diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index e5b91868f9..838a6cc065 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -487,17 +487,17 @@
},
{
"source_path": "windows/deploy/upgrade-analytics-prepare-your-environment.md",
-"redirect_url": "/windows/deployment/upgrade/upgrade-analytics-identify-apps",
+"redirect_url": "/windows/deployment/upgrade/upgrade-readiness-identify-apps",
"redirect_document_id": true
},
{
"source_path": "windows/deploy/upgrade-analytics-release-notes.md",
-"redirect_url": "/windows/deployment/upgrade/upgrade-analytics-requirements",
+"redirect_url": "/windows/deployment/upgrade/upgrade-readiness-requirements",
"redirect_document_id": true
},
{
"source_path": "windows/deploy/upgrade-analytics-review-site-discovery.md",
-"redirect_url": "/windows/deployment/upgrade/upgrade-analytics-additional-insights",
+"redirect_url": "/windows/deployment/upgrade/upgrade-readiness-additional-insights",
"redirect_document_id": true
},
{
diff --git a/devices/hololens/TOC.md b/devices/hololens/TOC.md
index 1c6e2264ab..9ee05419db 100644
--- a/devices/hololens/TOC.md
+++ b/devices/hololens/TOC.md
@@ -1,5 +1,5 @@
# [Microsoft HoloLens](index.md)
-## [HoloLens in the enterprise: requirements](hololens-requirements.md)
+## [HoloLens in the enterprise: requirements and FAQ](hololens-requirements.md)
## [Set up HoloLens](hololens-setup.md)
## [Unlock Windows Holographic for Business features](hololens-upgrade-enterprise.md)
## [Enroll HoloLens in MDM](hololens-enroll-mdm.md)
diff --git a/devices/hololens/change-history-hololens.md b/devices/hololens/change-history-hololens.md
index fb1d9fe158..8377e9a846 100644
--- a/devices/hololens/change-history-hololens.md
+++ b/devices/hololens/change-history-hololens.md
@@ -14,6 +14,12 @@ localizationpriority: medium
This topic lists new and updated topics in the [Microsoft HoloLens documentation](index.md).
+## May 2017
+
+| New or changed topic | Description |
+| --- | --- |
+| [Microsoft HoloLens in the enterprise: requirements](hololens-requirements.md) | Changed title to **Microsoft HoloLens in the enterprise: requirements and FAQ**, added questions and answers in new [FAQ section](hololens-requirements.md#faq-for-hololens) |
+
## January 2017
| New or changed topic | Description |
diff --git a/devices/hololens/hololens-enroll-mdm.md b/devices/hololens/hololens-enroll-mdm.md
index cfc6dc0467..813109b1c5 100644
--- a/devices/hololens/hololens-enroll-mdm.md
+++ b/devices/hololens/hololens-enroll-mdm.md
@@ -11,10 +11,10 @@ localizationpriority: medium
# Enroll HoloLens in MDM
-You can manage multiple Microsoft HoloLens devices simultaneously using solutions like Microsoft Intune. You will be able to manage settings, select apps to install and set security configurations tailored to your organization's need.
+You can manage multiple Microsoft HoloLens devices simultaneously using solutions like Microsoft Intune. You will be able to manage settings, select apps to install and set security configurations tailored to your organization's need. See the [configuration service providers (CSPs) that are supported in Windows Holographic](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/configuration-service-provider-reference#hololens) and the [policies supported by Windows Holographic for Business](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#hololenspolicies).
>[!NOTE]
->Mobile device management (MDM) for the Development edition of HoloLens does not include VPN, BitLocker, or kiosk mode. Those features are only available when you [upgrade to Windows Holographic for Business](hololens-upgrade-enterprise.md).
+>Mobile device management (MDM), including the VPN, Bitlocker, and kiosk mode features, is only available when you [upgrade to Windows Holographic for Business](hololens-upgrade-enterprise.md).
## Requirements
diff --git a/devices/hololens/hololens-provisioning.md b/devices/hololens/hololens-provisioning.md
index 0b887cc940..149636b0ac 100644
--- a/devices/hololens/hololens-provisioning.md
+++ b/devices/hololens/hololens-provisioning.md
@@ -111,7 +111,7 @@ In Windows ICD, when you create a provisioning package for Windows Holographic,
| **Certificates** | Deploy a certificate to HoloLens. |
| **ConnectivityProfiles** | Deploy a Wi-Fi profile to HoloLens. |
| **EditionUpgrade** | [Upgrade to Windows Holographic for Business.](hololens-upgrade-enterprise.md) |
-| **Policies** | Allow or prevent developer mode on HoloLens. |
+| **Policies** | Allow or prevent developer mode on HoloLens. [Policies supported by Windows Holographic for Business](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#hololenspolicies) |
>[!NOTE]
>App installation (**UniversalAppInstall**) using a provisioning package is not currently supported for HoloLens.
