diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 5b0aef0b16..095e765c2a 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -1,6 +1,16 @@ { "redirections": [ { +"source_path": "windows/security/threat-protection/intelligence/av-tests.md", +"redirect_url": "/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests", +"redirect_document_id": true +}, +{ +"source_path": "windows/security/threat-protection/intelligence/transparency-report.md", +"redirect_url": "/windows/security/threat-protection/intelligence/av-tests", +"redirect_document_id": true +}, +{ "source_path": "windows/deployment/update/waas-windows-insider-for-business-aad.md", "redirect_url": "https://docs.microsoft.com/en-us/windows-insider/at-work-pro/wip-4-biz-add", "redirect_document_id": true diff --git a/browsers/edge/includes/allow-config-updates-books-include.md b/browsers/edge/includes/allow-config-updates-books-include.md index 325293262e..ee403d0ebc 100644 --- a/browsers/edge/includes/allow-config-updates-books-include.md +++ b/browsers/edge/includes/allow-config-updates-books-include.md @@ -1,5 +1,5 @@ ->*Supported versions: Microsoft Edge on Windows 10, version 1802 or later*
+>*Supported versions: Microsoft Edge on Windows 10, version 1803 or later*
>*Default setting: Enabled or not configured (Allowed)* [!INCLUDE [allow-configuration-updates-for-books-library-shortdesc](../shortdesc/allow-configuration-updates-for-books-library-shortdesc.md)] diff --git a/browsers/edge/includes/allow-ext-telemetry-books-tab-include.md b/browsers/edge/includes/allow-ext-telemetry-books-tab-include.md index 5d516b75b6..68b5ecc3da 100644 --- a/browsers/edge/includes/allow-ext-telemetry-books-tab-include.md +++ b/browsers/edge/includes/allow-ext-telemetry-books-tab-include.md @@ -1,5 +1,5 @@ ->*Supported versions: Microsoft Edge on Windows 10, version 1802 or later*
+>*Supported versions: Microsoft Edge on Windows 10, version 1803 or later*
>*Default setting: Disabled or not configured (Gather and send only basic diagnostic data)* [!INCLUDE [allow-extended-telemetry-for-books-tab-shortdesc](../shortdesc/allow-extended-telemetry-for-books-tab-shortdesc.md)] @@ -32,4 +32,4 @@ - **Value type:** REG_DWORD -
\ No newline at end of file +
diff --git a/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md b/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md index 953c771d7c..c62abeb7fa 100644 --- a/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md +++ b/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md @@ -7,7 +7,7 @@ ms.prod: surface-hub ms.sitesec: library author: jdeckerms ms.author: jdecker -ms.date: 06/01/2018 +ms.date: 08/28/2018 ms.localizationpriority: medium --- @@ -108,8 +108,7 @@ If you have a single-forest on-premises deployment with Microsoft Exchange 2013  ## Disable anonymous email and IM ->[!WARNING] ->This information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + Surface Hub uses a device account to provide email and collaboration services (IM, video, voice). This device account is used as the originating identity (the “from” party) when sending email, IM, and placing calls. As this account is not coming from an individual, identifiable user, it is deemed “anonymous” because it originated from the Surface Hub's device account. diff --git a/devices/surface-hub/on-premises-deployment-surface-hub-multi-forest.md b/devices/surface-hub/on-premises-deployment-surface-hub-multi-forest.md index ff5af2b652..babce30d59 100644 --- a/devices/surface-hub/on-premises-deployment-surface-hub-multi-forest.md +++ b/devices/surface-hub/on-premises-deployment-surface-hub-multi-forest.md @@ -6,7 +6,7 @@ ms.prod: surface-hub ms.sitesec: library author: jdeckerms ms.author: jdecker -ms.date: 06/01/2018 +ms.date: 08/28/2018 ms.localizationpriority: medium --- @@ -97,8 +97,7 @@ If you have a multi-forest on-premises deployment with Microsoft Exchange 2013 o ## Disable anonymous email and IM ->[!WARNING] ->This information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + Surface Hub uses a device account to provide email and collaboration services (IM, video, voice). This device account is used as the originating identity (the “from” party) when sending email, IM, and placing calls. As this account is not coming from an individual, identifiable user, it is deemed “anonymous” because it originated from the Surface Hub's device account. diff --git a/education/get-started/inclusive-classroom-it-admin.md b/education/get-started/inclusive-classroom-it-admin.md index def3d886d3..5500fe19dc 100644 --- a/education/get-started/inclusive-classroom-it-admin.md +++ b/education/get-started/inclusive-classroom-it-admin.md @@ -29,7 +29,6 @@ You will also learn how to deploy apps using Microsoft Intune, turn on or off Ea | Read aloud with simultaneous highlighting | |

