSP) is used retrieve the general information about MDM configuration capabilities on the device. This CSP was added in Windows 10, version 1607.
For performance reasons DeviceManageability CSP directly reads the CSP version from the registry. Specifically, the value csp\_version is used to determine each of the CSP versions. The csp\_version is a value under each of the CSP registration keys. To have consistency on the CSP version, the CSP GetProperty implementation for CFGMGR\_PROPERTY\_SEMANTICTYPE has to be updated to read from the registry as well, so that the both paths return the same information.
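Review bot: the intro context line reads "is used retrieve the general information"; while the prerelease banner is being removed here, add the missing "to" ("is used to retrieve"), and in the next paragraph "so that the both paths return" should be "so that both paths return".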
diff --git a/windows/client-management/mdm/devicemanageability-ddf.md b/windows/client-management/mdm/devicemanageability-ddf.md
index a1f646623e..fa092bca10 100644
--- a/windows/client-management/mdm/devicemanageability-ddf.md
+++ b/windows/client-management/mdm/devicemanageability-ddf.md
@@ -7,15 +7,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 08/10/2017
+ms.date: 11/01/2017
---
# DeviceManageability DDF
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
This topic shows the OMA DM device description framework (DDF) for the DeviceManageability configuration service provider. This CSP was added in Windows 10, version 1607.
You can download the DDF files from the links below:
diff --git a/windows/client-management/mdm/devicestatus-csp.md b/windows/client-management/mdm/devicestatus-csp.md
index 2d8c6f0b32..df99bcf53d 100644
--- a/windows/client-management/mdm/devicestatus-csp.md
+++ b/windows/client-management/mdm/devicestatus-csp.md
@@ -7,13 +7,11 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 06/19/2017
+ms.date: 11/01/2017
---
# DeviceStatus CSP
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
The DeviceStatus configuration service provider is used by the enterprise to keep track of device inventory and query the state of compliance of these devices with their enterprise policies.
diff --git a/windows/client-management/mdm/devicestatus-ddf.md b/windows/client-management/mdm/devicestatus-ddf.md
index b9e8608716..d9d8d40156 100644
--- a/windows/client-management/mdm/devicestatus-ddf.md
+++ b/windows/client-management/mdm/devicestatus-ddf.md
@@ -7,13 +7,11 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 07/24/2017
+ms.date: 11/01/2017
---
# DeviceStatus DDF
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
This topic shows the OMA DM device description framework (DDF) for the **DeviceStatus** configuration service provider. DDF files are used only with OMA DM provisioning XML.
diff --git a/windows/client-management/mdm/dmclient-csp.md b/windows/client-management/mdm/dmclient-csp.md
index e0b8f44952..ea3c312239 100644
--- a/windows/client-management/mdm/dmclient-csp.md
+++ b/windows/client-management/mdm/dmclient-csp.md
@@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 06/19/2017
+ms.date: 10/30/2017
---
# DMClient CSP
@@ -252,6 +252,11 @@ Optional. Added in Windows 10, version 1703. Specify the Discovery server URL o
Supported operations are Add, Delete, Get, and Replace. Value type is string.
+**Provider/*ProviderID*/NumberOfDaysAfterLostContactToUnenroll**
+Optional. Number of days after last sucessful sync to unenroll.
+
+Supported operations are Add, Delete, Get, and Replace. Value type is integer.
+
**Provider/*ProviderID*/Poll**
Optional. Polling schedules must utilize the DMClient CSP. The Registry paths previously associated with polling using the Registry CSP are now deprecated.
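Review bot: "sucessful" should be "successful" in the NumberOfDaysAfterLostContactToUnenroll description, and the node needs its semantics stated: the default, the valid range, and which value (0, or the node absent) disables automatic unenrollment, since a low value set by mistake would silently unenroll every device that misses a few syncs. A pointer to the Unenroll node further down, which says what unenrollment removes, would also help.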
@@ -639,6 +644,90 @@ Optional. Added in Windows 10, version 1703. Specifies the display text for the
Supported operations are Add, Delete, Get, and Replace. Value type is string.
+**Provider/*ProviderID*/FirstSyncStatus**
+Optional node. Added in Windows 10, version 1709.
+
+**Provider/*ProviderID*/FirstSyncStatus/ExpectedPolicies**
+Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to policies the management service provider expects to provision, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER).
+
+Supported operations are Add, Delete, Get, and Replace. Value type is string.
+
+**Provider/*ProviderID*/FirstSyncStatus/ExpectedNetworkProfiles**
+Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to Wi-Fi profiles and VPN profiles the the management service provider expects to provision, delimited by the character L"\xF000".
+
+Supported operations are Add, Delete, Get, and Replace. Value type is string.
+
+**Provider/*ProviderID*/FirstSyncStatus/ExpectedMSIAppPackages**
+Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to App Packages the management service provider expects to provision via EnterpriseDesktopAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the amount of apps included in the App Package. We will not verify that number. For example, `./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID1/Status;4"\xF000" ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID2/Status;2` This represents App Package ProductID1 containing 4 apps, and ProductID2 containing 2 apps.
+
+Supported operations are Add, Delete, Get, and Replace. Value type is string.
+
+**Provider/*ProviderID*/FirstSyncStatus/ExpectedModernAppPackages**
+Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to App Packages the management service provider expects to provision via EnterpriseModernAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the amount of apps included in the App Package. We will not verify that number. For example,
+
+``` syntax
+./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName/Name;4"\xF000"
+./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName2/Name;2
+```
+
+This represents App Package PackageFullName containing 4 apps, and PackageFullName2 containing 2 apps.
+
+Supported operations are Add, Delete, Get, and Replace. Value type is string.
+
+**Provider/*ProviderID*/FirstSyncStatus/ExpectedPFXCerts**
+Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to certs the management service provider expects to provision via ClientCertificateInstall CSP, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER).
+
+Supported operations are Add, Delete, Get, and Replace. Value type is string.
+
+**Provider/*ProviderID*/FirstSyncStatus/ExpectedSCEPCerts**
+Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to SCEP certs the management service provider expects to provision via ClientCertificateInstall CSP, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER).
+
+Supported operations are Add, Delete, Get, and Replace. Value type is string.
+
+**Provider/*ProviderID*/FirstSyncStatus/TimeOutUntilSyncFailure**
+Required. Added in Windows 10, version 1709. This node determines how long we will poll until we surface an error message to the user. The unit of measurement is minutes. Default value will be 60, while maximum value will be 1,440 (one day).
+
+Supported operations are Get and Replace. Value type is integer.
+
+**Provider/*ProviderID*/FirstSyncStatus/ServerHasFinishedProvisioning**
+Required. Added in Windows 10, version 1709. This node is set by the server to inform the UX that the server has finished provisioning the device. This was added so that the server can “change its mind" about what it needs to provision on the device. When this node is set, many other DM Client nodes will no longer be able to be changed. If this node is not True, the UX will consider the provisioning a failure. Once set to true, it would reject attempts to change it back to false with CFGMGR_E_COMMANDNOTALLOWED.
+
+Supported operations are Get and Replace. Value type is boolean.
+
+**Provider/*ProviderID*/FirstSyncStatus/IsSyncDone**Required. Added in Windows 10, version 1709. This node, when doing a get, tells the server if the “First Syncs" are done and the device is fully provisioned. When doing a Set, this triggers the UX to override whatever state it is in and tell the user that the device is provisioned. It cannot be set from True to False (it will not change its mind on whether or not the sync is done), and it cannot be set from True to True (to prevent notifications from firing multiple times).
+
+Supported operations are Get and Replace. Value type is boolean.
+
+**Provider/*ProviderID*/FirstSyncStatus/WasDeviceSuccessfullyProvisioned**
+Required. Added in Windows 10, version 1709. Integer node determining if a device was successfully provisioned. 0 is failure, 1 is success, 2 is in progress. Once the value is changed to 0 or 1, the value cannot be changed again. The client will change the value of success or failure and update the node. The server can, however, force a failure or success message to appear on the device by setting this value and then setting the IsSyncDone node to true.
+
+Supported operations are Get and Replace. Value type is integer.
+
+**Provider/*ProviderID*/EnhancedAppLayerSecurity**
+Required node. Added in Windows 10, version 1709.
+
+Supported operation is Get.
+
+**Provider/*ProviderID*/EnhancedAppLayerSecurity/SecurityMode**
+Required. Added in Windows 10, version 1709. This node specifies how the client will perform the app layer signing and encryption. 0: no op; 1: sign only; 2: encrypt only; 3: sign and encrypt. The default value is 0.
+
+Supported operations are Add, Get, Replace, and Delete. Value type is integer.
+
+**Provider/*ProviderID*/EnhancedAppLayerSecurity/UseCertIfRevocationCheckOffline**
+Required. Added in Windows 10, version 1709. This node, when it is set, tells the client to use the certificate even when the client cannot check the certificate's revocation status because the device is offline. The default value is set.
+
+Supported operations are Add, Get, Replace, and Delete. Value type is boolean.
+
+**Provider/*ProviderID*/EnhancedAppLayerSecurity/Cert0**
+Required. Added in Windows 10, version 1709. The node contains the primary certificate - the public key to use.
+
+Supported operations are Add, Get, Replace, and Delete. Value type is string.
+
+**Provider/*ProviderID*/EnhancedAppLayerSecurity/Cert1**
+Required. Added in Windows 10, version 1709. The node contains the secondary certificate - the public key to use.
+
+Supported operations are Add, Get, Replace, and Delete. Value type is string.
+
**Provider/*ProviderID*/Unenroll**
Required. The node accepts unenrollment requests by way of the OMA DM Exec command and calls the enrollment client to unenroll the device from the management server whose provider ID is specified in the `` tag under the `` element. Scope is permanent.
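Review bot: UseCertIfRevocationCheckOffline says "The default value is set", which is ambiguous for a boolean; write "The default is true" and spell out the consequence: with the default the client keeps using Cert0/Cert1 for app-layer signing and encryption when it cannot check revocation because the device is offline, so administrators who require a hard failure on unknown revocation status must set it to false explicitly. Cert0 and Cert1 are typed "string" with no format given (thumbprint of an installed certificate, or base64 DER?); add the format. Smaller fixes: "the the" in ExpectedNetworkProfiles, and the IsSyncDone heading runs straight into its description (missing line break after the closing `**`), unlike its sibling nodes.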
diff --git a/windows/client-management/mdm/dmclient-ddf-file.md b/windows/client-management/mdm/dmclient-ddf-file.md
index f328b3861d..9e03082567 100644
--- a/windows/client-management/mdm/dmclient-ddf-file.md
+++ b/windows/client-management/mdm/dmclient-ddf-file.md
@@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 06/19/2017
+ms.date: 10/30/2017
---
# DMClient DDF file
@@ -20,1071 +20,1450 @@ You can download the DDF files from the links below:
- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip)
- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip)
-The XML below is the current version for this CSP.
+The XML below is for Windows 10, version 1907.
``` syntax
-]>
-
- 1.2
-
+
+ 1.2
+ DMClient./Vendor/MSFT
-
-
-
-
-
-
-
-
-
-
-
-
-
- com.microsoft/1.3/MDM/DMClient
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+ com.microsoft/1.4/MDM/DMClient
+
- Provider
+ Provider
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
- EntDeviceName
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- ExchangeID
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- EntDMID
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- SignedEntDMID
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- CertRenewTimeStamp
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
-
- PublisherDeviceID
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
-
- ManagementServiceAddress
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- UPN
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- HelpPhoneNumber
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- HelpWebsite
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- HelpEmailAddress
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- RequireMessageSigning
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- SyncApplicationVersion
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- MaxSyncApplicationVersion
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- Unenroll
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- AADResourceID
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- AADDeviceID
-
-
-
-
- Device ID used for AAD device registration
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- EnrollmentType
-
-
-
-
- Type of MDM enrollment
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- EnableOmaDmKeepAliveMessage
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- HWDevID
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- ManagementServerAddressList
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- CommercialID
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- ManagementServerToUpgradeTo
-
-
-
-
-
-
-
- Specify the Discovery server URL of the MDM server to upgrade to for a MAM enrolled device
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- Push
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- PFN
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- ChannelURI
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- Status
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
-
- Poll
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- IntervalForFirstSetOfRetries
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- NumberOfFirstRetries
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- IntervalForSecondSetOfRetries
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- NumberOfSecondRetries
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- IntervalForRemainingScheduledRetries
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- NumberOfRemainingScheduledRetries
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- PollOnLogin
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- AllUsersPollOnFirstLogin
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
-
- CustomEnrollmentCompletePage
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Title
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- BodyText
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- HyperlinkHref
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- HyperlinkText
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
-
-
-
- Unenroll
-
+ EntDeviceName
+
-
-
+
+
+
+
-
+
-
+
-
+
- text/plain
+ text/plain
-
-
-
- UpdateManagementServiceAddress
-
+
+
+
+ ExchangeID
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ EntDMID
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ SignedEntDMID
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ CertRenewTimeStamp
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+
+ PublisherDeviceID
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+
+ ManagementServiceAddress
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ UPN
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ HelpPhoneNumber
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ HelpWebsite
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ HelpEmailAddress
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ RequireMessageSigning
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ SyncApplicationVersion
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ MaxSyncApplicationVersion
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ Unenroll
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ AADResourceID
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ AADDeviceID
+
+
+
+
+ Device ID used for AAD device registration
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ EnrollmentType
+
+
+
+
+ Type of MDM enrollment
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ EnableOmaDmKeepAliveMessage
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ HWDevID
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ ManagementServerAddressList
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ CommercialID
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ ManagementServerToUpgradeTo
+
+
+
+
+
+
+
+ Specify the Discovery server URL of the MDM server to upgrade to for a MAM enrolled device
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ NumberOfDaysAfterLostContactToUnenroll
+
+
+
+
+
+
+
+ Number of days after last sucessful sync to unenroll
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ Push
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ PFN
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ ChannelURI
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ Status
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+
+ Poll
+
+
+
+
+
-
+
-
+
-
+
- text/plain
+
-
+
+
+ IntervalForFirstSetOfRetries
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ NumberOfFirstRetries
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ IntervalForSecondSetOfRetries
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ NumberOfSecondRetries
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ IntervalForRemainingScheduledRetries
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ NumberOfRemainingScheduledRetries
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ PollOnLogin
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ AllUsersPollOnFirstLogin
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+
+ CustomEnrollmentCompletePage
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Title
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ BodyText
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ HyperlinkHref
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ HyperlinkText
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+
+ FirstSyncStatus
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ExpectedPolicies
+
+
+
+
+
+
+
+ This node contains a list of LocURIs that refer to Policies the ISV expects to provision, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER).
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ ExpectedNetworkProfiles
+
+
+
+
+
+
+
+ This node contains a list of LocURIs that refer to Wi-Fi profiles and VPN profiles the ISV expects to provision, delimited by the character L"\xF000".
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ ExpectedMSIAppPackages
+
+
+
+
+
+
+
+ This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseDesktopAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the amount of apps included in the App Package. We will not verify that number. E.G. ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID1/Status;4"\xF000" ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID2/Status;2 Which will represent that App Package ProductID1 contains 4 apps, whereas ProductID2 contains 2 apps.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ ExpectedModernAppPackages
+
+
+
+
+
+
+
+ This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseModernAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the amount of apps included in the App Package. We will not verify that number. E.G. ./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName/Name;4"\xF000" ./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName2/Name;2 Which will represent that App Package PackageFullName contains 4 apps, whereas PackageFullName2 contains 2 apps.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ ExpectedPFXCerts
+
+
+
+
+
+
+
+ This node contains a list of LocURIs that refer to certs the ISV expects to provision via ClientCertificateInstall CSP, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER).
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ ExpectedSCEPCerts
+
+
+
+
+
+
+
+ This node contains a list of LocURIs that refer to SCEP certs the ISV expects to provision via ClientCertificateInstall CSP, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER).
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ TimeOutUntilSyncFailure
+
+
+
+
+
+ This node determines how long we will poll until we surface an error message to the user. The unit of measurement is minutes. Default value will be 60, while maximum value will be 1,440 (one day).
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ ServerHasFinishedProvisioning
+
+
+
+
+
+ This node is set by the server to inform the UX that the server has finished provisioning the device. This was added so that the server can “change its mind" about what it needs to provision on the device. When this node is set, many other DM Client nodes will no longer be able to be changed. If this node is not True, the UX will consider the provisioning a failure. Once set to true, it would reject attempts to change it back to false with CFGMGR_E_COMMANDNOTALLOWED.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ IsSyncDone
+
+
+
+
+
+ This node, when doing a get, tells the server if the “First Syncs" are done and the device is fully provisioned. When doing a Set, this triggers the UX to override whatever state it is in and tell the user that the device is provisioned. It cannot be set from True to False (it will not change its mind on whether or not the sync is done), and it cannot be set from True to True (to prevent notifications from firing multiple times).
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ WasDeviceSuccessfullyProvisioned
+
+
+
+
+
+ Integer node determining if a Device was Successfully provisioned. 0 is failure, 1 is success, 2 is in progress. Once the value is changed to 0 or 1, the value cannot be changed again. The client will change the value of success or failure and update the node. The server can, however, force a failure or success message to appear on the device by setting this value and then setting the IsSyncDone node to true.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+
+ EnhancedAppLayerSecurity
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ SecurityMode
+
+
+
+
+
+
+
+ This node specifies how the client will perform the app layer signing and encryption. 0: no op; 1: sign only; 2: encrypt only; 3: sign and encrypt. The default value is 0.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ UseCertIfRevocationCheckOffline
+
+
+
+
+
+
+
+ This node, when it is set, tells the client to use the certificate even when the client cannot check the certificate's revocation status because the device is offline. The default value is set.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ Cert0
+
+
+
+
+
+
+
+ The node contains the primary certificate - the public key to use.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ Cert1
+
+
+
+
+
+
+
+ The node contains the secondary certificate - the public key to use.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+
- HWDevID
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
+ Unenroll
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
-
+
+ UpdateManagementServiceAddress
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ HWDevID
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
-```
-
-## Related topics
-
-
-[DMClient configuration service provider](dmclient-csp.md)
-
-
-
-
-
-
-
-
-
-
+```
\ No newline at end of file
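Review bot: The new intro line `+The XML below is for Windows 10, version 1907.` carries a transposed version number: the nodes this hunk adds (NumberOfDaysAfterLostContactToUnenroll, FirstSyncStatus, EnhancedAppLayerSecurity) are the ones the change history in this same PR attributes to "Windows 10, version 1709", so it should read `version 1709`. Three smaller points in the same hunk: the NumberOfDaysAfterLostContactToUnenroll description misspells `sucessful` (should be `successful`); the ServerHasFinishedProvisioning and IsSyncDone descriptions open a quotation with a curly quote (“) and close it with a straight one ("), so the quotes should be made to match; and the hunk deletes the `## Related topics` section with its `[DMClient configuration service provider](dmclient-csp.md)` link that the old file ended with, so unless that removal is intentional the link should be restored after the closing fence so the DDF topic still points back to the CSP topic.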
diff --git a/windows/client-management/mdm/dmsessionactions-ddf.md b/windows/client-management/mdm/dmsessionactions-ddf.md
index 045b3e71e8..6f2d084195 100644
--- a/windows/client-management/mdm/dmsessionactions-ddf.md
+++ b/windows/client-management/mdm/dmsessionactions-ddf.md
@@ -6,15 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 06/19/2017
+ms.date: 11/01/2017
---
# DMSessionActions DDF file
-> [!WARNING]
-> Some information relates to prereleased product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
This topic shows the OMA DM device description framework (DDF) for the **DMSessionActions** configuration service provider.
You can download the DDF files from the links below:
diff --git a/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md b/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md
index f7e605575a..e08fe3e40d 100644
--- a/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md
+++ b/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md
@@ -6,13 +6,11 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 08/11/2017
+ms.date: 11/01/2017
---
# Enable ADMX-backed policies in MDM
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
This is a step-by-step guide to configuring ADMX-backed policies in MDM.
diff --git a/windows/client-management/mdm/euiccs-csp.md b/windows/client-management/mdm/euiccs-csp.md
new file mode 100644
index 0000000000..1ea5fdf102
--- /dev/null
+++ b/windows/client-management/mdm/euiccs-csp.md
@@ -0,0 +1,87 @@
+---
+title: eUICCs CSP
+description: eUICCs CSP
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 11/01/2017
+---
+
+# eUICCs CSP
+
+
+The eUICCs configuration service provider is used to support eUICC enterprise use cases and enables the IT admin to manage (assign, re-assign, remove) subscriptions to employees. This CSP was added in windows 10, version 1709.
+
+The following diagram shows the eUICCs configuration service provider in tree format.
+
+
+
+**./Vendor/MSFT/eUICCs**
+Root node.
+
+**_eUICC_**
+Interior node. Represents information associated with an eUICC. There is one subtree for each known eUICC, created by the Local Profile Assistant (LPA) when the eUICC is first seen. The node name is meaningful only to the LPA (which associates it with an eUICC ID (EID) in an implementation-specific manner, e.g., this could be a SHA-256 hash of the EID). The node name "Default" represents the currently active eUICC.
+
+Supported operation is Get.
+
+**_eUICC_/Identifier**
+Required. Identifies an eUICC in an implementation-specific manner, e.g., this could be a SHA-256 hash of the EID.
+
+Supported operation is Get. Value type is string.
+
+**_eUICC_/IsActive**
+Required. Indicates whether this eUICC is physically present and active. Updated only by the LPA.
+
+Supported operation is Get. Value type is boolean.
+
+**_eUICC_/Profiles**
+Interior node. Required. Represents all enterprise-owned profiles.
+
+Supported operation is Get.
+
+**_eUICC_/Profiles/_ICCID_**
+Interior node. Optional. Node representing an enterprise-owned eUICC profile. The node name is the ICCID of the profile (which is a unique identifier). Creation of this subtree triggers an AddProfile request by the LPA (which installs the profile on the eUICC). Removal of this subtree triggers the LPA to delete the profile (if resident on the eUICC).
+
+Supported operations are Add, Get, and Delete.
+
+**_eUICC_/Profiles/_ICCID_/ServerName**
+Required. Fully qualified domain name of the SM-DP+ that can download this profile. Must be set by the MDM when the ICCID subtree is created.
+
+Supported operations are Add and Get. Value type is string.
+
+**_eUICC_/Profiles/_ICCID_/MatchingID**
+Required. Matching ID (activation code token) for profile download. Must be set by the MDM when the ICCID subtree is created.
+
+Supported operations are Add and Get. Value type is string.
+
+**_eUICC_/Profiles/_ICCID_/State**
+Required. Current state of the profile (Installing = 1, Installed = 2, Deleting = 3, Error = 4). Queried by the CSP and only updated by the LPA.
+
+Supported operation is Get. Value type is integer. Default value is 1.
+
+**_eUICC_/Policies**
+Interior node. Required. Device policies associated with the eUICC as a whole (not per-profile).
+
+Supported operation is Get.
+
+**_eUICC_/Policies/LocalUIEnabled**
+Required. Determines whether the local user interface of the LUI is available (true if available, false otherwise). Initially populated by the LPA when the eUICC tree is created, can be queried and changed by the MDM server.
+
+Supported operations are Get and Replace. Value type is boolean. Default value is true.
+
+**_eUICC_/Actions**
+Interior node. Required. Actions that can be performed on the eUICC as a whole (when it is active).
+
+Supported operation is Get.
+
+**_eUICC_/Actions/ResetToFactoryState**
+Required. An EXECUTE on this node triggers the LPA to perform an eUICC Memory Reset.
+
+Supported operation is Execute. Value type is string.
+
+**_eUICC_/Actions/Status**
+Required. Status of most recent operation, as an HRESULT. S_OK indicates success, S_FALSE indicates operation is in progress, other values represent specific errors.
+
+Supported value is Get. Value type is integer. Default is 0.
\ No newline at end of file
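Review bot: `+Supported value is Get. Value type is integer. Default is 0.` under **_eUICC_/Actions/Status** should read `Supported operation is Get.`; every other node in this new topic uses the "Supported operation(s)" wording, and "supported value" states a value rather than an operation. Two smaller points: `This CSP was added in windows 10, version 1709.` needs a capital W in Windows, and the sentence `The following diagram shows the eUICCs configuration service provider in tree format.` is followed only by blank lines in this hunk, so check that the reference to the new provisioning-csp-euiccs.png image actually made it into the file.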
diff --git a/windows/client-management/mdm/euiccs-ddf-file.md b/windows/client-management/mdm/euiccs-ddf-file.md
new file mode 100644
index 0000000000..d3d539c88e
--- /dev/null
+++ b/windows/client-management/mdm/euiccs-ddf-file.md
@@ -0,0 +1,343 @@
+---
+title: eUICCs DDF file
+description: eUICCs DDF file
+ms.assetid: c4cd4816-ad8f-45b2-9b81-8abb18254096
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 06/19/2017
+---
+
+# eUICCs DDF file
+
+
+This topic shows the OMA DM device description framework (DDF) for the **eUICCs** configuration service provider. DDF files are used only with OMA DM provisioning XML.
+
+``` syntax
+
+]>
+
+ 1.2
+
+ eUICCs
+ ./Vendor/MSFT
+
+
+
+
+ Subtree for all embedded UICCs (eUICC)
+
+
+
+
+
+
+
+
+
+
+
+
+
+ com.microsoft/1.0/MDM/eUICCs
+
+
+
+
+
+
+
+
+ Represents information associated with an eUICC. There is one subtree for each known eUICC, created by the Local Profile Assistant (LPA) when the eUICC is first seen. The node name is meaningful only to the LPA (which associates it with an eUICC ID (EID) in an implementation-specific manner, e.g., this could be a SHA-256 hash of the EID). The node name "Default" represents the currently active eUICC.
+
+
+
+
+
+
+
+
+
+ eUICC
+
+
+
+
+
+ Identifier
+
+
+
+
+ Identifies an eUICC in an implementation-specific manner, e.g., this could be a SHA-256 hash of the EID.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ IsActive
+
+
+
+
+ Indicates whether this eUICC is physically present and active. Updated only by the LPA.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ Profiles
+
+
+
+
+ Represents all enterprise-owned profiles.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Node representing an enterprise-owned eUICC profile. The node name is the ICCID of the profile (which is a unique identifier). Creation of this subtree triggers an AddProfile request by the LPA (which installs the profile on the eUICC). Removal of this subtree triggers the LPA to delete the profile (if resident on the eUICC).
+
+
+
+
+
+
+
+
+
+ ICCID
+
+
+
+
+
+ ServerName
+
+
+
+
+
+ Fully qualified domain name of the SM-DP+ that can download this profile. Must be set by the MDM when the ICCID subtree is created.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ MatchingID
+
+
+
+
+
+ Matching ID (activation code token) for profile download. Must be set by the MDM when the ICCID subtree is created.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ State
+
+
+
+
+ 1
+ Current state of the profile (Installing = 1, Installed = 2, Deleting = 3, Error = 4). Queried by the CSP and only updated by the LPA.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+
+
+ Policies
+
+
+
+
+ Device policies associated with the eUICC as a whole (not per-profile).
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ LocalUIEnabled
+
+
+
+
+
+ true
+ Determines whether the local user interface of the LUI is available (true if available, false otherwise). Initially populated by the LPA when the eUICC tree is created, can be queried and changed by the MDM server.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+
+ Actions
+
+
+
+
+ Actions that can be performed on the eUICC as a whole (when it is active).
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ResetToFactoryState
+
+
+
+
+ An EXECUTE on this node triggers the LPA to perform an eUICC Memory Reset.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ Status
+
+
+
+
+ 0
+ Status of most recent operation, as an HRESULT. S_OK indicates success, S_FALSE indicates operation is in progress, other values represent specific errors.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+
+
+
+```
\ No newline at end of file
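Review bot: `+ms.date: 06/19/2017` in the front matter of this newly added file predates the PR; the other topics touched here (euiccs-csp.md, dmsessionactions-ddf.md, firewall-csp.md, office-ddf.md) are all stamped `ms.date: 11/01/2017`, so the new DDF topic should carry the same date rather than one that suggests it has existed since June.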
diff --git a/windows/client-management/mdm/firewall-csp.md b/windows/client-management/mdm/firewall-csp.md
index 99740e166c..94f9d6bbf9 100644
--- a/windows/client-management/mdm/firewall-csp.md
+++ b/windows/client-management/mdm/firewall-csp.md
@@ -6,13 +6,11 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 08/18/2017
+ms.date: 11/01/2017
---
# Firewall CSP
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
The Firewall configuration service provider (CSP) allows the mobile device management (MDM) server to configure the Windows Defender Firewall global settings, per profile settings, as well as the desired set of custom rules to be enforced on the device. Using the Firewall CSP the IT admin can now manage non-domain devices, and reduce the risk of network security threats across all systems connecting to the corporate network. This CSP is new in the next major update to Windows 10.
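Review bot: With the prerelease warning removed from this topic, the remaining intro sentence `This CSP is new in the next major update to Windows 10.` becomes stale and ambiguous for a reader of the released docs; name the release explicitly, in the form the companion topics in this PR use (`Windows 10, version 1709`).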
@@ -265,7 +263,7 @@ The following diagram shows the Firewall configuration service provider in tree
If not specified - a new rule is disabled by default.
Boolean value. Supported operations are Get and Replace.
Specifies the profiles to which the rule belongs: Domain, Private, Public. . See [FW_PROFILE_TYPE](https://msdn.microsoft.com/en-us/library/cc231559.aspx) for the bitmasks that are used to identify profile types.
If not specified, the default is All.
Value type is integer. Supported operations are Get and Replace.
@@ -292,7 +290,7 @@ The following diagram shows the Firewall configuration service provider in tree
Value type is string. Supported operations are Get and Replace.
Comma separated list of interface types. Valid values:
RemoteAccess
diff --git a/windows/client-management/mdm/firewall-ddf-file.md b/windows/client-management/mdm/firewall-ddf-file.md
index 72944197b3..ccfc5f3021 100644
--- a/windows/client-management/mdm/firewall-ddf-file.md
+++ b/windows/client-management/mdm/firewall-ddf-file.md
@@ -6,13 +6,11 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 08/18/2017
+ms.date: 11/01/2017
---
# Firewall CSP
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
This topic shows the OMA DM device description framework (DDF) for the **Firewall** configuration service provider. DDF files are used only with OMA DM provisioning XML.
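Review bot: The H1 of this DDF topic still reads `# Firewall CSP`, duplicating the heading of firewall-csp.md; since the first sentence says `This topic shows the OMA DM device description framework (DDF) for the **Firewall** configuration service provider`, the heading should be `# Firewall DDF file`, matching the other DDF topics touched in this PR (`# DMClient DDF file`, `# DMSessionActions DDF file`, `# eUICCs DDF file`).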
diff --git a/windows/client-management/mdm/images/Provisioning_CSP_eUICCs.png b/windows/client-management/mdm/images/Provisioning_CSP_eUICCs.png
new file mode 100644
index 0000000000..a4c67a8b7e
Binary files /dev/null and b/windows/client-management/mdm/images/Provisioning_CSP_eUICCs.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-dmclient-th2.png b/windows/client-management/mdm/images/provisioning-csp-dmclient-th2.png
index ae35570be6..88398bc1c5 100644
Binary files a/windows/client-management/mdm/images/provisioning-csp-dmclient-th2.png and b/windows/client-management/mdm/images/provisioning-csp-dmclient-th2.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-euiccs.png b/windows/client-management/mdm/images/provisioning-csp-euiccs.png
new file mode 100644
index 0000000000..a4c67a8b7e
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-euiccs.png differ
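Review bot: Two byte-identical images are added under different names, `Provisioning_CSP_eUICCs.png` and `provisioning-csp-euiccs.png` (both show the same blob index `a4c67a8b7e`). Keep only the lowercase hyphenated one, which follows the naming of the existing images in this directory (`provisioning-csp-dmclient-th2.png`, `provisioning-csp-remotewipe-dmandcp.png`), make sure euiccs-csp.md references that name, and drop the other copy; two files whose names differ only in case and punctuation are also a hazard on case-insensitive checkouts.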
diff --git a/windows/client-management/mdm/images/provisioning-csp-remotewipe-dmandcp.png b/windows/client-management/mdm/images/provisioning-csp-remotewipe-dmandcp.png
index 2fc6da33fc..fdbeb278ab 100644
Binary files a/windows/client-management/mdm/images/provisioning-csp-remotewipe-dmandcp.png and b/windows/client-management/mdm/images/provisioning-csp-remotewipe-dmandcp.png differ
diff --git a/windows/client-management/mdm/management-tool-for-windows-store-for-business.md b/windows/client-management/mdm/management-tool-for-windows-store-for-business.md
index 90364628ea..17a5ef28d6 100644
--- a/windows/client-management/mdm/management-tool-for-windows-store-for-business.md
+++ b/windows/client-management/mdm/management-tool-for-windows-store-for-business.md
@@ -1,6 +1,6 @@
---
-title: Management tool for the Micosoft Store for Business
-description: The Micosoft Store for Business has a new web service designed for the enterprise to acquire, manage, and distribute applications in bulk.
+title: Management tool for the Microsoft Store for Business
+description: The Microsoft Store for Business has a new web service designed for the enterprise to acquire, manage, and distribute applications in bulk.
MS-HAID:
- 'p\_phdevicemgmt.business\_store\_portal\_management\_tool'
- 'p\_phDeviceMgmt.management\_tool\_for\_windows\_store\_for\_business'
@@ -10,12 +10,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 06/19/2017
+ms.date: 10/27/2017
---
-# Management tool for the Micosoft Store for Business
+# Management tool for the Microsoft Store for Business
-The Micosoft Store for Business has a new web service designed for the enterprise to acquire, manage, and distribute applications in bulk. The Store for Business enables several capabilities that are required for the enterprise to manage the lifecycle of applications from acquisition to updates.
+The Microsoft Store for Business has a new web service designed for the enterprise to acquire, manage, and distribute applications in bulk. The Store for Business enables several capabilities that are required for the enterprise to manage the lifecycle of applications from acquisition to updates.
Here's the list of the available capabilities:
@@ -26,7 +26,7 @@ Here's the list of the available capabilities:
- Custom Line of Business app support –Enables management and distribution of enterprise applications through the Store for Business.
- Support for Windows desktop and mobile devices - The Store for Business supports both desktop and mobile devices.
-For additional information about Store for Business, see the TechNet topics in [Micosoft Store for Business](https://technet.microsoft.com/library/mt606951.aspx).
+For additional information about Store for Business, see the TechNet topics in [Microsoft Store for Business](https://technet.microsoft.com/library/mt606951.aspx).
## Management services
diff --git a/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md
index 583f8d769c..bd7b747f13 100644
--- a/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md
+++ b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md
@@ -296,14 +296,16 @@ The deep link used for connecting your device to work will always use the follow
| Parameter | Description | Supported Value for Windows 10|
|-----------|--------------------------------------------------------------|----------------------------------------------|
-| mode | Describes which mode will be executed in the enrollment app. Added in Windows 10, version 1607| “mdm” |
+| mode | Describes which mode will be executed in the enrollment app. Added in Windows 10, version 1607| “mdm”, "awa", "aadj" |
|username | Specifies the email address or UPN of the user who should be enrolled into MDM. Added in Windows 10, version 1703. | string |
| servername | Specifies the MDM server URL that will be used to enroll the device. Added in Windows 10, version 1703. | string|
| accesstoken | Custom parameter for MDM servers to use as they see fit. Typically, this can be used as a token to validate the enrollment request. Added in Windows 10, version 1703. | string |
| deviceidentifier | Custom parameter for MDM servers to use as they see fit. Typically, this can be used to pass in a unique device identifier. Added in Windows 10, version 1703. | GUID |
| tenantidentifier | Custom parameter for MDM servers to use as they see fit. Typically, this can be used to identify which tenant the device or user belongs to. Added in Windows 10, version 1703. | GUID or string |
| ownership | Custom parameter for MDM servers to use as they see fit. Typically, this can be used to determine whether the device is BYOD or Corp Owned. Added in Windows 10, version 1703. | 1, 2, or 3 |
-
+
+> **Note** "awa" and "aadj" values for mode are only supported on Windows 10, version 1709 and later.
+
### Connecting to MDM using a deep link
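Review bot: `+> **Note** "awa" and "aadj" values for mode are only supported on Windows 10, version 1709 and later.` uses a bold "Note" inside a plain blockquote instead of the `> [!Note]` alert syntax this file already uses (the hunk just below edits such a block), so the two notes will render differently; use the alert form here. Since the `mode` row now lists three values, it would also help the reader to say in the table or the note what the "awa" and "aadj" modes do, as the other rows explain their values.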
@@ -359,8 +361,7 @@ Starting in Windows 10, version 1709, clicking the **Info** button will show a l

-> [!Note]
-> Starting in Windows 10, version 1709, the **Manage** button is no longer available.
+> [Note] Starting in Windows 10, version 1709, the **Manage** button is no longer available.
### Disconnect
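Review bot: `+> [Note] Starting in Windows 10, version 1709, the **Manage** button is no longer available.` drops the `!` from the alert marker and collapses the block onto one line; `> [Note]` is not the `[!Note]`/`[!WARNING]` alert syntax used elsewhere in this PR and will render as the literal text "[Note]" in an ordinary blockquote. Keep the original two-line `> [!Note]` form and change only the wording if that was the intent.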
diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
index e9c457174a..4b89993d04 100644
--- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
+++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
@@ -10,15 +10,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 10/02/2017
+ms.date: 11/01/2017
---
# What's new in MDM enrollment and management
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
This topic provides information about what's new and breaking changes in Windows 10 mobile device management (MDM) enrollment and management experience across all Windows 10 devices.
For details about Microsoft mobile device management protocols for Windows 10 see [\[MS-MDM\]: Mobile Device Management Protocol](http://go.microsoft.com/fwlink/p/?LinkId=619346) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( http://go.microsoft.com/fwlink/p/?LinkId=619347).
@@ -858,7 +855,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
New CSP added in Windows 10, version 1709. Also added the DDF topic [WindowsDefenderApplicationGuard DDF file](windowsdefenderapplicationguard-ddf-file.md).
@@ -992,6 +993,10 @@ For details about Microsoft mobile device management protocols for Windows 10 s
+
[DMClient CSP](dmclient-csp.md)
+
Added new nodes to the DMClient CSP in Windows 10, version 1709. Updated the CSP and DDF topics.
+
+
[Bitlocker CSP](bitlocker-csp.md)
Changed the minimum personal identification number (PIN) length to 4 digits in SystemDrivesRequireStartupAuthentication and SystemDrivesMinimumPINLength in Windows 10, version 1709.
@@ -1021,8 +1026,13 @@ For details about Microsoft mobile device management protocols for Windows 10 s
Added the following new policies for Windows 10, version 1709:
@@ -1367,6 +1382,86 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
## Change history in MDM documentation
+### November 2017
+
+
Defender/ControlledFolderAccessAllowedApplications - string separator is |.
+
Defender/ControlledFolderAccessProtectedFolders - string separator is |.
+
+
+
+
[eUICCs CSP](euiccs-csp.md)
+
Added new CSP in Windows 10, version 1709.
+
+
+
[AssignedAccess CSP](assignedaccess-csp.md)
+
Added SyncML examples for the new Configuration node.
+
+
+
[DMClient CSP](dmclient-csp.md)
+
Added new nodes to the DMClient CSP in Windows 10, version 1709. Updated the CSP and DDF topics.
+
+
+
+
+
### September 2017
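Review bot: The new November 2017 entry records the Defender separator change and the eUICCs, AssignedAccess and DMClient updates, but not the other documentation corrections made in this same change that alter documented behaviour: the cellular data and cellular data roaming value 0 entries in policy-csp-connectivity.md now say the user cannot turn the channel on, the DeviceLock password-complexity values 3 and 4 gain desktop support caveats, policy-csp-cellular.md gains the Cellular/LetAppsAccessCellularData family of policies, and Authentication/AllowFidoDeviceSignon gets its description and supported values. List them here so administrators who track the change history see corrections that affect what they can rely on.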
diff --git a/windows/client-management/mdm/office-csp.md b/windows/client-management/mdm/office-csp.md
index 96b82f9aa7..b3eec1da15 100644
--- a/windows/client-management/mdm/office-csp.md
+++ b/windows/client-management/mdm/office-csp.md
@@ -6,13 +6,11 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 08/22/2017
+ms.date: 11/01/2017
---
# Office CSP
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
The Office configuration service provider (CSP) enables a Microsoft Office client to be installed on a device via the Office Deployment Tool. For more information, see [Configuration options for the Office Deployment Tool](https://technet.microsoft.com/en-us/library/jj219426.aspx).
This CSP was added in Windows 10, version 1703.
diff --git a/windows/client-management/mdm/office-ddf.md b/windows/client-management/mdm/office-ddf.md
index ebd7f2b843..b08297aef0 100644
--- a/windows/client-management/mdm/office-ddf.md
+++ b/windows/client-management/mdm/office-ddf.md
@@ -7,13 +7,11 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 08/22/2017
+ms.date: 11/01/2017
---
# Office DDF
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
This topic shows the OMA DM device description framework (DDF) for the **Office** configuration service provider. DDF files are used only with OMA DM provisioning XML.
diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md
index 1d7f9a2f02..4c4c7bab91 100644
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@@ -7,13 +7,11 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 09/29/2017
+ms.date: 11/01/2017
---
# Policy CSP
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
The Policy configuration service provider enables the enterprise to configure policies on Windows 10. Use this configuration service provider to configure any company policies.
@@ -336,6 +334,9 @@ The following diagram shows the Policy configuration service provider in tree fo
diff --git a/windows/client-management/mdm/policy-csp-abovelock.md b/windows/client-management/mdm/policy-csp-abovelock.md
index 64f921aac1..12a7923947 100644
--- a/windows/client-management/mdm/policy-csp-abovelock.md
+++ b/windows/client-management/mdm/policy-csp-abovelock.md
@@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 09/29/2017
+ms.date: 11/01/2017
---
# Policy CSP - AboveLock
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
diff --git a/windows/client-management/mdm/policy-csp-accounts.md b/windows/client-management/mdm/policy-csp-accounts.md
index cbec351d99..f7c547db72 100644
--- a/windows/client-management/mdm/policy-csp-accounts.md
+++ b/windows/client-management/mdm/policy-csp-accounts.md
@@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 09/29/2017
+ms.date: 11/01/2017
---
# Policy CSP - Accounts
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
diff --git a/windows/client-management/mdm/policy-csp-activexcontrols.md b/windows/client-management/mdm/policy-csp-activexcontrols.md
index d01ca2a458..411a6aa435 100644
--- a/windows/client-management/mdm/policy-csp-activexcontrols.md
+++ b/windows/client-management/mdm/policy-csp-activexcontrols.md
@@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 09/29/2017
+ms.date: 11/01/2017
---
# Policy CSP - ActiveXControls
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
diff --git a/windows/client-management/mdm/policy-csp-applicationdefaults.md b/windows/client-management/mdm/policy-csp-applicationdefaults.md
index 4e71e25975..440bf514ac 100644
--- a/windows/client-management/mdm/policy-csp-applicationdefaults.md
+++ b/windows/client-management/mdm/policy-csp-applicationdefaults.md
@@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 09/29/2017
+ms.date: 11/01/2017
---
# Policy CSP - ApplicationDefaults
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
diff --git a/windows/client-management/mdm/policy-csp-applicationmanagement.md b/windows/client-management/mdm/policy-csp-applicationmanagement.md
index a5815c7d3e..b3937a002a 100644
--- a/windows/client-management/mdm/policy-csp-applicationmanagement.md
+++ b/windows/client-management/mdm/policy-csp-applicationmanagement.md
@@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 09/29/2017
+ms.date: 11/01/2017
---
# Policy CSP - ApplicationManagement
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
diff --git a/windows/client-management/mdm/policy-csp-appvirtualization.md b/windows/client-management/mdm/policy-csp-appvirtualization.md
index 512cbecf60..e8d81c05b3 100644
--- a/windows/client-management/mdm/policy-csp-appvirtualization.md
+++ b/windows/client-management/mdm/policy-csp-appvirtualization.md
@@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 09/29/2017
+ms.date: 11/01/2017
---
# Policy CSP - AppVirtualization
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
diff --git a/windows/client-management/mdm/policy-csp-attachmentmanager.md b/windows/client-management/mdm/policy-csp-attachmentmanager.md
index 19b60c53f6..71012e8237 100644
--- a/windows/client-management/mdm/policy-csp-attachmentmanager.md
+++ b/windows/client-management/mdm/policy-csp-attachmentmanager.md
@@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 09/29/2017
+ms.date: 11/01/2017
---
# Policy CSP - AttachmentManager
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
diff --git a/windows/client-management/mdm/policy-csp-authentication.md b/windows/client-management/mdm/policy-csp-authentication.md
index 9db44013c0..6a21929f0c 100644
--- a/windows/client-management/mdm/policy-csp-authentication.md
+++ b/windows/client-management/mdm/policy-csp-authentication.md
@@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 09/29/2017
+ms.date: 11/16/2017
---
# Policy CSP - Authentication
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
@@ -29,6 +28,9 @@ ms.date: 09/29/2017
Preview release in Windows 10, version 1709. Supported in the next release. Specifies whether Fast Identity Online (FIDO) device can be used to sign on. This policy enables the Windows logon credential provider for FIDO 2.0
+
+
Value type is integer.
+
+
Here is an example scenario: At Contoso, there are a lot of shared devices and kiosks that employees throughout the day using as many as 20 different devices. To minimize the loss in productivity when employees have to login with username and password everytime they pick up a device, the IT admin deploys SharePC CSP and Authentication/AllowFidoDeviceSignon policy to shared devices. The IT admin provisions and distributes FIDO 2.0 devices to employees, which allows them to authenticate to various shared devices and PCs.
+
+
The following list shows the supported values:
+
+- 0 - Do not allow. The FIDO device credential provider disabled.
+- 1 - Allow. The FIDO device credential provider is enabled and allows usage of FIDO devices to sign into an Windows.
+
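Review bot: The sentence kept at the top of this hunk still reads "Preview release in Windows 10, version 1709. Supported in the next release." while the hunk above removes the prerelease warning from this file; either the warning should stay for this policy or the sentence should name the release the policy ships in. Also fix the added text: "employees throughout the day using as many as 20 different devices" has no main verb (suggest "employees use as many as 20 different devices throughout the day"), "everytime" should be "every time", "login" as a verb should be "log in", value 0 "The FIDO device credential provider disabled." is missing "is", and value 1 "sign into an Windows" should read "sign in to Windows".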
diff --git a/windows/client-management/mdm/policy-csp-autoplay.md b/windows/client-management/mdm/policy-csp-autoplay.md
index f63666cdc6..0eeac9b230 100644
--- a/windows/client-management/mdm/policy-csp-autoplay.md
+++ b/windows/client-management/mdm/policy-csp-autoplay.md
@@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 09/29/2017
+ms.date: 11/01/2017
---
# Policy CSP - Autoplay
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
diff --git a/windows/client-management/mdm/policy-csp-bitlocker.md b/windows/client-management/mdm/policy-csp-bitlocker.md
index 3d4c5bac81..9eb085531d 100644
--- a/windows/client-management/mdm/policy-csp-bitlocker.md
+++ b/windows/client-management/mdm/policy-csp-bitlocker.md
@@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 09/29/2017
+ms.date: 11/01/2017
---
# Policy CSP - Bitlocker
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
diff --git a/windows/client-management/mdm/policy-csp-bluetooth.md b/windows/client-management/mdm/policy-csp-bluetooth.md
index d874f9ffa2..f2efa3d5f8 100644
--- a/windows/client-management/mdm/policy-csp-bluetooth.md
+++ b/windows/client-management/mdm/policy-csp-bluetooth.md
@@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 09/29/2017
+ms.date: 11/01/2017
---
# Policy CSP - Bluetooth
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
diff --git a/windows/client-management/mdm/policy-csp-browser.md b/windows/client-management/mdm/policy-csp-browser.md
index e31c570992..190229dc56 100644
--- a/windows/client-management/mdm/policy-csp-browser.md
+++ b/windows/client-management/mdm/policy-csp-browser.md
@@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 10/10/2017
+ms.date: 11/01/2017
---
# Policy CSP - Browser
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
diff --git a/windows/client-management/mdm/policy-csp-camera.md b/windows/client-management/mdm/policy-csp-camera.md
index ce33fa4faa..bade8a1989 100644
--- a/windows/client-management/mdm/policy-csp-camera.md
+++ b/windows/client-management/mdm/policy-csp-camera.md
@@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 09/29/2017
+ms.date: 11/01/2017
---
# Policy CSP - Camera
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
diff --git a/windows/client-management/mdm/policy-csp-cellular.md b/windows/client-management/mdm/policy-csp-cellular.md
index 183748ec41..b070a9305e 100644
--- a/windows/client-management/mdm/policy-csp-cellular.md
+++ b/windows/client-management/mdm/policy-csp-cellular.md
@@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 09/29/2017
+ms.date: 11/16/2017
---
# Policy CSP - Cellular
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
@@ -20,11 +19,166 @@ ms.date: 09/29/2017
## Cellular policies
+
+
+
+Added in Windows 10, version 1709. This policy setting specifies whether Windows apps can access cellular data.
+
+You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.
+
+If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access cellular data by using Settings > Network - Internet > Cellular on the device.
+
+If you choose the "Force Allow" option, Windows apps are allowed to access cellular data and employees in your organization cannot change it.
+
+If you choose the "Force Deny" option, Windows apps are not allowed to access cellular data and employees in your organization cannot change it.
+
+If you disable or do not configure this policy setting, employees in your organization can decide whether Windows apps can access cellular data by using Settings > Network - Internet > Cellular on the device.
+
+If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.”
+
+Suported values:
+
+- 0 - User is in control
+- 1 - Force Allow
+- 2 - Force Deny
+
+
+
+
+
+**Cellular/LetAppsAccessCellularData_ForceAllowTheseApps**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
3
+
3
+
3
+
3
+
3
+
+
+
+
+
+
+
+Added in Windows 10, version 1709. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. Value type is string.
+
+
+
+
+**Cellular/LetAppsAccessCellularData_ForceDenyTheseApps**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
3
+
3
+
3
+
3
+
3
+
+
+
+
+
+
+
+Added in Windows 10, version 1709. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. Value type is string.
+
+
+
+
+**Cellular/LetAppsAccessCellularData_UserInControlOfTheseApps**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
3
+
3
+
3
+
3
+
3
+
+
+
+
+
+
+
+Added in Windows 10, version 1709. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the cellular data access setting for the listed apps. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. Value type is string.
+
+
**Cellular/ShowAppCellularAccessUI**
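Review bot: "Suported values" under LetAppsAccessCellularData is misspelled, and the description ends with a stray closing quotation mark ("...applied to the app.”") carried over from the text it was pasted from; "this Group Policy object" in an MDM policy description would also be clearer as "this policy". The three per-app lists describe the same value (semicolon-delimited Package Family Names), but the third says "Windows Store Apps" where the first two say "Microsoft Store Apps"; use one name. The edition tables for the _ForceAllowTheseApps, _ForceDenyTheseApps and _UserInControlOfTheseApps entries show marks under only five of the seven edition columns, leaving Mobile and Mobile Enterprise unmarked; confirm that is intended for a cellular-data policy, since the parent setting's description reads as if it applies to any device with cellular.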
@@ -62,6 +216,16 @@ ms.date: 09/29/2017
+This policy setting configures the visibility of the link to the per-application cellular access control page in the cellular setting UX.
+
+If this policy setting is enabled, a drop-down list box presenting possible values will be active. Select "Hide" or "Show" to hide or show the link to the per-application cellular access control page.
+
+If this policy setting is disabled or is not configured, the link to the per-application cellular access control page is showed by default.”
+
+Supported values:
+
+- 0 - Hide
+- 1 - Show
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
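Review bot: "is showed by default" should be "is shown by default", and that sentence also ends with a stray closing quotation mark ("...by default.”"). The text describes "a drop-down list box presenting possible values" that "will be active", which is Group Policy editor UI; for an MDM policy it is enough to say that value 0 hides and value 1 shows the link, as the supported-values list already does.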
diff --git a/windows/client-management/mdm/policy-csp-connectivity.md b/windows/client-management/mdm/policy-csp-connectivity.md
index 415ebf1eac..b2e38b8a0c 100644
--- a/windows/client-management/mdm/policy-csp-connectivity.md
+++ b/windows/client-management/mdm/policy-csp-connectivity.md
@@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 09/29/2017
+ms.date: 11/01/2017
---
# Policy CSP - Connectivity
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
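Review bot: ms.date here is set to 11/01/2017, while the other files that receive body edits in this change (policy-csp-authentication.md and policy-csp-cellular.md) use 11/16/2017; since this file's value lists are also corrected in the hunks below, the later date appears to be the intended one.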
@@ -53,6 +52,9 @@ ms.date: 09/29/2017
The following list shows the supported values:
-- 0 – Do not allow the cellular data channel. The user can turn it on. This value is not supported in Windows 10, version 1511.
+- 0 – Do not allow the cellular data channel. The user cannot turn it on. This value is not supported in Windows 10, version 1511.
- 1 (default) – Allow the cellular data channel. The user can turn it off.
- 2 - Allow the cellular data channel. The user cannot turn it off.
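Review bot: Flipping value 0 from "The user can turn it on" to "The user cannot turn it on" changes the documented semantics, and the November 2017 change history earlier in this change does not record it; add an entry so administrators who read the earlier wording notice the correction. With the fix the three values form a consistent ladder (0 denied and locked, 1 allowed but the user may turn it off, 2 allowed and locked), which is worth stating in one sentence above the list.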
@@ -204,7 +206,7 @@ ms.date: 09/29/2017
The following list shows the supported values:
-- 0 – Do not allow cellular data roaming. The user can turn it on. This value is not supported in Windows 10, version 1511.
+- 0 – Do not allow cellular data roaming. The user cannot turn it on. This value is not supported in Windows 10, version 1511.
- 1 (default) – Allow cellular data roaming.
- 2 - Allow cellular data roaming on. The user cannot turn it off.
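Review bot: Same semantic correction as the cellular data hunk above and likewise missing from the change history. Separately, value 2 "Allow cellular data roaming on." has a stray "on" and should read "Allow cellular data roaming. The user cannot turn it off." to match the phrasing of value 1.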
@@ -635,6 +637,41 @@ ADMX Info:
+
+
+
+
+Added in Windows 10, version 1703. Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to http://www.msftconnecttest.com/connecttest.txt to determine if the device can communicate with the Internet. This policy disables the NCSI active probe, preventing network connectivity to www.msftconnecttest.com.
+
+Value type is integer.
+
+
+
+
+
**Connectivity/HardenedUNCPaths**
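Review bot: The description says "Value type is integer" but, unlike the other policies in this file, lists no supported values and no default; state which integer value disables the active probe and which leaves it enabled. "preventing network connectivity to www.msftconnecttest.com" reads as if the network is blocked; "preventing the device from contacting www.msftconnecttest.com" says what happens. The text should also spell out the consequence it implies: once the probe is disabled, NCSI can no longer confirm Internet reachability, so the connectivity status shown to users and apps may report limited connectivity even when the device is online, which is the trade-off an administrator accepts on a locked-down network.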
diff --git a/windows/client-management/mdm/policy-csp-credentialproviders.md b/windows/client-management/mdm/policy-csp-credentialproviders.md
index 5274de917b..06c155dfec 100644
--- a/windows/client-management/mdm/policy-csp-credentialproviders.md
+++ b/windows/client-management/mdm/policy-csp-credentialproviders.md
@@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 09/29/2017
+ms.date: 11/01/2017
---
# Policy CSP - CredentialProviders
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
diff --git a/windows/client-management/mdm/policy-csp-credentialsui.md b/windows/client-management/mdm/policy-csp-credentialsui.md
index 1b7955f4e5..6a2a7950a3 100644
--- a/windows/client-management/mdm/policy-csp-credentialsui.md
+++ b/windows/client-management/mdm/policy-csp-credentialsui.md
@@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 09/29/2017
+ms.date: 11/01/2017
---
# Policy CSP - CredentialsUI
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
diff --git a/windows/client-management/mdm/policy-csp-cryptography.md b/windows/client-management/mdm/policy-csp-cryptography.md
index 9c5f328c19..e65cf59e9f 100644
--- a/windows/client-management/mdm/policy-csp-cryptography.md
+++ b/windows/client-management/mdm/policy-csp-cryptography.md
@@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 09/29/2017
+ms.date: 11/01/2017
---
# Policy CSP - Cryptography
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
diff --git a/windows/client-management/mdm/policy-csp-dataprotection.md b/windows/client-management/mdm/policy-csp-dataprotection.md
index 1261f2c311..b2d87567b0 100644
--- a/windows/client-management/mdm/policy-csp-dataprotection.md
+++ b/windows/client-management/mdm/policy-csp-dataprotection.md
@@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 09/29/2017
+ms.date: 11/01/2017
---
# Policy CSP - DataProtection
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
diff --git a/windows/client-management/mdm/policy-csp-datausage.md b/windows/client-management/mdm/policy-csp-datausage.md
index 540a7d26a6..b9d3a22ccc 100644
--- a/windows/client-management/mdm/policy-csp-datausage.md
+++ b/windows/client-management/mdm/policy-csp-datausage.md
@@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 09/29/2017
+ms.date: 11/01/2017
---
# Policy CSP - DataUsage
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md
index 9d75a9f6fa..030df27006 100644
--- a/windows/client-management/mdm/policy-csp-defender.md
+++ b/windows/client-management/mdm/policy-csp-defender.md
@@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 09/29/2017
+ms.date: 11/01/2017
---
# Policy CSP - Defender
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
@@ -1072,7 +1071,7 @@ ms.date: 09/29/2017
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop. The previous name was GuardedFoldersAllowedApplications and changed to ControlledFolderAccessAllowedApplications.
-
Added in Windows 10, version 1709. This policy setting allows user-specified applications to the guard my folders feature. Adding an allowed application means the guard my folders feature will allow the application to modify or delete content in certain folders such as My Documents. In most cases it will not be necessary to add entries. Windows Defender Antivirus will automatically detect and dynamically add applications that are friendly. Value type is string. Use the Unicode as the substring separator.
+
Added in Windows 10, version 1709. This policy setting allows user-specified applications to the guard my folders feature. Adding an allowed application means the guard my folders feature will allow the application to modify or delete content in certain folders such as My Documents. In most cases it will not be necessary to add entries. Windows Defender Antivirus will automatically detect and dynamically add applications that are friendly. Value type is string. Use the | as the substring separator.
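Review bot: The separator change from "the Unicode" to "|" is correct and matches the November 2017 change-history entries earlier in this change, but the sentence around it is still unclear: "allows user-specified applications to the guard my folders feature" is missing a verb (suggest "allows adding user-specified applications to the controlled folder access feature"), and since the note above says the policy was renamed to ControlledFolderAccessAllowedApplications, "guard my folders" should use the ControlledFolderAccess name. Say explicitly that the value is a single string in which entries are separated by "|", for example "C:\Tools\app1.exe|C:\Tools\app2.exe" (a constructed example, not from the page).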
@@ -1116,7 +1115,7 @@ ms.date: 09/29/2017
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop. The previous name was GuardedFoldersList and changed to ControlledFolderAccessProtectedFolders.
-
Added in Windows 10, version 1709. This policy settings allows adding user-specified folder locations to the guard my folders feature. These folders will complement the system defined folders such as My Documents and My Pictures. The list of system folders will be displayed in the user interface and can not be changed. Value type is string. Use the Unicode as the substring separator.
+
Added in Windows 10, version 1709. This policy settings allows adding user-specified folder locations to the guard my folders feature. These folders will complement the system defined folders such as My Documents and My Pictures. The list of system folders will be displayed in the user interface and can not be changed. Value type is string. Use the | as the substring separator.
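Review bot: "This policy settings allows" should be "This policy setting allows", "can not" should be "cannot", and as in the previous hunk "guard my folders" should use the ControlledFolderAccess name the note above gives. "Use the | as the substring separator" would be clearer as "Separate folder entries with |", for example "C:\Finance|D:\Shared\Contracts" (a constructed example, not from the page).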
diff --git a/windows/client-management/mdm/policy-csp-deliveryoptimization.md b/windows/client-management/mdm/policy-csp-deliveryoptimization.md
index f001c4ea3e..1476d9a06b 100644
--- a/windows/client-management/mdm/policy-csp-deliveryoptimization.md
+++ b/windows/client-management/mdm/policy-csp-deliveryoptimization.md
@@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 09/29/2017
+ms.date: 11/01/2017
---
# Policy CSP - DeliveryOptimization
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
diff --git a/windows/client-management/mdm/policy-csp-desktop.md b/windows/client-management/mdm/policy-csp-desktop.md
index 8d89bebfb5..048304c12e 100644
--- a/windows/client-management/mdm/policy-csp-desktop.md
+++ b/windows/client-management/mdm/policy-csp-desktop.md
@@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 09/29/2017
+ms.date: 11/01/2017
---
# Policy CSP - Desktop
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
diff --git a/windows/client-management/mdm/policy-csp-deviceguard.md b/windows/client-management/mdm/policy-csp-deviceguard.md
index b45125a146..7570724110 100644
--- a/windows/client-management/mdm/policy-csp-deviceguard.md
+++ b/windows/client-management/mdm/policy-csp-deviceguard.md
@@ -6,13 +6,11 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 09/29/2017
+ms.date: 11/01/2017
---
# Policy CSP - DeviceGuard
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
diff --git a/windows/client-management/mdm/policy-csp-deviceinstallation.md b/windows/client-management/mdm/policy-csp-deviceinstallation.md
index c57bc0a0a1..7e7740810a 100644
--- a/windows/client-management/mdm/policy-csp-deviceinstallation.md
+++ b/windows/client-management/mdm/policy-csp-deviceinstallation.md
@@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 09/29/2017
+ms.date: 11/01/2017
---
# Policy CSP - DeviceInstallation
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md
index 4767db8c6f..f4face45fd 100644
--- a/windows/client-management/mdm/policy-csp-devicelock.md
+++ b/windows/client-management/mdm/policy-csp-devicelock.md
@@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 09/29/2017
+ms.date: 11/01/2017
---
# Policy CSP - DeviceLock
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
@@ -794,8 +793,8 @@ The number of authentication failures allowed before the device will be wiped. A
- 1 - Digits only
- 2 - Digits and lowercase letters are required
-- 3 - Digits, lowercase letters, and uppercase letters are required
-- 4 - Digits, lowercase letters, uppercase letters, and special characters are required
+- 3 - Digits, lowercase letters, and uppercase letters are required. Not supported in desktop Microsoft accounts and domain accounts.
+- 4 - Digits, lowercase letters, uppercase letters, and special characters are required. Not supported in desktop.
The default value is 1. The following list shows the supported values and actual enforced values:
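Review bot: The two added caveats are inconsistent in scope: value 3 says "Not supported in desktop Microsoft accounts and domain accounts", which implies local accounts on desktop do support it, while value 4 says "Not supported in desktop" outright. If value 3 is likewise unsupported for local desktop accounts, say so; if not, state which desktop account types support it. "in desktop" also reads better as "on desktop editions", matching the edition terms used elsewhere in this file. Since this narrows what administrators can enforce for password complexity on desktop, add a line to the change history.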
diff --git a/windows/client-management/mdm/policy-csp-display.md b/windows/client-management/mdm/policy-csp-display.md
index 43c616c9a7..b23977c0bc 100644
--- a/windows/client-management/mdm/policy-csp-display.md
+++ b/windows/client-management/mdm/policy-csp-display.md
@@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 09/29/2017
+ms.date: 11/01/2017
---
# Policy CSP - Display
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
diff --git a/windows/client-management/mdm/policy-csp-education.md b/windows/client-management/mdm/policy-csp-education.md
index dcb33c8647..fb7ee74e89 100644
--- a/windows/client-management/mdm/policy-csp-education.md
+++ b/windows/client-management/mdm/policy-csp-education.md
@@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 09/29/2017
+ms.date: 11/01/2017
---
# Policy CSP - Education
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
diff --git a/windows/client-management/mdm/policy-csp-enterprisecloudprint.md b/windows/client-management/mdm/policy-csp-enterprisecloudprint.md
index 6f3068b82d..3506a2c3f1 100644
--- a/windows/client-management/mdm/policy-csp-enterprisecloudprint.md
+++ b/windows/client-management/mdm/policy-csp-enterprisecloudprint.md
@@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 09/29/2017
+ms.date: 11/01/2017
---
# Policy CSP - EnterpriseCloudPrint
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
diff --git a/windows/client-management/mdm/policy-csp-errorreporting.md b/windows/client-management/mdm/policy-csp-errorreporting.md
index c86f76ed58..67f7bd2d6a 100644
--- a/windows/client-management/mdm/policy-csp-errorreporting.md
+++ b/windows/client-management/mdm/policy-csp-errorreporting.md
@@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 09/29/2017
+ms.date: 11/01/2017
---
# Policy CSP - ErrorReporting
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
diff --git a/windows/client-management/mdm/policy-csp-eventlogservice.md b/windows/client-management/mdm/policy-csp-eventlogservice.md
index 60434439fa..ea5746021f 100644
--- a/windows/client-management/mdm/policy-csp-eventlogservice.md
+++ b/windows/client-management/mdm/policy-csp-eventlogservice.md
@@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 09/29/2017
+ms.date: 11/01/2017
---
# Policy CSP - EventLogService
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md
index 8f2199edcd..df796d96ca 100644
--- a/windows/client-management/mdm/policy-csp-experience.md
+++ b/windows/client-management/mdm/policy-csp-experience.md
@@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 09/29/2017
+ms.date: 11/01/2017
---
# Policy CSP - Experience
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
@@ -176,14 +175,6 @@ ms.date: 09/29/2017
Most restricted value is 0.
-
Benefit to the customer:
-
-
Before this setting, enterprise customers could not set up Cortana during out-of-box experience (OOBE) at all, even though Cortana is the “voice” that walks you through OOBE. By sending AllowCortana in initial enrollment, enterprise customers can allow their employees to see the Cortana consent page. This enables them to choose to use Cortana and make their lives easier and more productive.
-
-
Sample scenario:
-
-
An enterprise employee customer is going through OOBE and enjoys Cortana’s help in this process. The customer is happy to learn during OOBE that Cortana can help them be more productive, and chooses to set up Cortana before OOBE finishes. When their setup is finished, they are immediately ready to engage with Cortana to help manage their schedule and more.
-
@@ -323,7 +314,7 @@ ms.date: 09/29/2017
-
Specifies whether to allow the user to delete the workplace account using the workplace control panel.
+
Specifies whether to allow the user to delete the workplace account using the workplace control panel. If the device is Azure Active Directory joined and MDM enrolled (e.g. auto-enrolled), which is majority of the case for Intune, then disabling the MDM unenrollment has no effect.
> [!NOTE]
> The MDM server can always remotely delete the account.
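Review bot: the added sentence reads "which is majority of the case for Intune"; it should be "which is the majority of cases for Intune". More importantly, "disabling the MDM unenrollment has no effect" leaves the admin guessing what that means in practice: make explicit whether the user can still delete the workplace account on an Azure AD joined, auto-enrolled device, so readers do not treat this setting as a working control on those devices, and tie it to the existing note that the MDM server can always delete the account remotely.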
diff --git a/windows/client-management/mdm/policy-csp-exploitguard.md b/windows/client-management/mdm/policy-csp-exploitguard.md
index f408206e83..e165e843f7 100644
--- a/windows/client-management/mdm/policy-csp-exploitguard.md
+++ b/windows/client-management/mdm/policy-csp-exploitguard.md
@@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 09/29/2017
+ms.date: 11/01/2017
---
# Policy CSP - ExploitGuard
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
diff --git a/windows/client-management/mdm/policy-csp-games.md b/windows/client-management/mdm/policy-csp-games.md
index 868f23aa8e..c5edf225b8 100644
--- a/windows/client-management/mdm/policy-csp-games.md
+++ b/windows/client-management/mdm/policy-csp-games.md
@@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 09/29/2017
+ms.date: 11/01/2017
---
# Policy CSP - Games
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
diff --git a/windows/client-management/mdm/policy-csp-handwriting.md b/windows/client-management/mdm/policy-csp-handwriting.md
index e00909e922..ed2e1ec38d 100644
--- a/windows/client-management/mdm/policy-csp-handwriting.md
+++ b/windows/client-management/mdm/policy-csp-handwriting.md
@@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 09/29/2017
+ms.date: 11/01/2017
---
# Policy CSP - Handwriting
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
diff --git a/windows/client-management/mdm/policy-csp-internetexplorer.md b/windows/client-management/mdm/policy-csp-internetexplorer.md
index f8d45a8179..88e6a352f7 100644
--- a/windows/client-management/mdm/policy-csp-internetexplorer.md
+++ b/windows/client-management/mdm/policy-csp-internetexplorer.md
@@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 09/29/2017
+ms.date: 11/01/2017
---
# Policy CSP - InternetExplorer
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
diff --git a/windows/client-management/mdm/policy-csp-kerberos.md b/windows/client-management/mdm/policy-csp-kerberos.md
index 0297e2a41a..43b40603af 100644
--- a/windows/client-management/mdm/policy-csp-kerberos.md
+++ b/windows/client-management/mdm/policy-csp-kerberos.md
@@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 09/29/2017
+ms.date: 11/01/2017
---
# Policy CSP - Kerberos
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
diff --git a/windows/client-management/mdm/policy-csp-licensing.md b/windows/client-management/mdm/policy-csp-licensing.md
index 47c63e821c..42ba032275 100644
--- a/windows/client-management/mdm/policy-csp-licensing.md
+++ b/windows/client-management/mdm/policy-csp-licensing.md
@@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 09/29/2017
+ms.date: 11/01/2017
---
# Policy CSP - Licensing
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
index bb7fdbd8d7..dcf0734b03 100644
--- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
+++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
@@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 10/05/2017
+ms.date: 11/01/2017
---
# Policy CSP - LocalPoliciesSecurityOptions
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
diff --git a/windows/client-management/mdm/policy-csp-location.md b/windows/client-management/mdm/policy-csp-location.md
index f1124ffad4..9c979b9d53 100644
--- a/windows/client-management/mdm/policy-csp-location.md
+++ b/windows/client-management/mdm/policy-csp-location.md
@@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 09/29/2017
+ms.date: 11/01/2017
---
# Policy CSP - Location
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
diff --git a/windows/client-management/mdm/policy-csp-lockdown.md b/windows/client-management/mdm/policy-csp-lockdown.md
index 038d477577..c15d05c78e 100644
--- a/windows/client-management/mdm/policy-csp-lockdown.md
+++ b/windows/client-management/mdm/policy-csp-lockdown.md
@@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 09/29/2017
+ms.date: 11/01/2017
---
# Policy CSP - LockDown
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
diff --git a/windows/client-management/mdm/policy-csp-maps.md b/windows/client-management/mdm/policy-csp-maps.md
index 5c1dab3c54..efff0efc3d 100644
--- a/windows/client-management/mdm/policy-csp-maps.md
+++ b/windows/client-management/mdm/policy-csp-maps.md
@@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 09/29/2017
+ms.date: 11/01/2017
---
# Policy CSP - Maps
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
diff --git a/windows/client-management/mdm/policy-csp-messaging.md b/windows/client-management/mdm/policy-csp-messaging.md
index eac7199c3e..4d41080dfa 100644
--- a/windows/client-management/mdm/policy-csp-messaging.md
+++ b/windows/client-management/mdm/policy-csp-messaging.md
@@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 09/29/2017
+ms.date: 11/01/2017
---
# Policy CSP - Messaging
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
diff --git a/windows/client-management/mdm/policy-csp-networkisolation.md b/windows/client-management/mdm/policy-csp-networkisolation.md
index 95dcb7e362..2e86a44453 100644
--- a/windows/client-management/mdm/policy-csp-networkisolation.md
+++ b/windows/client-management/mdm/policy-csp-networkisolation.md
@@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 09/29/2017
+ms.date: 11/01/2017
---
# Policy CSP - NetworkIsolation
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
diff --git a/windows/client-management/mdm/policy-csp-notifications.md b/windows/client-management/mdm/policy-csp-notifications.md
index 4b0a9b5e62..4133b71c8d 100644
--- a/windows/client-management/mdm/policy-csp-notifications.md
+++ b/windows/client-management/mdm/policy-csp-notifications.md
@@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 09/29/2017
+ms.date: 11/01/2017
---
# Policy CSP - Notifications
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
diff --git a/windows/client-management/mdm/policy-csp-power.md b/windows/client-management/mdm/policy-csp-power.md
index e981b7483e..533e43da2d 100644
--- a/windows/client-management/mdm/policy-csp-power.md
+++ b/windows/client-management/mdm/policy-csp-power.md
@@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 09/29/2017
+ms.date: 11/01/2017
---
# Policy CSP - Power
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
diff --git a/windows/client-management/mdm/policy-csp-printers.md b/windows/client-management/mdm/policy-csp-printers.md
index 2e7c8296f2..8718ad65f0 100644
--- a/windows/client-management/mdm/policy-csp-printers.md
+++ b/windows/client-management/mdm/policy-csp-printers.md
@@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 09/29/2017
+ms.date: 11/01/2017
---
# Policy CSP - Printers
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
diff --git a/windows/client-management/mdm/policy-csp-privacy.md b/windows/client-management/mdm/policy-csp-privacy.md
index f839be65ee..8293364a2d 100644
--- a/windows/client-management/mdm/policy-csp-privacy.md
+++ b/windows/client-management/mdm/policy-csp-privacy.md
@@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 09/29/2017
+ms.date: 11/01/2017
---
# Policy CSP - Privacy
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
diff --git a/windows/client-management/mdm/policy-csp-remoteassistance.md b/windows/client-management/mdm/policy-csp-remoteassistance.md
index 71e7c1ee14..29f29a7267 100644
--- a/windows/client-management/mdm/policy-csp-remoteassistance.md
+++ b/windows/client-management/mdm/policy-csp-remoteassistance.md
@@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 09/29/2017
+ms.date: 11/01/2017
---
# Policy CSP - RemoteAssistance
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
diff --git a/windows/client-management/mdm/policy-csp-remotedesktopservices.md b/windows/client-management/mdm/policy-csp-remotedesktopservices.md
index 589ff8b724..dc0834d71a 100644
--- a/windows/client-management/mdm/policy-csp-remotedesktopservices.md
+++ b/windows/client-management/mdm/policy-csp-remotedesktopservices.md
@@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 09/29/2017
+ms.date: 11/01/2017
---
# Policy CSP - RemoteDesktopServices
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
diff --git a/windows/client-management/mdm/policy-csp-remotemanagement.md b/windows/client-management/mdm/policy-csp-remotemanagement.md
index 7ed74820ef..315cac1258 100644
--- a/windows/client-management/mdm/policy-csp-remotemanagement.md
+++ b/windows/client-management/mdm/policy-csp-remotemanagement.md
@@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 09/29/2017
+ms.date: 11/01/2017
---
# Policy CSP - RemoteManagement
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
diff --git a/windows/client-management/mdm/policy-csp-remoteprocedurecall.md b/windows/client-management/mdm/policy-csp-remoteprocedurecall.md
index 37e4a03a6a..1569a65e29 100644
--- a/windows/client-management/mdm/policy-csp-remoteprocedurecall.md
+++ b/windows/client-management/mdm/policy-csp-remoteprocedurecall.md
@@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 09/29/2017
+ms.date: 11/01/2017
---
# Policy CSP - RemoteProcedureCall
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
diff --git a/windows/client-management/mdm/policy-csp-remoteshell.md b/windows/client-management/mdm/policy-csp-remoteshell.md
index 9dd90c60be..a9538c867b 100644
--- a/windows/client-management/mdm/policy-csp-remoteshell.md
+++ b/windows/client-management/mdm/policy-csp-remoteshell.md
@@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 09/29/2017
+ms.date: 11/01/2017
---
# Policy CSP - RemoteShell
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
diff --git a/windows/client-management/mdm/policy-csp-search.md b/windows/client-management/mdm/policy-csp-search.md
index d8d759bd86..29d698f38d 100644
--- a/windows/client-management/mdm/policy-csp-search.md
+++ b/windows/client-management/mdm/policy-csp-search.md
@@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 09/29/2017
+ms.date: 11/01/2017
---
# Policy CSP - Search
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
@@ -29,9 +28,15 @@ ms.date: 09/29/2017
diff --git a/windows/client-management/mdm/policy-csp-security.md b/windows/client-management/mdm/policy-csp-security.md
index be8599f45e..b57251df17 100644
--- a/windows/client-management/mdm/policy-csp-security.md
+++ b/windows/client-management/mdm/policy-csp-security.md
@@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 09/29/2017
+ms.date: 11/01/2017
---
# Policy CSP - Security
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
diff --git a/windows/client-management/mdm/policy-csp-settings.md b/windows/client-management/mdm/policy-csp-settings.md
index 987f2c639b..8ba5c167ce 100644
--- a/windows/client-management/mdm/policy-csp-settings.md
+++ b/windows/client-management/mdm/policy-csp-settings.md
@@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 09/29/2017
+ms.date: 11/01/2017
---
# Policy CSP - Settings
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
diff --git a/windows/client-management/mdm/policy-csp-smartscreen.md b/windows/client-management/mdm/policy-csp-smartscreen.md
index 2437d31e21..fbc0b3e56a 100644
--- a/windows/client-management/mdm/policy-csp-smartscreen.md
+++ b/windows/client-management/mdm/policy-csp-smartscreen.md
@@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 09/29/2017
+ms.date: 11/01/2017
---
# Policy CSP - SmartScreen
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
diff --git a/windows/client-management/mdm/policy-csp-speech.md b/windows/client-management/mdm/policy-csp-speech.md
index de1665ee8d..d00aaf1542 100644
--- a/windows/client-management/mdm/policy-csp-speech.md
+++ b/windows/client-management/mdm/policy-csp-speech.md
@@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 09/29/2017
+ms.date: 11/01/2017
---
# Policy CSP - Speech
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
diff --git a/windows/client-management/mdm/policy-csp-start.md b/windows/client-management/mdm/policy-csp-start.md
index 03c3fb2ea4..d3392ef73f 100644
--- a/windows/client-management/mdm/policy-csp-start.md
+++ b/windows/client-management/mdm/policy-csp-start.md
@@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 09/29/2017
+ms.date: 11/01/2017
---
# Policy CSP - Start
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
@@ -68,6 +67,9 @@ ms.date: 09/29/2017
@@ -902,6 +904,41 @@ ms.date: 09/29/2017
1. Enable policy.
2. Open Start, click on the user tile, and verify "Lock" is not available.
+
+
+
+
+**Start/HidePeopleBar**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
3
+
3
+
3
+
3
+
+
+
+
+
+
+
+
+
Added in Windows 10, version 1709. Enabling this policy removes the people icon from the taskbar as well as the corresponding settings toggle. It also prevents users from pinning people to the taskbar.
+
+
Value type is integer.
+
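Review bot: the new Start/HidePeopleBar entry says "Value type is integer" but, unlike the Storage hunk in this same change, gives no supported-values list and no default. Add the "0 - ... / 1 - ..." list with "(default)" on the right value so the behaviour when the policy is unset is documented. The edition table also carries only four "3" footnote marks for seven editions with no legend visible in the hunk; confirm the marks landed on the intended editions.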
diff --git a/windows/client-management/mdm/policy-csp-storage.md b/windows/client-management/mdm/policy-csp-storage.md
index f7485274a3..3a559d0f2c 100644
--- a/windows/client-management/mdm/policy-csp-storage.md
+++ b/windows/client-management/mdm/policy-csp-storage.md
@@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 09/29/2017
+ms.date: 11/01/2017
---
# Policy CSP - Storage
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
@@ -23,6 +22,9 @@ ms.date: 09/29/2017
Added in Windows 10, version 1709. Allows disk health model updates.
+
+
+
The following list shows the supported values:
+
+- 0 - Do not allow
+- 1 (default) - Allow
+
+
Value type is integer.
+
+
+
+
Footnote:
diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md
index e05d775dd4..c688af26cd 100644
--- a/windows/client-management/mdm/policy-csp-system.md
+++ b/windows/client-management/mdm/policy-csp-system.md
@@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 09/29/2017
+ms.date: 11/01/2017
---
# Policy CSP - System
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
@@ -765,7 +764,7 @@ ADMX Info:
Set Allow Telemetry to level 2 (Enhanced)
-
When you configure these policy settings, a basic level of diagnostic data plus additional events that are required for Windows Analytics are sent to Microsoft. These events are documented here: [Windows 10, version 1703 basic level Windows diagnostic events and fields](https://go.microsoft.com/fwlink/?linkid=847594).
+
When you configure these policy settings, a basic level of diagnostic data plus additional events that are required for Windows Analytics are sent to Microsoft. These events are documented here: [Windows 10, version 1709 enhanced telemetry events and fields used by Windows Analytics](https://go.microsoft.com/fwlink/?linkid=847594).
Enabling enhanced diagnostic data in the System/AllowTelemetry policy in combination with not configuring this policy will also send the required events for Windows Analytics, plus additional enhanced level telemetry data. This setting has no effect on computers configured to send full, basic or security level diagnostic data to Microsoft.
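Review bot: the link text changes from "Windows 10, version 1703 basic level Windows diagnostic events and fields" to "Windows 10, version 1709 enhanced telemetry events and fields used by Windows Analytics", but the target https://go.microsoft.com/fwlink/?linkid=847594 is unchanged. Confirm the fwlink has been repointed to the 1709 enhanced-level document; otherwise the text now promises an enhanced-level event list while the link still resolves to the 1703 basic-level one, which matters because this paragraph is what tells an admin which data leaves the device at level 2.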
diff --git a/windows/client-management/mdm/policy-csp-textinput.md b/windows/client-management/mdm/policy-csp-textinput.md
index fde893e7ec..3dae6dd1e7 100644
--- a/windows/client-management/mdm/policy-csp-textinput.md
+++ b/windows/client-management/mdm/policy-csp-textinput.md
@@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 09/29/2017
+ms.date: 11/01/2017
---
# Policy CSP - TextInput
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
diff --git a/windows/client-management/mdm/policy-csp-timelanguagesettings.md b/windows/client-management/mdm/policy-csp-timelanguagesettings.md
index 5da538c24a..a2ad26f40c 100644
--- a/windows/client-management/mdm/policy-csp-timelanguagesettings.md
+++ b/windows/client-management/mdm/policy-csp-timelanguagesettings.md
@@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 09/29/2017
+ms.date: 11/01/2017
---
# Policy CSP - TimeLanguageSettings
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md
index 63d53d42c4..9edfd3e3e2 100644
--- a/windows/client-management/mdm/policy-csp-update.md
+++ b/windows/client-management/mdm/policy-csp-update.md
@@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 09/29/2017
+ms.date: 11/01/2017
---
# Policy CSP - Update
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
@@ -95,6 +94,9 @@ ms.date: 09/29/2017
@@ -1454,6 +1456,45 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
3. Verify that any downloads that are above the download size limit will complete without being paused.
+
+
+
+
+**Update/ManagePreviewBuilds**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
3
+
3
+
3
+
3
+
+
2
+
+
+
+
+
+
+
Added in Windows 10, version 1709. Used to manage Windows 10 Insider Preview builds. Value type is integer.
+
+
The following list shows the supported values:
+
+- 0 - Disable Preview builds
+- 1 - Disable Preview builds once the next release is public
+- 2 - Enable Preview builds
+
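Review bot: the Update/ManagePreviewBuilds supported-values list (0/1/2) does not state the default, and the edition table shows a "2" marker alongside the "3" markers with no legend in the hunk. Add "(default)" to the appropriate value, since whether Insider Preview builds are enabled on a managed device when the policy is unset is the thing an admin needs from this page, and check that the "2" mark is intended rather than a copy error.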
diff --git a/windows/client-management/mdm/policy-csp-wifi.md b/windows/client-management/mdm/policy-csp-wifi.md
index e035750dfa..6b07a4af85 100644
--- a/windows/client-management/mdm/policy-csp-wifi.md
+++ b/windows/client-management/mdm/policy-csp-wifi.md
@@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 09/29/2017
+ms.date: 11/01/2017
---
# Policy CSP - Wifi
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
diff --git a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md
index d47b897f44..fadfbb83c4 100644
--- a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md
+++ b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md
@@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 09/29/2017
+ms.date: 11/01/2017
---
# Policy CSP - WindowsDefenderSecurityCenter
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
diff --git a/windows/client-management/mdm/policy-csp-windowsinkworkspace.md b/windows/client-management/mdm/policy-csp-windowsinkworkspace.md
index 43176e2f15..f83331f02e 100644
--- a/windows/client-management/mdm/policy-csp-windowsinkworkspace.md
+++ b/windows/client-management/mdm/policy-csp-windowsinkworkspace.md
@@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 09/29/2017
+ms.date: 11/01/2017
---
# Policy CSP - WindowsInkWorkspace
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
diff --git a/windows/client-management/mdm/policy-csp-windowslogon.md b/windows/client-management/mdm/policy-csp-windowslogon.md
index 71a5e7e63a..07a008be66 100644
--- a/windows/client-management/mdm/policy-csp-windowslogon.md
+++ b/windows/client-management/mdm/policy-csp-windowslogon.md
@@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 09/29/2017
+ms.date: 11/01/2017
---
# Policy CSP - WindowsLogon
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
@@ -190,9 +189,9 @@ ADMX Info:
Added in Windows 10, version 1703. This policy setting allows you to hide the Switch account button on the sign-in screen, Start, and the Task Manager. If you enable this policy setting, the Switch account button is hidden from the user who is attempting to sign-in or is signed in to the computer that has this policy applied. If you disable or do not configure this policy setting, the Switch account button is accessible to the user in the three locations.
-
Value type is bool. The following list shows the supported values:
+
Value type is int. The following list shows the supported values:
-- 0 (default) - Diabled (visible).
+- 0 (default) - Disabled (visible).
- 1 - Enabled (hidden).
To validate on Desktop, do the following:
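Review bot: besides fixing "Diabled", this hunk changes "Value type is bool" to "Value type is int" for the Switch account policy. That is a contract change for anyone already sending a bool; confirm it against policy-ddf-file.md, which is updated in this same change, and if the type was int all along, say in the commit message that this is a documentation correction rather than a behaviour change.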
diff --git a/windows/client-management/mdm/policy-csp-wirelessdisplay.md b/windows/client-management/mdm/policy-csp-wirelessdisplay.md
index e249ddea29..5a32e0b066 100644
--- a/windows/client-management/mdm/policy-csp-wirelessdisplay.md
+++ b/windows/client-management/mdm/policy-csp-wirelessdisplay.md
@@ -6,13 +6,12 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 09/29/2017
+ms.date: 11/01/2017
---
# Policy CSP - WirelessDisplay
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
Added in Windows 10, version 1709. This policy setting allows you to turn off the Wireless Display multicast DNS service advertisement from a Wireless Display receiver. If the network administrator is concerned about network congestion, they may set this policy to 0, disabling mDNS advertisement.
+
+- 0 - Do not allow
+- 1 - Allow
+
+
+
+
+
+**WirelessDisplay/AllowMdnsDiscovery**
+
+
+
+
+
Home
+
Pro
+
Business
+
Enterprise
+
Education
+
Mobile
+
Mobile Enterprise
+
+
+
+
3
+
3
+
3
+
3
+
3
+
3
+
+
+
+
+
+
+
Added in Windows 10, version 1709. This policy setting allows you to turn off discovering the display service advertised over multicast DNS by a Wireless Display receiver. If the network administrator is concerned about network congestion, they may set this policy to 0, disabling mDNS discovery.
+
+- 0 - Do not allow
+- 1 - Allow
+
+
+
**WirelessDisplay/AllowProjectionFromPC**
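Review bot: neither new value list (`- 0 - Do not allow` / `- 1 - Allow`) states the value type or marks the default, while the WindowsLogon hunk earlier in this patch writes `Value type is int.` and `0 (default)`; add the type line and mark the default for both the mDNS advertisement and mDNS discovery policies so administrators know what an unconfigured device does. Also check the rendered output for the AllowMdnsDiscovery edition table: in the hunk the edition names (Home through Mobile Enterprise) and their checkmark cells (`3`) appear one cell per line rather than as table rows.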
diff --git a/windows/client-management/mdm/policy-ddf-file.md b/windows/client-management/mdm/policy-ddf-file.md
index ff7f8c546f..0cdb6f8d7d 100644
--- a/windows/client-management/mdm/policy-ddf-file.md
+++ b/windows/client-management/mdm/policy-ddf-file.md
@@ -7,18 +7,18 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 10/23/2017
+ms.date: 11/01/2017
---
# Policy DDF file
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
This topic shows the OMA DM device description framework (DDF) for the **Policy** configuration service provider. DDF files are used only with OMA DM provisioning XML.
You can download the DDF files from the links below:
+- [Download the Policy DDF file for Windows 10, version 1709](http://download.microsoft.com/download/8/C/4/8C43C116-62CB-470B-9B69-76A3E2BC32A8/PolicyDDF_all.xml)
- [Download the Policy DDF file for Windows 10, version 1703](http://download.microsoft.com/download/7/2/C/72C36C37-20F9-41BF-8E23-721F6FFC253E/PolicyDDF_all.xml)
- [Download the Policy DDF file for Windows 10, version 1607](http://download.microsoft.com/download/6/1/C/61C022FD-6F5D-4F73-9047-17F630899DC4/PolicyDDF_all_version1607.xml)
- [Download the Policy DDF file for Windows 10, version 1607 release 8C](http://download.microsoft.com/download/6/1/C/61C022FD-6F5D-4F73-9047-17F630899DC4/PolicyDDF_all_version1607_8C.xml)
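Review bot: the new 1709 download link, like the three existing ones, points at `http://download.microsoft.com/...`; since the DDF is an XML file that administrators feed into MDM tooling, link it over https so the file cannot be altered in transit, and fix the existing links in the same pass.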
diff --git a/windows/client-management/mdm/remotewipe-csp.md b/windows/client-management/mdm/remotewipe-csp.md
index ed973594ca..2a5bad77e5 100644
--- a/windows/client-management/mdm/remotewipe-csp.md
+++ b/windows/client-management/mdm/remotewipe-csp.md
@@ -42,6 +42,9 @@ The doWipeProtected is functionally similar to doWipe. But unlike doWipe, which
Supported operation is Exec.
+**doWipePersistUserData**
+Added in Windows 10, version 1709. Exec on this node will perform a remote reset on the device and persist user accounts and data. The return status code shows whether the device accepted the Exec command.
+
## The Remote Wipe Process
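Review bot: the new `doWipePersistUserData` node omits the `Supported operation is Exec.` line that the preceding node ends with; add it after the new description for consistency. It would also help to state what "persist user accounts and data" actually leaves on the device, since administrators choosing between doWipe (which the DDF text says fully cleans the internal drive) and this node need to know what is retained.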
diff --git a/windows/client-management/mdm/remotewipe-ddf-file.md b/windows/client-management/mdm/remotewipe-ddf-file.md
index e9e79fbfaa..51f0a550f0 100644
--- a/windows/client-management/mdm/remotewipe-ddf-file.md
+++ b/windows/client-management/mdm/remotewipe-ddf-file.md
@@ -17,6 +17,8 @@ This topic shows the OMA DM device description framework (DDF) for the **RemoteW
You can download the Windows 10 version 1607 DDF files from [here](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip).
+The XML below is the DDF for Windows 10, version 1709.
+
``` syntax
Exec on this node will perform a remote wipe on the device and fully clean the internal drive. In some device configurations, this command may leave the device unable to boot. The return status code shows whether the device accepted the Exec command.
+
+ doWipePersistUserData
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+ Exec on this node will perform a remote reset on the device and persist user accounts and data. The return status code shows whether the device accepted the Exec command.
+
+
```
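Review bot: the code fence is tagged `syntax` rather than `xml`, and the added DDF fragment shows only text nodes (`doWipePersistUserData`, `text/plain`, the description sentence) with no element markup around them, so check that the full node definition made it into the file and renders as XML. The intro line above the fence still points readers only at the 1607 DDF zip; add a 1709 download link next to the sentence `The XML below is the DDF for Windows 10, version 1709.`, as the Policy DDF topic in this patch does.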
diff --git a/windows/client-management/mdm/tpmpolicy-csp.md b/windows/client-management/mdm/tpmpolicy-csp.md
index fb24cc596d..a86a8fef94 100644
--- a/windows/client-management/mdm/tpmpolicy-csp.md
+++ b/windows/client-management/mdm/tpmpolicy-csp.md
@@ -6,13 +6,11 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 06/19/2017
+ms.date: 11/01/2017
---
# TPMPolicy CSP
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
The TPMPolicy configuration service provider (CSP) provides a mechanism to enable zero exhaust configuration on a Windows device for TPM software components. Zero exhaust is defined as no network traffic (telemetry or otherwise, such as downloading background images, Windows Updates, etc.) from Windows and inbox applications to public IP addresses unless directly intended by the user. This allows the enterprise admin to configure devices where no network communication is initiated by the system without explicit approval.
diff --git a/windows/client-management/mdm/tpmpolicy-ddf-file.md b/windows/client-management/mdm/tpmpolicy-ddf-file.md
index 7368eb0cd4..36b0f3b280 100644
--- a/windows/client-management/mdm/tpmpolicy-ddf-file.md
+++ b/windows/client-management/mdm/tpmpolicy-ddf-file.md
@@ -6,13 +6,11 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 06/19/2017
+ms.date: 11/01/2017
---
# TPMPolicy DDF file
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
This topic shows the OMA DM device description framework (DDF) for the **TPMPolicy** configuration service provider. The TPMPolicy CSP was added in Windows 10, version 1703.
diff --git a/windows/client-management/mdm/vpnv2-csp.md b/windows/client-management/mdm/vpnv2-csp.md
index ede7194396..caa8e9ad15 100644
--- a/windows/client-management/mdm/vpnv2-csp.md
+++ b/windows/client-management/mdm/vpnv2-csp.md
@@ -7,13 +7,11 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 09/18/2017
+ms.date: 11/01/2017
---
# VPNv2 CSP
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
The VPNv2 configuration service provider allows the mobile device management (MDM) server to configure the VPN profile of the device.
diff --git a/windows/client-management/mdm/vpnv2-ddf-file.md b/windows/client-management/mdm/vpnv2-ddf-file.md
index 3208f1111a..aea3539526 100644
--- a/windows/client-management/mdm/vpnv2-ddf-file.md
+++ b/windows/client-management/mdm/vpnv2-ddf-file.md
@@ -7,13 +7,11 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 09/18/2017
+ms.date: 11/01/2017
---
# VPNv2 DDF file
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
This topic shows the OMA DM device description framework (DDF) for the **VPNv2** configuration service provider.
diff --git a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md
index 665ae99cae..5999ebee5e 100644
--- a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md
+++ b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md
@@ -7,13 +7,11 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 06/19/2017
+ms.date: 11/01/2017
---
# WindowsAdvancedThreatProtection CSP
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
The Windows Defender Advanced Threat Protection (WDATP) configuration service provider (CSP) allows IT Admins to onboard, determine configuration and health status, and offboard endpoints for WDATP.
diff --git a/windows/client-management/mdm/windowsadvancedthreatprotection-ddf.md b/windows/client-management/mdm/windowsadvancedthreatprotection-ddf.md
index 196883556d..429036de72 100644
--- a/windows/client-management/mdm/windowsadvancedthreatprotection-ddf.md
+++ b/windows/client-management/mdm/windowsadvancedthreatprotection-ddf.md
@@ -7,13 +7,11 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 06/19/2017
+ms.date: 11/01/2017
---
# WindowsAdvancedThreatProtection DDF file
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
This topic shows the OMA DM device description framework (DDF) for the **WindowsAdvancedThreatProtection** configuration service provider. DDF files are used only with OMA DM provisioning XML.
diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
index 3df07a32ad..47b499d041 100644
--- a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
+++ b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
@@ -6,13 +6,11 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 06/27/2017
+ms.date: 11/01/2017
---
# WindowsDefenderApplicationGuard CSP
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
The WindowsDefenderApplicationGuard configuration service provider (CSP) is used by the enterprise to configure the settings in the Application Guard. This CSP was added in Windows 10, version 1709.
diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md b/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md
index d70c704083..12a77ad6e0 100644
--- a/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md
+++ b/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md
@@ -6,13 +6,11 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 06/27/2017
+ms.date: 11/01/2017
---
# WindowsDefenderApplicationGuard DDF file
-> [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
This topic shows the OMA DM device description framework (DDF) for the **WindowsDefenderApplicationGuard** configuration service provider.
diff --git a/windows/client-management/windows-10-support-solutions.md b/windows/client-management/windows-10-support-solutions.md
index 5c68eb15b8..2daf689b30 100644
--- a/windows/client-management/windows-10-support-solutions.md
+++ b/windows/client-management/windows-10-support-solutions.md
@@ -7,6 +7,7 @@ ms.sitesec: library
ms.author: elizapo
author: kaushika-msft
ms.localizationpriority: high
+ms.date: 08/30/2017
---
# Top support solutions for Windows 10
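Review bot: the `ms.date` added here is `08/30/2017`, older than the `11/01/2017` and later dates every other file in this patch receives; confirm the date is intended rather than copied from an earlier revision.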
diff --git a/windows/configuration/TOC.md b/windows/configuration/TOC.md
index 88c44d0c4c..cad65095b0 100644
--- a/windows/configuration/TOC.md
+++ b/windows/configuration/TOC.md
@@ -41,7 +41,7 @@
## [Cortana integration in your business or enterprise](cortana-at-work/cortana-at-work-overview.md)
### [Testing scenarios using Cortana in your business or organization](cortana-at-work/cortana-at-work-testing-scenarios.md)
#### [Test scenario 1 - Sign-in to Azure AD and use Cortana to manage the notebook](cortana-at-work/cortana-at-work-scenario-1.md)
-#### [Test scenario 2 - Test scenario 2 - Perform a quick search with Cortana at work](cortana-at-work/cortana-at-work-scenario-2.md)
+#### [Test scenario 2 - Perform a quick search with Cortana at work](cortana-at-work/cortana-at-work-scenario-2.md)
#### [Test scenario 3 - Set a reminder for a specific location using Cortana at work](cortana-at-work/cortana-at-work-scenario-3.md)
#### [Test scenario 4 - Use Cortana at work to find your upcoming meetings](cortana-at-work/cortana-at-work-scenario-4.md)
#### [Test scenario 5 - Use Cortana to send email to a co-worker](cortana-at-work/cortana-at-work-scenario-5.md)
diff --git a/windows/configuration/basic-level-windows-diagnostic-events-and-fields.md b/windows/configuration/basic-level-windows-diagnostic-events-and-fields.md
index cb11a4d0d9..6f2e45cc82 100644
--- a/windows/configuration/basic-level-windows-diagnostic-events-and-fields.md
+++ b/windows/configuration/basic-level-windows-diagnostic-events-and-fields.md
@@ -9,6 +9,7 @@ ms.pagetype: security
ms.localizationpriority: high
author: eross-msft
ms.author: lizross
+ms.date: 11/16/2017
---
@@ -16,7 +17,7 @@ ms.author: lizross
**Applies to**
-- Windows 10, version 1703 and later
+- Windows 10, version 1703
The Basic level gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Microsoft Store. When the level is set to Basic, it also includes the Security level information. The Basic level also helps to identify problems that can occur on a particular device hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. This helps Microsoft fix operating system or app problems.
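Review bot: changing **Applies to** from `Windows 10, version 1703 and later` to `Windows 10, version 1703` narrows the scope of the topic, yet the same patch adds events described as preparing for "upgrades to the next release of Windows"; if a separate topic now covers version 1709, link to it from the Applies to list, otherwise keep "and later".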
@@ -26,7 +27,7 @@ Use this article to learn about diagnostic events, grouped by event area, and th
- [Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md)
>[!Note]
->Updated July 2017 to document new and modified events. We’ve added new fields to several Appraiser events to prepare for upgrades to the next release of Windows and we’ve added a brand-new event, Census.Speech, to collect basic details about speech settings and configuration.
+>Updated November 2017 to document new and modified events. We’ve added some new events and also added new fields to existing events to prepare for upgrades to the next release of Windows.
## Common data extensions
@@ -592,6 +593,7 @@ The following fields are available:
- **NotRegressed** Does the device have a problem code on the source OS that is no better than the one it would have on the target OS?
- **SdbDeviceBlockUpgrade** Is there an SDB block on the PNP device that blocks upgrade?
- **SdbDriverBlockOverridden** Is there an SDB block on the PNP device that blocks upgrade, but that block was overridden?
+- **AssociatedDriverWillNotMigrate** Will the driver associated with this plug-and-play device migrate?
### Microsoft.Windows.Appraiser.General.DecisionDevicePnpRemove
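Review bot: the new field name `AssociatedDriverWillNotMigrate` and its description `Will the driver associated with this plug-and-play device migrate?` have opposite polarity; reword the description so a true value means the driver will not migrate, matching the field name (compare `SdbDriverBlockOverridden`, whose description states the condition the name asserts).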
@@ -1475,6 +1477,7 @@ The following fields are available:
- **IsDERequirementMet** Represents if the device can do device encryption.
- **IsEDPEnabled** Represents if Enterprise data protected on the device.
- **ContainerType** The type of container, such as process or virtual machine hosted.
+- **EnrollmentType** Represents the type of enrollment, such as MDM or Intune, for a particular device.
### Census.Firmware
@@ -1538,7 +1541,11 @@ The following fields are available:
- **OEMModelBaseBoardVersion** Differentiates between developer and retail devices.
- **ActiveMicCount** The number of active microphones attached to the device.
- **OEMModelSystemVersion** The system model version set on the device by the OEM.
-
+- **D3DMaxFeatureLevel** The supported Direct3D version.
+- **Gyroscope** Indicates whether the device has a gyroscope.
+- **Magnetometer** Indicates whether the device has a magnetometer.
+- **NFCProximity** Indicates whether the device supports NFC.
+- **TelemetryLevelLimitEnhanced** The telemetry level for Windows Analytics-based solutions.
### Census.Memory
@@ -1611,7 +1618,8 @@ The following fields are available:
- **OSSubscriptionStatus** Represents the existing status for enterprise subscription feature for PRO machines.
- **ServiceMachinePort** Retrieves the port of the KMS host used for anti-piracy.
- **DeviceTimeZone** The time zone that is set on the device. Example: Pacific Standard Time
-- **DeveloperUnlockStatus** Represents if a device has been developer unlocked by the user or Group Policy.
+- **DeveloperUnlockStatus** Represents if a device has been developer unlocked by the user or Group Policy.
+- **AssignedAccessStatus** The kiosk configuration mode.
### Census.Processor
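Review bot: the `-`/`+` pair for `DeveloperUnlockStatus` is textually identical, so the change is whitespace or line-ending only; confirm it is intended, since it adds review noise and may indicate mixed line endings in the file.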
@@ -1628,6 +1636,7 @@ The following fields are available:
- **ProcessorModel** Retrieves the name of the processor model.
- **SocketCount** Number of physical CPU sockets of the machine.
- **ProcessorIdentifier** The processor identifier of a manufacturer.
+- **ProcessorUpdateRevision** The microcode version.
### Census.Speech
@@ -1713,6 +1722,8 @@ The following fields are available:
- **IOMMUPresent** Represents if an input/output memory management unit (IOMMU) is present.
- **IsVirtualDevice** Retrieves that when the Hypervisor is Microsoft's Hyper-V Hypervisor or other Hv#1 Hypervisor, this field will be set to FALSE for the Hyper-V host OS and TRUE for any guest OS's. This field should not be relied upon for non-Hv#1 Hypervisors.
- **HyperVisor** Retrieves whether the current OS is running on top of a Hypervisor.
+- **CloudService** Indicates which cloud service, if any, that this virtual machine is running within.
+- **isVDI** Is the device using Virtual Desktop Infrastructure?
### Census.WU
@@ -1738,6 +1749,12 @@ The following fields are available:
- **OSRollbackCount** The number of times feature updates have rolled back on the device.
- **UninstallActive** A flag that represents when a device has uninstalled a previous upgrade recently.
- **AppraiserGatedStatus** Indicates whether a device has been gated for upgrading.
+- **OSAssessmentFeatureOutOfDate** How many days has it been since a the last feature update was released but the device did not install it?
+- **OSAssessmentForFeatureUpdate** Is the device is on the latest feature update?
+- **OSAssessmentForQualityUpdate** Is the device on the latest quality update?
+- **OSAssessmentForSecurityUpdate** Is the device on the latest security update?
+- **OSAssessmentQualityOutOfDate** How many days has it been since a the last quality update was released but the device did not install it?
+- **OSAssessmentReleaseInfoTime** The freshness of release information used to perform an assessment.
### Census.Xbox
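Review bot: two typos in the new OSAssessment fields: `since a the last feature update` and `since a the last quality update` should drop the stray `a`, and `Is the device is on the latest feature update?` has an extra `is`.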
@@ -1751,6 +1768,17 @@ The following fields are available:
- **XboxLiveSandboxId** Retrieves the developer sandbox id if the device is internal to MS.
- **XboxConsolePreferredLanguage** Retrieves the preferred language selected by the user on Xbox console.
+### Census.Security
+
+This event provides information on about security settings used to help keep Windows up-to-date and secure.
+
+- **AvailableSecurityProperties** Enumerates and reports state on the relevant security properties for Device Guard.
+- **CGRunning** Is Credential Guard running?
+- **DGState** A summary of the Device Guard state.
+- **HVCIRunning** Is HVCI running?
+- **RequiredSecurityProperties** Describes the required security properties to enable virtualization-based security.
+- **SecureBootCapable** Is this device capable of running Secure Boot?
+- **VBSState** Is virtualization-based security enabled, disabled, or running?
## Diagnostic data events
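Review bot: the new `Census.Security` section is inserted after `Census.Xbox`, breaking the alphabetical order the Census sections otherwise follow (Processor, Speech, WU, Xbox); move it between Census.Processor and Census.Speech. Its intro also reads `provides information on about security settings`; drop `on`. Since these fields (CGRunning, HVCIRunning, VBSState, SecureBootCapable) report the device's protection state, say whether each is a boolean or an enumeration: `VBSState` is described with three states while `CGRunning` is phrased as a yes/no question.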
@@ -2001,7 +2029,24 @@ The following fields are available:
- **aeinv** The version of the App inventory component.
- **devinv** The file version of the Device inventory component.
+### Microsoft.Windows.Inventory.Core.InventoryDeviceUsbHubClassStartSync
+This event indicates that a new set of InventoryDeviceUsbHubClassAdd events will be sent
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory file generating the events
+-
+### Microsoft.Windows.Inventory.Core.InventoryDeviceUsbHubClassAdd
+
+This event sends basic metadata about the USB hubs on the device
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory file generating the events
+- **TotalUserConnectablePorts** Total number of connectable USB ports
+- **TotalUserConnectableTypeCPorts** Total number of connectable USB Type C ports
+-
### Microsoft.Windows.Inventory.Core.InventoryApplicationAdd
This event sends basic metadata about an application on the system to help keep Windows up to date.
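Review bot: the two new USB hub sections have stray bullet lines consisting of just `-` (after `InventoryVersion` and after `TotalUserConnectableTypeCPorts`) that will render as empty list items; delete them. Also add the blank line between the `InventoryDeviceUsbHubClassStartSync` heading and its description, which the other event sections have, and end the new descriptions with periods.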
@@ -2120,6 +2165,7 @@ The following fields are available:
- **RelativeOrientation** Indicates if a Relative Orientation sensor is found.
- **SimpleDeviceOrientation** Indicates if a Simple Device Orientation sensor is found.
- **Temperature** Indicates if a Temperature sensor is found.
+- **EnergyMeter** Indicates if an Energy sensor is found.
### Microsoft.Windows.Inventory.Core.InventoryDeviceInterfaceStartSync
@@ -2282,6 +2328,7 @@ The following fields are available:
- **SubmissionId** The HLK submission ID for the driver package.
- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section.
- **InventoryVersion** The version of the inventory file generating the events.
+- **DriverInBox** Is the driver included with the operating system?
### Microsoft.Windows.Inventory.Core.InventoryDriverPackageRemove
@@ -2313,6 +2360,53 @@ The following fields are available:
- **ChecksumDictionary** A count of each operating system indicator.
- **PCFP** Equivalent to the InventoryId field that is found in other core events.
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBAAdd
+
+This event provides a summary rollup count of conditions encountered while performing a local scan of Office files, analyzing for known VBA programmability compatibility issues between legacy office version and ProPlus, and between 32 and 64-bit versions
+
+The following fields are available:
+
+- **Design** Count of files with design issues found
+- **Design_x64** Count of files with 64 bit design issues found
+- **DuplicateVBA** Count of files with duplicate VBA code
+- **HasVBA** Count of files with VBA code
+- **Inaccessible** Count of files that were inaccessible for scanning
+- **Issues** Count of files with issues detected
+- **Issues_x64** Count of files with 64-bit issues detected
+- **IssuesNone** Count of files with no issues detected
+- **IssuesNone_x64** Count of files with no 64-bit issues detected
+- **Locked** Count of files that were locked, preventing scanning
+- **NoVBA** Count of files with no VBA inside
+- **Protected** Count of files that were password protected, preventing scanning
+- **RemLimited** Count of files that require limited remediation changes
+- **RemLimited_x64** Count of files that require limited remediation changes for 64-bit issues
+- **RemSignificant** Count of files that require significant remediation changes
+- **RemSignificant_x64** Count of files that require significant remediation changes for 64-bit issues
+- **Score** Overall compatibility score calculated for scanned content
+- **Score_x64** Overall 64-bit compatibility score calculated for scanned content
+- **Total** Total number of files scanned
+- **Validation** Count of files that require additional manual validation
+- **Validation_x64** Count of files that require additional manual validation for 64-bit issues
+
+### Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkStartSync
+
+This event indicates that a new set of InventoryApplicationFrameworkAdd events will be sent
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory file generating the events
+
+### Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkAdd
+
+This event provides the basic metadata about the frameworks an application may depend on
+
+The following fields are available:
+
+- **FileId** A hash that uniquely identifies a file
+- **Frameworks** The list of frameworks this file depends on
+- **InventoryVersion** The version of the inventory file generating the events
+- **ProgramId** A hash of the Name, Version, Publisher, and Language of an application used to identify it
+
### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorAdd
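Review bot: the `InventoryMiscellaneousOfficeVBAAdd` intro should read `legacy Office versions and ProPlus, and between 32-bit and 64-bit versions`, and the field descriptions in all three new sections lack terminal periods, unlike the surrounding events. `Score` and `Score_x64` are described as an overall compatibility score without saying the range or whether higher is better; add that if known. The two `InventoryApplicationFramework*` sections carry the Inventory.Core namespace but are inserted among Inventory.General events; consider moving them next to `InventoryApplicationAdd`.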
@@ -2323,6 +2417,17 @@ The following fields are available:
- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section.
- **IndicatorValue** The indicator value
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsStartSync
+
+This event indicates that a new sync is being generated for this object type.
+
+There are no fields in this event.
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBAStartSync
+
+This event indicates that a new sync is being generated for this object type.
+
+There are no fields in this event.
### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorRemove
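Review bot: the inserted `InventoryMiscellaneousOfficeVBAStartSync` block ends with `There are no fields in this event.` immediately followed by the `### ...UexIndicatorRemove` heading with no blank line, unlike the blank line that precedes the inserted block; add one. These two General-namespace StartSync sections are also placed in the middle of the Indicators events (between UexIndicatorAdd and UexIndicatorRemove); group them with the other Office General events instead.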
@@ -2341,6 +2446,98 @@ The following fields are available:
- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section.
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsAdd
+
+This event provides data on Microsoft Office VBA rule violations, including a rollup count per violation type, giving an indication of remediation requirements for an organization. The event identifier is a unique GUID, associated with the validation rule
+
+The following fields are available:
+
+- **Count** Count of total Microsoft Office VBA rule violations
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInAdd
+
+This event provides data on the installed Office Add-ins.
+
+- **AddInCLSID** The CLSID key office the Office addin.
+- **AddInId** The ID of the Office addin.
+- **BinFileTimestamp** The timestamp of the Office addin.
+- **BinFileVersion** The version of the Office addin.
+- **Description** The description of the Office addin.
+- **FileId** The file ID of the Office addin.
+- **FriendlyName** The friendly name of the Office addin.
+- **FullPath** The full path to the Office addin.
+- **LoadBehavior** A Uint32 that describes the load behavior.
+- **LoadTime** The load time for the Office addin.
+- **OfficeApplication** The OIffice application for this addin.
+- **OfficeArchitecture** The architecture of the addin.
+- **OfficeVersion** The Office version for this addin.
+- **OutlookCrashingAddin** A boolean value that indicates if crashes have been found for this addin.
+- **Provider** The provider name for this addin.
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInStartSync
+
+This event indicates that a new sync is being generated for this object type.
+
+There are no fields in this event.
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersAdd
+
+This event provides data on the installed Office identifiers.
+
+- **OAudienceData** The Office Audience descriptor.
+- **OAudienceId** The Office Audience ID.
+- **OMID** The Office machine ID.
+- **OPlatform** The Office architecture.
+- **OVersion** The Office version
+- **OTenantId** The Office 365 Tenant GUID.
+- **OWowMID** The Office machine ID.
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersStartSync
+
+This event indicates that a new sync is being generated for this object type.
+
+There are no fields in this event.
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsStartSync
+
+This event indicates that a new sync is being generated for this object type.
+
+There are no fields in this event.
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsStartSync
+
+This event indicates that a new sync is being generated for this object type.
+
+There are no fields in this event.
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsAdd
+
+This event provides data on the installed Office-related Internet Explorer features.
+
+- **OIeFeatureAddon** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/en-us/library/ee330720.aspx).
+- **OIeMachineLockdown** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/en-us/library/ee330720.aspx).
+- **OIeMimeHandling** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/en-us/library/ee330720.aspx).
+- **OIeMimeSniffing** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/en-us/library/ee330720.aspx).
+- **OIeNoAxInstall** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/en-us/library/ee330720.aspx).
+- **OIeNoDownload** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/en-us/library/ee330720.aspx).
+- **OIeObjectCaching** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/en-us/library/ee330720.aspx).
+- **OIePasswordDisable** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/en-us/library/ee330720.aspx).
+- **OIeSafeBind** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/en-us/library/ee330720.aspx).
+- **OIeSecurityBand** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/en-us/library/ee330720.aspx).
+- **OIeUncSaveCheck** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/en-us/library/ee330720.aspx).
+- **OIeValidateUrl** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/en-us/library/ee330720.aspx).
+- **OIeWebOcPopup** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/en-us/library/ee330720.aspx).
+- **OIeWinRestrict** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/en-us/library/ee330720.aspx).
+- **OIeZoneElevate** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/en-us/library/ee330720.aspx).
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsAdd
+
+This event describes the Office products that are installed.
+
+- **OC2rApps** The Office Click-to-Run apps.
+- **OC2rSkus** The Office Click-to-Run products.
+- **OMsiApps** The Office MSI apps.
+- **OProductCodes** The Office MSI product code.
## OneDrive events
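Review bot: The `InventoryMiscellaneousOfficeProductsAdd` field list runs straight into the `## OneDrive events` heading with no blank line after the `OProductCodes` bullet, so the list and the next section will not be separated when rendered; add a blank line there. `OProductCodes` is plural but its description says "The Office MSI product code", so it should read "The Office MSI product codes." to match the other entries. The `OIe*` bullets above all repeat the identical "For more information, see the Office-related Internet Feature Control Keys" link; one sentence above that list pointing to the page, with each bullet reduced to its field name, would say the same thing without the repetition.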
diff --git a/windows/configuration/change-history-for-configure-windows-10.md b/windows/configuration/change-history-for-configure-windows-10.md
index f2d6cf6527..22ca0d610d 100644
--- a/windows/configuration/change-history-for-configure-windows-10.md
+++ b/windows/configuration/change-history-for-configure-windows-10.md
@@ -8,13 +8,20 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: high
author: jdeckerms
-ms.date: 10/20/2017
+ms.date: 11/06/2017
---
# Change history for Configure Windows 10
This topic lists new and updated topics in the [Configure Windows 10](index.md) documentation for Windows 10 and Windows 10 Mobile.
+## November 2017
+
+New or changed topic | Description
+--- | ---
+|[Windows 10, version 1703 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields.md)| Added events that were added in November. |
+[Create a provisioning package with multivariant settings](provisioning-packages/provisioning-multivariant.md) | Add support for desktop to [Conditions](provisioning-packages/provisioning-multivariant.md#conditions) table.
+
## October 2017
New or changed topic | Description
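Review bot: The two rows added to the November 2017 table use different pipe styles (the diagnostic-events row is wrapped in leading and trailing `|`, the multivariant row is not) under a `--- | ---` header; use one style for both so the table renders consistently. The description "Added events that were added in November." is circular and should say which events were added, and "Add support for desktop" should be past tense like the other entries: "Added desktop support to the Conditions table."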
diff --git a/windows/configuration/changes-to-start-policies-in-windows-10.md b/windows/configuration/changes-to-start-policies-in-windows-10.md
index 36cb3a412a..495f5b8cb3 100644
--- a/windows/configuration/changes-to-start-policies-in-windows-10.md
+++ b/windows/configuration/changes-to-start-policies-in-windows-10.md
@@ -8,6 +8,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerms
ms.localizationpriority: high
+ms.date: 11/28/2017
---
# Changes to Group Policy settings for Windows 10 Start
@@ -92,10 +93,6 @@ These policy settings are available in **Administrative Templates\\Start Menu an
Start Layout
This applies a specific Start layout, and it also prevents users from changing the layout. This policy can be configured in User Configuration or Computer Configuration.
-
-Note
-
Start Layout policy setting applies only to Windows 10 Enterprise and Windows 10 Education.
-
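Review bot: Removing the "Note" label leaves "Start Layout policy setting applies only to Windows 10 Enterprise and Windows 10 Education." as an unmarked sentence directly under the policy description, while elsewhere in this PR the same kind of remark is converted to a `>[!NOTE]` callout; convert this sentence to a `>[!NOTE]` block instead of dropping the label. The sentence also needs an article: "The Start Layout policy setting applies only to ...".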
diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md b/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md
index 7c62a1cfd4..929bea684c 100644
--- a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md
+++ b/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md
@@ -47,7 +47,7 @@ Three features enable Start and taskbar layout control:
- The [Export-StartLayout](https://go.microsoft.com/fwlink/p/?LinkID=620879) cmdlet in Windows PowerShell exports a description of the current Start layout in .xml file format.
>[!NOTE]
- >To import the layout of Start to a mounted Windows image, use the [Import-StartLayout](https://go.microsoft.com/fwlink/p/?LinkId=623707) cmdlet.
+ >To import the layout of Start to a mounted Windows image, use the [Import-StartLayout](https://docs.microsoft.com/powershell/module/startlayout/import-startlayout) cmdlet.
- [You can modify the Start .xml file](configure-windows-10-taskbar.md) to include `` or create an .xml file just for the taskbar configuration.
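Review bot: Only the Import-StartLayout link is moved from the go.microsoft.com/fwlink redirect to the docs.microsoft.com URL, while the Export-StartLayout link on the line above still points at `https://go.microsoft.com/fwlink/p/?LinkID=620879`; update both cmdlet links in the same change so the topic does not mix the two link styles. The unchanged context line "to include `` or create an .xml file" contains an empty code span, which suggests an element name was lost because it was rendered as an HTML tag; check the source has the intended element name escaped so it survives rendering.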
diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md b/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md
index 544462e2ea..1447c25de9 100644
--- a/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md
+++ b/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md
@@ -40,7 +40,7 @@ Two features enable Start layout control:
- The **Export-StartLayout** cmdlet in Windows PowerShell exports a description of the current Start layout in .xml file format.
>[!NOTE]
- >To import the layout of Start to a mounted Windows image, use the [Import-StartLayout](https://go.microsoft.com/fwlink/p/?LinkId=623707) cmdlet.
+ >To import the layout of Start to a mounted Windows image, use the [Import-StartLayout](https://docs.microsoft.com/powershell/module/startlayout/import-startlayout) cmdlet.
diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md b/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md
index 18f215ad22..cae45faff6 100644
--- a/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md
+++ b/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md
@@ -35,7 +35,7 @@ Three features enable Start and taskbar layout control:
- The **Export-StartLayout** cmdlet in Windows PowerShell exports a description of the current Start layout in .xml file format.
>[!NOTE]
- >To import the layout of Start to a mounted Windows image, use the [Import-StartLayout](https://go.microsoft.com/fwlink/p/?LinkId=623707) cmdlet.
+ >To import the layout of Start to a mounted Windows image, use the [Import-StartLayout](https://docs.microsoft.com/powershell/module/startlayout/import-startlayout) cmdlet.
- [You can modify the Start .xml file](configure-windows-10-taskbar.md) to include `` or create an .xml file just for the taskbar configuration.
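Review bot: The context line "to include `` or create an .xml file just for the taskbar configuration" has an empty code span, the same defect as in the Group Policy topic; since this line is being touched for the link change, the missing element name in the code span should be restored (escaped so it is not swallowed as HTML) in the same PR.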
diff --git a/windows/configuration/images/profile-config.png b/windows/configuration/images/profile-config.png
index 30a7468dcf..24a4dad4ab 100644
Binary files a/windows/configuration/images/profile-config.png and b/windows/configuration/images/profile-config.png differ
diff --git a/windows/configuration/lock-down-windows-10-to-specific-apps.md b/windows/configuration/lock-down-windows-10-to-specific-apps.md
index cb4884a6d9..147389b7a9 100644
--- a/windows/configuration/lock-down-windows-10-to-specific-apps.md
+++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md
@@ -573,9 +573,10 @@ Remove Task Manager | Enabled
Remove Change Password option in Security Options UI | Enabled
Remove Sign Out option in Security Options UI | Enabled
Remove All Programs list from the Start Menu | Enabled – Remove and disable setting
-Prevent access to drives from My Computer | Enabled - Restrict all drivers**Note:** Users can browse the directory structure in File Explorer, but they cannot open folders and access the contents. Also, they cannot use the **Run** dialog box or the **Map Network Drive** dialog box to view the directories on these drives. The icons representing the specified drives still appear in File Explorer, but if users double-click the icons, a message appears expalining that a setting prevents the action. This setting does not prevent users from using programs to access local and network drives. It does not prevent users from using the Disk Management snap-in to view and change drive characteristics.
-
+Prevent access to drives from My Computer | Enabled - Restrict all drivers
+>[!NOTE]
+>When **Prevent access to drives from My Computer** is enabled, users can browse the directory structure in File Explorer, but they cannot open folders and access the contents. Also, they cannot use the **Run** dialog box or the **Map Network Drive** dialog box to view the directories on these drives. The icons representing the specified drives still appear in File Explorer, but if users double-click the icons, a message appears expalining that a setting prevents the action. This setting does not prevent users from using programs to access local and network drives. It does not prevent users from using the Disk Management snap-in to view and change drive characteristics.
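Review bot: The moved text keeps two typos from the original row: "Restrict all drivers" should be "Restrict all drives" (the policy option restricts drives, not drivers), and "expalining" should be "explaining". Also, the `>[!NOTE]` block sits on the line immediately after the table row with no blank line in between, so the renderer may treat the callout as a continuation of the table; insert a blank line between the row and the callout.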
diff --git a/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index 46f3752dcd..4212f120c4 100644
--- a/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -9,7 +9,7 @@ ms.sitesec: library
ms.localizationpriority: high
author: brianlic-msft
ms.author: brianlic-msft
-ms.date: 07/28/2017
+ms.date: 11/21/2017
---
# Manage connections from Windows operating system components to Microsoft services
@@ -33,12 +33,13 @@ We are always striving to improve our documentation and welcome your feedback. Y
Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub://?referrer=techDocsUcPage&tabid=2&contextid=897&newFeedback=true&topic=manage-connections-from-windows-operating-system-components-to-microsoft-services.md).
-## What's new in Windows 10, version 1709
+## What's new in Windows 10, version 1709
Here's a list of changes that were made to this article for Windows 10, version 1709:
- Added the Phone calls section.
- Added the Storage Health section.
+- Added discussion of apps for websites in the Microsoft Store section.
## What's new in Windows 10, version 1703
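Review bot: The `## What's new in Windows 10, version 1709` heading is identical in the removed and added lines; if this is a trailing-whitespace or non-breaking-space fix it is worth a word in the PR description, otherwise drop the no-op change to keep the diff focused. The new bullet "Added discussion of apps for websites in the Microsoft Store section." should name the new 26.1 subsection so readers can find it.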
@@ -126,6 +127,7 @@ See the following table for a summary of the management settings for Windows 10
| [24. Windows Media Player](#bkmk-wmp) |  | | | |  |
| [25. Windows Spotlight](#bkmk-spotlight) |  |  |  |  | |
| [26. Microsoft Store](#bkmk-windowsstore) | |  | |  | |
+| [26.1 Apps for websites](#bkmk-apps-for-websites) | |  | | |
| [27. Windows Update Delivery Optimization](#bkmk-updates) |  |  |  |  | |
| [28. Windows Update](#bkmk-wu) |  |  |  | | |
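Review bot: The new `26.1 Apps for websites` row in the Windows 10 summary table has one cell fewer than the rows around it (five columns, where the `24.`, `25.`, `26.`, `27.` and `28.` rows have six), so the row will render misaligned; add the missing cell so the column count matches the header.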
@@ -153,6 +155,7 @@ See the following table for a summary of the management settings for Windows Ser
| [23. Windows Defender](#bkmk-defender) | |  |  | |
| [24. Windows Media Player](#bkmk-wmp) | | | |  |
| [26. Microsoft Store](#bkmk-windowsstore) | |  |  | |
+| [26.1 Apps for websites](#bkmk-apps-for-websites) | |  | | |
| [28. Windows Update](#bkmk-wu) | |  |  | |
### Settings for Windows Server 2016 Server Core
@@ -1810,6 +1813,10 @@ You can turn off the ability to launch apps from the Microsoft Store that were p
- Create a new REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\WindowsStore!AutoDownload**, with a value of 2 (two).
+### 26.1 Apps for websites
+
+You can turn off apps for websites, preventing customers who visit websites that are registered with their associated app from directly launching the app.
+
Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Group Policy** > **Configure web-to-app linking with URI handlers**
### 27. Windows Update Delivery Optimization
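Review bot: The `### 26.1 Apps for websites` heading is inserted directly after the last bullet of section 26 with no blank line before it, and the unchanged "Disable the Group Policy: ... Configure web-to-app linking with URI handlers" instruction that previously belonged to section 26 now falls under 26.1; add the blank line and confirm that moving the instruction under the new subsection is intended. "customers" in the new sentence reads oddly in an IT-pro topic; the surrounding text says "users".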
diff --git a/windows/configuration/provisioning-packages/provisioning-multivariant.md b/windows/configuration/provisioning-packages/provisioning-multivariant.md
index 6da2cc4314..e63300657b 100644
--- a/windows/configuration/provisioning-packages/provisioning-multivariant.md
+++ b/windows/configuration/provisioning-packages/provisioning-multivariant.md
@@ -6,6 +6,8 @@ ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerms
ms.localizationpriority: high
+ms.date: 11/06/2017
+ms.author: jdecker
---
# Create a provisioning package with multivariant settings
@@ -44,12 +46,12 @@ The following table shows the conditions supported in Windows 10 provisioning fo
| Condition Name | Condition priority | Windows 10 Mobile | Windows 10 for desktop editions | Value type | Value description |
| --- | --- | --- | --- | --- | --- |
-| MNC | P0 | Supported | N/A | Digit string | Use to target settings based on the Mobile Network Code (MNC) value. |
-| MCC | P0 | Supported | N/A | Digit string | Use to target settings based on the Mobile Country Code (MCC) value. |
-| SPN | P0 | Supported | N/A | String | Use to target settings based on the Service Provider Name (SPN) value. |
-| PNN | P0 | Supported | N/A | String | Use to target settings based on public land mobile network (PLMN) Network Name value. |
-| GID1 | P0 | Supported | N/A | Digit string | Use to target settings based on the Group Identifier (level 1) value. |
-| ICCID | P0 | Supported | N/A | Digit string | Use to target settings based on the Integrated Circuit Card Identifier (ICCID) value. |
+| MNC | P0 | Supported | Supported | Digit string | Use to target settings based on the Mobile Network Code (MNC) value. |
+| MCC | P0 | Supported | Supported | Digit string | Use to target settings based on the Mobile Country Code (MCC) value. |
+| SPN | P0 | Supported | Supported | String | Use to target settings based on the Service Provider Name (SPN) value. |
+| PNN | P0 | Supported | Supported | String | Use to target settings based on public land mobile network (PLMN) Network Name value. |
+| GID1 | P0 | Supported | Supported | Digit string | Use to target settings based on the Group Identifier (level 1) value. |
+| ICCID | P0 | Supported | Supported | Digit string | Use to target settings based on the Integrated Circuit Card Identifier (ICCID) value. |
| Roaming | P0 | Supported | N/A | Boolean | Use to specify roaming. Set the value to **1** (roaming) or **0** (non-roaming). |
| UICC | P0 | Supported | N/A | Enumeration | Use to specify the Universal Integrated Circuit Card (UICC) state. Set the value to one of the following:- 0 - Empty- 1 - Ready- 2 - Locked |
| UICCSLOT | P0 | Supported | N/A | Digit string | Use to specify the UICC slot. Set the value one of the following:- 0 - Slot 0- 1 - Slot 1 |
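Review bot: Changing MNC, MCC, SPN, PNN, GID1 and ICCID to "Supported" for Windows 10 desktop editions while Roaming, UICC and UICCSLOT stay N/A needs a version qualifier: the sentence introducing the table should state from which Windows 10 desktop release these SIM-based conditions are honoured, otherwise readers building packages for earlier builds will expect them to work there too.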
diff --git a/windows/configuration/windows-10-start-layout-options-and-policies.md b/windows/configuration/windows-10-start-layout-options-and-policies.md
index 3a0a9aec87..1dfaf43e0f 100644
--- a/windows/configuration/windows-10-start-layout-options-and-policies.md
+++ b/windows/configuration/windows-10-start-layout-options-and-policies.md
@@ -54,6 +54,8 @@ The following table lists the different parts of Start and any applicable policy
| Taskbar | MDM: **Start/NoPinningToTaskbar** | none |
+[Learn how to customize and export Start layout](customize-and-export-start-layout.md)
+
## Taskbar options
Starting in Windows 10, version 1607, you can pin additional apps to the taskbar and remove default pinned apps from the taskbar. You can specify different taskbar configurations based on device locale or region.
diff --git a/windows/configuration/windows-diagnostic-data.md b/windows/configuration/windows-diagnostic-data.md
index f540930a40..3cfd6d422a 100644
--- a/windows/configuration/windows-diagnostic-data.md
+++ b/windows/configuration/windows-diagnostic-data.md
@@ -37,7 +37,7 @@ Most diagnostic events contain a header of common data:
| Category Name | Examples |
| - | - |
-| Common Data | Information that is added to most diagnostic events, if relevant and available:
OS name, version, build, and [locale](https://msdn.microsoft.com/library/windows/desktop/dd318716.aspx)
User ID -- a unique identifier associated with the user's Microsoft Account (if one is used) or local account. The user's Microsoft Account identifier is not collected from devices configured to send Basic diagnostic data
Xbox UserID
Environment from which the event was logged -- Application ID of app or component that logged the event, Session GUID. Used to track events over a given period of time such the period an app is running or between boots of the OS.
The diagnostic event name, Event ID, [ETW](https://msdn.microsoft.com/library/windows/desktop/bb968803.aspx) opcode, version, schema signature, keywords, and flags
HTTP header information including IP address. This is not the IP address of the device but the source address in the network packet header received by the diagnostics ingestion service.
Various IDs that are used to correlate and sequence related events together.
Device ID. This is not the user provided device name, but an ID that is unique for that device.
Device class -- Desktop, Server, or Mobile
Event collection time
Diagnostic level -- Basic or Full, Sample level -- for sampled data, what sample level is this device opted into
|
+| Common Data | Information that is added to most diagnostic events, if relevant and available:
OS name, version, build, and [locale](https://msdn.microsoft.com/library/windows/desktop/dd318716.aspx)
User ID -- a unique identifier associated with the user's Microsoft Account (if one is used) or local account. The user's Microsoft Account identifier is not collected from devices configured to send Basic diagnostic data
Xbox UserID
Environment from which the event was logged -- Application ID of app or component that logged the event, Session GUID. Used to track events over a given period of time such the period an app is running or between boots of the OS.
The diagnostic event name, Event ID, [ETW](https://msdn.microsoft.com/library/windows/desktop/bb968803.aspx) opcode, version, schema signature, keywords, and flags
HTTP header information, including the IP address. This IP address is the source address that’s provided by the network packet header and received by the diagnostics ingestion service.
Various IDs that are used to correlate and sequence related events together.
Device ID. This is not the user provided device name, but an ID that is unique for that device.
Device class -- Desktop, Server, or Mobile
Event collection time
Diagnostic level -- Basic or Full, Sample level -- for sampled data, what sample level is this device opted into
|
## Device, Connectivity, and Configuration data
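Review bot: The rewritten HTTP header sentence drops the statement that the address "is not the IP address of the device", which was the privacy-relevant part of the entry; if that clarification was wrong, the new wording should say what the address is instead (the source address as seen by the ingestion service, which may be a NAT or proxy address rather than the device's own), and if it was right it should be kept. The new line also introduces a typographic apostrophe in "that’s" where the rest of the entry uses plain ASCII, and the context line "such the period an app is running" is missing "as".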
diff --git a/windows/deployment/TOC.md b/windows/deployment/TOC.md
index 0040ed7390..4b6e85ba51 100644
--- a/windows/deployment/TOC.md
+++ b/windows/deployment/TOC.md
@@ -197,7 +197,7 @@
####### [Recognized Environment Variables](usmt/usmt-recognized-environment-variables.md)
####### [XML Elements Library](usmt/usmt-xml-elements-library.md)
###### [Offline Migration Reference](usmt/offline-migration-reference.md)
-
+### [Install fonts in Windows 10](windows-10-missing-fonts.md)
### [Change history for deploy Windows 10](change-history-for-deploy-windows-10.md)
## [Update Windows 10](update/index.md)
diff --git a/windows/deployment/change-history-for-deploy-windows-10.md b/windows/deployment/change-history-for-deploy-windows-10.md
index 344c93c0af..af4b28f704 100644
--- a/windows/deployment/change-history-for-deploy-windows-10.md
+++ b/windows/deployment/change-history-for-deploy-windows-10.md
@@ -6,16 +6,23 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: greg-lindsay
-ms.date: 10/17/2017
+ms.date: 11/08/2017
---
# Change history for Deploy Windows 10
This topic lists new and updated topics in the [Deploy Windows 10](index.md) documentation for [Windows 10 and Windows 10 Mobile](/windows/windows-10).
+## November 2017
+
+New or changed topic | Description
+-- | ---
+ [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md) | Added warning that you should not use **SkipMachineOOBE** or **SkipUserOOBE** in your Unattend.xml.
+
## RELEASE: Windows 10, version 1709
| New or changed topic | Description |
|----------------------|-------------|
| [Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) | Updated the edition upgrade table to include all other Windows 10 editions previously not on the list and the supported upgrade methods for upgrade path. |
+| [Fonts missing after upgrading to Windows 10](windows-10-missing-fonts.md)| New article about the set of fonts that have moved from being included in the default installation image to being included in Optional Features. This article includes the steps for adding these optional font features.|
## July 2017
| New or changed topic | Description |
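Review bot: The new fonts article is given three different titles in this PR: "Fonts missing after upgrading to Windows 10" here, "Install fonts in Windows 10" in the deployment TOC, and "How to install fonts that are missing after upgrading to Windows 10" in deploy.md; pick one title and use it everywhere. In the November 2017 table the header row is `-- | ---` and the data row starts with a leading space; align both with the other change-history tables in this file.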
diff --git a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
index 491211e7a9..b8bc4a5ce1 100644
--- a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
+++ b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
@@ -9,6 +9,7 @@ ms.localizationpriority: high
ms.sitesec: library
ms.pagetype: mdt
author: mtniehaus
+ms.date: 11/08/2017
---
# Create a Windows 10 reference image
@@ -19,8 +20,8 @@ author: mtniehaus
Creating a reference image is important because that image serves as the foundation for the devices in your organization. In this topic, you will learn how to create a Windows 10 reference image using the Microsoft Deployment Toolkit (MDT). You will create a deployment share, configure rules and settings, and import all the applications and operating system files required to build a Windows 10 reference image. After completing the steps outlined in this topic, you will have a Windows 10 reference image that can be used in your deployment solution.
For the purposes of this topic, we will use four machines: DC01, MDT01, HV01, and PC0001. DC01 is a domain controller, PC0001 is a Windows 10 Enterprise x64 client, and MDT01 is a Windows Server 2012 R2 standard server. HV01 is a Hyper-V host server, but HV01 could be replaced by PC0001 as long as PC0001 has enough memory and is capable of running Hyper-V. MDT01, HV01, and PC0001 are members of the domain contoso.com for the fictitious Contoso Corporation.
-**Note**
-For important details about the setup for the steps outlined in this article, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof).
+>{!NOTE]}
+>For important details about the setup for the steps outlined in this article, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof).

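Review bot: The callout marker `>{!NOTE]}` is malformed (a curly brace in place of the opening bracket and a stray trailing brace) and will not render as a note; it must be `>[!NOTE]`, as in the other callouts converted in this file.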
@@ -75,8 +76,8 @@ This section will show you how to populate the MDT deployment share with the Win
MDT supports adding both full source Windows 10 DVDs (ISOs) and custom images that you have created. In this case, you create a reference image, so you add the full source setup files from Microsoft.
-**Note**
-Due to the Windows limits on path length, we are purposely keeping the operating system destination directory short, using the folder name W10EX64RTM rather than a more descriptive name like Windows 10 Enterprise x64 RTM.
+>[!OTE]
+>Due to the Windows limits on path length, we are purposely keeping the operating system destination directory short, using the folder name W10EX64RTM rather than a more descriptive name like Windows 10 Enterprise x64 RTM.
### Add Windows 10 Enterprise x64 (full source)
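Review bot: `>[!OTE]` is a typo for `>[!NOTE]`; as written the line renders as an ordinary blockquote containing the literal text "[!OTE]" instead of a note callout.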
@@ -115,8 +116,8 @@ By storing configuration items as MDT applications, it is easy to move these obj
In these examples, we assume that you downloaded the software in this list to the E:\\Downloads folder. The first application is added using the UI, but because MDT supports Windows PowerShell, you add the other applications using Windows PowerShell.
-**Note**
-All the Microsoft Visual C++ downloads can be found on [The latest supported Visual C++ downloads](https://go.microsoft.com/fwlink/p/?LinkId=619523).
+>[!NOTE]
+>All the Microsoft Visual C++ downloads can be found on [The latest supported Visual C++ downloads](https://go.microsoft.com/fwlink/p/?LinkId=619523).
### Create the install: Microsoft Office Professional Plus 2013 x86
@@ -371,8 +372,11 @@ Figure 9. The Windows 10 desktop with the Resume Task Sequence shortcut.
When using MDT, you don't need to edit the Unattend.xml file very often because most configurations are taken care of by MDT. However if, for example, you want to configure Internet Explorer 11 behavior, then you can edit the Unattend.xml for this. Editing the Unattend.xml for basic Internet Explorer settings is easy, but for more advanced settings, you will want to use Internet Explorer Administration Kit (IEAK).
-**Note**
-You also can use the Unattend.xml to enable components in Windows 10, like the Telnet Client or Hyper-V client. Normally we prefer to do this via the Install Roles and Features action, or using Deployment Image Servicing and Management (DISM) command-line tools, because then we can add that as an application, being dynamic, having conditions, and so forth. Also, if you are adding packages via Unattend.xml, it is version specific, so Unattend.xml must match the exact version of the operating system you are servicing.
+>[!WARNING]
+>Do not use **SkipMachineOOBE** or **SkipUserOOBE** in your Unattend.xml file. These settings are deprecated and can have unintended effects if used.
+
+>[!NOTE]
+>You also can use the Unattend.xml to enable components in Windows 10, like the Telnet Client or Hyper-V client. Normally we prefer to do this via the **Install Roles and Features** action, or using Deployment Image Servicing and Management (DISM) command-line tools, because then we can add that as an application, being dynamic, having conditions, and so forth. Also, if you are adding packages via Unattend.xml, it is version specific, so Unattend.xml must match the exact version of the operating system you are servicing.
Follow these steps to configure Internet Explorer settings in Unattend.xml for the Windows 10 Enterprise x64 RTM Default Image task sequence:
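Review bot: The new warning says **SkipMachineOOBE** and **SkipUserOOBE** "are deprecated and can have unintended effects if used" without saying what those effects are or linking to where the deprecation is documented; a one-line statement of the effect, or a link to the Unattend reference for these settings, would make the warning actionable.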
@@ -465,8 +469,8 @@ For that reason, add only a minimal set of rules to Bootstrap.ini, such as which
2. ISO file name: MDT Build Lab x64.iso
8. Click **OK**.
-**Note**
-In MDT, the x86 boot image can deploy both x86 and x64 operating systems (except on computers based on Unified Extensible Firmware Interface).
+>[!NOTE]
+>In MDT, the x86 boot image can deploy both x86 and x64 operating systems (except on computers based on Unified Extensible Firmware Interface).
### Update the deployment share
@@ -476,8 +480,8 @@ After the deployment share has been configured, it needs to be updated. This is
1. Using the Deployment Workbench, right-click the **MDT Build Lab deployment share** and select **Update Deployment Share**.
2. Use the default options for the Update Deployment Share Wizard.
-**Note**
-The update process will take 5 to 10 minutes.
+>[!NOTE]
+>The update process will take 5 to 10 minutes.
### The rules explained
@@ -487,8 +491,8 @@ The Bootstrap.ini and CustomSettings.ini files work together. The Bootstrap.ini
The CustomSettings.ini file is normally stored on the server, in the Deployment share\\Control folder, but also can be stored on the media (when using offline media).
-**Note**
-The settings, or properties, that are used in the rules (CustomSettings.ini and Bootstrap.ini) are listed in the MDT documentation, in the Microsoft Deployment Toolkit Reference / Properties / Property Definition section.
+>[!NOTE]
+>The settings, or properties, that are used in the rules (CustomSettings.ini and Bootstrap.ini) are listed in the MDT documentation, in the Microsoft Deployment Toolkit Reference / Properties / Property Definition section.
### The Bootstrap.ini file
@@ -515,8 +519,8 @@ So, what are these settings?
- **SkipBDDWelcome.** Even if it is nice to be welcomed every time we start a deployment, we prefer to skip the initial welcome page of the Windows Deployment Wizard.
-**Note**
-All properties beginning with "Skip" control only whether to display that pane in the Windows Deployment Wizard. Most of the panes also require you to actually set one or more values.
+>[!NOTE]
+>All properties beginning with "Skip" control only whether to display that pane in the Windows Deployment Wizard. Most of the panes also require you to actually set one or more values.
### The CustomSettings.ini file
diff --git a/windows/deployment/deploy.md b/windows/deployment/deploy.md
index 81aabe9b28..cc7833708b 100644
--- a/windows/deployment/deploy.md
+++ b/windows/deployment/deploy.md
@@ -6,7 +6,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: high
-ms.date: 09/05/2017
+ms.date: 11/02/2017
author: greg-lindsay
---
@@ -27,6 +27,8 @@ Windows 10 upgrade options are discussed and information is provided about plann
|[Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md) |This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT). |
|[Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) |If you have Microsoft System Center 2012 R2 Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT) or. |
|[Windows 10 deployment tools](windows-10-deployment-tools-reference.md) |Learn about available tools to deploy Windows 10, such as the Windows ADK, DISM, USMT, WDS, MDT, Windows PE and more. |
+|[How to install fonts that are missing after upgrading to Windows 10](windows-10-missing-fonts.md)|Windows 10 introduced changes to the fonts that are included in the image by default. Learn how to install additional fonts from **Optional features** after you install Windows 10 or upgrade from a previous version.|
+
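Review bot: The unchanged row above the new fonts entry ends with "...the Microsoft Deployment Toolkit (MDT) or. |", a dangling "or" that should be removed while this table is being edited.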
diff --git a/windows/deployment/mbr-to-gpt.md b/windows/deployment/mbr-to-gpt.md
index ee77f2ce0e..a2e4af2af5 100644
--- a/windows/deployment/mbr-to-gpt.md
+++ b/windows/deployment/mbr-to-gpt.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: deploy
author: greg-lindsay
-ms.date: 09/05/2017
+ms.date: 10/26/2017
ms.localizationpriority: high
---
@@ -20,25 +20,26 @@ ms.localizationpriority: high
**MBR2GPT.EXE** converts a disk from the Master Boot Record (MBR) to the GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool is designed to be run from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows 10 operating system (OS) by using the **/allowFullOS** option.
+>MBR2GPT.EXE is located in the **Windows\\System32** directory on a computer running Windows 10 version 1703 (also known as the Creator's Update) or later.
+>The tool is available in both the full OS environment and Windows PE. To use this tool in a deployment task sequence with Configuration Manager or Microsoft Deployment Toolkit (MDT), you must first update the Windows PE image (winpe.wim, boot.wim) with the [Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) 1703, or a later version.
+
See the following video for a detailed description and demonstration of MBR2GPT.
->MBR2GPT.EXE is located in the **Windows\\System32** directory on a computer running Windows 10 version 1703 (also known as the Creator's Update) or later.
->The tool is available in both the full OS environment and Windows PE.
-
You can use MBR2GPT to:
- Convert any attached MBR-formatted system disk to the GPT partition format. You cannot use the tool to convert non-system disks from MBR to GPT.
- Convert an MBR disk with BitLocker-encrypted volumes as long as protection has been suspended. To resume BitLocker after conversion, you will need to delete the existing protectors and recreate them.
- Convert operating system disks that have earlier versions of Windows 10 installed, such as versions 1507, 1511, and 1607. However, you must run the tool while booted into Windows 10 version 1703 or later, and perform an offline conversion.
+- Convert an operating system disk from MBR to GPT using Configuration Manager or MDT provided that your task sequence uses Windows PE version 1703 or later.
Offline conversion of system disks with earlier versions of Windows installed, such as Windows 7, 8, or 8.1 are not officially supported. The recommended method to convert these disks is to upgrade the operating system to Windows 10 first, then perform the MBR to GPT conversion.
>[!IMPORTANT]
>After the disk has been converted to GPT partition style, the firmware must be reconfigured to boot in UEFI mode. Make sure that your device supports UEFI before attempting to convert the disk.
-## Prerequisites
+## Disk Prerequisites
Before any change to the disk is made, MBR2GPT validates the layout and geometry of the selected disk to ensure that:
- The disk is currently using MBR
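Review bot: the heading rename from `-## Prerequisites` to `+## Disk Prerequisites` introduces title case where this doc set uses sentence case for headings (compare `## Learn more` and `## Frequently asked questions` later in this PR); use `## Disk prerequisites`. The new bullet `+- Convert an operating system disk from MBR to GPT using Configuration Manager or MDT provided that your task sequence uses Windows PE version 1703 or later.` restates the requirement already given in the moved note (`update the Windows PE image (winpe.wim, boot.wim) with the Windows ADK 1703, or a later version`); either point the bullet at that note or keep only one of the two, and add a comma before "provided". Since the page now says the tool runs from a task sequence, the IMPORTANT note about switching the firmware to UEFI should also say that the switch has to happen before the task sequence reboots, otherwise the converted disk will not boot.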
diff --git a/windows/deployment/planning/device-dialog-box.md b/windows/deployment/planning/device-dialog-box.md
deleted file mode 100644
index 5d32e55b8f..0000000000
--- a/windows/deployment/planning/device-dialog-box.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Device Dialog Box (Windows 10)
-description: In Application Compatibility Manager (ACM), the Device dialog box shows information about the selected device.
-description: This section describes the compatibility reports in Application Compatibility Manager (ACM) and how you can work with the reports.
----
\ No newline at end of file
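Review bot: deleting `windows/deployment/planning/device-dialog-box.md` is reasonable (the file had a duplicate `description:` key in its front matter and no body), but nothing in this PR shows a matching TOC or redirect change; make sure the TOC entry and any inbound links to `device-dialog-box.md` are removed or redirected in the same change so the published URL does not 404.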
diff --git a/windows/deployment/update/device-health-get-started.md b/windows/deployment/update/device-health-get-started.md
index 7c8f74f2cc..5f985c13da 100644
--- a/windows/deployment/update/device-health-get-started.md
+++ b/windows/deployment/update/device-health-get-started.md
@@ -22,7 +22,7 @@ Steps are provided in sections that follow the recommended setup process:
## Device Health prerequisites
Device Health has the following requirements:
-1. Device Health is currently only compatible with Windows 10 devices. The solution is intended to be used with desktop devices (Windows 10 workstations and laptops).
+1. Device Health is currently only compatible with Windows 10 and Windows Server 2016 devices. The solution is intended to be used with desktop devices (Windows 10 workstations and laptops).
2. The solution requires that at least the [enhanced level of telemetry](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization#basic-level) is enabled on all devices that are intended to be displayed in the solution. To learn more about Windows telemetry, see [Configure Windows telemetry in your organization](/windows/configuration/configure-windows-telemetry-in-your-organization).
3. The telemetry of your organization’s Windows devices must be successfully transmitted to Microsoft. Microsoft has specified [endpoints for each of the telemetry services](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization#endpoints), which must be whitelisted by your organization so the data can be transmitted. The following table is taken from the article on telemetry endpoints and summarizes the use of each endpoint:
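Review bot: `+1. Device Health is currently only compatible with Windows 10 and Windows Server 2016 devices.` now contradicts the sentence that follows it in the same line, `The solution is intended to be used with desktop devices (Windows 10 workstations and laptops).`; either drop that sentence or extend it to cover servers. While this list is being edited, note that item 2 links "enhanced level of telemetry" to the `#basic-level` anchor; if Server 2016 has a different minimum telemetry level, this is the place to say so.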
@@ -178,4 +178,4 @@ As in the other example, if this is successful, `TcpTestSucceeded` should return
## Related topics
[Use Device Health to monitor frequency and causes of device crashes](device-health-using.md)
-For the latest information on Windows Analytics, including new features and usage tips, see the [Windows Analytics blog](https://blogs.technet.microsoft.com/upgradeanalytics)
\ No newline at end of file
+For the latest information on Windows Analytics, including new features and usage tips, see the [Windows Analytics blog](https://blogs.technet.microsoft.com/upgradeanalytics)
diff --git a/windows/deployment/update/device-health-monitor.md b/windows/deployment/update/device-health-monitor.md
index 9833ec58dc..551585a40a 100644
--- a/windows/deployment/update/device-health-monitor.md
+++ b/windows/deployment/update/device-health-monitor.md
@@ -44,6 +44,7 @@ Use of Windows Analytics Device Health requires one of the following licenses:
- Windows 10 Enterprise E3 or E5 per-device or per-user subscription (including Microsoft 365 F1, E3, or E5)
- Windows 10 Education A3 or A5 (including Microsoft 365 Education A3 or A5)
- Windows VDA E3 or E5 per-device or per-user subscription
+- Windows Server 2016 and on
You don't have to install Windows 10 Enterprise on a per-device basis--you just need enough of the above licenses for the number of devices using Device Health.
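Review bot: `+- Windows Server 2016 and on` is added to a list of licenses, but it names an operating system rather than a license, and "and on" is not the phrasing used elsewhere in this doc set ("or later"). The sentence after the list, "you just need enough of the above licenses for the number of devices using Device Health", would now count servers toward the license total; state the actual position for servers in its own sentence (for example, whether Windows Server 2016 or later devices need one of the listed licenses) instead of adding them to the license list.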
@@ -77,4 +78,4 @@ These steps are illustrated in following diagram:
[Use Device Health to monitor frequency and causes of device crashes](device-health-using.md)
-For the latest information on Windows Analytics, including new features and usage tips, see the [Windows Analytics blog](https://blogs.technet.microsoft.com/upgradeanalytics)
\ No newline at end of file
+For the latest information on Windows Analytics, including new features and usage tips, see the [Windows Analytics blog](https://blogs.technet.microsoft.com/upgradeanalytics)
diff --git a/windows/deployment/update/images/uc-filledworkspacetile.PNG b/windows/deployment/update/images/uc-filledworkspacetile.PNG
index 5bce136cd1..7293578b1a 100644
Binary files a/windows/deployment/update/images/uc-filledworkspacetile.PNG and b/windows/deployment/update/images/uc-filledworkspacetile.PNG differ
diff --git a/windows/deployment/update/images/uc-filledworkspaceview.PNG b/windows/deployment/update/images/uc-filledworkspaceview.PNG
index 7456db62c0..8d99e52e02 100644
Binary files a/windows/deployment/update/images/uc-filledworkspaceview.PNG and b/windows/deployment/update/images/uc-filledworkspaceview.PNG differ
diff --git a/windows/deployment/update/images/uc-securityupdatestatus.PNG b/windows/deployment/update/images/uc-securityupdatestatus.PNG
index 776df89dc3..75e9d10fd8 100644
Binary files a/windows/deployment/update/images/uc-securityupdatestatus.PNG and b/windows/deployment/update/images/uc-securityupdatestatus.PNG differ
diff --git a/windows/deployment/update/index.md b/windows/deployment/update/index.md
index 2295a1f28e..4fa6463ca0 100644
--- a/windows/deployment/update/index.md
+++ b/windows/deployment/update/index.md
@@ -47,6 +47,6 @@ Windows as a service provides a new way to think about building, deploying, and
>[!TIP]
>Windows servicing is changing, but for disaster recovery scenarios and bare-metal deployments of Windows 10, you still can use traditional imaging software such as System Center Configuration Manager or the Microsoft Deployment Toolkit. Using these tools to deploy Windows 10 images is similar to deploying previous versions of Windows.
->With each release of a new feature update for CB, Microsoft makes available new .iso files for use in updating your custom images. Each Windows 10 build has a finite servicing lifetime, so it’s important that images stay up to date with the latest build. For detailed information about how to deploy Windows 10 to bare-metal machines or to upgrade to Windows 10 from previous builds of Windows, see [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](../deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md).
+>With each release of a new feature update for CB, Microsoft makes available new .iso files for use in updating your custom images. Each Windows 10 build has a finite servicing lifetime, so it’s important that images stay up to date with the latest build. For detailed information about how to deploy Windows 10 to bare-metal machines or to upgrade to Windows 10 from previous builds of Windows, see [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](../deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md). Additionally, Windows 10 clients can move from any supported version of Windows 10 (i.e. Version 1511) to the latest version directly (i.e 1709).
-Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub://?referrer=techDocsUcPage&tabid=2&contextid=897&newFeedback=true&topic=index.md).
\ No newline at end of file
+Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub://?referrer=techDocsUcPage&tabid=2&contextid=897&newFeedback=true&topic=index.md).
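Review bot: the sentence appended to the TIP, `Additionally, Windows 10 clients can move from any supported version of Windows 10 (i.e. Version 1511) to the latest version directly (i.e 1709).`, uses "i.e." where "for example" is meant and is inconsistent with itself ("i.e." vs "i.e", "Version 1511" vs "1709"); suggest `(for example, from version 1511 directly to version 1709)`. It also describes in-place feature updates, which is a different topic from the bare-metal imaging advice it is attached to, so it reads better as its own paragraph after the TIP.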
diff --git a/windows/deployment/update/waas-delivery-optimization.md b/windows/deployment/update/waas-delivery-optimization.md
index be0f75a719..f4ad73d713 100644
--- a/windows/deployment/update/waas-delivery-optimization.md
+++ b/windows/deployment/update/waas-delivery-optimization.md
@@ -4,10 +4,10 @@ description: Delivery Optimization is a new peer-to-peer distribution method in
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
-author: DaniHalfin
+author: JaimeO
ms.localizationpriority: high
-ms.author: daniha
-ms.date: 07/27/2017
+ms.author: jaimeo
+ms.date: 11/13/2017
---
# Configure Delivery Optimization for Windows 10 updates
@@ -19,16 +19,17 @@ ms.date: 07/27/2017
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
-Delivery Optimization is a self-organizing distributed cache solution for businesses looking to reduce bandwidth consumption for operating system updates, operating system upgrades, and applications by allowing clients to download those elements from alternate sources (such as other peers on the network) in addition to the traditional Internet-based Windows Update servers. You can use Delivery Optimization in conjunction with stand-alone Windows Update, Windows Server Update Services (WSUS), and Windows Update for Business. This functionality is similar to BranchCache in other systems, such as System Center Configuration Manager.
+Windows updates, upgrades, and applications can contain packages with very large files. Downloading and distributing updates can consume quite a bit of network resources on the devices receiving them. You can use Delivery Optimization to reduce bandwidth consumption by sharing the work of downloading these packages among multiple devices in your deployment. Delivery Optimization can accomplish this because it is a self-organizing distributed cache that allows clients to download those packages from alternate sources (such as other peers on the network) in addition to the traditional Internet-based Windows Update servers. You can use Delivery Optimization in conjunction with stand-alone Windows Update, Windows Server Update Services (WSUS), Windows Update for Business, or System Center Configuration Manager when installation of Express Updates is enabled.
-Delivery Optimization is a cloud managed solution. Having access to the Delivery Optimization cloud services, is a requirement for it to be enabled. This means that in order to utilize the peer-to-peer functionality of Delivery Optimization, machines need to have access to the internet.
+Delivery Optimization is a cloud-managed solution. Access to the Delivery Optimization cloud services is a requirement. This means that in order to use the peer-to-peer functionality of Delivery Optimization, devices must have access to the internet.
-For more details, see [Download mode](#download-mode).
>[!NOTE]
>WSUS can also use [BranchCache](waas-branchcache.md) for content sharing and caching. If Delivery Optimization is enabled on devices that use BranchCache, Delivery Optimization will be used instead.
-By default in Windows 10 Enterprise and Education, Delivery Optimization allows peer-to-peer sharing on the organization's own network only, but you can configure it differently in Group Policy and mobile device management (MDM) solutions such as Microsoft Intune.
+By default in Windows 10 Enterprise and Education editions, Delivery Optimization allows peer-to-peer sharing on the organization's own network only, but you can configure it differently in Group Policy and mobile device management (MDM) solutions such as Microsoft Intune.
+
+For more details, see [Download mode](#download-mode).
## Delivery Optimization options
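Review bot: in the rewritten opening paragraph, `Downloading and distributing updates can consume quite a bit of network resources on the devices receiving them.` is informal and misplaces the cost (bandwidth is consumed on the network links, not on the receiving devices); suggest "can consume significant network bandwidth". The new qualifier `or System Center Configuration Manager when installation of Express Updates is enabled` is a useful precision, but the old sentence comparing Delivery Optimization to BranchCache was dropped while the NOTE below still refers readers to BranchCache; keep one sentence stating how the two relate so the NOTE has context. Moving `For more details, see [Download mode](#download-mode).` to follow the default-peering paragraph is fine.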
@@ -58,13 +59,13 @@ Several Delivery Optimization features are configurable:
| [Enable Peer Caching while the device connects via VPN](#enable-peer-caching-while-the-device-connects-via-vpn) | DOAllowVPNPeerCaching | 1703 |
| [Allow uploads while the device is on battery while under set Battery level](#allow-uploads-while-the-device-is-on-battery-while-under-set-battery-level) | DOMinBatteryPercentageAllowedToUpload | 1703 |
-When configuring Delivery Optimization on Windows 10 devices, the first and most important thing to configure, would be [Download mode](#download-mode). Download mode dictates how Delivery Optimization downloads Windows updates.
+When configuring Delivery Optimization on Windows 10 devices, the first and most important thing to configure is the [Download mode](#download-mode), which dictates how Delivery Optimization downloads Windows updates.
While every other feature setting is optional, they offer enhanced control of the Delivery Optimization behavior.
[Group ID](#group-id), combined with Group [Download mode](#download-mode), enables administrators to create custom device groups that will share content between devices in the group.
-Delivery Optimization uses locally cached updates. In cases where devices have ample local storage and you would like to cache more content, or if you have limited storage and would like to cache less, use the settings below to adjust the Delivery Optimization cache to suit your scenario:
+Delivery Optimization uses locally cached updates. In cases where devices have ample local storage and you would like to cache more content, or if you have limited storage and would like to cache less, use the following settings to adjust the Delivery Optimization cache to suit your scenario:
- [Max Cache Size](#max-cache-size) and [Absolute Max Cache Size](#absolute-max-cache-size) control the amount of space the Delivery Optimization cache can use.
- [Max Cache Age](#max-cache-age) controls the retention period for each update in the cache.
- The system drive is the default location for the Delivery Optimization cache. [Modify Cache Drive](#modify-cache-drive) allows administrators to change that location.
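Review bot: the copy edit to `+When configuring Delivery Optimization on Windows 10 devices, the first and most important thing to configure is the [Download mode]...` is good, but the next unchanged line, `While every other feature setting is optional, they offer enhanced control of the Delivery Optimization behavior.`, has a singular subject with a plural pronoun; since this paragraph is being edited, fix it to "Every other feature setting is optional, but they offer finer control over Delivery Optimization behavior."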
@@ -72,22 +73,22 @@ Delivery Optimization uses locally cached updates. In cases where devices have a
>[!NOTE]
>It is possible to configure preferred cache devices. For more information, see [Set “preferred” cache devices for Delivery Optimization](#set-preferred-cache-devices).
-All cached files have to be above a set minimum size. This size is automatically set by the Delivery Optimization cloud services. Administrators may choose to change it, which will result in increased performance, when local storage is sufficient and the network isn't strained or congested. [Minimum Peer Caching Content File Size](#minimum-peer-caching-content-file-size) determines the minimum size of files to be cached.
+All cached files have to be above a set minimum size. This size is automatically set by the Delivery Optimization cloud services, but when local storage is sufficient and the network isn't strained or congested, administrators might choose to change it to obtain increased performance. You can set the minimum size of files to cache by adjusting [Minimum Peer Caching Content File Size](#minimum-peer-caching-content-file-size).
-There are additional options available to robustly control the impact Delivery Optimization has on your network:
-- [Maximum Download Bandwidth](#maximum-download-bandwidth) and [Percentage of Maximum Download Bandwidth](#percentage-of-maximum-download-bandwidth) controls the download bandwidth used by Delivery Optimization.
+Additional options available that control the impact Delivery Optimization has on your network include the following:
+- [Maximum Download Bandwidth](#maximum-download-bandwidth) and [Percentage of Maximum Download Bandwidth](#percentage-of-maximum-download-bandwidth) control the download bandwidth used by Delivery Optimization.
- [Max Upload Bandwidth](#max-upload-bandwidth) controls the Delivery Optimization upload bandwidth usage.
-- [Monthly Upload Data Cap](#monthly-upload-data-cap) controls the amount of data a client can upload to peers per month.
+- [Monthly Upload Data Cap](#monthly-upload-data-cap) controls the amount of data a client can upload to peers each month.
- [Minimum Background QoS](#minimum-background-qos) lets administrators guarantee a minimum download speed for Windows updates. This is achieved by adjusting the amount of data downloaded directly from Windows Update or WSUS servers, rather than other peers in the network.
-Various controls allow administrators to further customize scenarios where Delivery Optimization will be used:
+Administrators can further customize scenarios where Delivery Optimization will be used with the following settings:
- [Minimum RAM (inclusive) allowed to use Peer Caching](#minimum-ram-allowed-to-use-peer-caching) sets the minimum RAM required for peer caching to be enabled.
- [Minimum disk size allowed to use Peer Caching](#minimum-disk-size-allowed-to-use-peer-caching) sets the minimum disk size required for peer caching to be enabled.
- [Enable Peer Caching while the device connects via VPN](#enable-peer-caching-while-the-device-connects-via-vpn) allows clients connected through VPN to use peer caching.
-- [Allow uploads while the device is on battery while under set Battery level](#allow-uploads-while-the-device-is-on-battery-while-under-set-battery-level) controls the minimum battery level required for uploads to occur. Enabling this policy is required to allow upload while on battery.
+- [Allow uploads while the device is on battery while under set Battery level](#allow-uploads-while-the-device-is-on-battery-while-under-set-battery-level) controls the minimum battery level required for uploads to occur. You must enable this policy to allow upload while on battery.
### How Microsoft uses Delivery Optimization
-In Microsoft, to help ensure that ongoing deployments weren’t affecting our network and taking away bandwidth for other services, Microsoft IT used a couple of different bandwidth management strategies. Delivery Optimization, peer-to-peer caching enabled through Group Policy, was piloted and then deployed to all managed devices using Group Policy. Based on recommendations from the Delivery Optimization team, we used the "group" configuration to limit sharing of content to only the devices that are members of the same Active Directory domain. The content is cached for 24 hours. More than 76 percent of content came from peer devices versus the Internet.
+At Microsoft, to help ensure that ongoing deployments weren’t affecting our network and taking away bandwidth for other services, Microsoft IT used a couple of different bandwidth management strategies. Delivery Optimization, peer-to-peer caching enabled through Group Policy, was piloted and then deployed to all managed devices using Group Policy. Based on recommendations from the Delivery Optimization team, we used the "group" configuration to limit sharing of content to only the devices that are members of the same Active Directory domain. The content is cached for 24 hours. More than 76 percent of content came from peer devices versus the Internet.
For more details, check out the [Adopting Windows as a Service at Microsoft](https://www.microsoft.com/itshowcase/Article/Content/851/Adopting-Windows-as-a-service-at-Microsoft) technical case study.
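Review bot: the rewrite of the minimum-file-size paragraph (`+All cached files have to be above a set minimum size. ... administrators might choose to change it to obtain increased performance.`) no longer says which direction to change the value; the original at least implied the intent. Say explicitly that lowering [Minimum Peer Caching Content File Size](#minimum-peer-caching-content-file-size) lets smaller files be served from peers, at the cost of more cache space and peer traffic, so readers do not raise it expecting a performance gain.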
@@ -95,23 +96,23 @@ Provided below is a detailed description of every configurable feature setting.
### Download mode
-Download mode dictates which download sources clients are allowed to use when downloading Windows updates in addition to Windows Update servers. The following table shows the available download mode options and what they do.
+Download mode dictates which download sources clients are allowed to use when downloading Windows updates in addition to Windows Update servers. The following table shows the available download mode options and what they do.
| Download mode option | Functionality when set |
| --- | --- |
| HTTP Only (0) | This setting disables peer-to-peer caching but still allows Delivery Optimization to download content from Windows Update servers or WSUS servers. This mode uses additional metadata provided by the Delivery Optimization cloud services for a peerless reliable and efficient download experience. |
-| LAN (1 – Default) | This default operating mode for Delivery Optimization enables peer sharing on the same network. |
+| LAN (1 – Default) | This default operating mode for Delivery Optimization enables peer sharing on the same network. The Delivery Optimization cloud service finds other clients that connect to the Internet using the same public IP as the target client. These clients then attempts to connect to other peers on the same network by using their private subnet IP.|
| Group (2) | When group mode is set, the group is automatically selected based on the device’s Active Directory Domain Services (AD DS) site (Windows 10, version 1607) or the domain the device is authenticated to (Windows 10, version 1511). In group mode, peering occurs across internal subnets, between devices that belong to the same group, including devices in remote offices. You can use the GroupID option to create your own custom group independently of domains and AD DS sites. Group download mode is the recommended option for most organizations looking to achieve the best bandwidth optimization with Delivery Optimization. |
| Internet (3) | Enable Internet peer sources for Delivery Optimization. |
| Simple (99) | Simple mode disables the use of Delivery Optimization cloud services completely (for offline environments). Delivery Optimization switches to this mode automatically when the Delivery Optimization cloud services are unavailable, unreachable or when the content file size is less than 10 MB. In this mode, Delivery Optimization provides a reliable download experience, with no peer-to-peer caching. |
|Bypass (100) | Bypass Delivery Optimization and use BITS, instead. For example, select this mode so that clients can use BranchCache. |
>[!NOTE]
->Group mode is a best effort optimization and should not be relied on for an authentication of identity of devices participating in the group.
+>Group mode is a best-effort optimization and should not be relied on for an authentication of identity of devices participating in the group.
### Group ID
-By default, peer sharing on clients using the group download mode is limited to the same domain in Windows 10, version 1511, and the same domain and AD DS site in Windows 10, version 1607. By using the Group ID setting, you can optionally create a custom group that contains devices that should participate in Delivery Optimization but do not fall within those domain or AD DS site boundaries, including devices in another domain. Using Group ID, you can further restrict the default group (for example create a sub-group representing an office building), or extend the group beyond the domain, allowing devices in multiple domains in your organization to peer. This setting requires the custom group to be specified as a GUID on each device that participates in the custom group.
+By default, peer sharing on clients using the group download mode is limited to the same domain in Windows 10, version 1511, and the same domain and AD DS site in Windows 10, version 1607. By using the Group ID setting, you can optionally create a custom group that contains devices that should participate in Delivery Optimization but do not fall within those domain or AD DS site boundaries, including devices in another domain. Using Group ID, you can further restrict the default group (for example, you could create a sub-group representing an office building), or extend the group beyond the domain, allowing devices in multiple domains in your organization to be peers. This setting requires the custom group to be specified as a GUID on each device that participates in the custom group.
>[!NOTE]
>To generate a GUID using Powershell, use [```[guid]::NewGuid()```](https://blogs.technet.microsoft.com/heyscriptingguy/2013/07/25/powertip-create-a-new-guid-by-using-powershell/)
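Review bot: the new LAN-mode description, `+| LAN (1 – Default) | ... The Delivery Optimization cloud service finds other clients that connect to the Internet using the same public IP as the target client. These clients then attempts to connect to other peers on the same network by using their private subnet IP.|`, has a subject-verb error ("These clients then attempt") and, more importantly, documents that LAN peers are selected by shared public IP, not by actual network membership. That means the caveat in the NOTE a few lines down, `Group mode is a best-effort optimization and should not be relied on for an authentication of identity of devices participating in the group.`, applies to LAN mode as well: devices that merely share an egress IP (a guest network behind the same NAT, or a shared carrier-grade NAT) can be offered as peers. Suggest extending that NOTE to cover LAN mode and rewording "on the same network" to "behind the same public IP address".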
@@ -133,11 +134,11 @@ This setting specifies the required minimum disk size (capacity in GB) for the d
### Max Cache Age
-In environments configured for Delivery Optimization, you may want to set an expiration on cached updates and Windows application installation files. If so, this setting defines the maximum number of seconds each file can be held in the Delivery Optimization cache on each Windows 10 client computer. The default Max Cache Age value is 259,200 seconds (3 days). Alternatively, organizations may choose to set this value to “0” which means “unlimited” to avoid peers re-downloading content. When “Unlimited” value is set, Delivery Optimization will hold the files in the cache longer and will clean up the cache as needed (for example when the cache size exceeded the maximum space allowed).
+In environments configured for Delivery Optimization, you might want to set an expiration on cached updates and Windows application installation files. If so, this setting defines the maximum number of seconds each file can be held in the Delivery Optimization cache on each Windows 10 client device. The default Max Cache Age value is 259,200 seconds (3 days). Alternatively, organizations might choose to set this value to “0” which means “unlimited” to avoid peers re-downloading content. When “Unlimited” value is set, Delivery Optimization will hold the files in the cache longer and will clean up the cache as needed (for example when the cache size exceeded the maximum space allowed).
### Max Cache Size
-This setting limits the maximum amount of space the Delivery Optimization cache can use as a percentage of the available drive space, from 1 to 100. For example, if you set this value to 10 on a Windows 10 client computer that has 100 GB of available drive space, then Delivery Optimization will use up to 10 GB of that space. Delivery Optimization will constantly assess the available drive space and automatically clear the cache to keep the maximum cache size under the set percentage. The default value for this setting is 20.
+This setting limits the maximum amount of space the Delivery Optimization cache can use as a percentage of the available drive space, from 1 to 100. For example, if you set this value to 10 on a Windows 10 client device that has 100 GB of available drive space, then Delivery Optimization will use up to 10 GB of that space. Delivery Optimization will constantly assess the available drive space and automatically clear the cache to keep the maximum cache size under the set percentage. The default value for this setting is 20.
### Absolute Max Cache Size
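Review bot: in `+In environments configured for Delivery Optimization, you might want to set an expiration ... When “Unlimited” value is set, Delivery Optimization will hold the files in the cache longer and will clean up the cache as needed (for example when the cache size exceeded the maximum space allowed).`, the last sentence still reads awkwardly after the copy edit: "When the value is set to 0 (unlimited), ... (for example, when the cache size exceeds the maximum space allowed)". The `computer` to `device` change in the Max Cache Size paragraph is fine.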
@@ -194,6 +195,81 @@ On devices that are not preferred, you can choose to set the following policy to
- Set **DOMinBackgroundQoS** with a low value, for example `64` which is the equivalent of 64 KB/s.
+
+## Windows PowerShell cmdlets for analyzing usage
+Starting in Windows 10, version 1703, you can use two new PowerShell cmdlets to check the performance of Delivery Optimization:
+
+`Get-DeliveryOptimizationStatus` returns a real-time snapshot of all current Delivery Optimization jobs.
+
+| Key | Value |
+| --- | --- |
+| File ID | A GUID that identifies the file being processed |
+| Priority | Priority of the download; values are **foreground** or **background** |
+| FileSize | Size of the file |
+| TotalBytesDownloaded | The number of bytes from any source downloaded so far |
+| PercentPeerCaching |The percentage of bytes downloaded from peers versus over HTTP |
+| BytesFromPeers | Total bytes downloaded from peer devices (sum of bytes downloaded from LAN, Group, and Internet Peers) |
+| BytesfromHTTP | Total number of bytes received over HTTP |
+| DownloadDuration | Total download time in seconds |
+| Status | Current state of the operation. Possible values are: **Downloading** (download in progress); **Complete** (download completed, but is not uploading yet); **Caching** (download completed successfully and is ready to upload or uploading); **Paused** (download/upload paused by caller) |
+
+Using the `-Verbose` option returns additional information:
+
+| Key | Value |
+| --- | --- |
+| HTTPUrl| The URL where the download originates |
+| BytesFromLANPeers | Total bytes from peer devices on the same LAN |
+| BytesFromGroupPeers | Total bytes from peer devices in the same Group |
+| BytesFrom IntPeers | Total bytes from internet peers |
+| HTTPConnectionCount | Number of active connections over HTTP |
+| LANConnectionCount | Number of active connections over LAN |
+| GroupConnectionCount | Number of active connections to other devices in the Group |
+| IntConnectionCount | Number of active connections to internet peers |
+| DownloadMode | Indicates the download mode (see the "Download Mode" section for details) |
+
+
+- `Get-DeliveryOptimizationPerfSnap` returns a list of key performance data:
+
+- Number of files downloaded
+- Number of files uploaded
+- Total bytes downloaded
+- Total bytes uploaded
+- Average transfer size (download); that is, the number bytes downloaded divided by the number of files
+- Average transfer size (upload); the number of bytes uploaded divided by the number of files
+- Peer efficiency; same as PercentPeerCaching
+
+Using the `-Verbose` option returns additional information:
+
+- Bytes from peers (per type)
+- Bytes from CDN (the number of bytes received over HTTP)
+- Average number of peer connections per download
+
+## Frequently asked questions
+
+**Does Delivery Optimization work with WSUS?**: Yes. Devices will obtain the update payloads from the WSUS server, but must also have an internet connection as they communicate with the Delivery Optimization cloud service for coordination.
+
+**Which ports does Delivery Optimization use?**: For peer-to-peer traffic, it uses 7680 or 3544 (Teredo). For client-service communication, it uses port 80/443.
+
+**What are the requirements if I use a proxy?**: You must allow Byte Range requests. See [Proxy requirements for Windows Update](https://support.microsoft.com/help/3175743/proxy-requirements-for-windows-update) for details.
+
+**What hostnames should I allow through my firewall to support Delivery Optimization?**:
+
+For communication between clients and the Delivery Optimization cloud service: **\*.do.dsp.mp.microsoft.com**.
+
+For Delivery Optimization metadata:
+
+- *.dl.delivery.mp.microsoft.com
+- *.emdl.ws.microsoft.com
+
+For the payloads (optional):
+
+- *.download.windowsupdate.com
+- *.windowsupdate.com
+
+
+
+
+
## Learn more
[Windows 10, Delivery Optimization, and WSUS](https://blogs.technet.microsoft.com/mniehaus/2016/08/16/windows-10-delivery-optimization-and-wsus-take-2/)
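Review bot: the ports answer, `+**Which ports does Delivery Optimization use?**: For peer-to-peer traffic, it uses 7680 or 3544 (Teredo). For client-service communication, it uses port 80/443.`, gives port numbers without transport or direction, which is what a firewall administrator needs: say which port is the inbound peer-to-peer listener, that 3544 is Teredo's UDP port used for NAT traversal to Internet peers, and that 80/443 is outbound to the cloud service, and recommend scoping any inbound rule for the peer port to the corporate LAN and VPN ranges rather than any source. Smaller items in the same hunk: `+- `Get-DeliveryOptimizationPerfSnap` returns a list of key performance data:` has a stray list marker that makes the cmdlet a bullet in its own result list (compare the plain paragraph used for `Get-DeliveryOptimizationStatus`); `+| BytesFrom IntPeers |` has a space inside the property name; the `| Key | Value |` headers describe cmdlet output properties, so `| Property | Description |` is clearer; `**\*.do.dsp.mp.microsoft.com**` is bold while the other hostnames are plain list items; and the four blank lines before `## Learn more` should be collapsed to one.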
diff --git a/windows/deployment/update/waas-windows-insider-for-business.md b/windows/deployment/update/waas-windows-insider-for-business.md
index 6de16163e4..94c1ade630 100644
--- a/windows/deployment/update/waas-windows-insider-for-business.md
+++ b/windows/deployment/update/waas-windows-insider-for-business.md
@@ -287,7 +287,4 @@ Your individual registration with the Insider program will not be impacted. If y
- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md)
-- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
-- [Manage updates using Windows Update for Business](waas-manage-updates-wufb.md)
-- [Manage Windows 10 updates using Windows Server Update Services (WSUS)](waas-manage-updates-wsus.md)
-- [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
\ No newline at end of file
+- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
\ No newline at end of file
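Review bot: this hunk removes three related-topic links (`Manage updates using Windows Update for Business`, `Manage Windows 10 updates using Windows Server Update Services (WSUS)`, `Manage Windows 10 updates using System Center Configuration Manager`) without replacing them, and nothing else in the PR deletes those target pages. If the intent was to trim the list to the servicing-planning topics, say so in the commit message; otherwise keep the links, since they are the natural next step after "Optimize update delivery".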
diff --git a/windows/deployment/upgrade/upgrade-readiness-additional-insights.md b/windows/deployment/upgrade/upgrade-readiness-additional-insights.md
index 2073022a88..40b6f4fcb0 100644
--- a/windows/deployment/upgrade/upgrade-readiness-additional-insights.md
+++ b/windows/deployment/upgrade/upgrade-readiness-additional-insights.md
@@ -17,7 +17,7 @@ This topic provides information on additional features that are available in Upg
The site discovery feature in Upgrade Readiness provides an inventory of web sites that are accessed by client computers using Internet Explorer on Windows 7, Windows 8.1, and Windows 10. Site discovery does not include sites that are accessed using other Web browsers, such as Microsoft Edge. Site inventory information is provided as optional data related to upgrading to Windows 10 and Internet Explorer 11, and is meant to help prioritize compatibility testing for web applications. You can make more informed decisions about testing based on usage data.
> [!NOTE]
-> Site discovery data is disabled by default; you can find documentation on what is collected in the [Windows 7, Windows 8, and Windows 8.1 appraiser telemetry events and fields](https://go.microsoft.com/fwlink/?LinkID=822965). After you turn on this feature, data is collected on all sites visited by Internet Explorer, except during InPrivate sessions. In addition, the data collection process is silent, without notification to the employee. You are responsible for ensuring that your use of this feature complies with all applicable local laws and regulatory requirements, including any requirements to provide notice to employees.
+> Site discovery data is disabled by default; you can find documentation on what is collected in the [Windows 7, Windows 8, and Windows 8.1 appraiser telemetry events and fields](https://go.microsoft.com/fwlink/?LinkID=822965). After you turn on this feature, data is collected on all sites visited by Internet Explorer, except during InPrivate sessions. In addition, data will be collected on all sites visited by Microsoft Edge on computers running Windows 10 version 1803 (including Insider Preview builds) or newer. The data collection process is silent, without notification to the employee. You are responsible for ensuring that your use of this feature complies with all applicable local laws and regulatory requirements, including any requirements to provide notice to employees.
### Install prerequisite security update for Internet Explorer
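Review bot: the added sentence about collecting Microsoft Edge site data on Windows 10 version 1803 or newer contradicts the unchanged paragraph just above, which still states `Site discovery does not include sites that are accessed using other Web browsers, such as Microsoft Edge.` Scope that sentence (for example, to Windows 10 versions earlier than 1803) so the body text and the note agree; an administrator who reads only the paragraph would otherwise underestimate what this feature collects silently from employees, which matters for the notice obligations the same note describes.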
diff --git a/windows/deployment/upgrade/upgrade-readiness-requirements.md b/windows/deployment/upgrade/upgrade-readiness-requirements.md
index 687130e800..18d561a304 100644
--- a/windows/deployment/upgrade/upgrade-readiness-requirements.md
+++ b/windows/deployment/upgrade/upgrade-readiness-requirements.md
@@ -57,6 +57,7 @@ See [Windows 7, Windows 8, and Windows 8.1 appraiser telemetry events and fields
`https://v10.vortex-win.data.microsoft.com/collect/v1`
`https://vortex-win.data.microsoft.com/health/keepalive`
`https://settings.data.microsoft.com/qos`
+`https://settings-win.data.microsoft.com/qos`
`https://go.microsoft.com/fwlink/?LinkID=544713`
`https://compatexchange1.trafficmanager.net/CompatibilityExchangeService.svc`
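Review bot: the new `https://settings-win.data.microsoft.com/qos` entry is added directly beside the existing `https://settings.data.microsoft.com/qos`; say in the surrounding text whether both endpoints are now required or whether the new host replaces the old one, so proxy allowlists are not left carrying a stale entry.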
diff --git a/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md b/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md
index 28539a5108..f0d196dfd1 100644
--- a/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md
+++ b/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md
@@ -29,7 +29,7 @@ With Windows Easy Transfer, files and settings can be transferred using a netwo
### Migrate with the User State Migration Tool
You can use USMT to automate migration during large deployments of the Windows operating system. USMT uses configurable migration rule (.xml) files to control exactly which user accounts, user files, operating system settings, and application settings are migrated and how they are migrated. You can use USMT for both *side-by-side* migrations, where one piece of hardware is being replaced, or *wipe-and-load* (or *refresh*) migrations, when only the operating system is being upgraded.
-## Upgrade and migration monsiderations
+## Upgrade and migration considerations
Whether you are upgrading or migrating to a new version of Windows, you must be aware of the following issues and considerations:
### Application compatibility
diff --git a/windows/deployment/vda-subscription-activation.md b/windows/deployment/vda-subscription-activation.md
index fc38a3df22..25d0f04961 100644
--- a/windows/deployment/vda-subscription-activation.md
+++ b/windows/deployment/vda-subscription-activation.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
localizationpriority: high
ms.sitesec: library
ms.pagetype: mdt
-ms.date: 09/05/2017
+ms.date: 11/14/2017
author: greg-lindsay
---
@@ -25,7 +25,15 @@ Deployment instructions are provided for the following scenarios:
- VMs must be running Windows 10 Pro, version 1703 (also known as the Creator's Update) or later.
- VMs must be Active Directory-joined or Azure Active Directory-joined.
- VMs must be generation 1.
-- VMs must hosted by a [Qualified Multitenant Hoster](https://www.microsoft.com/en-us/CloudandHosting/licensing_sca.aspx).
+- VMs must hosted by a [Qualified Multitenant Hoster](https://www.microsoft.com/en-us/CloudandHosting/licensing_sca.aspx) (QMTH).
+
+## Activation
+
+The underlying Windows 10 Pro license must be activated prior to Subscription Activation of Windows 10 Enterprise.
+
+Procedures in this topic provide a Windows 10 Pro Generic Volume License Key (GVLK). Activation with this key is accomplished using a Volume License KMS activation server provided by the QMTH. Alternatively, a KMS activation server on your corporate network can be used if you have configured a private connection, such as [ExpressRoute](https://azure.microsoft.com/services/expressroute/) or [VPN Gateway](https://azure.microsoft.com/services/vpn-gateway/).
+
+For examples of activation issues, see [Troubleshoot the user experience](https://docs.microsoft.com/windows/deployment/deploy-enterprise-licenses#troubleshoot-the-user-experience).
## Active Directory-joined VMs
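Review bot: the reworded bullet `VMs must hosted by a [Qualified Multitenant Hoster](...) (QMTH).` carries over the grammar error from the removed line; it should read `VMs must be hosted by`. Also add a blank line between the `For examples of activation issues` paragraph and the `## Active Directory-joined VMs` heading that immediately follows it, so the new `## Activation` section renders cleanly.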
diff --git a/windows/deployment/windows-10-auto-pilot.md b/windows/deployment/windows-10-auto-pilot.md
index 8e1cb2f96a..a292123501 100644
--- a/windows/deployment/windows-10-auto-pilot.md
+++ b/windows/deployment/windows-10-auto-pilot.md
@@ -1,105 +1,145 @@
----
-title: Overview of Windows AutoPilot
-description: This topic goes over Windows AutoPilot and how it helps setup OOBE Windows 10 devices.
-keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: high
-ms.sitesec: library
-ms.pagetype: deploy
-author: DaniHalfin
-ms.author: daniha
-ms.date: 06/30/2017
----
-
-# Overview of Windows AutoPilot
-
-**Applies to**
-
-- Windows 10
-
-Windows AutoPilot is a collection of technologies used to set up and pre-configure new devices, getting them ready for productive use. In addition, you can use Windows AutoPilot to reset, repurpose and recover devices.
-This solution enables an IT department to achieve the above with little to no infrastructure to manage, with a process that's easy and simple.
-
-## Benefits of Windows AutoPilot
-
-Traditionally, IT pros spend a lot of time on building and customizing images that will later be deployed to devices with a perfectly good OS already installed on them. Windows AutoPilot introduces a new approach.
-
-From the users' perspective, it only takes a few simple operations to make their device ready to use.
-
-From the IT pros' perspective, the only interaction required from the end user, is to connect to a network and to verify their credentials. Everything past that is automated.
-
-Windows AutoPilot allows you to:
-* Automatically join devices to Azure Active Directory (Azure AD)
-* Auto-enroll devices into MDM services, such as Microsoft Intune ([*Requires an Azure AD Premium subscription*](#prerequisites))
-* Restrict the Administrator account creation
-* Create and auto-assign devices to configuration groups based on a device's profile
-* Customize OOBE content specific to the organization
-
-### Prerequisites
-
-* [Devices must be registered to the organization](#registering-devices-to-your-organization)
-* Devices have to be pre-installed with Windows 10 Professional, Enterprise or Education, of version 1703 or later
-* Devices must have access to the internet
-* [Azure AD Premium P1 or P2](https://www.microsoft.com/cloud-platform/azure-active-directory-features)
-* Microsoft Intune or other MDM services to manage your devices
-
-## Windows AutoPilot Scenarios
-
-### Cloud-Driven
-
-The Cloud-Driven scenario enables you to pre-register devices through the Windows AutoPilot Deployment Program. Your devices will be fully configured with no additional intervention required on the users' side.
-
-#### The Windows AutoPilot Deployment Program experience
-
-The end user unboxes and turns on a new device. What follows are a few simple configuration steps:
-* Select a language and keyboard layout
-* Connect to the network
-* Provide email address (the email address of the user's Azure AD account) and password
-
-Multiple additional settings are skipped here, since the device automatically recognizes that [it belongs to an organization](#registering-devices-to-your-organization). Following this process the device is joined to Azure AD, enrolled in Microsoft Intune (or any other MDM service).
-
-MDM enrollment ensures policies are applied, apps are installed and setting are configured on the device. Windows Update for Business applies the latest updates to ensure the device is up to date.
-
-
-
-
-#### Registering devices to your organization
-
-In order to register devices, you will need to acquire their hardware ID and register it. We are actively working with various hardware vendors to enable them to provide the required information to you, or upload it on your behalf.
-
-If you would like to capture that information by yourself, you can use the [Get-WindowsAutoPilotInfo PowerShell script](https://www.powershellgallery.com/packages/Get-WindowsAutoPilotInfo), which will generate a .csv file with the device's hardware ID.
-
->[!NOTE]
->This PowerShell script requires elevated permissions.
-
-By uploading this information to the Microsoft Store for Business or Partner Center admin portal, you'll be able to assign devices to your organization.
-Additional options and customization is available through these portals to pre-configure the devices.
-
-Options available for Windows 10, version 1703:
-* Skipping Work or Home usage selection (*Automatic*)
-* Skipping OEM registration, OneDrive and Cortana (*Automatic*)
-* Skipping privacy settings
-* Skipping EULA (*staring with Windows 10, version 1709*)
-* Preventing the account used to set-up the device from getting local administrator permissions
-
-We are working to add additional options to further personalize and streamline the setup experience in future releases.
-
-To see additional details on how to customize the OOBE experience and how to follow this process, see guidance for [Microsoft Store for Business](https://docs.microsoft.com/microsoft-store/add-profile-to-devices) or [Partner Center](https://msdn.microsoft.com/partner-center/autopilot).
-
-### IT-Driven
-
-If you are planning to use to configure these devices with traditional on-premises or cloud-based solutions, the [Windows Configuration Designer](https://www.microsoft.com/store/p/windows-configuration-designer/9nblggh4tx22) can be used to help automate the process. This is more suited to scenarios in which you require a higher level of control over the provisioning process. For more information on creating provisioning packages with Windows Configuration Designer, see [Create a provisioning package for Windows 10](/windows/configuration/provisioning-packages/provisioning-create-package).
-
-### Teacher-Driven
-
-If you're an IT pro or a technical staff member at a school, your scenario might be simpler. The [Set Up School PCs](http://www.microsoft.com/store/p/set-up-school-pcs/9nblggh4ls40) app can be used to quickly set up PCs for students and will get you to a productive state faster and simpler. Please see [Use the Set up School PCs app](https://docs.microsoft.com/education/windows/use-set-up-school-pcs-app) for all the details.
-
-## Ensuring your device can be auto-enrolled to MDM
-
-In order for your devices to be auto-enrolled into MDM management, MDM auto-enrollment needs to be configured in Azure AD. To do that with Intune, please see [Enroll Windows devices for Microsoft Intune](https://docs.microsoft.com/intune/windows-enroll). For other MDM vendors, please consult your vendor for further details.
-
->[!NOTE]
->MDM auto-enrollment requires an Azure AD Premium P1 or P2 subscription.
-
-Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub://?referrer=techDocsUcPage&tabid=2&contextid=897&newFeedback=true&topic=windows-10-auto-pilot.md).
+---
+title: Overview of Windows AutoPilot
+description: This topic goes over Windows AutoPilot and how it helps setup OOBE Windows 10 devices.
+keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: high
+ms.sitesec: library
+ms.pagetype: deploy
+author: DaniHalfin
+ms.author: daniha
+ms.date: 11/30/2017
+---
+
+# Overview of Windows AutoPilot
+
+**Applies to**
+
+- Windows 10
+
+Windows AutoPilot is a collection of technologies used to set up and pre-configure new devices, getting them ready for productive use. In addition, you can use Windows AutoPilot to reset, repurpose and recover devices.
+This solution enables an IT department to achieve the above with little to no infrastructure to manage, with a process that's easy and simple.
+
+## Benefits of Windows AutoPilot
+
+Traditionally, IT pros spend a lot of time on building and customizing images that will later be deployed to devices with a perfectly good OS already installed on them. Windows AutoPilot introduces a new approach.
+
+From the users' perspective, it only takes a few simple operations to make their device ready to use.
+
+From the IT pros' perspective, the only interaction required from the end user, is to connect to a network and to verify their credentials. Everything past that is automated.
+
+Windows AutoPilot allows you to:
+* Automatically join devices to Azure Active Directory (Azure AD)
+* Auto-enroll devices into MDM services, such as Microsoft Intune ([*Requires an Azure AD Premium subscription*](#prerequisites))
+* Restrict the Administrator account creation
+* Create and auto-assign devices to configuration groups based on a device's profile
+* Customize OOBE content specific to the organization
+
+### Prerequisites
+
+* [Devices must be registered to the organization](#registering-devices-to-your-organization)
+* [Company branding needs to be configured](#configure-company-branding-for-oobe)
+* [Network connectivity to cloud services used by Windows AutoPilot](#network-connectivity-requirements)
+* Devices have to be pre-installed with Windows 10 Professional, Enterprise or Education, of version 1703 or later
+* Devices must have access to the internet
+* [Azure AD Premium P1 or P2](https://www.microsoft.com/cloud-platform/azure-active-directory-features)
+* Microsoft Intune or other MDM services to manage your devices
+
+## Windows AutoPilot Scenarios
+
+### Cloud-Driven
+
+The Cloud-Driven scenario enables you to pre-register devices through the Windows AutoPilot Deployment Program. Your devices will be fully configured with no additional intervention required on the users' side.
+
+#### The Windows AutoPilot Deployment Program experience
+
+The end user unboxes and turns on a new device. What follows are a few simple configuration steps:
+* Select a language and keyboard layout
+* Connect to the network
+* Provide email address (the email address of the user's Azure AD account) and password
+
+Multiple additional settings are skipped here, since the device automatically recognizes that [it belongs to an organization](#registering-devices-to-your-organization). Following this process the device is joined to Azure AD, enrolled in Microsoft Intune (or any other MDM service).
+
+MDM enrollment ensures policies are applied, apps are installed and setting are configured on the device. Windows Update for Business applies the latest updates to ensure the device is up to date.
+
+
+
+
+#### Registering devices to your organization
+
+In order to register devices, you will need to acquire their hardware ID and register it. We are actively working with various hardware vendors to enable them to provide the required information to you, or upload it on your behalf.
+
+If you would like to capture that information by yourself, you can use the [Get-WindowsAutoPilotInfo PowerShell script](https://www.powershellgallery.com/packages/Get-WindowsAutoPilotInfo), which will generate a .csv file with the device's hardware ID.
+
+>[!NOTE]
+>This PowerShell script requires elevated permissions.
+
+By uploading this information to the Microsoft Store for Business or Partner Center admin portal, you'll be able to assign devices to your organization.
+Additional options and customization is available through these portals to pre-configure the devices.
+
+For information on how to upload device information, see [Microsoft Store for Business](https://docs.microsoft.com/microsoft-store/add-profile-to-devices#add-devices-and-apply-autopilot-deployment-profile) or [Partner Center](https://msdn.microsoft.com/partner-center/autopilot) guidance.
+
+#### OOBE customization
+
+Deployment profiles are used to configure the Out-Of-the-Box-Experience (OOBE) on devices deployed through the Windows AutoPilot Deployment Program.
+
+These are the OOBE customization options available for Windows 10, starting with version 1703:
+* Skipping Work or Home usage selection (*Automatic*)
+* Skipping OEM registration, OneDrive and Cortana (*Automatic*)
+* Skipping privacy settings
+* Skipping EULA (*staring with Windows 10, version 1709*)
+* Preventing the account used to set-up the device from getting local administrator permissions
+
+We are working to add additional options to further personalize and streamline the setup experience in future releases.
+
+To configure and apply deployment profiles, see guidance for the various available administration options:
+* [Microsoft Store for Business](https://docs.microsoft.com/microsoft-store/add-profile-to-devices#manage-autopilot-deployment-profiles)
+* [Microsoft Intune](https://docs.microsoft.com/intune/enrollment-autopilot)
+* [Microsoft 365 Business & Office 365 Admin](https://support.office.com/article/Create-and-edit-AutoPilot-profiles-5cf7139e-cfa1-4765-8aad-001af1c74faa)
+* [Partner Center](https://msdn.microsoft.com/partner-center/autopilot)
+
+##### Configure company branding for OOBE
+
+In order for your company branding to appear during the OOBE, you'll need to configure it in Azure Active Directory first.
+
+See [Add company branding to your directory](https://docs.microsoft.com/azure/active-directory/customize-branding#add-company-branding-to-your-directory), to configure these settings.
+
+#### Network connectivity requirements
+
+The Windows AutoPilot Deployment Program uses a number of cloud services to get your devices to a productive state. This means those services need to be accessible from devices registered as Windows Autopilot devices.
+
+To manage devices behind firewalls and proxy servers, the following URLs need to be accessible:
+
+* https://go.microsoft.com
+* https://login.microsoftonline.com
+* https://login.live.com
+* https://account.live.com
+* https://signup.live.com
+* https://licensing.mp.microsoft.com
+* https://licensing.md.mp.microsoft.com
+* ctldl.windowsupdate.com
+* download.windowsupdate.com
+
+>[!NOTE]
+>Where not explicitly specified, both HTTPS (443) and HTTP (80) need to be accessible.
+
+>[!TIP]
+>If you're auto-enrolling your devices into Microsoft Intune, or deploying Microsoft Office, make sure you follow the networking guidlines for [Microsoft Intune](https://docs.microsoft.com/en-us/intune/network-bandwidth-use#network-communication-requirements) and [Office 365](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2).
+
+### IT-Driven
+
+If you are planning to configure devices with traditional on-premises or cloud-based solutions, the [Windows Configuration Designer](https://www.microsoft.com/store/p/windows-configuration-designer/9nblggh4tx22) can be used to help automate the process. This is more suited to scenarios in which you require a higher level of control over the provisioning process. For more information on creating provisioning packages with Windows Configuration Designer, see [Create a provisioning package for Windows 10](/windows/configuration/provisioning-packages/provisioning-create-package).
+
+### Teacher-Driven
+
+If you're an IT pro or a technical staff member at a school, your scenario might be simpler. The [Set Up School PCs](http://www.microsoft.com/store/p/set-up-school-pcs/9nblggh4ls40) app can be used to quickly set up PCs for students and will get you to a productive state faster and simpler. Please see [Use the Set up School PCs app](https://docs.microsoft.com/education/windows/use-set-up-school-pcs-app) for all the details.
+
+## Ensuring your device can be auto-enrolled to MDM
+
+In order for your devices to be auto-enrolled into MDM management, MDM auto-enrollment needs to be configured in Azure AD. To do that with Intune, please see [Enroll Windows devices for Microsoft Intune](https://docs.microsoft.com/intune/windows-enroll). For other MDM vendors, please consult your vendor for further details.
+
+>[!NOTE]
+>MDM auto-enrollment requires an Azure AD Premium P1 or P2 subscription.
+
+Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub://?referrer=techDocsUcPage&tabid=2&contextid=897&newFeedback=true&topic=windows-10-auto-pilot.md).
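Review bot: every line of this file is shown as removed and re-added, which usually indicates a line-ending change rather than a content change; normalize line endings in a separate commit so the real edits (the new prerequisites, the `OOBE customization` section and the `Network connectivity requirements` section) can be reviewed on their own. Within the new content, `staring with Windows 10, version 1709` should be `starting`, `networking guidlines` should be `guidelines`, `setting are configured` should be `settings are configured`, and `Additional options and customization is available` should be `are available`. In the connectivity list, `ctldl.windowsupdate.com` and `download.windowsupdate.com` are bare hostnames while the other entries are `https://` URLs; given the note that both 443 and 80 are needed where not specified, state the protocol per entry so readers do not open HTTP to hosts that only need HTTPS.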
diff --git a/windows/deployment/windows-10-deployment-scenarios.md b/windows/deployment/windows-10-deployment-scenarios.md
index 0ece1c70e2..1b9607c9b5 100644
--- a/windows/deployment/windows-10-deployment-scenarios.md
+++ b/windows/deployment/windows-10-deployment-scenarios.md
@@ -7,7 +7,8 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: high
ms.sitesec: library
-author: mtniehaus
+ms.date: 11/7/2017
+author: greg-lindsay
---
# Windows 10 deployment scenarios
@@ -17,7 +18,18 @@ author: mtniehaus
To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the key capabilities and limitations of each, is a key task.
+## Windows AutoPilot
+
+Windows AutoPilot is a new suite of capabilities designed to simplify and modernize the deployment and management of new Windows 10 PCs. Windows AutoPilot enables IT professionals to customize the Out of Box Experience (OOBE) for Windows 10 PCs and provide end users with a fully configured new Windows 10 device after just a few clicks. There are no images to deploy, no drivers to inject, and no infrastructure to manage. Users can go through the deployment process independently, without the need consult their IT administrator.
+
+For more information about Windows AutoPilot, see [Overview of Windows AutoPilot](https://docs.microsoft.com/en-us/windows/deployment/windows-10-auto-pilot) and [Modernizing Windows deployment with Windows AutoPilot](https://blogs.technet.microsoft.com/windowsitpro/2017/06/29/modernizing-windows-deployment-with-windows-autopilot/).
+
+## Windows 10 Subscription Activation
+
+Windows 10 Subscription Activation is a modern deployment method that enables you to change the SKU from Pro to Enterprise with no keys and no reboots. For more information about Subscription Activation, see [Windows 10 Subscription Activation](https://docs.microsoft.com/en-us/windows/deployment/windows-10-enterprise-subscription-activation).
+
## In-place upgrade
+
For existing computers running Windows 7, Windows 8, or Windows 8.1, the recommended path for organizations deploying Windows 10 leverages the Windows installation program (Setup.exe) to perform an in-place upgrade, which automatically preserves all data, settings, applications, and drivers from the existing operating system version. This requires the least IT effort, because there is no need for any complex deployment infrastructure.
Although consumer PCs will be upgraded using Windows Update, organizations want more control over the process. This is accomplished by leveraging tools like System Center Configuration Manager or the Microsoft Deployment Toolkit to completely automate the upgrade process through simple task sequences.
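Review bot: `without the need consult their IT administrator` in the new Windows AutoPilot paragraph is missing a word; it should read `without the need to consult their IT administrator`.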
@@ -26,22 +38,23 @@ The in-place upgrade process is designed to be extremely reliable, with the abil
Because existing applications are preserved through the process, the upgrade process uses the standard Windows installation media image (Install.wim); custom images are not needed and cannot be used because the upgrade process is unable to deal with conflicts between apps in the old and new operating system. (For example, Contoso Timecard 1.0 in Windows 7 and Contoso Timecard 3.0 in the Windows 10 image.)
+Scenarios that support in-place upgrade with some additional procedures include changing from BIOS to UEFI boot mode and upgrade of devices that use non-Microsoft disk encryption software.
+
+- **Legacy BIOS to UEFI booting**: To perform an in-place upgrade on a UEFI-capable system that currently boots using legacy BIOS, first perform the in-place upgrade to Windows 10, maintaining the legacy BIOS boot mode. Windows 10 does not require UEFI, so it will work fine to upgrade a system using legacy BIOS emulation. After the upgrade, if you wish to enable Windows 10 features that require UEFI (such as Secure Boot), you can convert the system disk to a format that supports UEFI boot using the [MBR2GPT](https://docs.microsoft.com/en-us/windows/deployment/mbr-to-gpt) tool. Note: [UEFI specification](http://www.uefi.org/specifications) requires GPT disk layout. After the disk has been converted, you must also configure the firmware to boot in UEFI mode.
+
+- **Non-Microsoft disk encryption software**: While devices encrypted with BitLocker can easily be upgraded, more work is necessary for non-Microsoft disk encryption tools. Some ISVs will provide instructions on how to integrate their software into the in-place upgrade process. Check with your ISV to see if they have instructions. The following articles provide details on how to provision encryption drivers for use during Windows Setup via the ReflectDrivers setting:
+ - [Windows Setup Automation Overview](https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/windows-setup-automation-overview)
+ - [Windows Setup Command-Line Options](https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/windows-setup-command-line-options)
+
There are some situations where you cannot use in-place upgrade; in these situations, you can use traditional deployment (wipe-and-load) instead. Examples of these situations include:
- Changing from Windows 7, Windows 8, or Windows 8.1 x86 to Windows 10 x64. The upgrade process cannot change from a 32-bit operating system to a 64-bit operating system, because of possible complications with installed applications and drivers.
-
-- Changing from legacy BIOS to UEFI booting. Some organizations deployed earlier versions of Windows on UEFI-enabled systems, leveraging the legacy BIOS capabilities of these systems. Because changing from legacy BIOS to UEFI requires changing the hardware configuration, disk configuration, and OS configuration, this is not possible using in-place upgrade.
-
**Note** Windows 10 does not require UEFI, so it would work fine to upgrade a system using legacy BIOS emulation. Some Windows 10 features, such as Secure Boot, would not be available after doing this.
-
- Windows To Go and Boot from VHD installations. The upgrade process is unable to upgrade these installations. Instead, new installations would need to be performed.
-
-- Devices that use third-party disk encryption software. While devices encrypted with BitLocker can easily be upgraded, more work is necessary for third-party disk encryption tools. Some ISVs will provide instructions on how to integrate their software into the in-place upgrade process (check with your ISV to see if they have instructions), but if not available a traditional deployment would be needed.
-
- Updating existing images. While it might be tempting to try to upgrade existing Windows 7, Windows 8, or Windows 8.1 images to Windows 10 by installing the old image, upgrading it, and then recapturing the new Windows 10 image, this is not supported – preparing an upgraded OS for imaging (using Sysprep.exe) is not supported and will not work when it detects the upgraded OS.
-
- Dual-boot and multi-boot systems. The upgrade process is designed for devices running a single OS; if using dual-boot or multi-boot systems with multiple operating systems (not leveraging virtual machines for the second and subsequent operating systems), additional care should be taken.
## Dynamic provisioning
+
For new PCs, organizations have historically replaced the version of Windows included on the device with their own custom Windows image, because this was often faster and easier than leveraging the preinstalled version. But this is an added expense due to the time and effort required. With the new dynamic provisioning capabilities and tools provided with Windows 10, it is now possible to avoid this.
The goal of dynamic provisioning is to take a new PC out of the box, turn it on, and transform it into a productive organization device, with minimal time and effort. The types of transformations that are available include:
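Review bot: removing the `Changing from legacy BIOS to UEFI booting` bullet leaves the unchanged `**Note** Windows 10 does not require UEFI...` line orphaned between the x86-to-x64 bullet and the Windows To Go bullet, and its content is now duplicated by the new `Legacy BIOS to UEFI booting` bullet above (which already says Secure Boot needs UEFI and points to MBR2GPT); delete that note line as well. The removed `Devices that use third-party disk encryption software` bullet is correctly superseded by the new `Non-Microsoft disk encryption software` bullet, but the new text no longer says what to do when the ISV provides no integration instructions, whereas the old bullet stated that a traditional deployment would then be needed; consider keeping that fallback.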
@@ -49,11 +62,8 @@ The goal of dynamic provisioning is to take a new PC out of the box, turn it on,
- Changing the Windows edition with a single reboot. For organizations that have Software Assurance for Windows, it is easy to change a device from Windows 10 Pro to Windows 10 Enterprise, just by specifying an appropriate product or setup key. When the device restarts, all of the Windows 10 Enterprise features will be enabled.
- Configuring the device with VPN and Wi-Fi connections that may be needed to gain access to organization resources.
-
- Installation of additional apps needed for organization functions.
-
- Configuration of common Windows settings to ensure compliance with organization policies.
-
- Enrollment of the device in a mobile device management (MDM) solution, such as Microsoft Intune.
There are two primary dynamic provisioning scenarios:
@@ -66,7 +76,8 @@ Either way, these scenarios can be used to enable “choose your own device” (
While the initial Windows 10 release includes a variety of provisioning settings and deployment mechanisms, these will continue to be enhanced and extended based on feedback from organizations. As with all Windows features, organizations can submit suggestions for additional features through the Windows Feedback app or through their Microsoft Support contacts.
-## Traditional deployment
+## Traditional deployment:
+
New versions of Windows have typically been deployed by organizations using an image-based process built on top of tools provided in the [Windows Assessment and Deployment Kit](windows-adk-scenarios-for-it-pros.md), Windows Deployment Services, the [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md), and [System Center Configuration Manager](deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md).
With the release of Windows 10, all of these tools are being updated to fully support Windows 10. Although newer scenarios such as in-place upgrade and dynamic provisioning may reduce the need for traditional deployment capabilities in some organizations, these traditional methods remain important and will continue to be available to organizations that need them.
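Review bot: `## Traditional deployment:` introduces a trailing colon that no other heading in this file uses (`## In-place upgrade`, `## Dynamic provisioning`); drop the colon.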
diff --git a/windows/deployment/windows-10-missing-fonts.md b/windows/deployment/windows-10-missing-fonts.md
new file mode 100644
index 0000000000..b3b591759e
--- /dev/null
+++ b/windows/deployment/windows-10-missing-fonts.md
@@ -0,0 +1,100 @@
+---
+title: How to install fonts missing after upgrading to Windows 10
+description: Some of the fonts are missing from the system after you upgrade to Windows 10.
+keywords: deploy, upgrade, FoD, optional feature
+ms.prod: w10
+ms.mktglfcycl: plan
+ms.sitesec: library
+ms.localizationpriority: high
+author: kaushika-msft
+ms.author: kaushika
+ms.date: 10/31/2017
+---
+# How to install fonts that are missing after upgrading to Windows 10
+
+> Applies to: Windows 10
+
+When you upgrade from the Windows 7, Windows 8, or Windows 8.1 operating system to Windows 10, certain fonts are no longer available by default post-upgrade. To reduce the operating system footprint, improve performance, and optimize disk space usage, we moved many of the fonts that were previously shipped with prior versions of Windows to the optional features of Windows 10. If you install a fresh instance of Windows 10, or upgrade an older version of Windows to Windows 10, these optional features are not enabled by default. As a result, these fonts appear to be missing from the system.
+
+If you have documents created using the missing fonts, these documents might display differently on Windows 10.
+
+For example, if you have an English (or French, German, or Spanish) version of Windows 10 installed, you might notice that fonts such as the following are appear to be missing:
+
+- Gautami
+- Meiryo
+- Narkism/Batang
+- BatangChe
+- Dotum
+- DotumChe
+- Gulim
+- GulimChe
+- Gungsuh
+- GungsuhChe
+
+If you want to use these fonts, you can enable the optional feature to add these back to your system. Be aware that this is a permanent change in behavior for Windows 10, and it will remain this way in future releases.
+
+## Installing language-associated features via language settings:
+
+If you want to use the fonts from the optional feature and you know that you will want to view Web pages, edit documents, or use apps in the language associated with that feature, add that language into your user profile. You do this the Settings app.
+
+For example, here are the steps to install the fonts associated with the Hebrew language:
+
+1. Click **Start > Settings**.
+2. In Settings, click **Time & language**, and then click **Region & language**.
+3. If Hebrew is not included in the list of languages, click the plus sign (**+**) to add a language.
+4. Find Hebrew, and then click it to add it to your language list.
+
+Once you have added Hebrew to your language list, then the optional Hebrew font feature and other optional features for Hebrew language support are installed. This should only take a few minutes.
+
+> Note: The optional features are installed by Windows Update. This means you need to be online for the Windows Update service to work.
+
+## Install optional fonts manually without changing language settings:
+
+If you want to use fonts in an optional feature but don't need to search web pages, edit documents, or use apps in the associated language, you can install the optional font features manually without changing your language settings.
+
+For example, here are the steps to install the fonts associated with the Hebrew language without adding the Hebrew language itself to your language preferences:
+
+1. Click **Start > Settings**.
+2. In Settings, click **Apps**, click **Apps & features**, and then click **Manage optional features**.
+
+3. If you don't see **Hebrew Supplemental Fonts** in the list of installed features, click the plus sign (**+**) to add a feature.
+4. Select **Hebrew Supplemental Fonts** in the list, and then click **Install**.
+
+> Note: The optional features are installed by Windows Update. You need to be online for the Windows Update service to work.
+
+## Fonts included in optional font features
+
+Here is a comprehensive list of the font families in each of the optional features. Some font families might include multiple fonts for different weights and styles.
+
+- Arabic Script Supplemental Fonts: Aldhabi, Andalus, Arabic Typesetting, Microsoft Uighur, Sakkal Majalla, Simplified Arabic, Traditional Arabic, Urdu Typesetting
+- Bangla Script Supplemental Fonts: Shonar Bangla, Vrinda
+- Canadian Aboriginal Syllabics Supplemental Fonts: Euphemia
+- Cherokee Supplemental Fonts: Plantagenet Cherokee
+- Chinese (Simplified) Supplemental Fonts: DengXian, FangSong, KaiTi, SimHei
+- Chinese (Traditional) Supplemental Fonts: DFKai-SB, MingLiU, MingLiU_HKSCS, PMingLiU
+- Devanagari Supplemental Fonts: Aparajita, Kokila, Mangal, Sanskrit Text, Utsaah
+- Ethiopic Supplemental Fonts: Nyala
+- Gujarati Supplemental Fonts: Shruti
+- Gurmukhi Supplemental Fonts: Raavi
+- Hebrew Supplemental Fonts: Aharoni Bold, David, FrankRuehl, Gisha, Levanim MT, Miriam, Miriam Fixed, Narkism, Rod
+- Japanese Supplemental Fonts: Meiryo, Meiryo UI, MS Gothic, MS PGothic, MS UI Gothic, MS Mincho, MS PMincho, Yu Mincho
+- Kannada Supplemental Fonts: Tunga
+- Khmer Supplemental Fonts: DaunPenh, Khmer UI, MoolBoran
+- Korean Supplemental Fonts: Batang, BatangChe, Dotum, DotumChe, Gulim, GulimChe, Gungsuh, GungsuhChe
+- Lao Supplemental Fonts: DokChampa, Lao UI
+- Malayalam Supplemental Fonts: Karthika
+- Odia Supplemental Fonts: Kalinga
+- Pan-European Supplemental Fonts: Arial Nova, Georgia Pro, Gill Sans Nova, Neue Haas Grotesk, Rockwell Nova, Verdana Pro
+- Sinhala Supplemental Fonts: Iskoola Pota
+- Syriac Supplemental Fonts: Estrangelo Edessa
+- Tamil Supplemental Fonts: Latha, Vijaya
+- Telugu Supplemental Fonts: Gautami, Vani
+- Thai Supplemental Fonts: Angsana New, AngsanaUPC, Browallia New, BrowalliaUPC, Cordia New, CordiaUPC, DilleniaUPC, EucrosiaUPC, FreesiaUPC, IrisUPC, JasmineUPC, KodchiangUPC, Leelawadee, LilyUPC
+
+## Related Topics
+
+[Download the list of all available language FODs](http://download.microsoft.com/download/0/A/A/0AA4342D-3933-4216-A90D-3BA8392FB1D1/Windows%2010%201703%20FOD%20to%20LP%20Mapping%20Table.xlsx)
+
+[Features On Demand V2 (Capabilities)](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities#span-idrelatedtopicsspanrelated-topics)
+
+[Add Language Packs to Windows](/windows-hardware/manufacture/desktop/add-language-packs-to-windows)
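Review bot: two wording errors in the new article: "fonts such as the following are appear to be missing" should read "appear to be missing", and "You do this the Settings app" is missing a word ("You do this in the Settings app"). The blank line between steps 2 and 3 of the manual-install procedure breaks the numbered list, so step 3 can render as a new list starting at 1; remove it. The two procedure headings end in colons ("...via language settings:" and "...without changing language settings:") while the other headings do not; drop the colons. The "Features On Demand V2 (Capabilities)" link carries the fragment `#span-idrelatedtopicsspanrelated-topics`, which looks like an anchor generated from a rendered span rather than a stable heading id; verify it resolves or link without the fragment. Lastly, the missing-fonts list has "Narkism/Batang" as one item, but the feature list below shows Narkism under Hebrew and Batang under Korean, so they should be two items.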
diff --git a/windows/deployment/windows-10-poc.md b/windows/deployment/windows-10-poc.md
index b7d72b7783..9e55510904 100644
--- a/windows/deployment/windows-10-poc.md
+++ b/windows/deployment/windows-10-poc.md
@@ -92,7 +92,7 @@ Harware requirements are displayed below:
**OS**
-
Windows 8.1/10 or Windows Server 2012/2012 R2/2016*
+
Windows 8.1/10 or Windows Server 2012/2012 R2/2016\*
Windows 7 or a later
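Review bot: escaping the footnote marker as `\*` in the OS cell is the right fix, since a bare trailing `*` can be taken as emphasis, but while this cell is being edited the adjacent context line "Windows 7 or a later" should become "Windows 7 or later", and the hunk header's section text "Harware requirements" is a typo for "Hardware requirements" in the same table introduction.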
@@ -129,7 +129,7 @@ Harware requirements are displayed below:
-*The Hyper-V server role can also be installed on a computer running Windows Server 2008 R2. However, the Windows PowerShell module for Hyper-V is not available on Windows Server 2008 R2, therefore you cannot use many of the steps provided in this guide to configure Hyper-V. To manage Hyper-V on Windows Server 2008 R2, you can use Hyper-V WMI, or you can use the Hyper-V Manager console. Providing all steps in this guide as Hyper-V WMI or as 2008 R2 Hyper-V Manager procedures is beyond the scope of the guide.
+\*The Hyper-V server role can also be installed on a computer running Windows Server 2008 R2. However, the Windows PowerShell module for Hyper-V is not available on Windows Server 2008 R2, therefore you cannot use many of the steps provided in this guide to configure Hyper-V. To manage Hyper-V on Windows Server 2008 R2, you can use Hyper-V WMI, or you can use the Hyper-V Manager console. Providing all steps in this guide as Hyper-V WMI or as 2008 R2 Hyper-V Manager procedures is beyond the scope of the guide.
The Hyper-V role cannot be installed on Windows 7 or earlier versions of Windows.
@@ -229,7 +229,7 @@ When you have completed installation of Hyper-V on the host computer, begin conf
After completing registration you will be able to download the 7.47 GB Windows Server 2012 R2 evaluation VHD. An example of the download offering is shown below.
-
+

@@ -262,7 +262,7 @@ w10-enterprise.iso
>Important: Do not attempt to use the VM resulting from the following procedure as a reference image. Also, to avoid conflicts with existing clients, do not start the VM outside the PoC network.
-
+
If you do not have a PC available to convert to VM, perform the following steps to download an evaluation VM:
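Review bot: the removed and added lines in this hunk are identical as displayed, and the same is true of the @@ -229, -292, -363, -372, -384, -395, -407, -513 and -524 hunks of this file, so these are whitespace or line-ending only changes; state that in the commit message, or split the whitespace cleanup from the content changes so the substantive edits in this patch are easier to review.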
@@ -292,7 +292,7 @@ When creating a VM in Hyper-V, you must specify either generation 1 or generatio
-
+
Architecture
@@ -363,7 +363,7 @@ The following table displays the Hyper-V VM generation to choose based on the OS
-
+
OS
Partition style
@@ -372,8 +372,8 @@ The following table displays the Hyper-V VM generation to choose based on the OS
Procedure
-
Windows 7
-
MBR
+
Windows 7
+
MBR
32
1
[Prepare a generation 1 VM](#prepare-a-generation-1-vm)
@@ -384,7 +384,7 @@ The following table displays the Hyper-V VM generation to choose based on the OS
[Prepare a generation 1 VM](#prepare-a-generation-1-vm)
-
GPT
+
GPT
32
N/A
N/A
@@ -395,8 +395,8 @@ The following table displays the Hyper-V VM generation to choose based on the OS
[Prepare a generation 1 VM from a GPT disk](#prepare-a-generation-1-vm-from-a-gpt-disk)
-
Windows 8 or later
-
MBR
+
Windows 8 or later
+
MBR
32
1
[Prepare a generation 1 VM](#prepare-a-generation-1-vm)
@@ -407,7 +407,7 @@ The following table displays the Hyper-V VM generation to choose based on the OS
[Prepare a generation 1 VM](#prepare-a-generation-1-vm)
-
GPT
+
GPT
32
1
[Prepare a generation 1 VM from a GPT disk](#prepare-a-generation-1-vm-from-a-gpt-disk)
@@ -513,7 +513,7 @@ Notes:
### Resize VHD
-
+
**Enhanced session mode**
**Important**: Before proceeding, verify that you can take advantage of [enhanced session mode](https://technet.microsoft.com/windows-server-docs/compute/hyper-v/learn-more/Use-local-resources-on-Hyper-V-virtual-machine-with-VMConnect) when completing instructions in this guide. Enhanced session mode enables you to copy and paste the commands from the Hyper-V host to VMs, between VMs, and between RDP sessions. After copying some text, you can paste into a Windows PowerShell window by simply right-clicking. Before right-clicking, do not left click other locations as this can empty the clipboard. You can also copy and paste files directly from one computer to another by right-clicking and selecting copy on one computer, then right-clicking and selecting paste on another computer.
@@ -524,7 +524,7 @@ To ensure that enhanced session mode is enabled on the Hyper-V host, type the fo
>If enhanced session mode was not previously enabled, close any existing virtual machine connections and re-open them to enable access to enhanced session mode. As mentioned previously: instructions to "type" commands provided in this guide can be typed, but the preferred method is to copy and paste these commands. Most of the commands to this point in the guide have been brief, but many commands in sections below are longer and more complex.
-
+
The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to 100GB to support installing imaging tools and storing OS images.
diff --git a/windows/device-security/TOC.md b/windows/device-security/TOC.md
index 5294ed490a..13af847a45 100644
--- a/windows/device-security/TOC.md
+++ b/windows/device-security/TOC.md
@@ -125,6 +125,7 @@
## [Encrypted Hard Drive](encrypted-hard-drive.md)
+## [Enable HVCI](enable-virtualization-based-protection-of-code-integrity.md)
## [Security auditing](auditing\security-auditing-overview.md)
### [Basic security audit policies](auditing\basic-security-audit-policies.md)
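Review bot: the new `Enable HVCI` entry points at enable-virtualization-based-protection-of-code-integrity.md, which is not added or modified in the visible part of this diff; confirm the file exists so the TOC does not gain a broken link. The neighbouring entries use backslashes in their paths (`auditing\security-auditing-overview.md`), which the new entry correctly avoids; forward slashes are the portable form and the existing entries could be normalised in the same change.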
diff --git a/windows/device-security/auditing/event-4634.md b/windows/device-security/auditing/event-4634.md
index ed2fc54241..a6b32d39a0 100644
--- a/windows/device-security/auditing/event-4634.md
+++ b/windows/device-security/auditing/event-4634.md
@@ -23,7 +23,7 @@ author: Mir0sh
This event shows that logon session was terminated and no longer exists.
-The main difference between “[4647](event-4647.md): User initiated logoff.” and 4647 event is that 4647 event is generated when logoff procedure was initiated by specific account using logoff function, and 4634 event shows that session was terminated and no longer exists.
+The main difference between “[4647](event-4647.md): User initiated logoff.” and 4634 event is that 4647 event is generated when logoff procedure was initiated by specific account using logoff function, and 4634 event shows that session was terminated and no longer exists.
4647 is more typical for **Interactive** and **RemoteInteractive** logon types when user was logged off using standard methods. You will typically see both 4647 and 4634 events when logoff procedure was initiated by user.
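Review bot: replacing the second "4647" with "4634" fixes the sentence that was comparing the event with itself. For symmetry with the quoted 4647 title, consider naming 4634 the same way (its title is "An account was logged off.") and adding the missing articles: "the 4634 event", "the logoff procedure", "a specific account".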
diff --git a/windows/device-security/bitlocker/bitlocker-countermeasures.md b/windows/device-security/bitlocker/bitlocker-countermeasures.md
index 2c2cdbe94e..9cff481f09 100644
--- a/windows/device-security/bitlocker/bitlocker-countermeasures.md
+++ b/windows/device-security/bitlocker/bitlocker-countermeasures.md
@@ -93,7 +93,7 @@ For many years, Microsoft has recommended using pre-boot authentication to prote
Although effective, pre-boot authentication is inconvenient to users. In addition, if a user forgets their PIN or loses their startup key, they’re denied access to their data until they can contact their organization’s support team to obtain a recovery key. Today, most new PCs running Windows 10, Windows 8.1, or Windows 8 provide sufficient protection against DMA attacks without requiring pre-boot authentication. For example, most modern PCs include USB port options (which are not vulnerable to DMA attacks) but do not include FireWire or Thunderbolt ports (which are vulnerable to DMA attacks).
-BitLocker-encrypted devices with DMA ports enabled, including FireWire or Thunderbolt ports, should be configured with pre-boot authentication if they are running Windows 10, Windows 7, Windows 8, or Windows 8.1 and disabling the ports using policy or firmware configuration is not an option. Windows 8.1 and later InstantGo devices do not need pre-boot authentication to defend against DMA-based port attacks, as the ports will not be present on certified devices. A non-InstantGo Windows 8.1 and later device requires pre-boot authentication if DMA ports are enabled on the device and additional mitigations described in this document are not implemented. Many customers find that the DMA ports on their devices are never used, and they choose to eliminate the possibility of an attack by disabling the DMA ports themselves, either at the hardware level or through Group Policy.
+BitLocker-encrypted devices with DMA ports enabled, including FireWire or Thunderbolt ports, should be configured with pre-boot authentication if they are running Windows 10, Windows 7, Windows 8, or Windows 8.1 and disabling the ports using policy or firmware configuration is not an option. Windows 8.1 and later Modern Standby devices do not need pre-boot authentication to defend against DMA-based port attacks, as the ports will not be present on certified devices. A non-Modern Standby Windows 8.1 and later device requires pre-boot authentication if DMA ports are enabled on the device and additional mitigations described in this document are not implemented. Many customers find that the DMA ports on their devices are never used, and they choose to eliminate the possibility of an attack by disabling the DMA ports themselves, either at the hardware level or through Group Policy.
Many new mobile devices have the system memory soldered to the motherboard, which helps prevent the cold boot–style attack, where the system memory is frozen, removed, and then placed into another device. Those devices, and most PCs, can still be vulnerable when booting to a malicious operating system, however.
You can mitigate the risk of booting to a malicious operating system:
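Review bot: the InstantGo to Modern Standby rename in this hunk drops the old term entirely; since older hardware guidance and third-party material still say InstantGo, the first occurrence in each article should read "Modern Standby (formerly InstantGo)" so readers searching for the old name still land on the right guidance. The same applies to the renamed lines in the other BitLocker articles in this patch.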
@@ -133,7 +133,7 @@ While the features listed above protect the Windows boot process from malware th
### Protection After Startup: eliminate DMA availability
-Windows InstantGo–certified devices do not have DMA ports, eliminating the risk of DMA attacks. On other devices, you can disable FireWire, Thunderbolt, or other ports that support DMA.
+Windows Modern Standby–certified devices do not have DMA ports, eliminating the risk of DMA attacks. On other devices, you can disable FireWire, Thunderbolt, or other ports that support DMA.
## See also
- [Types of Attacks for Volume Encryption Keys](types-of-attacks-for-volume-encryption-keys.md)
diff --git a/windows/device-security/bitlocker/bitlocker-device-encryption-overview-windows-10.md b/windows/device-security/bitlocker/bitlocker-device-encryption-overview-windows-10.md
index 2fc47e4258..c9d9a49c93 100644
--- a/windows/device-security/bitlocker/bitlocker-device-encryption-overview-windows-10.md
+++ b/windows/device-security/bitlocker/bitlocker-device-encryption-overview-windows-10.md
@@ -62,7 +62,7 @@ With earlier versions of Windows, administrators had to enable BitLocker after W
## BitLocker Device Encryption
-Beginning in Windows 8.1, Windows automatically enables BitLocker Device Encryption on devices that support InstantGo. With Windows 10, Microsoft offers BitLocker Device Encryption support on a much broader range of devices, including those that are InstantGo. Microsoft expects that most devices in the future will pass the testing requirements, which makes BitLocker Device Encryption pervasive across modern Windows devices. BitLocker Device Encryption further protects the system by transparently implementing device-wide data encryption.
+Beginning in Windows 8.1, Windows automatically enables BitLocker Device Encryption on devices that support Modern Standby. With Windows 10, Microsoft offers BitLocker Device Encryption support on a much broader range of devices, including those that are Modern Standby. Microsoft expects that most devices in the future will pass the testing requirements, which makes BitLocker Device Encryption pervasive across modern Windows devices. BitLocker Device Encryption further protects the system by transparently implementing device-wide data encryption.
Unlike a standard BitLocker implementation, BitLocker Device Encryption is enabled automatically so that the device is always protected. The following list outlines how this happens:
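Review bot: in the added line, "including those that are Modern Standby" reads awkwardly; suggest "including Modern Standby devices" or "including those that support Modern Standby", matching "devices that support Modern Standby" earlier in the same sentence.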
@@ -101,7 +101,7 @@ Windows 10 can enable a true SSO experience from the preboot environment on mod
When BitLocker is enabled on a system drive and the PC has a TPM, you can choose to require that users type a PIN before BitLocker will unlock the drive. Such a PIN requirement can prevent an attacker who has physical access to a PC from even getting to the Windows logon, which makes it virtually impossible for the attacker to access or modify user data and system files.
Requiring a PIN at startup is a useful security feature because it acts as a second authentication factor (a second “something you know”). This configuration comes with some costs, however. One of the most significant is the need to change the PIN regularly. In enterprises that used BitLocker with Windows 7 and the Windows Vista operating system, users had to contact systems administrators to update their BitLocker PIN or password. This requirement not only increased management costs but made users less willing to change their BitLocker PIN or password on a regular basis.
-Windows 10 users can update their BitLocker PINs and passwords themselves, without administrator credentials. Not only will this feature reduce support costs, but it could improve security, too, because it encourages users to change their PINs and passwords more often. In addition, InstantGo devices do not require a PIN for startup: They are designed to start infrequently and have other mitigations in place that further reduce the attack surface of the system.
+Windows 10 users can update their BitLocker PINs and passwords themselves, without administrator credentials. Not only will this feature reduce support costs, but it could improve security, too, because it encourages users to change their PINs and passwords more often. In addition, Modern Standby devices do not require a PIN for startup: They are designed to start infrequently and have other mitigations in place that further reduce the attack surface of the system.
For more information about how startup security works and the countermeasures that Windows 10 provides, see [Protect BitLocker from pre-boot attacks](protect-bitlocker-from-pre-boot-attacks.md).
## Configure Network Unlock
diff --git a/windows/device-security/bitlocker/bitlocker-group-policy-settings.md b/windows/device-security/bitlocker/bitlocker-group-policy-settings.md
index cb8e0ad837..be88d6d8bf 100644
--- a/windows/device-security/bitlocker/bitlocker-group-policy-settings.md
+++ b/windows/device-security/bitlocker/bitlocker-group-policy-settings.md
@@ -89,7 +89,7 @@ The following policies are used to support customized deployment scenarios in yo
### Allow devices with Secure Boot and protected DMA ports to opt out of preboot PIN
-This policy setting allows users on devices that are compliant with InstantGo or the Microsoft Hardware Security Test Interface (HSTI) to not have a PIN for preboot authentication.
+This policy setting allows users on devices that are compliant with Modern Standby or the Microsoft Hardware Security Test Interface (HSTI) to not have a PIN for preboot authentication.
@@ -99,7 +99,7 @@ This policy setting allows users on devices that are compliant with InstantGo or
Policy description
-
With this policy setting, you can allow TPM-only protection for newer, more secure devices, such as devices that support InstantGo or HSTI, while requiring PIN on older devices.
+
With this policy setting, you can allow TPM-only protection for newer, more secure devices, such as devices that support Modern Standby or HSTI, while requiring PIN on older devices.
Introduced
@@ -121,7 +121,7 @@ This policy setting allows users on devices that are compliant with InstantGo or
When enabled
-
Users on InstantGo and HSTI compliant devices will have the choice to turn on BitLocker without preboot authentication.
+
Users on Modern Standby and HSTI compliant devices will have the choice to turn on BitLocker without preboot authentication.
When disabled or not configured
@@ -132,7 +132,7 @@ This policy setting allows users on devices that are compliant with InstantGo or
**Reference**
-The preboot authentication option Require startup PIN with TPM of the [Require additional authentication at startup](#bkmk-unlockpol1) policy is often enabled to help ensure security for older devices that do not support InstantGo.
+The preboot authentication option Require startup PIN with TPM of the [Require additional authentication at startup](#bkmk-unlockpol1) policy is often enabled to help ensure security for older devices that do not support Modern Standby.
But visually impaired users have no audible way to know when to enter a PIN.
This setting enables an exception to the PIN-required policy on secure hardware.
@@ -343,7 +343,7 @@ This policy setting is used to set a minimum PIN length when you use an unlock m
When enabled
-
You can require that users enter a minimum number of digits to when setting their startup PINs.
+
You can require that startup PINs set by users must have a minimum length you choose that is between 4 and 20 digits.
When disabled or not configured
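Review bot: the added line doubles the requirement ("require that startup PINs ... must have"); suggest "You can require that startup PINs set by users have a minimum length that you choose, between 4 and 20 digits."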
@@ -1100,19 +1100,25 @@ This policy setting is used to control the encryption method and cipher strength
When disabled or not configured
-
BitLocker uses the default encryption method of AES 128-bit or the encryption method that is specified by the setup script.
+
Beginning with Windows 10, version 1511, BitLocker uses the default encryption method of XTS-AES 128-bit or the encryption method that is specified by the setup script. Windows Phone does not support XTS; it uses AES-CBC 128-bit by default and supports AES-CBC 256-bit by policy.
**Reference**
-By default, BitLocker uses AES 128-bit encryption. Available options are AES-128 and AES-256. The values of this policy determine the strength of the cipher that BitLocker uses for encryption. Enterprises may want to control the encryption level for increased security (AES-256 is stronger than AES-128).
+The values of this policy determine the strength of the cipher that BitLocker uses for encryption.
+Enterprises may want to control the encryption level for increased security (AES-256 is stronger than AES-128).
+
+If you enable this setting, you will be able to configure an encryption algorithm and key cipher strength for fixed data drives, operating system drives, and removable data drives individually.
+For fixed and operating system drives, we recommend that you use the XTS-AES algorithm.
+For removable drives, you should use AES-CBC 128-bit or AES-CBC 256-bit if the drive will be used in other devices that are not running Windows 10, version 1511 or later.
+
Changing the encryption method has no effect if the drive is already encrypted or if encryption is in progress. In these cases, this policy setting is ignored.
>**Warning:** This policy does not apply to encrypted drives. Encrypted drives utilize their own algorithm, which is set by the drive during partitioning.
-When this policy setting is disabled, BitLocker uses AES with the same bit strength (128-bit or 256-bit) as specified in the policy setting **Choose drive encryption method and cipher strength (Windows Vista, Windows Server 2008, Windows 7)**. If neither policy is set, BitLocker uses the default encryption method, AES-128, or the encryption method that is specified in the setup script.
+When this policy setting is disabled or not configured, BitLocker will use the default encryption method of XTS-AES 128-bit or the encryption method that is specified in the setup script.
### Configure use of hardware-based encryption for fixed data drives
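Review bot: the rewritten "disabled or not configured" text now states XTS-AES 128-bit as the default, but the removed sentence that tied the disabled state to the legacy **Choose drive encryption method and cipher strength (Windows Vista, Windows Server 2008, Windows 7)** policy has no replacement; if that fallback still applies on Windows 10, version 1511 and later, say so, and if not, the "Reference" paragraph should state that the legacy policy is ignored. The retained warning "This policy does not apply to encrypted drives" is ambiguous in an article about encrypting drives; it refers to hardware-encrypted drives, which the next section ("Configure use of hardware-based encryption for fixed data drives") governs, so spell that out. Finally, the added recommendation to use XTS-AES for fixed and operating system drives gives no reason; a sentence on why XTS is preferred over CBC would help readers who have to justify the choice.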
@@ -2464,7 +2470,7 @@ reduces the likelihood of BitLocker starting in recovery mode as a result of fir
PCR 7 measurements must follow the guidance that is described in [Appendix A Trusted Execution Environment EFI Protocol](http://msdn.microsoft.com/library/windows/hardware/jj923068.aspx).
-PCR 7 measurements are a mandatory logo requirement for systems that support InstantGo (also known as Always On, Always Connected PCs), such as the Microsoft Surface RT. On such systems, if the TPM with PCR 7 measurement and Secure Boot are correctly configured, BitLocker binds to PCR 7 and PCR 11 by default.
+PCR 7 measurements are a mandatory logo requirement for systems that support Modern Standby (also known as Always On, Always Connected PCs), such as the Microsoft Surface RT. On such systems, if the TPM with PCR 7 measurement and Secure Boot are correctly configured, BitLocker binds to PCR 7 and PCR 11 by default.
## See also
- [Trusted Platform Module](/windows/device-security/tpm/trusted-platform-module-overview)
diff --git a/windows/device-security/bitlocker/bitlocker-management-for-enterprises.md b/windows/device-security/bitlocker/bitlocker-management-for-enterprises.md
index 2315455956..190a682c87 100644
--- a/windows/device-security/bitlocker/bitlocker-management-for-enterprises.md
+++ b/windows/device-security/bitlocker/bitlocker-management-for-enterprises.md
@@ -18,7 +18,7 @@ This topic explains recommendations for managing BitLocker, both on-premises usi
The ideal for modern BitLocker management is to eliminate the need for IT admins to set management policies using tools or other mechanisms by having Windows perform tasks that it is more practical to automate. This vision leverages modern hardware developments. The growth of TPM 2.0, Secure Boot, and other hardware improvements, for example, has helped to alleviate the support burden on the helpdesk, and we are seeing a consequent decrease in support call volumes, yielding improved user satisfaction.
-Therefore, we recommend that you upgrade your hardware so that your devices comply with InstantGo or [Hardware Security Test Interface (HSTI)](https://msdn.microsoft.com/library/windows/hardware/mt712332.aspx) specifications to take advantage of their automated features, for example, when using Azure Active Directory (Azure AD).
+Therefore, we recommend that you upgrade your hardware so that your devices comply with Modern Standby or [Hardware Security Test Interface (HSTI)](https://msdn.microsoft.com/library/windows/hardware/mt712332.aspx) specifications to take advantage of their automated features, for example, when using Azure Active Directory (Azure AD).
Though much Windows BitLocker [documentation](bitlocker-overview.md) has been published, customers frequently ask for recommendations and pointers to specific, task-oriented documentation that is both easy to digest and focused on how to deploy and manage BitLocker. This article links to relevant documentation, products, and services to help answer this and other related frequently-asked questions, and also provides BitLocker recommendations for:
@@ -42,7 +42,7 @@ Though much Windows BitLocker [documentation](bitlocker-overview.md) has been p
|Cloud-managed|[MDM](#MDM) |Auto-encryption|[Scripts](#powershell)|[MDM](#MDM)/EAS|
-*PC hardware that supports InstantGo or HSTI
+*PC hardware that supports Modern Standby or HSTI
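Review bot: the added footnote line `*PC hardware that supports Modern Standby or HSTI` starts with an unescaped asterisk, which Markdown can parse as a bullet or as the start of emphasis, so the marker may vanish or the line may render as a list item; the windows-10-poc.md hunks in this same patch escape the same footnote marker as `\*`, so do the same here.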
@@ -50,7 +50,7 @@ Though much Windows BitLocker [documentation](bitlocker-overview.md) has been p
## Recommendations for domain-joined computers
-Windows continues to be the focus for new features and improvements for built-in encryption management, for example, automatically enabling encryption on devices that support InstantGo beginning with Windows 8.1. For more information, see [Overview of BitLocker Device Encryption in Windows 10](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption).
+Windows continues to be the focus for new features and improvements for built-in encryption management, for example, automatically enabling encryption on devices that support Modern Standby beginning with Windows 8.1. For more information, see [Overview of BitLocker Device Encryption in Windows 10](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption).
Companies that image their own computers using Microsoft System Center 2012 Configuration Manager SP1 (SCCM) or later can use an existing task sequence to [pre-provision BitLocker](https://technet.microsoft.com/library/hh846237.aspx#BKMK_PreProvisionBitLocker) encryption while in Windows Preinstallation Environment (WinPE) and can then [enable protection](https://technet.microsoft.com/library/hh846237.aspx#BKMK_EnableBitLocker). This can help ensure that computers are encrypted from the start, even before users receive them. As part of the imaging process, a company could also decide to use SCCM to pre-set any desired [BitLocker Group Policy](https://technet.microsoft.com/library/ee706521(v=ws.10).aspx).
@@ -75,7 +75,7 @@ Devices joined to Azure Active Directory (Azure AD) are managed using Mobile Dev
Starting with Windows 10 version 1703 (also known as the Windows Creators Update), the enablement of BitLocker can be triggered over MDM either by the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) or the [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp). The BitLocker CSP adds policy options that go beyond ensuring that encryption has occurred, and is available on computers that run Windows 10 Business or Enterprise editions and on Windows Phones.
-For hardware that is compliant with InstantGo and HSTI, when using either of these features, BitLocker Device Encryption is automatically turned on whenever the user joins a device to Azure AD. Azure AD provides a portal where recovery keys are also backed up, so users can retrieve their own recovery key for self-service, if required. For older devices that are not yet encrypted, beginning with Windows 10 version 1703 (the Windows 10 Creators Update), admins can use the [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp) to trigger encryption and store the recovery key in Azure AD.
+For hardware that is compliant with Modern Standby and HSTI, when using either of these features, BitLocker Device Encryption is automatically turned on whenever the user joins a device to Azure AD. Azure AD provides a portal where recovery keys are also backed up, so users can retrieve their own recovery key for self-service, if required. For older devices that are not yet encrypted, beginning with Windows 10 version 1703 (the Windows 10 Creators Update), admins can use the [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp) to trigger encryption and store the recovery key in Azure AD.
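Review bot: "when using either of these features" has no antecedent in this paragraph; it refers to the Policy CSP and BitLocker CSP named in the paragraph above, so say "when either CSP is used to trigger encryption" or similar. "compliant with Modern Standby and HSTI" also reads oddly after the rename, since Modern Standby is a power model and HSTI a test specification; "hardware that supports Modern Standby and passes HSTI" is clearer.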
diff --git a/windows/device-security/bitlocker/choose-the-right-bitlocker-countermeasure.md b/windows/device-security/bitlocker/choose-the-right-bitlocker-countermeasure.md
index f00f1b4e23..7206bde1f7 100644
--- a/windows/device-security/bitlocker/choose-the-right-bitlocker-countermeasure.md
+++ b/windows/device-security/bitlocker/choose-the-right-bitlocker-countermeasure.md
@@ -117,7 +117,7 @@ Tables 1 and 2 summarize the recommended mitigations for different types of atta
**Table 2.** How to choose the best countermeasures for Windows 10
-The latest InstantGo devices, primarily tablets, are designed to be secure by default against all attacks that might compromise the BitLocker encryption key. Other Windows devices can be secure by default too. DMA port–based attacks, which represent the attack vector of choice, are not possible on InstantGo devices because these port types are prohibited. The inclusion of DMA ports on even non-InstantGo devices is extremely rare on recent devices, particularly on mobile ones. This could change if Thunderbolt is broadly adopted, so IT should consider this when purchasing new devices. In any case, DMA ports can be disabled entirely, which is an increasingly popular option because the use of DMA ports is infrequent in the non-developer space. To prevent DMA port usage unless an authorized user is signed in, you can set the DataProtection/AllowDirectMemoryAccess policy by using Mobile Device Management (MDM) or the Group Policy setting **Disable new DMA devices when this computer is locked** (beginning with Windows 10, version 1703). This setting is **Not configured** by default. The path to the Group Policy setting is:
+The latest Modern Standby devices, primarily tablets, are designed to be secure by default against all attacks that might compromise the BitLocker encryption key. Other Windows devices can be secure by default too. DMA port–based attacks, which represent the attack vector of choice, are not possible on Modern Standby devices because these port types are prohibited. The inclusion of DMA ports on even non-Modern Standby devices is extremely rare on recent devices, particularly on mobile ones. This could change if Thunderbolt is broadly adopted, so IT should consider this when purchasing new devices. In any case, DMA ports can be disabled entirely, which is an increasingly popular option because the use of DMA ports is infrequent in the non-developer space. To prevent DMA port usage unless an authorized user is signed in, you can set the DataProtection/AllowDirectMemoryAccess policy by using Mobile Device Management (MDM) or the Group Policy setting **Disable new DMA devices when this computer is locked** (beginning with Windows 10, version 1703). This setting is **Not configured** by default. The path to the Group Policy setting is:
**Computer Configuration|Administrative Templates|Windows Components|BitLocker Drive Encryption**
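Review bot: "non-Modern Standby devices" is hard to parse after the mechanical rename; rewrite as "devices that are not certified for Modern Standby". The claim that DMA port–based attacks "are not possible on Modern Standby devices because these port types are prohibited" should also be softened: the same paragraph says Thunderbolt adoption could change this, and the policy it describes (DataProtection/AllowDirectMemoryAccess, "Disable new DMA devices when this computer is locked") only blocks newly attached DMA devices while the machine is locked, so "mitigated by design" matches the evidence given better than "not possible".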
diff --git a/windows/device-security/bitlocker/types-of-attacks-for-volume-encryption-keys.md b/windows/device-security/bitlocker/types-of-attacks-for-volume-encryption-keys.md
index efc97f3e17..8dea84c3be 100644
--- a/windows/device-security/bitlocker/types-of-attacks-for-volume-encryption-keys.md
+++ b/windows/device-security/bitlocker/types-of-attacks-for-volume-encryption-keys.md
@@ -78,7 +78,7 @@ scans the system memory of the target and locates the encryption key. Once acqui
A much more efficient form of this attack exists in theory: An attacker crafts a custom FireWire or Thunderbolt device that has the DMA attack logic programmed on it. Now, the attacker simply needs to physically connect the device. If the attacker does not have physical access, they could disguise it as a free USB flash drive and distribute it to employees of a target organization. When connected, the attacking device could use a DMA attack to scan the PC’s memory for the encryption key. It could then transmit the key (or any data in the PC’s memory) using the PC’s Internet connection or its own wireless connection. This type of attack would require an extremely high level of sophistication, because it requires that the attacker create a custom device (devices of these types are not readily available in the marketplace at this time).
-Today, one of the most common uses for DMA ports on Windows devices is for developer debugging, a task that some developers need to perform and one that few consumers will ever perform. Because USB; DisplayPort; and other, more secure port types satisfy consumers, most new mobile PCs do not include DMA ports. Microsoft’s view is that because of the inherent security risks of DMA ports, they do not belong on mobile devices, and Microsoft has prohibited their inclusion on any InstantGo-certified devices. InstantGo devices offer mobile phone–like power management and instant-on capabilities; at the time of writing, they are primarily found in Windows tablets.
+Today, one of the most common uses for DMA ports on Windows devices is for developer debugging, a task that some developers need to perform and one that few consumers will ever perform. Because USB; DisplayPort; and other, more secure port types satisfy consumers, most new mobile PCs do not include DMA ports. Microsoft’s view is that because of the inherent security risks of DMA ports, they do not belong on mobile devices, and Microsoft has prohibited their inclusion on any Modern Standby-certified devices. Modern Standby devices offer mobile phone–like power management and instant-on capabilities; at the time of writing, they are primarily found in Windows tablets.
DMA-based expansion slots are another avenue of attack, but these slots generally appear only on desktop PCs that are designed for expansion. Organizations can use physical security to prevent outside attacks against their desktop PCs. In addition, a DMA attack on the expansion slot would require a custom device; as a result, an attacker would most likely insert an interface with a traditional DMA port (for example, FireWire) into the slot to attack the PC.
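Review bot: "Modern Standby-certified" should use the same en dash style as "DMA port–based" in this file or be reworded ("devices certified for Modern Standby"). The closing sentence "at the time of writing, they are primarily found in Windows tablets" was written about InstantGo; after the rename, verify it still describes Modern Standby hardware or drop the time-bound remark.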
diff --git a/windows/device-security/change-history-for-device-security.md b/windows/device-security/change-history-for-device-security.md
index f87ef6a78a..cdc986a04a 100644
--- a/windows/device-security/change-history-for-device-security.md
+++ b/windows/device-security/change-history-for-device-security.md
@@ -11,6 +11,11 @@ author: brianlic-msft
# Change history for device security
This topic lists new and updated topics in the [Device security](index.md) documentation.
+## November 2017
+|New or changed topic |Description |
+|---------------------|------------|
+| [How to enable virtualization-based protection of code integrity](enable-virtualization-based-protection-of-code-integrity.md)| New. Explains how to enable HVCI. |
+
## October 2017
|New or changed topic |Description |
|---------------------|------------|
diff --git a/windows/device-security/device-guard/deploy-catalog-files-to-support-code-integrity-policies.md b/windows/device-security/device-guard/deploy-catalog-files-to-support-code-integrity-policies.md
index 72fe5c9576..50fee16fa2 100644
--- a/windows/device-security/device-guard/deploy-catalog-files-to-support-code-integrity-policies.md
+++ b/windows/device-security/device-guard/deploy-catalog-files-to-support-code-integrity-policies.md
@@ -79,6 +79,25 @@ For information about signing catalog files by using a certificate and SignTool.
For information about adding the signing certificate to a code integrity policy, see [Add a catalog signing certificate to a code integrity policy](#add-a-catalog-signing-certificate-to-a-code-integrity-policy).
+### Resolving package failures
+
+Packages can fail for the following reasons:
+
+- Package is too large for default USN Journal or Event Log sizes
+ - To diagnose whether USN journal size is the issue, after running through Package Inspector, click Start > install app > PackageInspector stop
+ - Get the value of the reg key at HKEY\_CURRENT\_USER/PackageInspectorRegistryKey/c: (this was the most recent USN when you ran PackageInspector start)
+ - `fsutil usn readjournal C: startusn=RegKeyValue > inspectedusn.txt`
+ - ReadJournal command should throw an error if the older USNs don’t exist anymore due to overflow
+ - For USN Journal, log size can be expanded using: `fsutil usn createjournal` command with a new size and alloc delta. `Fsutil usn queryjournal` will give the current size and allocation delta, so using a multiple of that may help
+ - To diagnose whether Eventlog size is the issue, look at the Microsoft/Windows/CodeIntegrity/Operational log under Applications and Services logs in Event Viewer and ensure that there are entries present from when you began Package Inspector (You can use write time as a justification; if you started the install 2 hours ago and there are only entries from 30 minutes prior, the log is definitely too small)
+ - To increase Eventlog size, in Event Viewer you can right click the operational log, click properties, and then set new values (some multiple of what it was previously)
+- Package files that change hash each time the package is installed
+ - Package Inspector is completely incompatible if files in the package (temporary or otherwise) change hash each time the package is installed. You can diagnose this by looking at the hash field in the 3077 block events when the package is failing in enforcement. If each time you attempt to run the package you get a new block event with a different hash, the package will not work with Package Inspector
+- Files with an invalid signature blob or otherwise “unhashable” files
+ - This issue arises when a file that has been signed is modified post signing in a way that invalidates the PE header and renders the file unable to be hashed by the Authenticode Spec.
+ - Device Guard uses Authenticode Hashes to validate files when they are running. If the file is unhashable via the authenticode SIP, there is no way to identify the file to allow it, regardless of if you attempt to add the file to the policy directly, or re-sign the file with a Package Inspector catalog (the signature is invalidated due to file being edited, file can’t be allowed by hash due to authenticode hashing algorithm rejecting it)
+ - Recent versions of InstallShield packages that use custom actions can hit this. If the DLL input to the custom action was signed before being put through InstallShield, InstallShield adds tracking markers to the file (editing it post signature) which leaves the file in this “unhashable” state and renders the file unable to be allowed by Device Guard (regardless of if you try to allow directly by policy or resign with Package Inspector)
+
## Catalog signing with SignTool.exe
In this section, you sign a catalog file you generated by using PackageInspector.exe, as described in the previous section, [Create catalog files](#create-catalog-files). In this example, you need the following:
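Review bot: The registry path in the USN journal diagnosis step, "HKEY\_CURRENT\_USER/PackageInspectorRegistryKey/c:", uses forward slashes and looks like a placeholder; registry paths use backslashes, so give the real key or mark it clearly as a placeholder, and mark "RegKeyValue" in `fsutil usn readjournal C: startusn=RegKeyValue > inspectedusn.txt` the same way (for example `startusn=<value read from the registry>`). "click Start > install app > PackageInspector stop" is ambiguous (it reads like a Start-menu path, while the surrounding text describes running PackageInspector start, installing the application, then running PackageInspector stop); spell the three actions out as a numbered sub-list. Minor: "Fsutil usn queryjournal" should be lowercase to match the other commands, and "Eventlog" should be "event log".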
diff --git a/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md b/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md
index 47d2848249..f5c907daf3 100644
--- a/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md
+++ b/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md
@@ -73,6 +73,7 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you
|Matt Nelson | @enigma0x3|
|Oddvar Moe |@Oddvarmoe|
|Alex Ionescu | @aionescu|
+|Lee Christensen|@tifkin_|
@@ -134,6 +135,7 @@ Microsoft recommends that you block the following Microsoft-signed applications
+
@@ -418,6 +420,7 @@ Microsoft recommends that you block the following Microsoft-signed applications
+
diff --git a/windows/device-security/enable-virtualization-based-protection-of-code-integrity.md b/windows/device-security/enable-virtualization-based-protection-of-code-integrity.md
new file mode 100644
index 0000000000..46290126ff
--- /dev/null
+++ b/windows/device-security/enable-virtualization-based-protection-of-code-integrity.md
@@ -0,0 +1,72 @@
+---
+title: Enable virtualization-based protection of code integrity
+description: This article explains the steps to opt in to using HVCI on Windows devices.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: high
+ms.author: justinha
+author: brianlic-msft
+ms.date: 11/07/2017
+---
+
+# Enable virtualization-based protection of code integrity
+
+**Applies to**
+
+- Windows 10
+- Windows Server 2016
+
+Virtualization-based protection of code integrity (herein referred to as HVCI) is a powerful system mitigation, which leverages hardware virtualization and the Windows Hyper-V hypervisor to protect Windows kernel-mode processes against the injection and execution of malicious or unverified code.
+Code integrity validation is performed in a secure environment that is resistant to attack from malicious software, and page permissions for kernel mode are set and maintained by the Hyper-V hypervisor.
+
+Some applications, including device drivers, may be incompatible with HVCI.
+This can cause devices or software to malfunction and in rare cases may result in a Blue Screen. Such issues may occur after HVCI has been turned on or during the enablement process itself.
+If this happens, see [Troubleshooting](#troubleshooting) for remediation steps.
+
+## How to Turn on virtualization-based protection of code integrity on the Windows 10 Fall Creators Update (version 1709)
+
+These steps apply to Windows 10 S, Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education.
+
+The following instructions are intended for Windows 10 client systems running the Fall Creators Update (version 1709) that have hypervisor support and that are not already using a [Windows Defender Application Control (WDAC)](https://blogs.technet.microsoft.com/mmpc/2017/10/23/introducing-windows-defender-application-control/) policy.
+If your device already has a WDAC policy (SIPolicy.p7b), please contact your IT administrator to request HVCI.
+
+> [!NOTE]
+> You must be an administrator to perform this procedure.
+
+1. Download the [Enable HVCI cabinet file](http://download.microsoft.com/download/7/A/F/7AFBCDD1-578B-49B0-9B27-988EAEA89A8B/EnableHVCI.cab).
+
+2. Open the cabinet file.
+
+3. Right-click the SIPolicy.p7b file and extract it. Then move it to the following location:
+
+ C:\Windows\System32\CodeIntegrity
+
+ > [!NOTE]
+ > Do not perform this step if a SIPolicy.p7b file is already in this location.
+
+4. Turn on the hypervisor:
+
+ a. Click Start, type **Turn Windows Features on or off** and press ENTER.
+
+ b. Select **Hyper-V** > **Hyper-V Platform** > **Hyper-V Hypervisor** and click **OK**.
+
+ 
+
+ c. After the installation completes, restart your computer.
+
+5. To confirm HVCI was successfully enabled, open **System Information** and check **Virtualization-based security Services Running**, which should now display **Hypervisor enforced Code Integrity**.
+
+
+## Troubleshooting
+
+A. If a device driver fails to load or crashes at runtime, you may be able to update the driver using **Device Manager**.
+
+B. If you experience software or device malfunction after using the above procedure to turn on HVCI, but you are able to log in to Windows, you can turn off HVCI by renaming or deleting the SIPolicy.p7b file from the file location in step 3 above and then restart your device.
+
+C. If you experience a critical error during boot or your system is unstable after using the above procedure to turn on HVCI, you can recover using the Windows Recovery Environment (Windows RE). To boot to Windows RE, see [Windows RE Technical Reference](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference). After logging in to Windows RE, you can turn off HVCI by renaming or deleting the SIPolicy.p7b file from the file location in step 3 above and then restart your device.
+
+## How to Turn off HVCI on the Windows 10 Fall Creators Update
+
+1. Rename or delete the SIPolicy.p7b file located at C:\Windows\System32\CodeIntegrity.
+2. Restart the device.
+3. To confirm HVCI has been successfully disabled, open System Information and check **Virtualization-based security Services Running**, which should now have no value displayed.
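Review bot: Step 1 links the EnableHVCI.cab over plain http:// (download.microsoft.com); because the cabinet carries the SIPolicy.p7b that will govern kernel-mode code integrity on the device, use the https:// URL and tell readers to check the cabinet's digital signature before extracting it. Troubleshooting B and C say "the file location in step 3 above"; write the full path `C:\Windows\System32\CodeIntegrity\SIPolicy.p7b` there, as the turn-off procedure at the end already does, so a reader working from Windows RE does not have to scroll back. The line under step 4b that should carry the image reference for turn-windows-features-on-or-off.png (added in this PR) is empty; confirm the markdown image link and alt text are present. Style: "herein referred to as HVCI" should be "hereafter referred to as HVCI"; the "How to Turn on" and "How to Turn off" headings should use sentence case; "log in to Windows" should be "sign in to Windows".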
diff --git a/windows/device-security/images/turn-windows-features-on-or-off.png b/windows/device-security/images/turn-windows-features-on-or-off.png
new file mode 100644
index 0000000000..8d47a53b51
Binary files /dev/null and b/windows/device-security/images/turn-windows-features-on-or-off.png differ
diff --git a/windows/device-security/tpm/how-windows-uses-the-tpm.md b/windows/device-security/tpm/how-windows-uses-the-tpm.md
index 88f2a9f786..680fea9138 100644
--- a/windows/device-security/tpm/how-windows-uses-the-tpm.md
+++ b/windows/device-security/tpm/how-windows-uses-the-tpm.md
@@ -99,7 +99,7 @@ Newer hardware and Windows 10 work better together to disable direct memory acce
## Device Encryption
-Device Encryption is the consumer version of BitLocker, and it uses the same underlying technology. How it works is if a customer logs on with a Microsoft account and the system meets InstantGo hardware requirements, BitLocker Drive Encryption is enabled automatically in Windows 10. The recovery key is backed up in the Microsoft cloud and is accessible to the consumer through his or her Microsoft account. The InstantGo hardware requirements inform Windows 10 that the hardware is appropriate for deploying Device Encryption and allows use of the “TPM-only” configuration for a simple consumer experience. In addition, InstantGo hardware is designed to reduce the likelihood that measurement values change and prompt the customer for the recovery key.
+Device Encryption is the consumer version of BitLocker, and it uses the same underlying technology. How it works is if a customer logs on with a Microsoft account and the system meets Modern Standby hardware requirements, BitLocker Drive Encryption is enabled automatically in Windows 10. The recovery key is backed up in the Microsoft cloud and is accessible to the consumer through his or her Microsoft account. The Modern Standby hardware requirements inform Windows 10 that the hardware is appropriate for deploying Device Encryption and allows use of the “TPM-only” configuration for a simple consumer experience. In addition, Modern Standby hardware is designed to reduce the likelihood that measurement values change and prompt the customer for the recovery key.
For software measurements, Device Encryption relies on measurements of the authority providing software components (based on code signing from manufacturers such as OEMs or Microsoft) instead of the precise hashes of the software components themselves. This permits servicing of components without changing the resulting measurement values. For configuration measurements, the values used are based on the boot security policy instead of the numerous other configuration settings recorded during startup. These values also change less frequently. The result is that Device Encryption is enabled on appropriate hardware in a user-friendly way while also protecting data.
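Review bot: "How it works is if a customer logs on with a Microsoft account" is awkward; rewrite as "When a customer signs in with a Microsoft account and the system meets Modern Standby hardware requirements, BitLocker Drive Encryption is enabled automatically in Windows 10." "through his or her Microsoft account" should be "through their Microsoft account". The rename to Modern Standby is otherwise consistent with the rest of the PR.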
diff --git a/windows/device-security/tpm/manage-tpm-commands.md b/windows/device-security/tpm/manage-tpm-commands.md
index c95d30f931..6fc1327a37 100644
--- a/windows/device-security/tpm/manage-tpm-commands.md
+++ b/windows/device-security/tpm/manage-tpm-commands.md
@@ -77,7 +77,7 @@ The following procedures describe how to manage the TPM command lists. You must
## Use the TPM cmdlets
-You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx).
+You can manage the TPM using Windows PowerShell. For details, see [TrustedPlatformModule PowerShell cmdlets](https://docs.microsoft.com/powershell/module/trustedplatformmodule/?view=win10-ps).
## Related topics
diff --git a/windows/device-security/tpm/tpm-recommendations.md b/windows/device-security/tpm/tpm-recommendations.md
index f30df74373..e04cffc57b 100644
--- a/windows/device-security/tpm/tpm-recommendations.md
+++ b/windows/device-security/tpm/tpm-recommendations.md
@@ -100,7 +100,7 @@ The following table defines which Windows features require TPM support.
|-------------------------|--------------|--------------------|--------------------|----------|
| Measured Boot | Yes | Yes | Yes | Measured Boot requires TPM 1.2 or 2.0 and UEFI Secure Boot |
| BitLocker | Yes | Yes | Yes | TPM 1.2 or 2.0 is required |
-| Device Encryption | Yes | N/A | Yes | Device Encryption requires InstantGo/Connected Standby certification, which requires TPM 2.0. |
+| Device Encryption | Yes | N/A | Yes | Device Encryption requires Modern Standby/Connected Standby certification, which requires TPM 2.0. |
| Device Guard | No | Yes | Yes | |
| Credential Guard | No | Yes | Yes | Windows 10, version 1507 (End of Life as of May 2017) only supported TPM 2.0 for Credential Guard. Beginning with Windows 10, version 1511, TPM 1.2 and 2.0 are supported. |
| Device Health Attestation| Yes | Yes | Yes | |
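Review bot: The Device Encryption row now reads "Modern Standby/Connected Standby certification", which mixes two generations of the name; the rest of this PR uses "Modern Standby" alone, so either drop "/Connected Standby" or present it as the older name in parentheses for readers on Windows 8.1-era hardware.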
diff --git a/windows/device-security/windows-security-baselines.md b/windows/device-security/windows-security-baselines.md
index 7a05bbf4e0..f79a9cec63 100644
--- a/windows/device-security/windows-security-baselines.md
+++ b/windows/device-security/windows-security-baselines.md
@@ -15,7 +15,6 @@ ms.date: 10/17/2017
**Applies to**
- Windows 10
-- Windows Server (Semi-Annual Channel)
- Windows Server 2016
## Using security baselines in your organization
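Review bot: Removing "Windows Server (Semi-Annual Channel)" from the Applies to list narrows the stated scope of the baselines topic, but ms.date (10/17/2017 in the hunk context) is not bumped; update ms.date and, if the baselines genuinely do not cover Semi-Annual Channel servers, say so in the body rather than dropping the line silently.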
diff --git a/windows/threat-protection/TOC.md b/windows/threat-protection/TOC.md
index a13dd273a6..8604996ad8 100644
--- a/windows/threat-protection/TOC.md
+++ b/windows/threat-protection/TOC.md
@@ -25,13 +25,14 @@
### [Onboard endpoints and set up access](windows-defender-atp\onboard-configure-windows-defender-advanced-threat-protection.md)
#### [Configure client endpoints](windows-defender-atp\configure-endpoints-windows-defender-advanced-threat-protection.md)
##### [Configure endpoints using Group Policy](windows-defender-atp\configure-endpoints-gp-windows-defender-advanced-threat-protection.md)
-##### [Configure endpoints using System Security Configuration Manager](windows-defender-atp\configure-endpoints-sccm-windows-defender-advanced-threat-protection.md)
+##### [Configure endpoints using System Center Configuration Manager](windows-defender-atp\configure-endpoints-sccm-windows-defender-advanced-threat-protection.md)
##### [Configure endpoints using Mobile Device Management tools](windows-defender-atp\configure-endpoints-mdm-windows-defender-advanced-threat-protection.md)
###### [Configure endpoints using Microsoft Intune](windows-defender-atp\configure-endpoints-mdm-windows-defender-advanced-threat-protection.md#configure-endpoints-using-microsoft-intune)
##### [Configure endpoints using a local script](windows-defender-atp\configure-endpoints-script-windows-defender-advanced-threat-protection.md)
##### [Configure non-persistent virtual desktop infrastructure (VDI) machines](windows-defender-atp\configure-endpoints-vdi-windows-defender-advanced-threat-protection.md)
#### [Configure non-Windows endpoints](windows-defender-atp\configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md)
#### [Configure server endpoints](windows-defender-atp\configure-server-endpoints-windows-defender-advanced-threat-protection.md)
+#### [Run a detection test on a newly onboarded endpoint](windows-defender-atp\run-detection-test-windows-defender-advanced-threat-protection.md)
#### [Configure proxy and Internet connectivity settings](windows-defender-atp\configure-proxy-internet-windows-defender-advanced-threat-protection.md)
#### [Troubleshoot onboarding issues](windows-defender-atp\troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
### [Portal overview](windows-defender-atp\portal-overview-windows-defender-advanced-threat-protection.md)
@@ -59,7 +60,7 @@
#### [Manage alerts](windows-defender-atp\manage-alerts-windows-defender-advanced-threat-protection.md)
#### [Take response actions](windows-defender-atp\response-actions-windows-defender-advanced-threat-protection.md)
##### [Take response actions on a machine](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md)
-###### [Collect investigation package](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#collect-investigation-package)
+###### [Collect investigation package](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#collect-investigation-package-from-machines)
###### [Run antivirus scan](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#run-windows-defender-antivirus-scan-on-machines)
###### [Restrict app execution](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#restrict-app-execution)
###### [Remove app restriction](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#remove-app-restriction)
@@ -70,6 +71,7 @@
###### [Stop and quarantine files in your network](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#stop-and-quarantine-files-in-your-network)
###### [Remove file from quarantine](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#remove-file-from-quarantine)
###### [Block files in your network](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#block-files-in-your-network)
+###### [Remove file from blocked list](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#remove-file-from-blocked-list)
###### [Check activity details in Action center](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center)
###### [Deep analysis](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#deep-analysis)
####### [Submit files for analysis](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#submit-files-for-analysis)
@@ -134,6 +136,7 @@
#### [Fix unhealthy sensors](windows-defender-atp\fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md)
##### [Inactive machines](windows-defender-atp\fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#inactive-machines)
##### [Misconfigured machines](windows-defender-atp\fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#misconfigured-machines)
+### [Windows Defender ATP service health](windows-defender-atp\service-status-windows-defender-advanced-threat-protection.md)
### [Configure Windows Defender ATP preferences settings](windows-defender-atp\preferences-setup-windows-defender-advanced-threat-protection.md)
#### [Update general settings](windows-defender-atp\general-settings-windows-defender-advanced-threat-protection.md)
#### [Turn on advanced features](windows-defender-atp\advanced-features-windows-defender-advanced-threat-protection.md)
@@ -141,13 +144,14 @@
#### [Configure email notifications](windows-defender-atp\configure-email-notifications-windows-defender-advanced-threat-protection.md)
#### [Enable SIEM integration](windows-defender-atp\enable-siem-integration-windows-defender-advanced-threat-protection.md)
#### [Enable Threat intel API](windows-defender-atp\enable-custom-ti-windows-defender-advanced-threat-protection.md)
-#### [Create and build Power BI reports using Windows Defender ATP data](windows-defender-atp\powerbi-reports-windows-defender-advanced-threat-protection.md)
+#### [Enable and create Power BI reports using Windows Defender ATP data](windows-defender-atp\powerbi-reports-windows-defender-advanced-threat-protection.md)
#### [Enable Security Analytics security controls](windows-defender-atp\enable-security-analytics-windows-defender-advanced-threat-protection.md)
+
### [Windows Defender ATP settings](windows-defender-atp\settings-windows-defender-advanced-threat-protection.md)
-### [Windows Defender ATP service health](windows-defender-atp\service-status-windows-defender-advanced-threat-protection.md)
+### [Access the Windows Defender ATP Community Center](windows-defender-atp\community-windows-defender-advanced-threat-protection.md)
### [Troubleshoot Windows Defender ATP](windows-defender-atp\troubleshoot-windows-defender-advanced-threat-protection.md)
### [Review events and errors on endpoints with Event Viewer](windows-defender-atp\event-error-codes-windows-defender-advanced-threat-protection.md)
-### [Windows Defender Antivirus compatibility](windows-defender-atp\defender-compatibility-windows-defender-advanced-threat-protection.md)
+### [Windows Defender Antivirus compatibility with Windows Defender ATP](windows-defender-atp\defender-compatibility-windows-defender-advanced-threat-protection.md)
## [Windows Defender Antivirus in Windows 10](windows-defender-antivirus\windows-defender-antivirus-in-windows-10.md)
### [Windows Defender AV in the Windows Defender Security Center app](windows-defender-antivirus\windows-defender-security-center-antivirus.md)
@@ -164,7 +168,7 @@
#### [Deploy and enable Windows Defender Antivirus](windows-defender-antivirus\deploy-windows-defender-antivirus.md)
##### [Deployment guide for VDI environments](windows-defender-antivirus\deployment-vdi-windows-defender-antivirus.md)
#### [Report on Windows Defender Antivirus protection](windows-defender-antivirus\report-monitor-windows-defender-antivirus.md)
-##### [Troublehsoot Windows Defender Antivirus reporting in Update Compliance](windows-defender-antivirus\troubleshoot-reporting.md)
+##### [Troubleshoot Windows Defender Antivirus reporting in Update Compliance](windows-defender-antivirus\troubleshoot-reporting.md)
#### [Manage updates and apply baselines](windows-defender-antivirus\manage-updates-baselines-windows-defender-antivirus.md)
##### [Manage protection and definition updates](windows-defender-antivirus\manage-protection-updates-windows-defender-antivirus.md)
##### [Manage when protection updates should be downloaded and applied](windows-defender-antivirus\manage-protection-update-schedule-windows-defender-antivirus.md)
diff --git a/windows/threat-protection/change-history-for-threat-protection.md b/windows/threat-protection/change-history-for-threat-protection.md
index 18996780d2..a68faca235 100644
--- a/windows/threat-protection/change-history-for-threat-protection.md
+++ b/windows/threat-protection/change-history-for-threat-protection.md
@@ -14,6 +14,7 @@ This topic lists new and updated topics in the [Threat protection](index.md) doc
## October 2017
|New or changed topic |Description |
|---------------------|------------|
+|[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](windows-information-protection\create-and-verify-an-efs-dra-certificate.md)|Added auto-recovery section.
|[Create a Windows Information Protection (WIP) policy with MAM using the Azure portal for Microsoft Intune](windows-information-protection\create-wip-policy-using-mam-intune-azure.md)|New topic for MAM using the Azure portal.|
## June 2017
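Review bot: The new row is missing its closing pipe: it ends `|Added auto-recovery section.` while the row below it ends `...for MAM using the Azure portal.|`. Most renderers tolerate an unterminated last cell, but every other row in this table closes its cells, so add the trailing `|`.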
diff --git a/windows/threat-protection/use-windows-event-forwarding-to-assist-in-instrusion-detection.md b/windows/threat-protection/use-windows-event-forwarding-to-assist-in-instrusion-detection.md
index 5142227854..658e3fcaf7 100644
--- a/windows/threat-protection/use-windows-event-forwarding-to-assist-in-instrusion-detection.md
+++ b/windows/threat-protection/use-windows-event-forwarding-to-assist-in-instrusion-detection.md
@@ -606,9 +606,9 @@ Here are the minimum steps for WEF to operate:
-
+
*[EventData[Data[@Name="QueryOptions"]="140737488355328"]]
-
+
*[EventData[Data[@Name="QueryResults"]=""]]
@@ -636,7 +636,7 @@ Here are the minimum steps for WEF to operate:
-
+
@@ -650,4 +650,4 @@ You can get more info with the following links:
- [Event Query Schema](http://msdn.microsoft.com/library/aa385760.aspx)
- [Windows Event Collector](http://msdn.microsoft.com/library/windows/desktop/bb427443.aspx)
-Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub://?referrer=techDocsUcPage&tabid=2&contextid=897&newFeedback=true&topic=use-windows-event-forwarding-to-assist-in-instrusion-detection.md).
\ No newline at end of file
+Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub://?referrer=techDocsUcPage&tabid=2&contextid=897&newFeedback=true&topic=use-windows-event-forwarding-to-assist-in-instrusion-detection.md).
diff --git a/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md
index 4d97b468d3..2c61ab81ad 100644
--- a/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md
@@ -43,6 +43,11 @@ You can also [specify how long the file should be prevented from running](config
> [!IMPORTANT]
> There is no specific individual setting in System Center Configuration Manager to enable or disable Block at First Sight. It is enabled by default when the pre-requisite settings are configured correctly. You must use Group Policy settings to enable or disable the feature.
+
+>[!TIP]
+>You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the features are working and see how they work.
+
+
## How it works
When a Windows Defender Antivirus client encounters a suspicious but undetected file, it queries our cloud protection backend. The cloud backend will apply heuristics, machine learning, and automated analysis of the file to determine the files as malicious or clean.
diff --git a/windows/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md
index 3ab8d056a6..4648182715 100644
--- a/windows/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md
@@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
-ms.date: 06/13/2017
+ms.date: 10/30/2017
---
# Configure and validate exclusions based on file extension and folder location
@@ -38,6 +38,11 @@ ms.date: 06/13/2017
You can exclude certain files from being scanned by Windows Defender AV by modifying exclusion lists.
+Generally, you shouldn't need to apply exclusions. Windows Defender AV includes a number of automatic exclusions based on known operating system behaviors and typical management files, such as those used in enterprise management, database management, and other enterprise scenarios and situations.
+
+>[!TIP]
+>The default antimalware policy we deploy at Microsoft doesn't set any exclusions by default.
+
This topic describes how to configure exclusion lists for the following:
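Review bot: `The default antimalware policy we deploy at Microsoft doesn't set any exclusions by default.` says "default" twice; "The antimalware policy we deploy at Microsoft doesn't set any exclusions." reads better. The new paragraph above it tells readers that Windows Defender AV already ships "a number of automatic exclusions" but gives no way to find out what they are; without a pointer to where those built-in exclusions are listed, the advice that "you shouldn't need to apply exclusions" is hard to act on.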
Exclusion | Examples | Exclusion list
@@ -48,20 +53,29 @@ A specific file in a specific folder | The file c:\sample\sample.test only | Fil
A specific process | The executable file c:\test\process.exe | File and folder exclusions
This means the exclusion lists have the following characteristics:
-- Folder exclusions will apply to all files and folders under that folder.
-- File extensions will apply to any file name with the defined extension, regardless of where the file is located.
+- Folder exclusions will apply to all files and folders under that folder, unless the subfolder is a reparse point. Reparse point subfolders must be excluded separately.
+- File extensions will apply to any file name with the defined extension if a path or folder is not defined.
+
+>[!IMPORTANT]
+>The use of wildcards such as the asterisk (\*) will alter how the exclusion rules are interpreted. See the [Use wildcards in the file name and folder path or extension exclusion lists](#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists) section for important information about how wildcards work.
+>
+>You cannot exclude mapped network drives. You must specify the actual network path.
+>
+>Folders that are reparse points that are created after the Windows Defender AV service starts and that have been added to the exclusion list will not be included. You must restart the service (by restarting Windows) for new reparse points to be recognized as a valid exclusion target.
+
+
To exclude files opened by a specific process, see the [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md) topic.
-The exclusions apply to [scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md), [on-demand scans](run-scan-windows-defender-antivirus.md), and [always-on real-time protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md).
+The exclusions apply to [scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md), [on-demand scans](run-scan-windows-defender-antivirus.md), and [real-time protection](configure-real-time-protection-windows-defender-antivirus.md).
-Changes made via Group Policy to the exclusion lists **will show** in the lists in the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions). However, changes made in the Windows Defender Security Center app **will not show** in the Group Policy lists.
+>[!IMPORTANT]
+>Changes made via Group Policy to the exclusion lists **will show** in the lists in the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions).
+>
+>Changes made in the Windows Defender Security Center app **will not show** in the Group Policy lists.
-You can add, remove, and review the lists for exclusions in [Group Policy](#gp), [System Center Configuration Manager, Microsoft Intune, and with the Windows Defender Security Center app](#man-tools), and you can [use wildcards](#wildcards) to further customize the lists.
-
-You can also [use PowerShell cmdlets and WMI to configure the exclusion lists](#ps), including [reviewing](#review) and [validating](#validate) your lists.
By default, local changes made to the lists (by users with administrator privileges; this includes changes made with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists will take precedence in the case of conflicts.
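Review bot: The deleted paragraph `You can add, remove, and review the lists for exclusions in [Group Policy](#gp), ...` and the line after it were the only in-page links to the PowerShell/WMI (`#ps`), review (`#review`) and validate (`#validate`) sections, and nothing in this hunk replaces them; keep a trimmed version so readers can still find those sections. The new sentence `Folders that are reparse points that are created after the Windows Defender AV service starts and that have been added to the exclusion list will not be included.` chains three "that" clauses; something like "A reparse-point folder created after the service starts is not honoured as an exclusion, even if it is on the list, until the service restarts" says the same thing more plainly. The IMPORTANT block about Group Policy changes showing in the Security Center app (and app changes not showing in Group Policy) is added again word for word in the `@@ -211,6 +304,11 @@` hunk of this same file; one copy is enough, and two copies will drift.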
@@ -79,7 +93,7 @@ You can [configure how locally and globally defined exclusions lists are merged]
**Use Group Policy to configure folder or file extension exclusions:**
>[!NOTE]
->If you include a fully qualified path to a file, then only that file will be excluded. If a folder is defined in the exclusion, then all files and subdirectories under that folder will be excluded.
+>If you specify a fully qualified path to a file, then only that file will be excluded. If a folder is defined in the exclusion, then all files and subdirectories under that folder will be excluded.
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
@@ -94,7 +108,7 @@ You can [configure how locally and globally defined exclusions lists are merged]
1. Set the option to **Enabled**.
2. Under the **Options** section, click **Show...**
- 3. Enter each folder on its own line under the **Value name** column. If you are entering a file, ensure you enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column for all processes.
+ 3. Enter each folder on its own line under the **Value name** column. If you are entering a file, ensure you enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column.
7. Click **OK**.
@@ -104,7 +118,7 @@ You can [configure how locally and globally defined exclusions lists are merged]
1. Set the option to **Enabled**.
2. Under the **Options** section, click **Show...**
- 3. Enter each file extension on its own line under the **Value name** column. Enter **0** in the **Value** column for all processes.
+ 3. Enter each file extension on its own line under the **Value name** column. Enter **0** in the **Value** column.
9. Click **OK**.
@@ -187,23 +201,102 @@ See [Add exclusions in the Windows Defender Security Center app](windows-defende
## Use wildcards in the file name and folder path or extension exclusion lists
-You can use the asterisk \*, question mark ?, or environment variables (such as %ALLUSERSPROFILE%) as wildcards when defining items in the file name or folder path exclusion list.
+You can use the asterisk `*`, question mark `?`, or environment variables (such as `%ALLUSERSPROFILE%`) as wildcards when defining items in the file name or folder path exclusion list. The way in which these wildcards are interpreted differs from their usual usage in other apps and languages, so you should read this section to understand their specific limitations.
>[!IMPORTANT]
->Environment variable usage is limited to machine variables and those applicable to processes running as an NT AUTHORITY\SYSTEM account.
-
-You cannot use a wildcard in place of a drive letter.
+>There are key limitations and usage scenarios for these wildcards:
+>
+>- Environment variable usage is limited to machine variables and those applicable to processes running as an NT AUTHORITY\SYSTEM account.
+>- You cannot use a wildcard in place of a drive letter.
+>- The use of asterisk `*` in a folder exclusion will stand in place for a single folder. Use multiple instances of `\*\` to indicate multiple nested folders with unspecified names.
The following table describes how the wildcards can be used and provides some examples.
+
+
+
Wildcard
+
Use in file and file extension exclusions
+
Use in folder exclusions
+
Example use
+
Example matches>
+
+
+
\* (asterisk)
+
Replaces any number of characters. Only applies to files in the last folder defined in the argument.
+
Replaces a single folder. Use multiple \* with folder slashes \\ to indicate multiple, nested folders. After matching to the number of wilcarded and named folders, all subfolders will also be included.
+
+
+
C:\MyData\\\*.txt
+
C:\somepath\\\*\Data
+
C:\Serv\\\*\\\*\Backup
+
+
+
+
+
C:\MyData\\notes.txt
+
Any file in:
+
+
C:\somepath\\Archives\Data and its subfolders
+
C:\somepath\\Authorized\Data and its subfolders
+
+
Any file in:
+
+
C:\Serv\\Primary\\Denied\Backup and its subfolders
+
C:\Serv\\Secondary\\Allowed\Backup and its subfolders
+
+
+
+
+
+
+ ? (question mark)
+
+
+ Replaces a single character.
+ Only applies to files in the last folder defined in the argument.
+
+
+ Replaces a single character in a folder name.
+ After matching to the number of wilcarded and named folders, all subfolders will also be included.
+
+
+
+
C:\MyData\my?.zip
+
C:\somepath\\?\Data
+
C:\somepath\test0?\Data
+
+
+
+
+
C:\MyData\my1.zip
+
Any file in C:\somepath\\P\Data and its subfolders
+
Any file in C:\somepath\test01\Data and its subfolders
+
+
+
+
+
Environment variables
+
The defined variable will be populated as a path when the exclusion is evaluated.
+
Same as file and extension use.
+
+
+
%ALLUSERSPROFILE%\CustomLogFiles
+
+
+
+
+
C:\ProgramData\CustomLogFiles\Folder1\file1.txt
+
+
+
+
-Wildcard | Use | Example use | Example matches
----|---|---|---
-\* (asterisk) | Replaces any number of characters |
C:\MyData\my\*.zip
C:\somepath\\\*\Data
|
C:\MyData\my-archived-files-43.zip
Any file in C:\somepath\folder1\folder2\Data
-? (question mark) | Replaces a single character |
C:\MyData\my\?.zip
C:\somepath\\\?\Data
|
C:\MyData\my1.zip
Any file in C:\somepath\P\Data
-Environment variables | The defined variable will be populated as a path when the exclusion is evaluated |
%ALLUSERSPROFILE%\CustomLogFiles
|
C:\ProgramData\CustomLogFiles\Folder1\file1.txt
-
-
+>[!IMPORTANT]
+>If you mix a file exclusion argument with a folder exclusion argument, the rules will stop at the file argument match in the matched folder, and will not look for file matches in any subfolders.
+>
+>For example, you can exclude all files that start with "date" in the folders *c:\data\final\marked* and *c:\data\review\marked* by using the rule argument c:\data\\\*\marked\date*.\*.
+>
+>This argument, however, will not match any files in **subfolders** under *c:\data\final\marked* or *c:\data\review\marked*.
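Review bot: The example removed with the old table, `C:\somepath\\\*\Data` matching `Any file in C:\somepath\folder1\folder2\Data`, contradicts the new text, which says an asterisk in a folder position `Replaces a single folder` and that `\*\` must be repeated for each nested level; under the new rule `C:\somepath\*\Data` does not cover `C:\somepath\folder1\folder2\Data`. That is a change to documented exclusion semantics rather than a wording fix, and exclusions define exactly what is never scanned, so an admin who reads the wrong rule either leaves an unscanned gap or believes a path is covered when it is not. Confirm which behaviour the engine implements and record the change in the change-history topic (the change-history hunk in this PR does not mention this file). Smaller points in the same hunk: `wilcarded` appears twice; `Example matches>` has a stray `>`; escaping is inconsistent (`c:\data\\\*\marked\date*.\*` escapes one asterisk and not the other, and `\*\` inside backticks renders with the backslashes); and if the table is now raw HTML, as the many markup-only lines suggest, markdown escapes such as `\\\*` inside the cells may be rendered literally, so check the rendered page before merging.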
@@ -211,6 +304,11 @@ Environment variables | The defined variable will be populated as a path when th
You can retrieve the items in the exclusion list with PowerShell, [System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings), [Intune](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune), or the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions).
+>[!IMPORTANT]
+>Changes made via Group Policy to the exclusion lists **will show** in the lists in the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions).
+>
+>Changes made in the Windows Defender Security Center app **will not show** in the Group Policy lists.
+
If you use PowerShell, you can retrieve the list in two ways:
- Retrieve the status of all Windows Defender AV preferences. Each of the lists will be displayed on separate lines, but the items within each list will be combined into the same line.
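Review bot: This IMPORTANT block is a verbatim copy of the one added earlier in this file in the `@@ -48,20 +53,29 @@` hunk. Keep it in one place, preferably here next to the instructions for reviewing the list, where the Group Policy versus Security Center app discrepancy actually bites.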
@@ -273,6 +371,14 @@ $client = new-object System.Net.WebClient
$client.DownloadFile("http://www.eicar.org/download/eicar.com.txt","c:\test.txt")
```
+If you do not have Internet access, you can create your own EICAR test file by writing the EICAR string to a new text file with the following PowerShell command:
+
+```PowerShell
+[io.file]::WriteAllText("test.txt",'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*')
+```
+
+You can also copy the string into a blank text file and attempt to save it with the file name or in the folder you are attempting to exclude.
+
## Related topics
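Review bot: `[io.file]::WriteAllText("test.txt", ...)` resolves the relative path against the process working directory, which in PowerShell does not follow `Set-Location`/`cd`, so the file can land somewhere other than the directory shown at the prompt. Use a full path, as the snippet above already does with `c:\test.txt`, and since the point of the test is to exercise an exclusion, write it to the excluded folder or file name directly. The single quotes are correct and worth a sentence of explanation: in double quotes `$EICAR-STANDARD-ANTIVIRUS-TEST-FILE` and `$H+H*` would be expanded as variables and the string would no longer be the EICAR signature. It would also help to say what a passing test looks like (the file persists only when the exclusion applies; otherwise real-time protection removes it).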
diff --git a/windows/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md
index f144ebfc04..cfcb0f8782 100644
--- a/windows/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md
@@ -32,6 +32,12 @@ This topic lists the connections that must be allowed, such as by using firewall
See the Enterprise Mobility and Security blog post [Important changes to Microsoft Active Protection Services endpoint](https://blogs.technet.microsoft.com/enterprisemobility/2016/05/31/important-changes-to-microsoft-active-protection-service-maps-endpoint/) for some details about network connectivity.
+>[!TIP]
+>You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following features are working:
+>- Cloud-delivered protection
+>- Fast learning (including Black at first sight)
+>- Potentially unwanted application blocking
+
## Allow connections to the Windows Defender Antivirus cloud
The Windows Defender Antivirus cloud provides fast, strong protection for your endpoints. Enabling the cloud-delivered protection service is optional, however it is highly recommend as it provides very important protection against malware on your endpoints and across your network.
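Review bot: `Fast learning (including Black at first sight)` should read `Block at First Sight`, the feature name used in the block-at-first-sight topic edited in this same PR; the same typo is repeated in the evaluate and troubleshoot topics below.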
diff --git a/windows/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md
index 43bd302fff..9035fb9082 100644
--- a/windows/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md
@@ -82,7 +82,7 @@ Hiding notifications can be useful in situations where you cannot hide the entir
> [!NOTE]
> Hiding notifications will only occur on endpoints to which the policy has been deployed. Notifications related to actions that must be taken (such as a reboot) will still appear on the [System Center Configuration Manager Endpoint Protection monitoring dashboard and reports](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/monitor-endpoint-protection).
-See the [Customize the Windows Defender Security Center app for your organization](/windows/threat-protection/windows-defender-security-center/windows-defender-security-center-antivirus.md) topic for instructions to add cusomt contact information to the notifications that users see on their machines.
+See the [Customize the Windows Defender Security Center app for your organization](/windows/threat-protection/windows-defender-security-center/windows-defender-security-center-antivirus) topic for instructions to add custom contact information to the notifications that users see on their machines.
**Use Group Policy to hide notifications:**
diff --git a/windows/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md
index c0f1e340b7..baaa8a9d3c 100644
--- a/windows/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md
@@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
-ms.date: 08/25/2017
+ms.date: 11/01/2017
---
# Detect and block Potentially Unwanted Applications
@@ -41,12 +41,17 @@ Typical PUA behavior includes:
These applications can increase the risk of your network being infected with malware, cause malware infections to be harder to identify, and can waste IT resources in cleaning up the applications.
+>[!TIP]
+>You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
+
## How it works
PUAs are blocked when a user attempts to download or install the detected file, and if the file meets one of the following conditions:
- The file is being scanned from the browser
-- The file is in the %downloads% folder
-- The file is in the %temp% folder
+- The file is in a folder with "**downloads**" in the path
+- The file is in a folder with "**temp**" in the path
+- The file is on the user's Dekstop
+- The file does not meet one of these conditions and is not under *%programfiles%*, *%appdata%*, or *%windows%*
The file is placed in the quarantine section so it won't run.
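Review bot: `Dekstop` should be `Desktop`. The last bullet, `The file does not meet one of these conditions and is not under *%programfiles%*, *%appdata%*, or *%windows%*`, is circular because it is itself one of "these conditions"; state it directly as "The file is anywhere other than under %programfiles%, %appdata%, or %windows%", and since that makes the earlier bullets special cases of it, say so in the lead-in sentence. Formatting is also mixed: the path fragments in the new bullets above are bold (`"**downloads**"`) while the environment variables are italic.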
@@ -59,6 +64,8 @@ They will also appear in the usual [quarantine list in the Windows Defender Secu
PUA events are reported in the Windows Event Viewer and not in System Center Configuration Manager or Intune.
+Hoever, PUA detections will be reported if you have set up email notifications for detections.
+
See [Troubleshoot event IDs](troubleshoot-windows-defender-antivirus.md) for details on viewing Windows Defender Antivirus events. PUA events are recorded under event ID 1160.
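Review bot: `Hoever` should be `However`.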
diff --git a/windows/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md
index a997f2b43b..37acd87aed 100644
--- a/windows/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md
@@ -86,10 +86,10 @@ Use the following cmdlets to enable cloud-delivered protection:
```PowerShell
Set-MpPreference -MAPSReporting Advanced
-Set-MpPreference -SubmitSamplesConsent 3
+Set-MpPreference -SubmitSamplesConsent Always
```
>[!NOTE]
->You can also set -SubmitSamplesConsent to 1. Setting it to 0 will lower the protection state of the device, and setting it to 2 means the [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature will not function.
+>You can also set -SubmitSamplesConsent to `None`. Setting it to `Never` will lower the protection state of the device, and setting it to 2 means the [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature will not function.
See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus.
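Review bot: The NOTE now mixes forms: `None` and `Never` are symbolic while `2` is still numeric, and the command above uses `Always`. Before this change the text said 1 was acceptable, 0 lowers protection, and 2 stops Block at First Sight; check each new name against the values `Set-MpPreference -SubmitSamplesConsent` actually accepts (Get-Help on the cmdlet lists them) and use one form throughout. A reader who types a name the cmdlet rejects gets an error, but one who follows a wrong mapping can silently switch sample submission off.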
diff --git a/windows/threat-protection/windows-defender-antivirus/evaluate-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/evaluate-windows-defender-antivirus.md
index ebc5c3cbc4..2ba340b214 100644
--- a/windows/threat-protection/windows-defender-antivirus/evaluate-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/evaluate-windows-defender-antivirus.md
@@ -28,6 +28,13 @@ ms.date: 08/25/2017
If you're an enterprise security administrator, and you want to determine how well Windows Defender Antivirus protects you from viruses, malware, and potentially unwanted applications, then you can use this guide to help you evaluate Microsoft protection.
+>[!TIP]
+>You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following features are working and see how they work:
+>- Cloud-delivered protection
+>- Fast learning (including Black at first sight)
+>- Potentially unwanted application blocking
+
+
It explains the important features available for both small and large enterprises in Windows Defender, and how they will increase malware detection and protection across your network.
You can choose to configure and evaluate each setting independently, or all at once. We have grouped similar settings based upon typical evaluation scenarios, and include instructions for using PowerShell to enable the settings.
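Review bot: Same `Black at first sight` typo as in the network-connections topic; it should be `Block at First Sight`. The tip is also followed by two blank lines where the other tips in this PR use one.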
diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/svg/check-no.md b/windows/threat-protection/windows-defender-antivirus/images/svg/check-no.svg
similarity index 100%
rename from windows/threat-protection/windows-defender-exploit-guard/images/svg/check-no.md
rename to windows/threat-protection/windows-defender-antivirus/images/svg/check-no.svg
diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/svg/check-yes.md b/windows/threat-protection/windows-defender-antivirus/images/svg/check-yes.svg
similarity index 100%
rename from windows/threat-protection/windows-defender-exploit-guard/images/svg/check-yes.md
rename to windows/threat-protection/windows-defender-antivirus/images/svg/check-yes.svg
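Review bot: These two include files move out of `windows-defender-exploit-guard/images/svg/` into the antivirus folder, so any exploit-guard topic that still includes `images/svg/check-yes.md` or `check-no.md` by relative path will break. Only the antivirus compatibility topic is updated in this PR; check the exploit-guard topics for remaining references before merging.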
diff --git a/windows/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md
index deb05534d1..506abf3a2c 100644
--- a/windows/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md
@@ -1,7 +1,7 @@
---
-title: Schedule regular scans with Windows Defender AV
+title: Schedule regular quick and full scans with Windows Defender AV
description: Set up recurring (scheduled) scans, including when they should run and whether they run as full or quick scans
-keywords: schedule scan, daily, weekly, time, scheduled, recurring, regular
+keywords: quick scan, full scan, quick vs full, schedule scan, daily, weekly, time, scheduled, recurring, regular
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
@@ -15,7 +15,7 @@ ms.date: 08/25/2017
---
-# Configure scheduled scans for Windows Defender AV
+# Configure scheduled quick or full scans for Windows Defender AV
diff --git a/windows/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md
index 603cf37adf..f10174b897 100644
--- a/windows/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md
@@ -34,6 +34,11 @@ The tables list:
- [Windows Defender AV client error codes](#error-codes)
- [Internal Windows Defender AV client error codes (used by Microsoft during development and testing)](#internal-error-codes)
+>[!TIP]
+>You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following features are working:
+>- Cloud-delivered protection
+>- Fast learning (including Black at first sight)
+>- Potentially unwanted application blocking
## Windows Defender AV event IDs
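Review bot: `Black at first sight` should be `Block at First Sight` (third occurrence in this PR). Unlike the other tips added here, there is no blank line between the last `>- ` item and `## Windows Defender AV event IDs`; add one for consistency with the other topics.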
@@ -1637,8 +1642,8 @@ The Windows Defender client attempted to download and install the latest definit
To troubleshoot this event:
Download the latest definitions from the Windows Defender Security Intelligence site.
+Note: The size of the definitions file downloaded from the site can exceed 60 MB and should not be used as a long-term solution for updating definitions.
Download the latest definitions from the Windows Defender Security Intelligence site.
+Note: The size of the definitions file downloaded from the site can exceed 60 MB and should not be used as a long-term solution for updating definitions.
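Review bot: The note is inserted twice only because the line above it, `Download the latest definitions from the Windows Defender Security Intelligence site.`, already appears twice in the source; this PR should remove the duplicated line rather than add a second copy of the note. "The Windows Defender Security Intelligence site" also needs a link, since the note is telling readers to download from it.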
diff --git a/windows/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md
index 6a6267b89a..6eb293cfaa 100644
--- a/windows/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md
@@ -40,6 +40,10 @@ src="https://videoplayercdn.osi.office.net/embed/c2f20f59-ca56-4a7b-ba23-44c60bc
Cloud-delivered protection is enabled by default, however you may need to re-enable it if it has been disabled as part of previous organizational policies.
+>[!TIP]
+>You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
+
+
The following table describes the differences in cloud-delivered protection between recent versions of Windows and System Center Configuration Manager.
diff --git a/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md b/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
index b2d2890d2b..ac10f8950b 100644
--- a/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
+++ b/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
@@ -67,9 +67,9 @@ This table indicates the functionality and features that are available in each s
State | Description | [Real-time protection](configure-real-time-protection-windows-defender-antivirus.md) and [cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) | [Limited periodic scanning availability](limited-periodic-scanning-windows-defender-antivirus.md) | [File scanning and detection information](customize-run-review-remediate-scans-windows-defender-antivirus.md) | [Threat remediation](configure-remediation-windows-defender-antivirus.md) | [Threat definition updates](manage-updates-baselines-windows-defender-antivirus.md)
:-|:-|:-:|:-:|:-:|:-:|:-:
-Passive mode | Windows Defender AV will not be used as the antivirus app, and threats will not be remediated by Windows Defender AV. Files will be scanned and reports will be provided for threat detections which are shared with the Windows Defender ATP service. | [!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark yes](images/svg/check-yes.md)]
-Automatic disabled mode | Windows Defender AV will not be used as the antivirus app. Files will not be scanned and threats will not be remediated. | [!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark no](images/svg/check-no.md)]
-Active mode | Windows Defender AV is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. Files will be scanned and threats remediated, and detection information will be reported in your configuration tool (such as Configuration Manager or the Windows Defender AV app on the machine itself). | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)]
+Passive mode | Windows Defender AV will not be used as the antivirus app, and threats will not be remediated by Windows Defender AV. Files will be scanned and reports will be provided for threat detections which are shared with the Windows Defender ATP service. | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
+Automatic disabled mode | Windows Defender AV will not be used as the antivirus app. Files will not be scanned and threats will not be remediated. | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark no](images/svg/check-no.svg)]]
+Active mode | Windows Defender AV is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. Files will be scanned and threats remediated, and detection information will be reported in your configuration tool (such as Configuration Manager or the Windows Defender AV app on the machine itself). | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
Passive mode is enabled if you are enrolled in Windows Defender ATP because [the service requires common information sharing from the Windows Defender AV service](../windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md) in order to properly monitor your devices and network for intrusion attempts and attacks.
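Review bot: The rewritten "Automatic disabled mode" row ends with `check-no.svg)]]`, one `]` too many; the other rows end with a single `)]`. The stray bracket will render as a literal `]` after the last check-mark include, so drop it so the row matches the Passive mode and Active mode rows.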
diff --git a/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md b/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md
index 2f90715cf9..989d6a0711 100644
--- a/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md
+++ b/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md
@@ -42,6 +42,13 @@ Some of the highlights of Windows Defender AV include:
- [Always-on scanning](configure-real-time-protection-windows-defender-antivirus.md), using advanced file and process behavior monitoring and other heuristics (also known as "real-time protection")
- [Dedicated protection updates](manage-updates-baselines-windows-defender-antivirus.md) based on machine-learning, human and automated big-data analysis, and in-depth threat resistance research
+
+>[!TIP]
+>You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following features are working and see how they work:
+>- Cloud-delivered protection
+>- Fast learning (including Black at first sight)
+>- Potentially unwanted application blocking
+
## What's new in Windows 10, version 1703
New features for Windows Defender AV in Windows 10, version 1703 include:
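Review bot: "Fast learning (including Black at first sight)" in the new TIP is a typo for "Block at first sight", which is the name of the feature; as written it is confusing and will not match the feature name elsewhere in these docs. Suggested: `>- Fast learning (including Block at first sight)`.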
diff --git a/windows/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md b/windows/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md
index 634876b5b8..74e513ecbd 100644
--- a/windows/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md
+++ b/windows/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md
@@ -19,6 +19,15 @@ Answering frequently asked questions about Windows Defender Application Guard (A
## Frequently Asked Questions
+| | |
+|---|----------------------------|
+|**Q:** |Can I enable Application Guard on machines equipped with 4GB RAM?|
+|**A:** |We recommend 8GB RAM for optimal performance but you may use the following registry values to enable Application Guard on machines that aren't meeting the recommended hardware configuration. |
+||HKLM\software\Microsoft\Hvsi\SpecRequiredProcessorCount - Default is 4 cores. |
+||HKLM\software\Microsoft\Hvsi\SpecRequiredMemoryInGB - Default is 8GB.|
+||HKLM\software\Microsoft\Hvsi\SpecRequiredFreeDiskSpaceInGB - Default is 5GB.|
+
+
| | |
|---|----------------------------|
|**Q:** |Can employees download documents from the Application Guard Edge session onto host devices?|
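Review bot: The new FAQ answer points to the three `HKLM\software\Microsoft\Hvsi\SpecRequired*` values but never says what to write to them, what type they are, or that a change takes effect only after Application Guard is (re)enabled, so a reader who hit the 4GB question still cannot act on it. Each row should state the value type and an example (for instance the value to set on a 4GB machine), and the answer should say that lowering these values below the defaults is for test or non-production machines, which is what the companion requirements change says is the supported position.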
diff --git a/windows/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md b/windows/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md
index 00798f619b..b7f830ebd5 100644
--- a/windows/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md
+++ b/windows/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md
@@ -17,12 +17,15 @@ ms.date: 08/11/2017
The threat landscape is continually evolving. While hackers are busy developing new techniques to breach enterprise networks by compromising workstations, phishing schemes remain one of the top ways to lure employees into social engineering attacks. Windows Defender Application Guard is designed to help prevent old, and newly emerging attacks, to help keep employees productive.
+>[!NOTE]
+>Windows Defender Application Guard is not supported on VMs and VDI environment. For testing and automation on non-production machines, you may enable WDAG on a VM by enabling Hyper-V nested virtualization on the host.
+
## Hardware requirements
Your environment needs the following hardware to run Windows Defender Application Guard.
|Hardware|Description|
|--------|-----------|
-|64-bit CPU|A 64-bit computer is required for hypervisor and virtualization-based security (VBS). For more info about Hyper-V, see [Hyper-V on Windows Server 2016](https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/about/). For more info about hypervisor, see [Hypervisor Specifications](https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/reference/tlfs).|
+|64-bit CPU|A 64-bit computer with minimum 4 cores is required for hypervisor and virtualization-based security (VBS). For more info about Hyper-V, see [Hyper-V on Windows Server 2016](https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/about/). For more info about hypervisor, see [Hypervisor Specifications](https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/reference/tlfs).|
|CPU virtualization extensions|Extended page tables, also called _Second Level Address Translation (SLAT)_
**-AND-**
One of the following virtualization extensions for VBS:
VT-x (Intel)
**-OR-**
AMD-V|
|Hardware memory|Microsoft recommends 8GB RAM for optimal performance|
|Hard disk|5 GB free space, solid state disk (SSD) recommended|
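Review bot: The hardware table is now inconsistent with the FAQ added in this same change: the CPU row was tightened to "minimum 4 cores", but the memory row still says only "recommends 8GB", while the FAQ describes 8GB and 5GB as enforced defaults (`SpecRequiredMemoryInGB`, `SpecRequiredFreeDiskSpaceInGB`) that must be overridden via the registry on smaller machines. Either state "8GB required by default" in the memory row or word the CPU row as a recommendation too. Two smaller points in the same hunk: "with minimum 4 cores" should read "with a minimum of 4 cores", and the new NOTE's "not supported on VMs and VDI environment" should be "VMs and VDI environments".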
diff --git a/windows/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md
index a4b8d93002..f262dc08a7 100644
--- a/windows/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md
@@ -47,20 +47,20 @@ To see a list of alerts, click any of the queues under the **Alerts queue** opti
## Sort, filter, and group the alerts list
You can sort and filter the alerts using the available filters or clicking on a column's header that will sort the view in ascending or descending order.
-**Time period**
+### Time period
- 1 day
- 3 days
- 7 days
- 30 days
- 6 months
-**OS Platform**
+### OS Platform
- Windows 10
- Windows Server 2012 R2
- Windows Server 2016
- Other
-**Severity**
+### Severity
Alert severity | Description
:---|:---
@@ -71,7 +71,21 @@ Informational (Grey) | Informational alerts are those that might not be con
Reviewing the various alerts and their severity can help you decide on the appropriate action to protect your organization's endpoints.
-**Detection source**
+#### Understanding alert severity
+It is important to understand that the Windows Defender Antivirus (Windows Defender AV) and Windows Defender ATP alert severities are different because they represent different scopes.
+
+The Windows Defender AV threat severity represents the absolute severity of the detected threat (malware), and is assigned based on the potential risk to the individual machine, if infected.
+
+The Windows Defender ATP alert severity represents the severity of the detected behavior, the actual risk to the machine but more importantly the potential risk to the organization.
+
+So, for example:
+- The severity of a Windows Defender ATP alert about a Windows Defender AV detected threat that was completely prevented and did not infect the machine is categorized as "Informational" because there was no actual damage incurred.
+- An alert about a commercial malware was detected while executing, but blocked and remediated by Windows Defender AV, is categorized as "Low" because it may have caused some damage to the individual machine but poses no organizational threat.
+- An alert about malware detected while executing which can pose a threat not only to the individual machine but to the organization, regardless if it was eventually blocked, may be ranked as "Medium" or "High".
+- Suspicious behavioral alerts which were not blocked or remediated will be ranked "Low", "Medium" or "High" following the same organizational threat considerations.
+
+
+### Detection source
- Windows Defender AV
- Windows Defender ATP
- Windows Defender SmartScreen
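Review bot: Two of the new severity examples need grammar fixes before they read cleanly: "An alert about a commercial malware was detected while executing, but blocked and remediated by Windows Defender AV, is categorized as "Low"" should be "An alert about commercial malware that was detected while executing but was blocked and remediated by Windows Defender AV is categorized as "Low"", and "regardless if it was eventually blocked" should be "regardless of whether it was eventually blocked". The first bullet could also say explicitly that the AV detection itself still carries its own (possibly Severe) threat severity, since the point of the section is that the two scales are independent.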
@@ -80,7 +94,7 @@ Reviewing the various alerts and their severity can help you decide on the appro
>[!NOTE]
>The Windows Defender Antivirus filter will only appear if your endpoints are using Windows Defender Antivirus as the default real-time protection antimalware product.
-**View**
+### View
- **Flat view** - Lists alerts individually with alerts having the latest activity displayed at the top.
- **Grouped view** - Groups alerts by alert ID, file hash, malware family, or other attribute to enable more efficient alert triage and management. Alert grouping reduces the number of rows in the queue by aggregating similar alerts together.
diff --git a/windows/threat-protection/windows-defender-atp/community-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/community-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..17cd076296
--- /dev/null
+++ b/windows/threat-protection/windows-defender-atp/community-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,39 @@
+---
+title: Access the Windows Defender ATP Community Center
+description: Access the Windows Defender ATP Community Center to share experiences, engange, and learn about the product.
+keywords: community, community center, tech community, conversation, announcements
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 11/30/2017
+---
+
+
+# Access the Windows Defender ATP Community Center
+
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+The Windows Defender ATP Community Center is a place where community members can learn, collaborate, and share experiences about the product.
+
+There are several spaces you can explore to learn about specific information:
+- Announcements
+- What's new
+- Threat Intelligence
+
+
+There are several ways you can access the Community Center:
+- In the Windows Defender ATP portal navigation pane, select **Community center**. A new browser tab opens and takes you to the Windows Defender ATP Tech Community page.
+- Access the community through the [Windows Defender Advanced Threat Protection Tech Community](https://techcommunity.microsoft.com/t5/Windows-Defender-Advanced-Threat/ct-p/WindowsDefenderAdvanced) page
+
+
+You can instantly view and read conversations that have been posted in the community.
+
+To get the full experience within the community such as being able to comment on posts, you'll need to join the community. For more information on how to get started in the Microsoft Tech Community, see [Microsoft Tech Community: Getting Started](https://techcommunity.microsoft.com/t5/Getting-Started/Microsoft-Tech-Community-Getting-Started-Guide/m-p/77888#M15).
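Review bot: The front-matter `description` contains a typo, "engange" for "engage"; this string is what search engines and the docs index show, so it should be fixed before publishing. Suggested: `description: Access the Windows Defender ATP Community Center to share experiences, engage, and learn about the product.`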
diff --git a/windows/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md
index 3df84f3009..daaf785304 100644
--- a/windows/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md
@@ -56,6 +56,8 @@ ms.date: 10/17/2017
9. Click **OK** and close any open GPMC windows.
+>[!TIP]
+> After onboarding the endpoint, you can choose to run a detection test to verify that an endpoint is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Windows Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md).
## Additional Windows Defender ATP configuration settings
For each endpoint, you can state whether samples can be collected from the endpoint when a request is made through the Windows Defender ATP portal to submit a file for deep analysis.
@@ -159,4 +161,5 @@ With Group Policy there isn’t an option to monitor deployment of policies on t
- [Configure endpoints using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md)
- [Configure endpoints using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md)
- [Configure non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi-windows-defender-advanced-threat-protection.md)
+- [Run a detection test on a newly onboarded Windows Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md)
- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
diff --git a/windows/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
index b9ebce1508..3aff67dc2f 100644
--- a/windows/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
@@ -113,6 +113,11 @@ Configuration for onboarded machines: telemetry reporting frequency | ./Device/V
> - Configuration of telemetry reporting frequency is only available for machines on Windows 10, version 1703.
> - Using the Expedite mode might have an impact on the machine's battery usage and actual bandwidth used for sensor data. You should consider this when these measures are critical.
+
+>[!TIP]
+> After onboarding the endpoint, you can choose to run a detection test to verify that an endpoint is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Windows Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md).
+
+
### Using the Azure Intune Portal to deploy Windows Defender Advanced Threat Protection policies on Windows 10 1607 and higher
1. Open the Microsoft Intune configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
@@ -215,4 +220,5 @@ Health Status for offboarded machines: Onboarding State | ./Device/Vendor/MSFT/W
- [Configure endpoints using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md)
- [Configure endpoints using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md)
- [Configure non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi-windows-defender-advanced-threat-protection.md)
+- [Run a detection test on a newly onboarded Windows Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md)
- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
diff --git a/windows/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md
index 16ffe7b3b9..706db3ef71 100644
--- a/windows/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md
@@ -9,7 +9,7 @@ ms.sitesec: library
ms.pagetype: security
author: mjcaparas
localizationpriority: high
-ms.date: 10/25/2017
+ms.date: 11/08/2017
---
# Configure non-Windows endpoints
@@ -20,6 +20,8 @@ ms.date: 10/25/2017
- Linux
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-nonwindows-abovefoldlink)
+
[!include[Prerelease information](prerelease.md)]
Windows Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in the Windows Defender ATP portal and better protect your organization's network. This experience leverages on a third-party security products’ sensor data.
@@ -27,7 +29,7 @@ Windows Defender ATP provides a centralized security operations experience for W
You'll need to know the exact Linux distros and Mac OS X versions that are compatible with Windows Defender ATP for the integration to work.
## Onboard non-Windows endpoints
-You'll need to take the following steps to onboard non-Windows endpoints:
+You'll need to take the following steps to oboard non-Windows endpoints:
1. Turn on third-party integration
2. Run a detection test
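Review bot: This hunk introduces a regression: the existing sentence spelled "onboard" correctly and the replacement changes it to "oboard". The only other change in the file is the date bump and the trial link, so revert this line to `You'll need to take the following steps to onboard non-Windows endpoints:`.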
@@ -46,7 +48,7 @@ You'll need to take the following steps to onboard non-Windows endpoints:
>The access token has a limited validity period. If needed, regenerate the token close to the time you need to share it with the third-party solution.
### Run detection test
-There are various methods to run a detection test. Follow the specific instructions for each third-party product as described in the portal. The typical way of running a detection test is by creating an EICAR test file. You can create an EICAR file by saving the string displayed on the portal in an empty text file. Then, introduce the test file to a machine running the third-party antivirus solution.
+Create an EICAR test file by saving the string displayed on the portal in an empty text file. Then, introduce the test file to a machine running the third-party antivirus solution.
The file should trigger a detection and a corresponding alert on Windows Defender ATP.
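Review bot: The shortened "Run detection test" paragraph drops the instruction to follow the product-specific steps shown in the portal ("Follow the specific instructions for each third-party product as described in the portal"). Since the detection test depends on how each third-party product reports to the service, that pointer is the part a reader needs most; keep it as the first sentence and then give the EICAR steps as the typical case, rather than presenting EICAR as the only method.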
diff --git a/windows/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md
index c28b6b77f8..8747d4b975 100644
--- a/windows/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md
@@ -61,6 +61,8 @@ You can use existing System Center Configuration Manager functionality to create
> [!NOTE]
> Windows Defender ATP doesn't support onboarding during the [Out-Of-Box Experience (OOBE)](https://answers.microsoft.com/en-us/windows/wiki/windows_10/how-to-complete-the-windows-10-out-of-box/47e3f943-f000-45e3-8c5c-9d85a1a0cf87) phase. Make sure users complete OOBE after running Windows installation or upgrading.
+>[!TIP]
+> After onboarding the endpoint, you can choose to run a detection test to verify that an endpoint is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Windows Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md).
### Configure sample collection settings
For each endpoint, you can set a configuration value to state whether samples can be collected from the endpoint when a request is made through the Windows Defender ATP portal to submit a file for deep analysis.
@@ -175,4 +177,5 @@ For more information about System Center Configuration Manager Compliance see [C
- [Configure endpoints using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md)
- [Configure endpoints using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md)
- [Configure non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi-windows-defender-advanced-threat-protection.md)
+- [Run a detection test on a newly onboarded Windows Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md)
- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
diff --git a/windows/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md
index f6bd888c41..b81b7d062e 100644
--- a/windows/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md
@@ -54,7 +54,11 @@ You can also manually onboard individual endpoints to Windows Defender ATP. You
5. Press the **Enter** key or click **OK**.
-For for information on how you can manually validate that the endpoint is compliant and correctly reports sensor data see, [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md).
+For information on how you can manually validate that the endpoint is compliant and correctly reports sensor data see, [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md).
+
+
+>[!TIP]
+> After onboarding the endpoint, you can choose to run a detection test to verify that an endpoint is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Windows Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md).
## Configure sample collection settings
For each endpoint, you can set a configuration value to state whether samples can be collected from the endpoint when a request is made through the Windows Defender ATP portal to submit a file for deep analysis.
@@ -127,4 +131,5 @@ Monitoring can also be done directly on the portal, or by using the different de
- [Configure endpoints using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md)
- [Configure endpoints using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md)
- [Configure non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi-windows-defender-advanced-threat-protection.md)
+- [Run a detection test on a newly onboarded Windows Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md)
- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
diff --git a/windows/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md
index 8e51bf936a..ba65c41f73 100644
--- a/windows/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md
@@ -20,7 +20,7 @@ ms.date: 10/17/2017
- Windows Server 2016
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
+[!include[Prerelease information](prerelease.md)]
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configserver-abovefoldlink)
@@ -37,6 +37,8 @@ To onboard your servers to Windows Defender ATP, you’ll need to:
- Turn on server monitoring from the Windows Defender Security Center portal.
- If you're already leveraging System Center Operations Manager (SCOM) or Operations Management Suite (OMS), simply attach the Microsoft Monitoring Agent (MMA) to report to your Windows Defender ATP workspace through [Multi Homing support](https://blogs.technet.microsoft.com/msoms/2016/05/26/oms-log-analytics-agent-multi-homing-support/). Otherwise, install and configure MMA to report sensor data to Windows Defender ATP as instructed below.
+>[!TIP]
+> After onboarding the endpoint, you can choose to run a detection test to verify that an endpoint is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Windows Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md).
### Turn on Server monitoring from the Windows Defender Security Center portal
@@ -85,5 +87,7 @@ For more information, see [To disable an agent](https://docs.microsoft.com/en-us
## Related topics
- [Configure Windows Defender ATP client endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
+- [Configure non-Windows endpoints](configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md)
- [Configure proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)
+- [Run a detection test on a newly onboarded Windows Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md)
- [Troubleshooting Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
diff --git a/windows/threat-protection/windows-defender-atp/dashboard-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/dashboard-windows-defender-advanced-threat-protection.md
index 34e01f4d78..e5c44b8d67 100644
--- a/windows/threat-protection/windows-defender-atp/dashboard-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/dashboard-windows-defender-advanced-threat-protection.md
@@ -52,10 +52,10 @@ Each group is further sub-categorized into their corresponding alert severity le
For more information see, [Alerts overview](alerts-queue-windows-defender-advanced-threat-protection.md).
-The **Latest ATP alerts** section includes the latest active alerts in your network. Each row includes an alert severity category and a short description of the alert. Click an alert to see its detailed view, or **Alerts queue** at the top of the list to go directly to the Alerts queue. For more information see, [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) and [Alerts overview](alerts-queue-windows-defender-advanced-threat-protection.md).
+The **Latest active alerts** section includes the latest active alerts in your network. Each row includes an alert severity category and a short description of the alert. Click an alert to see its detailed view, or **Alerts queue** at the top of the list to go directly to the Alerts queue. For more information see, [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) and [Alerts overview](alerts-queue-windows-defender-advanced-threat-protection.md).
## Daily machines reporting
-The **Daily machines reporting** tile shows a bar graph that represents the number of machines reporting alerts daily in the last 30 days. Hover over individual bars on the graph to see the exact number of machines reporting in each day.
+The **Daily machines reporting** tile shows a bar graph that represents the number of machines reporting daily in the last 30 days. Hover over individual bars on the graph to see the exact number of machines reporting in each day.

diff --git a/windows/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md
index 17f7fa36ee..761f4e11dc 100644
--- a/windows/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md
@@ -1,7 +1,7 @@
---
title: Windows Defender ATP data storage and privacy
description: Learn about how Windows Defender ATP handles privacy and data that it collects.
-keywords: Windows Defender ATP data storage and privacy, storage, privacy
+keywords: Windows Defender ATP data storage and privacy, storage, privacy, licensing, geolocation, data retention, data
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
@@ -17,23 +17,19 @@ ms.date: 10/17/2017
**Applies to:**
-- Windows 10 Enterprise
-- Windows 10 Education
-- Windows 10 Pro
-- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
This section covers some of the most frequently asked questions regarding privacy and data handling for Windows Defender ATP.
> [!NOTE]
-> This document explains the data storage and privacy details related to Windows Defender ATP. For more information related to Windows Defender ATP and other products and services like Windows Defender and Windows 10, see [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?linkid=827576). See also [Windows 10 privacy FAQ](https://go.microsoft.com/fwlink/?linkid=827577) for more information.
+> This document explains the data storage and privacy details related to Windows Defender ATP. For more information related to Windows Defender ATP and other products and services like Windows Defender Antivirus and Windows 10, see [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?linkid=827576). See also [Windows 10 privacy FAQ](https://go.microsoft.com/fwlink/?linkid=827577) for more information.
## What data does Windows Defender ATP collect?
Microsoft will collect and store information from your configured endpoints in a database specific to the service for administration, tracking, and reporting purposes.
-Information collected includes code file data (such as file names, sizes, and hashes), process data (running processes, hashes), registry data, network connection data (host IPs and ports), and machine details (such as GUIDs, names, and the operating system version).
+Information collected includes file data (such as file names, sizes, and hashes), process data (running processes, hashes), registry data, network connection data (host IPs and ports), and machine details (such as machine identifiers, names, and the operating system version).
Microsoft stores this data securely in Microsoft Azure and maintains it in accordance with Microsoft privacy practices and [Microsoft Trust Center policies](https://go.microsoft.com/fwlink/?linkid=827578).
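Review bot: Dropping the four Windows 10 SKUs from the **Applies to** list (the `-- Windows 10 Enterprise` through `-- Windows 10 Pro Education` lines) leaves this page inconsistent with the new run-detection-test page added in this same change, which still lists all four; pick one convention for the ATP pages. Separately, replacing "GUIDs" with "machine identifiers" in the data-collection sentence makes a privacy disclosure vaguer; if the intent is to avoid a format-specific term, "machine identifiers (such as GUIDs)" keeps the reader informed about what is actually collected.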
@@ -42,11 +38,11 @@ Microsoft uses this data to:
- Generate alerts if a possible attack was detected
- Provide your security operations with a view into machines, files, and URLs related to threat signals from your network, enabling you to investigate and explore the presence of security threats on the network.
-Microsoft does not mine your data for advertising or for any other purpose other than providing you the service.
+Microsoft does not use your data for advertising or for any other purpose other than providing you the service.
## Do I have the flexibility to select where to store my data?
-When onboarding the service for the first time, you can choose to store your data in Microsoft Azure datacenters in Europe or United States. Once configured, you cannot change the location where your data is stored. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will reside. Microsoft will not transfer the data from the specified geolocation.
+When onboarding the service for the first time, you can choose to store your data in Microsoft Azure datacenters in Europe or in the United States. Once configured, you cannot change the location where your data is stored. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will reside. Microsoft will not under any circumstance, transfer the data from the specified geolocation into another geolocation.
## Is my data isolated from other customer data?
Yes, your data is isolated through access authentication and logical segregation based on customer identifier. Each customer can only access data collected from its own organization and generic data that Microsoft provides.
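Review bot: The comma in "+Microsoft will not under any circumstance, transfer the data" is misplaced; write "Microsoft will not, under any circumstance, transfer the data" or drop the parenthetical. Note also that this turns the previous "will not transfer the data" into an absolute guarantee with no stated exceptions, which is a stronger commitment than the old text made; confirm with the privacy owners that the absolute wording is intended before it ships in a page readers will cite for compliance decisions.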
@@ -69,7 +65,7 @@ No. Customer data is isolated from other customers and is not shared. However, i
You can choose the data retention policy for your data. This determines how long Window Defender ATP will store your data. There’s a flexibility of choosing in the range of 1 month to six months to meet your company’s regulatory compliance needs.
**At contract termination or expiration**
-Your data will be kept for a period of at least 90 days, during which it will be available to you. At the end of this period, that data will be erased from Microsoft’s systems to make it unrecoverable, no later than 180 days from contract termination or expiration.
+Your data will be kept and will be available to you while the licence is under grace period or suspended mode. At the end of this period, that data will be erased from Microsoft’s systems to make it unrecoverable, no later than 180 days from contract termination or expiration.
## Can Microsoft help us maintain regulatory compliance?
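Review bot: The new termination sentence ("kept and will be available to you while the licence is under grace period or suspended mode") replaces a concrete minimum ("at least 90 days") with two states the page never defines or bounds; either say how long the grace period and suspended mode last, or keep the 90-day figure alongside them, otherwise a customer planning a data export has no number to work from. Also, "licence" is the British spelling where the rest of the page uses US English ("license"), and the unchanged line above still reads "Window Defender ATP" (missing "s"), which could be fixed while touching this section.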
diff --git a/windows/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md
index 38cb6ddf0f..8dc6263371 100644
--- a/windows/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md
@@ -1,5 +1,5 @@
---
-title: Windows Defender Antivirus compatibility
+title: Windows Defender Antivirus compatibility with Windows Defender ATP
description: Learn about how Windows Defender works with Windows Defender ATP and how it functions when a third-party antimalware client is used.
keywords: windows defender compatibility, defender, windows defender atp
search.product: eADQiWindows 10XVcnh
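Review bot: The title is updated to "Windows Defender Antivirus compatibility with Windows Defender ATP", but the unchanged `description:` line directly below still says "Learn about how Windows Defender works with Windows Defender ATP"; the data-storage hunk in this change already made the "Windows Defender" to "Windows Defender Antivirus" rename, so the description should get the same treatment for consistency in search results.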
@@ -13,7 +13,7 @@ ms.localizationpriority: high
ms.date: 10/17/2017
---
-# Windows Defender Antivirus compatibility
+# Windows Defender Antivirus compatibility with Windows Defender ATP
**Applies to:**
@@ -30,6 +30,11 @@ ms.date: 10/17/2017
The Windows Defender Advanced Threat Protection agent depends on Windows Defender Antivirus for some capabilities such as file scanning.
+>[!IMPORTANT]
+>Windows Defender ATP does not adhere to the Windows Defender Antivirus Exclusions settings.
+
+You must configure the signature updates on the Windows Defender ATP endpoints whether Windows Defender Antivirus is the active antimalware or not. For more information, see [Manage Windows Defender Antivirus updates and apply baselines](../windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md).
+
If an onboarded endpoint is protected by a third-party antimalware client, Windows Defender Antivirus on that endpoint will enter into passive mode.
Windows Defender Antivirus will continue to receive updates, and the *mspeng.exe* process will be listed as a running a service, but it will not perform scans and will not replace the running third-party antimalware client.
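Review bot: The new "+>Windows Defender ATP does not adhere to the Windows Defender Antivirus Exclusions settings." callout states a rule without its consequence; add one sentence on what an admin should expect from it (for example, whether activity on files and folders excluded from antivirus scanning is still collected and can still trigger alerts or response actions), otherwise the IMPORTANT box is not actionable. The signature-update paragraph added here is pasted verbatim into minimum-requirements and onboard-configure in this same change; a shared include would keep the three copies from drifting. While here, the unchanged context line "listed as a running a service" has a stray "a".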
diff --git a/windows/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md
index 6947c9cd8a..978f65a2d7 100644
--- a/windows/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md
@@ -53,7 +53,7 @@ Enable security information and event management (SIEM) integration so you can p
5. Select **Generate tokens** to get an access and refresh token.
> [!NOTE]
- > You'll need to generate a new Access token every 90 days.
+ > You'll need to generate a new Refresh token every 90 days.
You can now proceed with configuring your SIEM solution or connecting to the alerts REST API through programmatic access. You'll need to use the tokens when configuring your SIEM solution to allow it to receive alerts from the Windows Defender ATP portal.
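Review bot: Changing "Access token" to "Refresh token" in the 90-day note corrects which token expires, but the sentence after it still says "use the tokens" without distinguishing them; say which token the SIEM connector is configured with and that an expired refresh token means returning to this page and selecting **Generate tokens** again, since step 5 above is the only place the regeneration path is described.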
diff --git a/windows/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md
index b196a3f4fa..8003743e5d 100644
--- a/windows/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md
@@ -148,7 +148,7 @@ This step will guide you in exploring the custom alert in the portal.

> [!NOTE]
-> It can take up to 15 minutes for the alert to appear in the portal.
+> There is a latency time of approximately 20 minutes between the the time a custom TI is introduced and when it becomes effective.
## Related topics
- [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
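Review bot: The replacement note has a doubled word ("between the the time") and changes what is being measured: the removed line told the reader how long to wait for the alert to appear in the portal, which is what this "explore the custom alert" step needs, while the new line describes the delay before a custom TI takes effect. Keep both facts (the roughly 20-minute delay before the TI is effective, and how long the alert then takes to appear in the portal, which the removed line put at up to 15 minutes) so the reader knows when a missing alert actually indicates a problem.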
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-data-not-available.png b/windows/threat-protection/windows-defender-atp/images/atp-data-not-available.png
new file mode 100644
index 0000000000..fed14b65f4
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-data-not-available.png differ
diff --git a/windows/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md
index 8c0ade88d7..e8200e9584 100644
--- a/windows/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md
@@ -66,7 +66,7 @@ The hardware requirements for Windows Defender ATP on endpoints is the same as t
> Endpoints that are running mobile versions of Windows are not supported.
#### Internet connectivity
-Internet connectivity on endpoints is required.
+Internet connectivity on endpoints is required either directly or through proxy.
The Windows Defender ATP sensor can utilize up to 5MB daily of bandwidth to communicate with the Windows Defender ATP cloud service and report cyber data.
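Review bot: "through proxy" needs an article ("through a proxy"), and since this is the requirements page the sentence should link to the proxy topic that the onboarding table in this change already references (configure-proxy-internet-windows-defender-advanced-threat-protection.md), so the reader can find the proxy and URL allow-list settings the sensor needs. The unchanged context line "The hardware requirements ... is the same" also has a subject-verb mismatch ("are").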
@@ -121,11 +121,13 @@ If the **START_TYPE** is not set to **AUTO_START**, then you'll need to set the
```
## Windows Defender Antivirus signature updates are configured
-The Windows Defender ATP agent depends on the ability of Windows Defender Antivirus to scan files and provide information about them. If Windows Defender Antivirus is not the active antimalware in your organization, you may need to configure the signature updates. For more information see [Configure Windows Defender Antivirus in Windows 10](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md).
+The Windows Defender ATP agent depends on the ability of Windows Defender Antivirus to scan files and provide information about them.
+
+You must configure the signature updates on the Windows Defender ATP endpoints whether Windows Defender Antivirus is the active antimalware or not. For more information, see [Manage Windows Defender Antivirus updates and apply baselines](../windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md).
When Windows Defender Antivirus is not the active antimalware in your organization and you use the Windows Defender ATP service, Windows Defender Antivirus goes on passive mode. If your organization has disabled Windows Defender Antivirus through group policy or other methods, machines that are onboarded to Windows Defender ATP must be excluded from this group policy.
-For more information, see the **Compatibility** section in the [Windows Defender in Windows 10 topic](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md).
+For more information, see [Windows Defender Antivirus compatibility](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md).
## Windows Defender Antivirus Early Launch Antimalware (ELAM) driver is enabled
If you're running Windows Defender Antivirus as the primary antimalware product on your endpoints, the Windows Defender ATP agent will successfully onboard.
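Review bot: The replaced link now points at ../windows-defender-antivirus/windows-defender-antivirus-compatibility.md, but this change does not add that file and the old target was a section of windows-defender-antivirus-in-windows-10.md; confirm the new topic exists (or is added in this PR) so the build does not produce a broken link. The context line "Windows Defender Antivirus goes on passive mode" should read "goes into passive mode", and the same three-sentence block appears in two other files in this change (the defender-compatibility and onboard-configure hunks), which argues for an include rather than three copies.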
diff --git a/windows/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md
index 68514478d8..0daa0c343a 100644
--- a/windows/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md
@@ -1,7 +1,7 @@
---
title: Onboard endpoints and set up the Windows Defender ATP user access
description: Set up user access in Azure Active Directory and use Group Policy, SCCM, or do manual registry changes to onboard endpoints to the service.
-keywords: onboarding, windows defender advanced threat protection onboarding, windows atp onboarding, sccm, group policy
+keywords: onboarding, windows defender advanced threat protection onboarding, windows atp onboarding, sccm, group policy, mdm, local script
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
@@ -36,14 +36,25 @@ Windows Defender Advanced Threat Protection requires one of the following Micros
- Windows 10 Enterprise E5
- Windows 10 Education E5
- - Secure Productive Enterprise E5 (SPE E5) which includes Windows 10 Enterprise E5
+ - Microsoft 365 Enterprise E5 which includes Windows 10 Enterprise E5
For more information, see [Windows 10 Licensing](https://www.microsoft.com/en-us/Licensing/product-licensing/windows10.aspx#tab=2).
+## Windows Defender Antivirus configuration requirement
+The Windows Defender ATP agent depends on the ability of Windows Defender Antivirus to scan files and provide information about them.
+
+You must configure the signature updates on the Windows Defender ATP endpoints whether Windows Defender Antivirus is the active antimalware or not. For more information, see [Manage Windows Defender Antivirus updates and apply baselines](../windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md).
+
+When Windows Defender Antivirus is not the active antimalware in your organization and you use the Windows Defender ATP service, Windows Defender Antivirus goes on passive mode. If your organization has disabled Windows Defender Antivirus through group policy or other methods, machines that are onboarded to Windows Defender ATP must be excluded from this group policy.
+
+For more information, see [Windows Defender Antivirus compatibility](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md).
+
+
## In this section
Topic | Description
:---|:---
[Configure client endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) | You'll need to configure endpoints for it to report to the Windows Defender ATP service. Learn about the tools and methods you can use to configure endpoints in your enterprise.
+[Configure non-Windows endpoints](configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md) | Windows Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in the Windows Defender ATP portal and better protect your organization's network. This experience leverages on a third-party security products sensor data.
[Configure server endpoints](configure-server-endpoints-windows-defender-advanced-threat-protection.md) | Onboard Windows Server 2012 R2 and Windows Server 2016 to Windows Defender ATP
[Configure proxy and Internet settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)| Enable communication with the Windows Defender ATP cloud service by configuring the proxy and Internet connectivity settings.
[Troubleshoot onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) | Learn about resolving issues that might arise during onboarding.
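Review bot: The new "Configure non-Windows endpoints" table row presents the feature as generally available, but the preview topic in this same change lists it under preview features; add a preview note to the row (or link to the preview page) so the onboarding table does not promise something not yet released. Also: "This experience leverages on a third-party security products sensor data" is ungrammatical (the preview hunk at least has "products'"; "uses sensor data from third-party security products" is clearer), the new "Windows Defender Antivirus configuration requirement" section duplicates the minimum-requirements text verbatim, and there are two blank lines before "## In this section".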
diff --git a/windows/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md
index f57a807c89..d6331e520b 100644
--- a/windows/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md
@@ -49,15 +49,17 @@ Windows Defender ATP supports the onboarding of the following servers:
- Windows Server 2012 R2
- Windows Server 2016
-- [Configure non-Windows endpoints](configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md)
-Windows Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in the Windows Defender ATP portal and better protect your organization's network. This experience leverages on a third-party security products sensor data.
-
- [Create and build Power BI reports using Windows Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md)
Windows Defender ATP supports the use of Power BI data connectors to enable you to connect and access Windows Defender ATP data using Microsoft Graph.
- [Use the Windows Defender ATP exposed APIs](exposed-apis-windows-defender-advanced-threat-protection.md)
Windows Defender ATP exposes much of the available data and actions using a set of programmatic APIs that are part of the Microsoft Intelligence Security Graph. Those APIs will enable you, to automate workflows and innovate based on Windows Defender ATP capabilities.
+- [Configure non-Windows endpoints](configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md)
+Windows Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in the Windows Defender ATP portal and better protect your organization's network. This experience leverages on a third-party security products' sensor data.
+
+- [Access the Windows Defender ATP Community Center](community-windows-defender-advanced-threat-protection.md)
+The Windows Defender ATP Community Center is a place where community members can learn, collaborate, and share experiences about the product. Access and join the community to learn and interact with other members on product specific information.
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-preview-belowfoldlink)
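Review bot: Moving the non-Windows bullet below the APIs bullet is a pure reorder that shows up as a delete and re-add; if the order is not deliberate, leaving it in place keeps this hunk to the apostrophe fix and the new Community Center bullet. In the Community Center text, "product specific information" should be hyphenated ("product-specific"), and "leverages on a third-party security products' sensor data" still reads awkwardly even with the apostrophe; "uses sensor data from third-party security products" is plainer.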
diff --git a/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md
index 10734a86ca..f5bdb18d2e 100644
--- a/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 10/17/2017
+ms.date: 11/10/2017
---
# Take response actions on a file
@@ -29,17 +29,26 @@ ms.date: 10/17/2017
Quickly respond to detected attacks by stopping and quarantining files or blocking a file. After taking action on files, you can check activity details on the Action center.
->[!NOTE]
-> These response actions are only available for machines on Windows 10, version 1703.
+>[!IMPORTANT]
+>These response actions are only available for machines on Windows 10, version 1703 or later.
You can also submit files for deep analysis to run the file in a secure cloud sandbox. When the analysis is complete, you'll get a detailed report that provides information about the behavior of the file.
## Stop and quarantine files in your network
You can contain an attack in your organization by stopping the malicious process and quarantine the file where it was observed.
+>[!IMPORTANT]
+>You can only take this action if:
+> - The machine you're taking the action on is running Windows 10, version 1703 or later
+> - The file does not belong to trusted third-party publishers or not signed by Microsoft
+> - Windows Defender Antivirus must at least be running on Passive mode. For more information, see [Windows Defender Antivirus compatibility](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md).
+
The **Stop and Quarantine File** action includes stopping running processes, quarantining the files, and deleting persistency such as registry keys.
-The action takes effect on machines with the latest Windows 10, version 1703 where the file was observed in the last 30 days.
+The action takes effect on machines with Windows 10, version 1703 or later, where the file was observed in the last 30 days.
+
+>[!NOTE]
+>You’ll be able to remove the file from quarantine at any time.
### Stop and quarantine files
1. Select the file you want to stop and quarantine. You can select a file from any of the following views or use the Search box:
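Review bot: The second condition in the new IMPORTANT list, "+> - The file does not belong to trusted third-party publishers or not signed by Microsoft", is ambiguous as written: read literally, a Microsoft-signed file satisfies the first half and so appears to qualify for quarantine, which contradicts the later note that the **Action** button is disabled for files signed by Microsoft or trusted third-party publishers. Write it as a single negative: "The file is not signed by Microsoft or by a trusted third-party publisher". The third condition should read "running in Passive mode" rather than "on Passive mode", and "must at least be running" mixes a requirement into a list that already opens with "if:"; "Windows Defender Antivirus is running, at least in Passive mode" keeps the list parallel.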
@@ -70,7 +79,7 @@ When the file is being removed from an endpoint, the following notification is s
In the machine timeline, a new event is added for each machine where a file was stopped and quarantined.
->[!NOTE]
+>[!IMPORTANT]
>The **Action** button is turned off for files signed by Microsoft as well as trusted third–party publishers to prevent the removal of critical system files and files used by important applications.

@@ -97,11 +106,12 @@ You can roll back and remove a file from quarantine if you’ve determined that
## Block files in your network
You can prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware. If you know a potentially malicious portable executable (PE) file, you can block it. This operation will prevent it from being read, written, or executed on machines in your organization.
->[!NOTE]
->This feature is only available if your organization uses Windows Defender Antivirus and Cloud–based protection is enabled. For more information, see [Manage cloud–based protection](../windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md).
-This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the web. It currently supports portable executable (PE) files, including _.exe_ and _.dll_ files. The coverage will be extended over time. This response action is available for machines on Windows 10, version 1703 or later.
-
>[!IMPORTANT]
+>- This feature is available if your organization uses Windows Defender Antivirus and Cloud–based protection is enabled. For more information, see [Manage cloud–based protection](../windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md).
+>- This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the web. It currently supports portable executable (PE) files, including _.exe_ and _.dll_ files. The coverage will be extended over time.
+>- This response action is available for machines on Windows 10, version 1703 or later.
+
+>[!NOTE]
> The PE file needs to be in the machine timeline for you to be able to take this action.
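Review bot: Rewriting ">This feature is only available if your organization uses Windows Defender Antivirus and Cloud–based protection is enabled" as ">- This feature is available if ..." drops "only", so the sentence no longer reads as a prerequisite; if cloud-based protection is still required for file blocking, keep "only" (or write "requires"). The dashes in "Cloud–based" and "cloud–based" here (and "third–party" in the earlier hunk) are en dashes rather than hyphens, which render oddly inside link text and should be plain hyphens.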
diff --git a/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md
index ffd0412eb8..87f97bcd64 100644
--- a/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
-ms.date: 10/17/2017
+ms.date: 11/10/2017
---
# Take response actions on a machine
@@ -24,20 +24,19 @@ ms.date: 10/17/2017
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
-
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-respondmachine-abovefoldlink)
Quickly respond to detected attacks by isolating machines or collecting an investigation package. After taking action on machines, you can check activity details on the Action center.
->[!NOTE]
-> These response actions are only available for machines on Windows 10, version 1703.
-
-
+>[!IMPORTANT]
+> These response actions are only available for machines on Windows 10, version 1703 or later.
## Collect investigation package from machines
As part of the investigation or response process, you can collect an investigation package from a machine. By collecting the investigation package, you can identify the current state of the machine and further understand the tools and techniques used by the attacker.
+>[!IMPORTANT]
+> This response action is available for machines on Windows 10, version 1703 or later.
+
You can download the package (Zip file) and investigate the events that occurred on a machine.
The package contains the following folders:
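Review bot: The page-level "+>[!IMPORTANT]" at the top now says all response actions need Windows 10, version 1703 or later, while the later hunks in this file add per-action notes requiring version 1709 (antivirus scan, restrict app execution, selective isolation); the blanket statement is therefore only partly true. Either change the top note to say the minimum version varies by action and is listed in each section, or keep it and drop the note added under "Collect investigation package", which merely repeats the 1703 requirement.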
@@ -89,8 +88,10 @@ The package contains the following folders:
## Run Windows Defender Antivirus scan on machines
As part of the investigation or response process, you can remotely initiate an antivirus scan to help identify and remediate malware that might be present on a compromised machine.
->[!NOTE]
-> A Windows Defender Antivirus (Windows Defender AV) scan can run alongside other antivirus solutions, whether Windows Defender AV is the active antivirus solution or not.
+>[!IMPORTANT]
+>- This action is available for machines on Windows 10, version 1709 or later.
+>- A Windows Defender Antivirus (Windows Defender AV) scan can run alongside other antivirus solutions, whether Windows Defender AV is the active antivirus solution or not. Windows Defender AV can be in Passive mode. For more information, see [Windows Defender Antivirus compatibility](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md).
+
1. Select the machine that you want to run the scan on. You can select or search for a machine from any of the following views:
@@ -121,6 +122,11 @@ The machine timeline will include a new event, reflecting that a scan action was
## Restrict app execution
In addition to the ability of containing an attack by stopping malicious processes, you can also lock down a device and prevent subsequent attempts of potentially malicious programs from running.
+>[!IMPORTANT]
+> - This action is available for machines on Windows 10, version 1709 or later.
+> - This action needs to meet the Windows Defender Application Control code integrity policy formats and signing requirements. For more information, see [Code integrity policy formats and signing](https://docs.microsoft.com/en-us/windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard#code-integrity-policy-formats-and-signing).
+
+
The action to restrict an application from running applies a code integrity policy that only allows running of files that are signed by a Microsoft issued certificate. This method of restriction can help prevent an attacker from controlling compromised machines and performing further malicious activities.
>[!NOTE]
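Review bot: "+> - This action needs to meet the Windows Defender Application Control code integrity policy formats and signing requirements" is unclear about who meets what: the action applies a policy, so it is the machine (or the policy being applied) that must satisfy the WDAC format and signing requirements. Suggest: "The machine must meet the Windows Defender Application Control code integrity policy format and signing requirements." The link is an absolute docs.microsoft.com URL with an en-us locale segment, whereas the other doc links in this change are relative paths; a relative link, or at least dropping the locale segment, lets localized builds resolve to the right language. There are also two blank lines after the callout.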
@@ -171,9 +177,14 @@ Depending on the severity of the attack and the state of the machine, you can ch
## Isolate machines from the network
Depending on the severity of the attack and the sensitivity of the machine, you might want to isolate the machine from the network. This action can help prevent the attacker from controlling the compromised machine and performing further activities such as data exfiltration and lateral movement.
+>[!IMPORTANT]
+>- Full isolation is available for machines on Windows 10, version 1703.
+>- Selective isolation is available for machines on Windows 10, version 1709 or later.
+
+
This machine isolation feature disconnects the compromised machine from the network while retaining connectivity to the Windows Defender ATP service, which continues to monitor the machine.
-On Windows 10, version 1710 and above, you'll have additional control over the network isolation level. You can also choose to enable Outlook and Skype for Business connectivity.
+On Windows 10, version 1709 or later, you'll have additional control over the network isolation level. You can also choose to enable Outlook and Skype for Business connectivity.
>[!NOTE]
>You’ll be able to reconnect the machine back to the network at any time.
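Review bot: "+>- Full isolation is available for machines on Windows 10, version 1703." reads as if full isolation works only on 1703, but the rewritten sentence below says version 1709 or later adds control over the isolation level, which implies isolation itself is available there too; write "version 1703 or later" to match the other callouts in this file. The 1710 to 1709 correction is right (there is no Windows 10 version 1710), and the two blank lines after the callout can be reduced to one.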
diff --git a/windows/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md
index 6f30bcb438..b43fb54643 100644
--- a/windows/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md
@@ -31,7 +31,7 @@ ms.date: 10/17/2017
You can take response actions on machines and files to quickly respond to detected attacks so that you can contain or reduce and prevent further damage caused by malicious attackers in your organization.
>[!NOTE]
-> These response actions are only available for machines on Windows 10, version 1703.
+> These response actions are only available for machines on Windows 10, version 1703 or higher.
## In this section
Topic | Description
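Review bot: "+> These response actions are only available for machines on Windows 10, version 1703 or higher." uses "or higher" where every other callout in this change says "or later"; align the wording. Since the respond-machine-alerts hunks in this change add actions that need version 1709, this overview note may also want to say that the minimum version varies per action and is stated on each response-action page.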
diff --git a/windows/threat-protection/windows-defender-atp/run-detection-test-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/run-detection-test-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..9be70be191
--- /dev/null
+++ b/windows/threat-protection/windows-defender-atp/run-detection-test-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,47 @@
+---
+title: Run a detection test on a newly onboarded Windows Defender ATP endpoint
+description: Run the detection script on a newly onboarded endpoint to verify that it is properly onboarded to the Windows Defender ATP service.
+keywords: detection test, detection, powershell, script, verify, onboarding, windows defender advanced threat protection onboarding, clients, servers, endpoint, test
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 11/06/2017
+---
+
+# Run a detection test on a newly onboarded Windows Defender ATP endpoint
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+Run the following PowerShell script on a newly onboarded endpoint to verify that it is properly reporting to the Windows Defender ATP service.
+
+1. Open an elevated command-line prompt on the endpoint and run the script:
+
+ a. Go to **Start** and type **cmd**.
+
+ b. Right-click **Command Prompt** and select **Run as administrator**.
+
+ 
+
+2. At the prompt, copy and run the following command:
+
+ ```
+ powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\test-WDATP-test\invoice.exe');Start-Process 'C:\test-WDATP-test\invoice.exe'
+ ```
+
+The Command Prompt window will close automatically. If successful, the detection test will be marked as completed and a new alert will appear in the portal for the onboarded endpoint in approximately 10 minutes.
+
+## Related topics
+- [Configure client endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
+- [Configure server endpoints](configure-server-endpoints-windows-defender-advanced-threat-protection.md)
\ No newline at end of file
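Review bot: The detection test command ("+ powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', ...)") downloads from the endpoint's own loopback address, so on a normally configured machine nothing is fetched and invoice.exe never runs; the page should say this explicitly, so that the alert in the portal is understood as the success signal rather than a file appearing in C:\test-WDATP-test, otherwise readers will treat the failed download as a failed test. Step 1 says "open an elevated command-line prompt on the endpoint and run the script" but its substeps only open the prompt; move "run the script" to step 2. The code fence has no language tag; tag it (cmd or powershell) so it gets highlighting and the copy button. The file is also committed without a trailing newline.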
diff --git a/windows/threat-protection/windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md
index 7eaf489912..f8b9b55c33 100644
--- a/windows/threat-protection/windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md
@@ -29,6 +29,9 @@ ms.date: 10/17/2017
The Security Analytics dashboard expands your visibility into the overall security posture of your organization. From this dashboard, you'll be able to quickly assess the security posture of your organization, see machines that require attention, as well as recommendations for actions to further reduce the attack surface in your organization - all in one place. From there you can take action based on the recommended configuration baselines.
+>[!IMPORTANT]
+> This feature is available for machines on Windows 10, version 1703 or later.
+
The **Security analytics dashboard** displays a snapshot of:
- Organizational security score
- Security coverage
diff --git a/windows/threat-protection/windows-defender-atp/settings-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/settings-windows-defender-advanced-threat-protection.md
index 3a6898510d..5d97ac1e70 100644
--- a/windows/threat-protection/windows-defender-atp/settings-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/settings-windows-defender-advanced-threat-protection.md
@@ -60,7 +60,7 @@ To set the time zone:
3. Select **Timezone UTC** or your local time zone, for example -7:00.
### Regional settings
-To apply different date formats for Windows Defender ATP, use regional settings for IE and Edge. If you're using another browser such as Google Chrome, follow the required steps to change the time and date settings for that browser.
+To apply different date formats for Windows Defender ATP, use regional settings for Internet Explorer (IE) and Microsoft Edge (Edge). If you're using another browser such as Google Chrome, follow the required steps to change the time and date settings for that browser.
**Internet Explorer (IE) and Microsoft Edge (Edge)**
diff --git a/windows/threat-protection/windows-defender-atp/troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md
index 88fd5b5c34..bf1c9e6d63 100644
--- a/windows/threat-protection/windows-defender-atp/troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: v-tanewt
author: tbit0001
ms.localizationpriority: high
-ms.date: 09/10/2017
+ms.date: 11/22/2017
---
# Troubleshoot subscription and portal access issues
@@ -64,5 +64,13 @@ For more information see, [**Assign user access to the portal**](https://docs.mi

+## Data currently isn't available on some sections of the portal
+If the portal dashboard, and other sections show an error message such as "Data currently isn't available":
+
+
+
+You'll need to whitelist the `security.windows.com` and all sub-domains under it. For example `*security.windows.com`.
+
+
## Related topics
- [Validating licensing provisioning and completing setup for Windows Defender ATP](licensing-windows-defender-advanced-threat-protection.md)
\ No newline at end of file
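Review bot: the wildcard example `*security.windows.com` in the new "Data currently isn't available" section does not express "all sub-domains" in most allow-list syntaxes and, as a bare wildcard, would also match unrelated host names that merely end in `security.windows.com`; suggest listing `security.windows.com` and `*.security.windows.com` explicitly. The opening sentence "If the portal dashboard, and other sections show an error message" has a stray comma ("If the portal dashboard or other sections show an error message ..."), and the two empty lines between it and the "You'll need to whitelist" sentence look like a dropped screenshot reference; either add the image or remove the gap.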
diff --git a/windows/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
index 286271b278..0d8d3540c1 100644
--- a/windows/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
@@ -270,7 +270,7 @@ Windows Defender Advanced Threat Protection requires one of the following Micros
- Windows 10 Enterprise E5
- Windows 10 Education E5
- - Secure Productive Enterprise E5 (SPE E5) which includes Windows 10 Enterprise E5
+ - Microsoft 365 Enterprise E5 which includes Windows 10 Enterprise E5
For more information, see [Windows 10 Licensing](https://www.microsoft.com/en-us/Licensing/product-licensing/windows10.aspx#tab=2).
diff --git a/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md
index ec8c9e2244..56df91f582 100644
--- a/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md
@@ -106,7 +106,7 @@ Topic | Description
[Windows Defender ATP service health](service-status-windows-defender-advanced-threat-protection.md) | Verify that the service health is running properly or if there are current issues.
[Troubleshoot Windows Defender Advanced Threat Protection](troubleshoot-windows-defender-advanced-threat-protection.md) | This topic contains information to help IT Pros find workarounds for the known issues and troubleshoot issues in Windows Defender ATP.
[Review events and errors on endpoints with Event Viewer](event-error-codes-windows-defender-advanced-threat-protection.md)| Review events and errors associated with event IDs to determine if further troubleshooting steps are required.
-[Windows Defender compatibility](defender-compatibility-windows-defender-advanced-threat-protection.md) | Learn about how Windows Defender works in conjunction with Windows Defender ATP.
+[Windows Defender Antivirus compatibility with Windows Defender ATP](defender-compatibility-windows-defender-advanced-threat-protection.md) | Learn about how Windows Defender Antivirus works in conjunction with Windows Defender ATP.
## Related topic
[Windows Defender ATP helps detect sophisticated threats](https://www.microsoft.com/itshowcase/Article/Content/854/Windows-Defender-ATP-helps-detect-sophisticated-threats)
diff --git a/windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
index a3bb50ab5b..7ee1ff05ed 100644
--- a/windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
+++ b/windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
@@ -21,7 +21,12 @@ ms.date: 08/25/2017
**Applies to:**
-- Windows 10, version 1709
+- Windows 10, version 1709 (and later)
+- Microsoft Office 365
+- Microsoft Office 2016
+- Microsoft Office 2013
+- Microsoft Office 2010
+
@@ -41,13 +46,16 @@ Attack surface reduction helps prevent actions and apps that are typically used
It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md).
+>[!TIP]
+>You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
+
Attack surface reduction works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md) - which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md).
The feature is comprised of a number of rules, each of which target specific behaviors that are typically used by malware and malicious apps to infect machines, such as:
- Executable files and scripts used in Office apps or web mail that attempt to download or run files
- Scripts that are obfuscated or otherwise suspicious
-- Behaviors that apps undertake that are not usually inititated during normal day-to-day work
+- Behaviors that apps undertake that are not usually initiated during normal day-to-day work
See the [Attack surface reduction rules](#attack-surface-reduction-rules) section in this topic for more information on each rule.
@@ -59,7 +67,7 @@ You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evalua
The following sections describe what each rule does. Each rule is identified by a rule GUID, as in the following table:
-Rule name | GUIDs
+Rule name | GUID
-|-
Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
Block Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A
@@ -69,6 +77,15 @@ Block JavaScript or VBScript from launching downloaded executable content | D3E0
Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
Block Win32 API calls from Office macro | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
+The rules apply to the following Office apps running on Windows 10, version 1709. See the **Applies to** section at the start of this topic for a list of supported Office version.
+
+Supported Office apps:
+- Microsoft Word
+- Microsoft Excel
+- Microsoft PowerPoint
+- Microsoft OneNote
+
+The rules do not apply to any other Office apps.
### Rule: Block executable content from email client and webmail
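Review bot: "for a list of supported Office version" should be "versions", and the new sentence says the rules apply to Office apps "running on Windows 10, version 1709" while the updated Applies to list in this same change says "version 1709 (and later)"; align the two so the later-version case is not left ambiguous.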
@@ -79,7 +96,8 @@ This rule blocks the following file types from being run or launched from an ema
- Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
- Script archive files
-
+>[!IMPORTANT]
+>[Exclusions do not apply to this rule](customize-attack-surface-reduction.md#exclude-files-and-folders).
### Rule: Block Office applications from creating child processes
@@ -102,14 +120,18 @@ Office apps, such as Word, Excel, or PowerPoint, will not be able to inject code
This is typically used by malware to run malicious code in an attempt to hide the activity from antivirus scanning engines.
+>[!IMPORTANT]
+>[Exclusions do not apply to this rule](customize-attack-surface-reduction.md#exclude-files-and-folders).
-### Rule: Block JavaScript ok VBScript From launching downloaded executable content
+### Rule: Block JavaScript or VBScript From launching downloaded executable content
JavaScript and VBScript scripts can be used by malware to launch other malicious apps.
This rule prevents these scripts from being allowed to launch apps, thus preventing malicious use of the scripts to spread malware and infect machines.
+>[!IMPORTANT]
+>[Exclusions do not apply to this rule](customize-attack-surface-reduction.md#exclude-files-and-folders).
### Rule: Block execution of potentially obfuscated scripts
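Review bot: the corrected heading "Block JavaScript or VBScript From launching downloaded executable content" still capitalizes "From", unlike the other rule headings and the rule name used in the GUID tables in this change ("Block JavaScript or VBScript from launching downloaded executable content"); use lower-case "from" so the heading, its anchor and the cross-page rule names match.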
diff --git a/windows/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md
index c63d4747c8..1f91198bed 100644
--- a/windows/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md
+++ b/windows/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md
@@ -40,6 +40,9 @@ This topic provides links that describe how to enable the audit functionality fo
You can use Group Policy, PowerShell, and configuration servicer providers (CSPs) to enable audit mode.
+>[!TIP]
+>You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the features are working and see how they work.
+
Audit options | How to enable audit mode | How to view events
@@ -58,7 +61,7 @@ You can also use the a custom PowerShell script that enables the features in aud
2. Right-click **Windows PowerShell**, click **Run as administrator** and click **Yes** or enter admin credentials at the prompt.
-3. Enter the following in the PowerShell window to enable Controlled folder access and Attack surface reduction in audie mode:
+3. Enter the following in the PowerShell window to enable Controlled folder access and Attack surface reduction in audit mode:
```PowerShell
Set-ExecutionPolicy Bypass -Force
\Enable-ExploitGuardAuditMode.ps1
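Review bot: the context line `Set-ExecutionPolicy Bypass -Force` changes the execution policy persistently for the default scope rather than only for this elevated session; suggest `Set-ExecutionPolicy Bypass -Scope Process -Force` so the audit script runs without leaving the relaxed policy on the machine. The path `\Enable-ExploitGuardAuditMode.ps1` also appears to have lost its leading `.` (as written it resolves to the root of the current drive rather than the current folder), and "use the a custom PowerShell script" in the hunk header context has a doubled article.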
diff --git a/windows/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md
index 973eae24a0..a2095a35f1 100644
--- a/windows/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md
+++ b/windows/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md
@@ -42,6 +42,9 @@ Controlled folder access helps you protect valuable data from malicious apps and
It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md).
+>[!TIP]
+>You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
+
Controlled folder access works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md) - which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md).
All apps (any executable file, including .exe, .scr, .dll files and others) are assessed by Windows Defender Antivirus, which then determines if the app is malicious or safe. If the app is determined to be malicious or suspicious, then it will not be allowed to make changes to any files in any protected folder.
diff --git a/windows/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md b/windows/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md
index e68c054cde..421eef2058 100644
--- a/windows/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md
+++ b/windows/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md
@@ -43,9 +43,35 @@ You can use Group Policy, PowerShell, and MDM CSPs to configure these settings.
## Exclude files and folders
-You can exclude files and folders from being evaluated by Attack surface reduction rules.
+You can exclude files and folders from being evaluated by most Attack surface reduction rules. This means that even if the file or folder contains malicious behavior as determined by an Attack surface reduction rule, the file will not be blocked from running.
+
+This could potentially allow unsafe files to run and infect your devices.
+
+>[!WARNING]
+>Excluding files or folders can severly reduce the protection provided by Attack surface reduction rules. Files that would have been blocked by a rule will be allowed to run, and there will be no report or event recorded.
+>
+>If you are encountering problems with rules detecting files that you believe should not be detected, you should [use audit mode first to test the rule](enable-attack-surface-reduction.md#enable-and-audit-attack-surface-reduction-rules).
+
+You can specify individual files or folders (using folder paths or fully qualified resource names) but you cannot specify if the exclusions should only be applied to individual rules: the exclusions will apply to all rules that are enabled (or placed in audit mode) and that allow exclusions.
+
+Exclusions will only be applied to certain rules. Some rules will not honor the exclusion list. This means that even if you have added a file to the exclusion list, some rules will still evaluate and potentially block that file if the rule determines the file to be unsafe.
+
+>[!IMPORTANT]
+>Rules that do not honor the exclusion list will not exclude folders or files added in the exclusion list. All files will be evaluated and potentially blocked by rules that do not honor the exclusion list (indicated with a red X in the following table).
+
+
+Rule description | Rule honors exclusions | GUID
+-|:-:|-
+Block Office applications from creating child processes | [!include[Check mark yes](images/svg/check-yes.svg)] | D4F940AB-401B-4EFC-AADC-AD5F3C50688A
+Block execution of potentially obfuscated scripts | [!include[Check mark yes](images/svg/check-yes.svg)] | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
+Block Win32 API calls from Office macro | [!include[Check mark yes](images/svg/check-yes.svg)] | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
+Block Office applications from creating executable content | [!include[Check mark yes](images/svg/check-yes.svg)] | 3B576869-A4EC-4529-8536-B80A7769E899
+Block Office applications from injecting code into other processes | [!include[Check mark no](images/svg/check-no.svg)] | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
+Block JavaScript or VBScript from launching downloaded executable content | [!include[Check mark no](images/svg/check-no.svg)] | D3E037E1-3EB8-44C8-A917-57927947596D
+Block executable content from email client and webmail | [!include[Check mark no](images/svg/check-no.svg)] | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
+
+See the [Attack surface reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule.
-You can specify individual files or folders (using folder paths or fully qualified resource names) but you cannot specify if the exclusions should only be applied to individual rules: the exclusions will apply to all rules that are enabled (or placed in audit mode).
### Use Group Policy to exclude files and folders
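Review bot: "severly" in the new WARNING should be "severely". The IMPORTANT note refers to rules "indicated with a red X in the following table", which depends on the check-no include rendering as an image; spelling out the three rule names (or adding a text fallback) keeps the note usable where the SVG does not render. The removed paragraph at the end of the hunk duplicated the "You can specify individual files or folders" text now placed higher up, so that removal is correct, and the table's three "no" rows match the three "Exclusions do not apply to this rule" notes added to attack-surface-reduction-exploit-guard.md in this change.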
diff --git a/windows/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md b/windows/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md
index 40aebba1d3..d1e292f7a7 100644
--- a/windows/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md
+++ b/windows/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md
@@ -63,28 +63,28 @@ The **Use default** configuration for each of the mitigation settings indicates
For the associated PowerShell cmdlets for each mitigation, see the [PowerShell reference table](#cmdlets-table) at the bottom of this topic.
Mitigation | Description | Can be applied to | Audit mode available
-- | - | - | -
-Control flow guard (CFG) | Ensures control flow integrity for indirect calls. Can optionally suppress exports and use strict CFG. | System and app-level | [!include[Check mark no](images/svg/check-no.md)]
-Data Execution Prevention (DEP) | Prevents code from being run from data-only memory pages such as the heap and stacks. Only configurable for 32-bit (x86) apps, permanently enabled for all other architectures. Can optionally enable ATL thunk emulation. | System and app-level | [!include[Check mark no](images/svg/check-no.md)]
-Force randomization for images (Mandatory ASLR) | Forcibly relocates images not compiled with /DYNAMICBASE. Can optionally fail loading images that don't have relocation information. | System and app-level | [!include[Check mark no](images/svg/check-no.md)]
-Randomize memory allocations (Bottom-Up ASLR) | Randomizes locations for virtual memory allocations including those for system structures heaps, stacks, TEBs, and PEBs. Can optionally use a wider randomization variance for 64-bit processes. | System and app-level | [!include[Check mark no](images/svg/check-no.md)]
-Validate exception chains (SEHOP) | Ensures the integrity of an exception chain during exception dispatch. Only configurable for 32-bit (x86) applications. | System and app-level | [!include[Check mark no](images/svg/check-no.md)]
-Validate heap integrity | Terminates a process when heap corruption is detected. | System and app-level | [!include[Check mark no](images/svg/check-no.md)]
-Arbitrary code guard (ACG) | Prevents the introduction of non-image-backed executable code and prevents code pages from being modified. Can optionally allow thread opt-out and allow remote downgrade (configurable only with PowerShell). | App-level only | [!include[Check mark yes](images/svg/check-yes.md)]
-Block low integrity images | Prevents the loading of images marked with Low Integrity. | App-level only | [!include[Check mark yes](images/svg/check-yes.md)]
-Block remote images | Prevents loading of images from remote devices. | App-level only | [!include[Check mark yes](images/svg/check-yes.md)]
-Block untrusted fonts | Prevents loading any GDI-based fonts not installed in the system fonts directory, notably fonts from the web. | App-level only | [!include[Check mark yes](images/svg/check-yes.md)]
-Code integrity guard | Restricts loading of images signed by Microsoft, WQL, and higher. Can optionally allow Microsoft Store signed images. | App-level only | [!include[Check mark yes](images/svg/check-yes.md)]
-Disable extension points | Disables various extensibility mechanisms that allow DLL injection into all processes, such as AppInit DLLs, window hooks, and Winsock service providers. | App-level only | [!include[Check mark no](images/svg/check-no.md)]
-Disable Win32k system calls | Prevents an app from using the Win32k system call table. | App-level only | [!include[Check mark yes](images/svg/check-yes.md)]
-Do not allow child processes | Prevents an app from creating child processes. | App-level only | [!include[Check mark yes](images/svg/check-yes.md)]
-Export address filtering (EAF) | Detects dangerous operations being resolved by malicious code. Can optionally validate access by modules commonly used by exploits. | App-level only | [!include[Check mark yes](images/svg/check-yes.md)]
-Import address filtering (IAF) | Detects dangerous operations being resolved by malicious code. | App-level only | [!include[Check mark yes](images/svg/check-yes.md)]
-Simulate execution (SimExec) | Ensures that calls to sensitive APIs return to legitimate callers. Only configurable for 32-bit (x86) applications. | App-level only | [!include[Check mark yes](images/svg/check-yes.md)]
-Validate API invocation (CallerCheck) | Ensures that sensitive APIs are invoked by legitimate callers. Only configurable for 32-bit (x86) applications. | App-level only | [!include[Check mark yes](images/svg/check-yes.md)]
-Validate handle usage | Causes an exception to be raised on any invalid handle references. | App-level only | [!include[Check mark no](images/svg/check-no.md)]
-Validate image dependency integrity | Enforces code signing for Windows image dependency loading. | App-level only | [!include[Check mark yes](images/svg/check-yes.md)]
-Validate stack integrity (StackPivot) | Ensures that the stack has not been redirected for sensitive APIs. | App-level only | [!include[Check mark yes](images/svg/check-yes.md)]
+- | - | - | :-:
+Control flow guard (CFG) | Ensures control flow integrity for indirect calls. Can optionally suppress exports and use strict CFG. | System and app-level | [!include[Check mark no](images/svg/check-no.svg)]
+Data Execution Prevention (DEP) | Prevents code from being run from data-only memory pages such as the heap and stacks. Only configurable for 32-bit (x86) apps, permanently enabled for all other architectures. Can optionally enable ATL thunk emulation. | System and app-level | [!include[Check mark no](images/svg/check-no.svg)]
+Force randomization for images (Mandatory ASLR) | Forcibly relocates images not compiled with /DYNAMICBASE. Can optionally fail loading images that don't have relocation information. | System and app-level | [!include[Check mark no](images/svg/check-no.svg)]
+Randomize memory allocations (Bottom-Up ASLR) | Randomizes locations for virtual memory allocations including those for system structures heaps, stacks, TEBs, and PEBs. Can optionally use a wider randomization variance for 64-bit processes. | System and app-level | [!include[Check mark no](images/svg/check-no.svg)]
+Validate exception chains (SEHOP) | Ensures the integrity of an exception chain during exception dispatch. Only configurable for 32-bit (x86) applications. | System and app-level | [!include[Check mark no](images/svg/check-no.svg)]
+Validate heap integrity | Terminates a process when heap corruption is detected. | System and app-level | [!include[Check mark no](images/svg/check-no.svg)]
+Arbitrary code guard (ACG) | Prevents the introduction of non-image-backed executable code and prevents code pages from being modified. Can optionally allow thread opt-out and allow remote downgrade (configurable only with PowerShell). | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
+Block low integrity images | Prevents the loading of images marked with Low Integrity. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
+Block remote images | Prevents loading of images from remote devices. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
+Block untrusted fonts | Prevents loading any GDI-based fonts not installed in the system fonts directory, notably fonts from the web. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
+Code integrity guard | Restricts loading of images signed by Microsoft, WQL, and higher. Can optionally allow Microsoft Store signed images. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
+Disable extension points | Disables various extensibility mechanisms that allow DLL injection into all processes, such as AppInit DLLs, window hooks, and Winsock service providers. | App-level only | [!include[Check mark no](images/svg/check-no.svg)]
+Disable Win32k system calls | Prevents an app from using the Win32k system call table. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
+Do not allow child processes | Prevents an app from creating child processes. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
+Export address filtering (EAF) | Detects dangerous operations being resolved by malicious code. Can optionally validate access by modules commonly used by exploits. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
+Import address filtering (IAF) | Detects dangerous operations being resolved by malicious code. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
+Simulate execution (SimExec) | Ensures that calls to sensitive APIs return to legitimate callers. Only configurable for 32-bit (x86) applications. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
+Validate API invocation (CallerCheck) | Ensures that sensitive APIs are invoked by legitimate callers. Only configurable for 32-bit (x86) applications. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
+Validate handle usage | Causes an exception to be raised on any invalid handle references. | App-level only | [!include[Check mark no](images/svg/check-no.svg)]
+Validate image dependency integrity | Enforces code signing for Windows image dependency loading. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
+Validate stack integrity (StackPivot) | Ensures that the stack has not been redirected for sensitive APIs. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
>[!IMPORTANT]
>If you add an app to the **Program settings** section and configure individual mitigation settings there, they will be honored above the configuration for the same mitigations specified in the **System settings** section. The following matrix and examples help to illustrate how defaults work:
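Review bot: the "Code integrity guard" row (touched here only to switch the include extension) says "images signed by Microsoft, WQL, and higher"; "WQL" is most likely "WHQL" (Windows Hardware Quality Labs), and "and higher" should read "or higher". Since every row of the table is rewritten in this hunk to change the check-mark includes from .md to .svg, this is the right place to fix it.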
@@ -92,10 +92,10 @@ Validate stack integrity (StackPivot) | Ensures that the stack has not been redi
>
>Enabled in **Program settings** | Enabled in **System settings** | Behavior
>:-: | :-: | :-:
->[!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] | As defined in **Program settings**
->[!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] | As defined in **Program settings**
->[!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark yes](images/svg/check-yes.md)] | As defined in **System settings**
->[!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark yes](images/svg/check-yes.md)] | Default as defined in **Use default** option
+>[!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | As defined in **Program settings**
+>[!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | As defined in **Program settings**
+>[!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | As defined in **System settings**
+>[!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | Default as defined in **Use default** option
>
>
>
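Review bot: rows 3 and 4 of the defaults matrix both show "no" under Program settings and "yes" under System settings but give different behaviors ("As defined in System settings" versus "Default as defined in Use default option"); the last row is evidently the no/no case and should use the check-no include in both columns. Since this hunk already rewrites all four rows for the .svg includes, correct the fourth row here rather than leaving the contradiction in place.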
@@ -185,7 +185,7 @@ Exporting the configuration as an XML file allows you to copy the configuration
The configuration settings that were most recently modified will always be applied - regardless of whether you use PowerShell or Windows Defender Security Center. This means that if you use the app to configure a mitigation, then use PowerShell to configure the same mitigation, the app will update to show the changes you made with PowerShell. If you were to then use the app to change the mitigation again, that change would apply.
>[!IMPORTANT]
- >Any changes that are deployed to a machine through Group Policy will override the local configuration. When setting up an initial configuration, use a machine that will not have a Group Policy configuration applied to ensure your changes aren't overriden.
+ >Any changes that are deployed to a machine through Group Policy will override the local configuration. When setting up an initial configuration, use a machine that will not have a Group Policy configuration applied to ensure your changes aren't overridden.
You can use the PowerShell verb `Get` or `Set` with the cmdlet `ProcessMitigation`. Using `Get` will list the current configuration status of any mitigations that have been enabled on the device - add the `-Name` cmdlet and app exe to see mitigations for just that app:
@@ -194,7 +194,16 @@ Exporting the configuration as an XML file allows you to copy the configuration
Get-ProcessMitigation -Name processName.exe
```
- Use `Set` to configure each mitigation in the following format:
+>[!IMPORTANT]
+>System-level mitigations that have not been configured will show a status of `NOTSET`.
+>
+>For system-level settings, `NOTSET` indicates the default setting for that mitigation has been applied.
+>
+>For app-level settings, `NOTSET` indicates the system-level setting for the mitigation will be applied.
+>
+>The default setting for each system-level mitigation can be seen in the Windows Defender Security Center, as described in the [Configure system-level mitigations with the Windows Defender Security Center app section above](#configure-system-level-mitigations-with-the-windows-defender-security-center-app).
+
+Use `Set` to configure each mitigation in the following format:
```PowerShell
Set-ProcessMitigation - -,,
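Review bot: the context line `Set-ProcessMitigation - -,,` that follows the new "Use Set to configure each mitigation in the following format" sentence has lost its placeholders (only the separators `- -,,` remain), so the format the sentence promises is unreadable; restore the placeholder names inside the fence. Dropping the leading space before "Use `Set`" is correct, as it turns the sentence back into a normal paragraph. In the new note, consider stating the NOTSET meaning once per scope (system-level: default applied; app-level: system-level setting applied) instead of leading with a sentence that covers only the system-level case.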
diff --git a/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md b/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md
index e4853782de..c147b811c2 100644
--- a/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md
+++ b/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md
@@ -50,19 +50,19 @@ Attack surface reduction rules are identified by their unique rule ID.
You can manually add the rules by using the GUIDs in the following table:
-Rule description | GUIDs
+Rule description | GUID
-|-
Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
Block Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A
Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899
-Block Office applications from injecting into other processes | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
-Impede JavaScript and VBScript to launch executables | D3E037E1-3EB8-44C8-A917-57927947596D
+Block Office applications from injecting code into other processes | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
+Block JavaScript or VBScript from launching downloaded executable content | D3E037E1-3EB8-44C8-A917-57927947596D
Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
-Block Win32 imports from Macro code in Office | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
+Block Win32 API calls from Office macro | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
See the [Attack surface reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule.
-### Use Group Policy to enable Attack surface reduction rules
+### Use Group Policy to enable or audit Attack surface reduction rules
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
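Review bot: the reworded rule descriptions in the GUID table (`Block Office applications from injecting code into other processes`, `Block JavaScript or VBScript from launching downloaded executable content`, `Block Win32 API calls from Office macro`) should be mirrored in the linked attack-surface-reduction-exploit-guard.md topic, which this same hunk sends readers to for per-rule details; if the two tables describe one GUID in two different ways, an admin matching a rule ID against its description will be misled. The heading also now promises `enable or audit`, but the only step visible here is the GPMC edit instruction, so confirm the steps that follow cover the audit value as well as the block value.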
@@ -84,7 +84,7 @@ See the [Attack surface reduction](attack-surface-reduction-exploit-guard.md) to
- ### Use PowerShell to enable Attack surface reduction rules
+ ### Use PowerShell to enable or audit Attack surface reduction rules
1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**
2. Enter the following cmdlet:
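Review bot: the renamed heading says `enable or audit`, but step 2 still reads `Enter the following cmdlet:` in the singular; if the section now covers auditing, the body needs to show the audit form next to the enable form, otherwise the heading should stay as `enable`. Minor style in the context lines: `right click` should be hyphenated as `right-click`, and step 1 is missing its terminating period.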
diff --git a/windows/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md
index 4af5aacff1..b0bc4e5eac 100644
--- a/windows/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md
+++ b/windows/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md
@@ -49,6 +49,12 @@ You can enable Controlled folder access with the Windows Defender Security Cente
For further details on how audit mode works, and when you might want to use it, see the [audit Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md).
+>[!NOTE]
+>The Controlled folder access feature will display the state in the Windows Defender Security Center app under **Virus & threat protection settings**.
+>If the feature is configured with Group Policy, PowerShell, or MDM CSPs, the state will change in the Windows Defender Security Center app after a restart of the device.
+>If the feature is set to **Audit mode** with any of those tools, the Windows Defender Security Center app will show the state as **Off**.
+>See [Use audit mode to evaluate Windows Defender Exploit Guard features](audit-windows-defender-exploit-guard.md) for more details on how audit mode works.
+
### Use the Windows Defender Security app to enable Controlled folder access
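Review bot: the new NOTE calls the UI the `Windows Defender Security Center app` four times, but the heading directly below it, `### Use the Windows Defender Security app to enable Controlled folder access`, still says `Windows Defender Security app`; pick one name. The NOTE itself is worth keeping, since an admin who sets Audit mode through Group Policy and then sees `Off` in the app may conclude the feature is disabled; consider stating outright that `Off` in this case does not mean the feature is inactive, and keep the pointer to the audit topic for what audit mode records.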
diff --git a/windows/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md b/windows/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md
index a419fbe410..93cf4d2df8 100644
--- a/windows/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md
+++ b/windows/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md
@@ -39,12 +39,15 @@ ms.date: 08/25/2017
Attack surface reduction is a feature that is part of Windows Defender Exploit Guard [that helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines](attack-surface-reduction-exploit-guard.md).
-This topic helps you evaluate Attack surface reduction. It explains how to demo the feature using a specialized tool, and how to enable audit mode so you can test the feature directly in your organisation.
+This topic helps you evaluate Attack surface reduction. It explains how to demo the feature using a specialized tool, and how to enable audit mode so you can test the feature directly in your organization.
>[!NOTE]
>This topic uses a customized testing tool and PowerShell cmdlets to make it easy to enable the feature and test it.
>For instructions on how to use Group Policy, Mobile Device Management (MDM), and System Center Configuration Manager to deploy these settings across your network, see the main [Attack surface reduction topic](attack-surface-reduction-exploit-guard.md).
+>[!TIP]
+>You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
+
## Use the demo tool to see how Attack surface reduction works
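Review bot: make sure a blank line separates the existing `>[!NOTE]` block from the added `>[!TIP]` block; as shown, `>[!TIP]` follows the note's `>For instructions on how to use Group Policy...` line directly, and adjacent `>` lines form a single blockquote in Markdown, so the tip would render inside the note rather than as its own callout. The `organisation` to `organization` change matches the US spelling used elsewhere in these docs.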
diff --git a/windows/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md b/windows/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md
index c664d02fce..a31b2ff2e6 100644
--- a/windows/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md
+++ b/windows/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md
@@ -38,12 +38,14 @@ Controlled folder access is a feature that is part of Windows Defender Exploit G
It is especially useful in helping to protect your documents and information from [ransomware](https://www.microsoft.com/en-us/wdsi/threats/ransomware) that can attempt to encrypt your files and hold them hostage.
-This topic helps you evaluate Controlled folder access. It explains how to demo the feature using a specialized tool, and how to enable audit mode so you can test the feature directly in your organisation.
+This topic helps you evaluate Controlled folder access. It explains how to demo the feature using a specialized tool, and how to enable audit mode so you can test the feature directly in your organization.
>[!NOTE]
>This topic uses PowerShell cmdlets to make it easy to enable the feature and test it.
>For instructions on how to use Group Policy, Mobile Device Management (MDM), and System Center Configuration Manager to deploy these settings across your network, see the main [Controlled folder access topic](controlled-folders-exploit-guard.md).
+>[!TIP]
+>You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
## Use the demo tool to see how Controlled folder access works
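Review bot: as with the other TIP insertions, `>[!TIP]` here sits immediately under the NOTE's last `>` line; verify a blank line separates the two so the tip is not absorbed into the note. Unlike the sibling hunk in evaluate-attack-surface-reduction.md, this one adds no blank line after the tip before the `## Use the demo tool to see how Controlled folder access works` heading, so check that the rendered page does not run the callout into the heading.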
diff --git a/windows/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md b/windows/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md
index 6ab98f2f63..660b96a36a 100644
--- a/windows/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md
+++ b/windows/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md
@@ -46,6 +46,8 @@ This topcs helps you evaluate Exploit protection. See the [Exploit protection to
>This topic uses PowerShell cmdlets to make it easy to enable the feature and test it.
>For instructions on how to use Group Policy and Mobile Device Management (MDM to deploy these settings across your network, see the main [Exploit protection topic](exploit-protection-exploit-guard.md) .
+>[!TIP]
+>You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
## Enable and validate an Exploit protection mitigation
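Review bot: the added `>[!TIP]` needs a blank line between it and the preceding `>[!NOTE]` block and another before the `## Enable and validate an Exploit protection mitigation` heading so it renders as a separate callout. While this region is being edited, two existing typos in the context lines should go in the same change: `This topcs helps you` should be `This topic helps you`, and `Mobile Device Management (MDM to deploy` is missing its closing parenthesis.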
diff --git a/windows/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md b/windows/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md
index e17117ec49..f3d44b112d 100644
--- a/windows/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md
+++ b/windows/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md
@@ -45,6 +45,9 @@ This topic helps you evaluate Network protection by enabling the feature and gui
>[!NOTE]
>The site will replicate the behavior that would happen if a user visted a malicious site or domain. The sites in this evaluation topic are not malicious, they are specially created websites that pretend to be malicious.
+>[!TIP]
+>You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
+
## Enable Network protection
1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**
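Review bot: confirm a blank line separates the NOTE's `>The site will replicate...` line from the added `>[!TIP]`, since without one the tip becomes part of the note. The context line also carries the typo `visted` (should be `visited`), and because that sentence is the one telling evaluators that the test sites are not actually malicious, it is worth correcting in this change.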
diff --git a/windows/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md
index b22bf2e8e4..2b0ebfe200 100644
--- a/windows/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md
+++ b/windows/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md
@@ -33,7 +33,11 @@ Windows Defender Exploit Guard is a new collection of tools and features that he
Windows Defender Exploit Guard is comprised of four features. We've developed evaluation guides for each of the features so you can easily and quickly see how they work and determine if they are suitable for your organization.
-Before you begin, you should read the main [Windows Defender Exploit Guard](windows-defender-exploit-guard.md) topic to get an understanding of each of the features and what their prerequisutes are.
+>[!TIP]
+>You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the features are working and see how they work.
+
+
+Before you begin, you should read the main [Windows Defender Exploit Guard](windows-defender-exploit-guard.md) topic to get an understanding of each of the features and what their prerequisites are.
- [Evaluate Attack surface reduction](evaluate-attack-surface-reduction.md)
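Review bot: the TIP is inserted ahead of the `Before you begin...` sentence it supplements and is followed by two `+` blank lines where one would do. Consider placing the TIP after the `Before you begin` paragraph, so readers are first told to read the main topic and then offered the Testground as an optional extra, and drop the surplus blank line. The `prerequisutes` to `prerequisites` correction is good; `is comprised of four features` in the context line would read better as `consists of four features`.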
@@ -45,6 +49,8 @@ You might also be interested in enabling the features in audit mode - which allo
- [Use audit mode to evaluate Windows Defender Exploit Guard features](audit-windows-defender-exploit-guard.md)
+
+
## Related topics
Topic | Description
diff --git a/windows/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md
index eb09cca9c9..447c78fb6f 100644
--- a/windows/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md
+++ b/windows/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md
@@ -42,6 +42,9 @@ Exploit protection automatically applies a number of exploit mitigation techniqu
It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md).
+>[!TIP]
+>You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
+
Exploit protection works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md) - which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md).
You [configure these settings using the Windows Defender Security Center app or PowerShell](customize-exploit-protection.md) on an individual machine, and then [export the configuration as an XML file that you can deploy to other machines](import-export-exploit-protection-emet-xml.md). You can use Group Policy to distribute the XML file to multiple devices at once.
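Review bot: the TIP lands in the middle of the introduction, between `It is part of Windows Defender Exploit Guard` and the sentence about Windows Defender Advanced Threat Protection, which breaks the flow of the opening paragraph; consider moving it after the `You configure these settings...` paragraph so the feature description reads continuously before the optional Testground pointer. The context line also abbreviates the product as `Windows Defender EG` where the rest of the hunk spells out `Windows Defender Exploit Guard`; use one form.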
diff --git a/windows/threat-protection/windows-defender-antivirus/images/svg/check-no.md b/windows/threat-protection/windows-defender-exploit-guard/images/svg/check-no.svg
similarity index 76%
rename from windows/threat-protection/windows-defender-antivirus/images/svg/check-no.md
rename to windows/threat-protection/windows-defender-exploit-guard/images/svg/check-no.svg
index afa7a3d27d..89a87afa8b 100644
--- a/windows/threat-protection/windows-defender-antivirus/images/svg/check-no.md
+++ b/windows/threat-protection/windows-defender-exploit-guard/images/svg/check-no.svg
@@ -1,4 +1,4 @@
-
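Review bot: this rename corrects a wrong extension (an SVG stored as `check-no.md`) and moves the file from the windows-defender-antivirus images folder into windows-defender-exploit-guard; with the similarity index at 76% the contents changed as well. Check that every topic which referenced `images/svg/check-no.md` under windows-defender-antivirus now points at the new `.svg` path, otherwise those tables lose their check/no icons silently.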