@@ -119,3 +119,6 @@ In Windows ICD, when you create a provisioning package for Windows Holographic,
+
+
+
diff --git a/devices/hololens/hololens-requirements.md b/devices/hololens/hololens-requirements.md
index 11331b62f4..d8a6a6fb4e 100644
--- a/devices/hololens/hololens-requirements.md
+++ b/devices/hololens/hololens-requirements.md
@@ -1,6 +1,6 @@
---
-title: HoloLens in the enterprise requirements (HoloLens)
-description: Requirements for general use, Wi-Fi, and device management for HoloLens in the enterprise.
+title: HoloLens in the enterprise requirements and FAQ (HoloLens)
+description: Requirements and FAQ for general use, Wi-Fi, and device management for HoloLens in the enterprise.
ms.prod: w10
ms.mktglfcycl: manage
ms.pagetype: hololens, devices
@@ -9,11 +9,13 @@ author: jdeckerMS
localizationpriority: medium
---
-# Microsoft HoloLens in the enterprise: requirements
+# Microsoft HoloLens in the enterprise: requirements and FAQ
When you develop for HoloLens, there are [system requirements and tools](https://developer.microsoft.com/windows/mixed-reality/install_the_tools) that you need. In an enterprise environment, there are also a few requirements to use and manage HoloLens which are listed below.
-## General use
+## Requirements
+
+### General use
- Microsoft account or Azure Active Directory (Azure AD) account
- Wi-Fi network to set up HoloLens
@@ -21,7 +23,7 @@ When you develop for HoloLens, there are [system requirements and tools](https:/
>After you set up HoloLens, you can use it offline [with some limitations](https://support.microsoft.com/help/12645/hololens-use-hololens-offline).
-## Supported wireless network EAP methods
+### Supported wireless network EAP methods
- PEAP-MS-CHAPv2
- PEAP-TLS
- TLS
@@ -31,16 +33,36 @@ When you develop for HoloLens, there are [system requirements and tools](https:/
- TTLS-PAP
- TTLS-TLS
-## Device management
+### Device management
- Users have Azure AD accounts with [Intune license assigned](https://docs.microsoft.com/intune/get-started/start-with-a-paid-subscription-to-microsoft-intune-step-4)
- Wi-Fi network
- Intune or a 3rd party mobile device management (MDM) provider that uses Microsoft MDM APIs
-## Upgrade to Windows Holographic for Business
+### Upgrade to Windows Holographic for Business
- HoloLens Enterprise license XML file
+## FAQ for HoloLens
+#### Is Windows Hello for Business supported on HoloLens?
+
+Hello for Business (using a PIN to sign in) is supported for HoloLens. It must be configured [using MDM](hololens-enroll-mdm.md).
+
+#### Does the type of account change the sign-in behavior?
+
+Yes, the behavior for the type of account impacts the sign-in behavior. If you apply policies for sign-in, the policy is always respected. If no policy for sign-in is applied, these are the default behaviors for each account type.
+
+- Microsoft account: signs in automatically
+- Local account: always asks for password, not configurable by Settings
+- Azure AD: asks for password by default; configurable by Settings to no longer ask for password.
+
+>[!NOTE]
+>Inactivity timers are currently not supported, which means that the **AllowIdleReturnWithoutPassword** policy is respected only when the device goes into StandBy.
+
+
+#### How do I remove a HoloLens device from the Intune dashboard?
+
+You cannot [unenroll](https://docs.microsoft.com/intune-user-help/unenroll-your-device-from-intune-windows) HoloLens from Intune remotely. If the administrator unenrolls the device using MDM, the device will age out of the Intune dashboard.
## Related resources
diff --git a/windows/access-protection/TOC.md b/windows/access-protection/TOC.md
index 16b848c11f..d9e141960f 100644
--- a/windows/access-protection/TOC.md
+++ b/windows/access-protection/TOC.md
@@ -47,7 +47,6 @@
#### [User Account Control security policy settings](user-account-control\user-account-control-security-policy-settings.md)
#### [User Account Control Group Policy and registry key settings](user-account-control\user-account-control-group-policy-and-registry-key-settings.md)
-### [Virtual Smart Cards](virtual-smart-cards\virtual-smart-card-overview.md)
### [Virtual Smart Cards](virtual-smart-cards\virtual-smart-card-overview.md)
#### [Understanding and Evaluating Virtual Smart Cards](virtual-smart-cards\virtual-smart-card-understanding-and-evaluating.md)
##### [Get Started with Virtual Smart Cards: Walkthrough Guide](virtual-smart-cards\virtual-smart-card-get-started.md)
diff --git a/windows/access-protection/credential-guard/credential-guard-known-issues.md b/windows/access-protection/credential-guard/credential-guard-known-issues.md
index b9cacf0bc7..a3780e1d3f 100644
--- a/windows/access-protection/credential-guard/credential-guard-known-issues.md
+++ b/windows/access-protection/credential-guard/credential-guard-known-issues.md
@@ -26,26 +26,29 @@ See also Knowledge Base articles [KB4015219](https://support.microsoft.com/en-us
[KB4015221](https://support.microsoft.com/en-us/help/4015221/windows-10-update-kb4015221)
The following issue is under investigation. For available workarounds, see the following Knowledge Base article:
-- [Installing AppSense Environment Manager on Windows 10 machines causes LsaIso.exe to exhibit high CPU usage when Credential Guard is enabled](http://www.appsense.com/kb/160525073917945) *
+- [Installing AppSense Environment Manager on Windows 10 machines causes LSAiso.exe to exhibit high CPU usage when Credential Guard is enabled](http://www.appsense.com/kb/160525073917945) * [1]
- *Registration required to access this article.
+ *Registration required to access this article.
+
+ [1] For further technical information on LSAiso.exe, see this MSDN article: [Isolated User Mode (IUM) Processes](https://msdn.microsoft.com/library/windows/desktop/mt809132(v=vs.85).aspx)
+
+The following issue affects Cisco AnyConnect Secure Mobility Client:
- [Blue screen on Windows 10 computers running Device Guard and Credential Guard with Cisco Anyconnect 4.3.04027](https://quickview.cloudapps.cisco.com/quickview/bug/CSCvc66692)**
- **Registration required to access this article.
+**Registration required to access this article.
-Products that connect to Virtualization Based Security (VBS) protected processes can cause Credential Guard-enabled Windows 10 clients to exhibit high CPU usage. For further information, see the following Knowledge Base articles:
+Products that connect to Virtualization Based Security (VBS) protected processes can cause Credential Guard-enabled Windows 10 clients to exhibit high CPU usage. For further information, see the following Knowledge Base article:
- KB88869: [Windows 10 machines exhibit high CPU usage with McAfee Application and Change Control (MACC) installed when Credential Guard is enabled](https://kc.mcafee.com/corporate/index?page=content&id=KB88869)
+The following issue is under investigation:
- Windows 10 machines exhibit high CPU usage with Citrix applications installed when Credential Guard is enabled.
- Microsoft is currently working with Citrix to investigate this issue.
-
-
## Vendor support
+See the following article on Citrix support for Secure Boot:
- [Citrix Support for Secure Boot](https://www.citrix.com/blogs/2016/12/08/windows-server-2016-hyper-v-secure-boot-support-now-available-in-xenapp-7-12/)
Credential Guard is not supported by either these products, products versions, computer systems, or Windows 10 versions:
diff --git a/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index 03a95580ef..e95ca70d41 100644
--- a/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -287,15 +287,19 @@ You can prevent Windows from setting the time automatically.
-or-
+- Create a REG\_SZ registry setting in **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\Parameters\\Type** with a value of **NoSync**.
+
+After that, configure the following:
+
- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Enable Windows NTP Server** > **Windows Time Service** > **Configure Windows NTP Client**
+
+ > [!NOTE]
+ > This is only available on Windows 10, version 1703 and later.
-or -
-- Create a new REG\_DWORD registry setting **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\W32time\\TimeProviders\\NtpClient!Enabled** to 0 (zero).
+- Create a new REG\_DWORD registry setting **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\W32time\\TimeProviders\\NtpClient!Enabled** and set it to 0 (zero).
- -or-
-
-- Create a REG\_SZ registry setting in **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\Parameters\\Type** with a value of **NoSync**.
### 4. Device metadata retrieval
@@ -392,7 +396,6 @@ Use Group Policy to manage settings for Internet Explorer. You can find the Int
| Turn on Suggested Sites| Choose whether an employee can configure Suggested Sites.
Default: Enabled
You can also turn this off in the UI by clearing the **Internet Options** > **Advanced** > **Enable Suggested Sites** check box.|
| Allow Microsoft services to provide enhanced suggestions as the user types in the Address Bar | Choose whether an employee can configure enhanced suggestions, which are presented to the employee as they type in the address bar.
Default: Enabled|
| Turn off the auto-complete feature for web addresses | Choose whether auto-complete suggests possible matches when employees are typing web address in the address bar.
Default: Disabled You can also turn this off in the UI by clearing the Internet Options > **Advanced** > **Use inline AutoComplete in the Internet Explorer Address Bar and Open Dialog** check box.|
-| Disable Periodic Check for Internet Explorer software updates| Choose whether Internet Explorer periodically checks for a new version.
Default: Enabled |
| Turn off browser geolocation | Choose whether websites can request location data from Internet Explorer.
Default: Disabled|
| Prevent managing SmartScreen filter | Choose whether employees can manage the SmartScreen Filter in Internet Explorer.
Default: Disabled |
@@ -403,7 +406,6 @@ Alternatively, you could use the registry to set the Group Policies.
| Turn on Suggested Sites| HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Suggested Sites!Enabled
REG_DWORD: 0|
| Allow Microsoft services to provide enhanced suggestions as the user types in the Address Bar | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\AllowServicePoweredQSA
REG_DWORD: 0|
| Turn off the auto-complete feature for web addresses | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Explorer\\AutoComplete!AutoSuggest
REG_SZ: **No** |
-| Disable Periodic Check for Internet Explorer software updates| HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Infodelivery\\Restrictions!NoUpdateCheck
REG_DWORD: 1 |
| Turn off browser geolocation | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Geolocation!PolicyDisableGeolocation
REG_DWORD: 1 |
| Prevent managing SmartScreen filter | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\ Internet Explorer\\PhishingFilter!EnabledV9
REG_DWORD: 0 |
@@ -510,8 +512,8 @@ Find the Microsoft Edge Group Policy objects under **Computer Configuration** &g
| Configure search suggestions in Address bar | Choose whether the address bar shows search suggestions.
Default: Enabled |
| Configure Windows Defender SmartScreen Filter (Windows 10, version 1703)
Configure SmartScreen Filter (Windows Server 2016) | Choose whether Windows Defender SmartScreen is turned on or off.
Default: Enabled |
| Allow web content on New Tab page | Choose whether a new tab page appears.
Default: Enabled |
-| Configure Start pages | Choose the Start page for domain-joined devices.
Set this to **about:blank** |
-| Prevent the First Run webpage from opening pages | Choose whether employees see the First Run webpage.
Default: Enabled |
+| Configure Start pages | Choose the Start page for domain-joined devices.
Set this to **\** |
+| Prevent the First Run webpage from opening on Microsoft Edge | Choose whether employees see the First Run webpage.
Default: Disabled |
The Windows 10, version 1511 Microsoft Edge Group Policy names are:
diff --git a/windows/configuration/provisioning-packages/provisioning-multivariant.md b/windows/configuration/provisioning-packages/provisioning-multivariant.md
index e3479458a2..77755fdf5a 100644
--- a/windows/configuration/provisioning-packages/provisioning-multivariant.md
+++ b/windows/configuration/provisioning-packages/provisioning-multivariant.md
@@ -19,7 +19,7 @@ localizationpriority: high
In your organization, you might have different configuration requirements for devices that you manage. You can create separate provisioning packages for each group of devices in your organization that have different requirements. Or, you can create a multivariant provisioning package, a single provisioning package that can work for multiple conditions. For example, in a single provisioning package, you can define one set of customization settings that will apply to devices set up for French and a different set of customization settings for devices set up for Japanese.
-To provision multivariant settings, you use Windows Imaging and Configuration Designer (ICD) to create a provisioning package that contains all of the customization settings that you want to apply to any of your devices. Next, you manually edit the .XML file for that project to define each set of devices (a **Target**). For each **Target**, you specify at least one **Condition** with a value, which identifies the devices to receive the configuration. Finally, for each **Target**, you provide the customization settings to be applied to those devices.
+To provision multivariant settings, you use Windows Configuration Designer to create a provisioning package that contains all of the customization settings that you want to apply to any of your devices. Next, you manually edit the .XML file for that project to define each set of devices (a **Target**). For each **Target**, you specify at least one **Condition** with a value, which identifies the devices to receive the configuration. Finally, for each **Target**, you provide the customization settings to be applied to those devices.
Let's begin by learning how to define a **Target**.
@@ -258,7 +258,7 @@ Follow these steps to create a provisioning package with multivariant capabiliti
6. Save the updated customizations.xml file and note the path to this updated file. You will need the path as one of the values for the next step.
-7. Use the [Windows ICD command-line interface](provisioning-command-line.md) to create a provisioning package using the updated customizations.xml.
+7. Use the [Windows Configuration Designer command-line interface](provisioning-command-line.md) to create a provisioning package using the updated customizations.xml.
For example:
diff --git a/windows/device-security/TOC.md b/windows/device-security/TOC.md
index ec0aee811a..9305ed157e 100644
--- a/windows/device-security/TOC.md
+++ b/windows/device-security/TOC.md
@@ -12,7 +12,6 @@
#### [Monitor app usage with AppLocker](applocker\monitor-application-usage-with-applocker.md)
#### [Manage packaged apps with AppLocker](applocker\manage-packaged-apps-with-applocker.md)
#### [Working with AppLocker rules](applocker\working-with-applocker-rules.md)
-#### [Working with AppLocker rules](applocker\working-with-applocker-rules.md)
##### [Create a rule that uses a file hash condition](applocker\create-a-rule-that-uses-a-file-hash-condition.md)
##### [Create a rule that uses a path condition](applocker\create-a-rule-that-uses-a-path-condition.md)
##### [Create a rule that uses a publisher condition](applocker\create-a-rule-that-uses-a-publisher-condition.md)
@@ -561,6 +560,7 @@
##### [Network access: Remotely accessible registry paths](security-policy-settings/network-access-remotely-accessible-registry-paths.md)
##### [Network access: Remotely accessible registry paths and subpaths](security-policy-settings/network-access-remotely-accessible-registry-paths-and-subpaths.md)
##### [Network access: Restrict anonymous access to Named Pipes and Shares](security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md)
+##### [Network access: Restrict clients allowed to make remote calls to SAM](security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md)
##### [Network access: Shares that can be accessed anonymously](security-policy-settings/network-access-shares-that-can-be-accessed-anonymously.md)
##### [Network access: Sharing and security model for local accounts](security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md)
##### [Network security: Allow Local System to use computer identity for NTLM](security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md)
diff --git a/windows/device-security/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md b/windows/device-security/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md
index 6887868509..f28eab1191 100644
--- a/windows/device-security/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md
+++ b/windows/device-security/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md
@@ -151,3 +151,4 @@ If the policy is defined, admin tools, scripts and software that formerly enumer
[SAMRi10 - Hardening SAM Remote Access in Windows 10/Server 2016](https://gallery.technet.microsoft.com/SAMRi10-Hardening-Remote-48d94b5b)
+
\ No newline at end of file
diff --git a/windows/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md
index 90098f1ce1..d3a3a91d2b 100644
--- a/windows/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md
@@ -28,7 +28,7 @@ You can use a dedicated command-line tool to perform various functions in Window
This utility can be useful when you want to automate the use of Windows Defender Antivirus.
-The utility is available in _%Program Files%\Windows Defender\MpCmdRun.exe_ and must be run from a command prompt.
+The utility is available in _%ProgramFiles%\Windows Defender\MpCmdRun.exe_ and must be run from a command prompt.
> [!NOTE]
> You may need to open an administrator-level version of the command prompt. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
@@ -51,6 +51,7 @@ Command | Description
\-ListAllDynamicSignature [-Path] | Lists the loaded dynamic signatures
\-RemoveDynamicSignature [-SignatureSetID] | Removes a dynamic signature
\-ValidateMapsConnection | Used to validate connection to the [cloud-delivered protection service](configure-network-connections-windows-defender-antivirus.md)
+\-SignatureUpdate [-UNC [-Path ]] | Checks for new definition updates
diff --git a/windows/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md
index d73a96d98b..194b3e9cfb 100644
--- a/windows/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md
@@ -146,6 +146,8 @@ Use the following argument with the Windows Defender AV command line utility (*m
```DOS
MpCmdRun - ValidateMapsConnection
```
+> [!NOTE]
+> You may need to open an administrator-level version of the command prompt. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
See [Use the mpcmdrun.exe commandline tool to configure and manage Windows Defender Antivirus](command-line-arguments-windows-defender-antivirus.md) for more information on how to use the *mpcmdrun.exe* utility.