X

(N/A for Word for iOS, Word Online, Outlook Web Access, or Office Lens)

|

X

(N/A for Word for iOS, Word Online, Outlook Web Access, or Office Lens)

|

X

|

X

(N/A for Outlook PC)

|

X

(N/A for any OneNote apps or Outlook PC)

| | Adjustable text spacing and font size | |

X

(N/A for Word for iOS, Word Online, Outlook Web Access, or Office Lens)

|

X

(N/A for Word for iOS, Word Online, Outlook Web Access, or Office Lens)

|

X

|

X

|

X

(N/A for any OneNote apps)

| | Syllabification | | |

X

(N/A for Word for iOS, Word Online, Outlook Web Access)

|

X

(N/A for Word iOS)

|

X

(N/A for Word iOS)

|

X

(N/A for any OneNote apps or Word iOS)

| - | Parts of speech identification | |

X

(N/A for Word Online, Outlook Web Access)

|

X

(N/A for Word Online, Outlook Web Access)

|

X

(N/A for any OneNote apps)

|

X

(N/A for any OneNote apps)

|

X

(N/A for any OneNote apps)

| | Line focus mode | | |

X

(N/A for Word Online, Outlook Web Access)

|

X

(N/A for any OneNote apps)

|

X

(N/A for any OneNote apps)

|

X

(N/A for any OneNote apps)

| | Picture Dictionary | | |

X

(N/A for Word Online, Outlook Web Access)

|

X

(N/A for any OneNote apps)

|

X

(N/A for any OneNote apps)

|

X

(N/A for any OneNote apps)

| @@ -48,7 +47,6 @@ You will also learn how to deploy apps using Microsoft Intune, turn on or off Ea | Creating accessible content features | Available in which apps|Office 2016 MSI|Office 2019| Office 365 ProPlus Monthly (C2R) | Office 365 ProPlus Semi Annual (C2R) | Office 365 ProPlus Annual (C2R) | |---|---|---|---|---|---|---| - | Accessibility Checker | | |

X

|

X

| | | | Accessible Templates | | |

X

|

X

| | | | Ability to add alt-text for images | |

X

|

X

|

X

| | | diff --git a/mdop/mbam-v25/high-level-architecture-of-mbam-25-with-configuration-manager-integration-topology.md b/mdop/mbam-v25/high-level-architecture-of-mbam-25-with-configuration-manager-integration-topology.md index 41afc5d8a5..3e9aff0890 100644 --- a/mdop/mbam-v25/high-level-architecture-of-mbam-25-with-configuration-manager-integration-topology.md +++ b/mdop/mbam-v25/high-level-architecture-of-mbam-25-with-configuration-manager-integration-topology.md @@ -7,12 +7,12 @@ ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library ms.prod: w10 -ms.date: 07/18/2017 +ms.date: 08/23/2018 +ms.author: pashort --- -# High-Level Architecture of MBAM 2.5 with Configuration Manager Integration Topology - +# High-level architecture of MBAM 2.5 with Configuration Manager Integration topology This topic describes the recommended architecture for deploying Microsoft BitLocker Administration and Monitoring (MBAM) with the Configuration Manager Integration topology. This topology integrates MBAM with System Center Configuration Manager. To deploy MBAM with the Stand-alone topology, see [High-Level Architecture of MBAM 2.5 with Stand-alone Topology](high-level-architecture-of-mbam-25-with-stand-alone-topology.md). @@ -54,7 +54,7 @@ The recommended number of servers and supported number of clients in a productio   -## Differences between Configuration Manager Integration and Stand-alone topologies +## Differences between Configuration Manager Integration and stand-alone topologies The main differences between the topologies are: @@ -70,15 +70,15 @@ The following diagram and table describe the recommended high-level architecture ![mbam2\-5](images/mbam2-5-cmserver.png) -### Database Server +### Database server -#### Recovery Database +#### Recovery database This feature is configured on a computer running Windows Server and supported SQL Server instance. The **Recovery Database** stores recovery data that is collected from MBAM Client computers. -#### Audit Database +#### Audit database This feature is configured on a computer running Windows Server and supported SQL Server instance. @@ -90,7 +90,7 @@ This feature is configured on a computer running Windows Server and supported SQ The **Reports** provide recovery audit data for the client computers in your enterprise. You can view reports from the Configuration Manager console or directly from SQL Server Reporting Services. -### Configuration Manager Primary Site Server +### Configuration Manager primary site server System Center Configuration Manager Integration feature @@ -102,19 +102,19 @@ System Center Configuration Manager Integration feature - The **Configuration Manager console** must be installed on the same computer on which you install the MBAM Server software. -### Administration and Monitoring Server +### Administration and monitoring server -#### Administration and Monitoring Website +#### Administration and monitoring website This feature is configured on a computer running Windows Server. -The **Administration and Monitoring Website** is used to: +The **Administration and monitoring website** is used to: - Help end users regain access to their computers when they are locked out. (This area of the Website is commonly called the Help Desk.) - View the Recovery Audit Report, which shows recovery activity for client computers. Other reports are viewed from the Configuration Manager console. -#### Self-Service Portal +#### Self-service portal This feature is configured on a computer running Windows Server. @@ -126,21 +126,19 @@ This feature is installed on a computer running Windows Server. The **monitoring web services** are used by the MBAM Client and the websites to communicate to the database. -**Important**   -The Monitoring Web Service is no longer available in Microsoft BitLocker Administration and Monitoring (MBAM) 2.5 SP1 since the MBAM Client and the websites communicate directly with the Recovery Database. +**Important**
The Monitoring Web Service is no longer available in Microsoft BitLocker Administration and Monitoring (MBAM) 2.5 SP1 since the MBAM websites communicate directly with the Recovery Database.   -### Management Workstation +### Management workstation -#### MBAM Group Policy Templates +#### MBAM group policy templates - The **MBAM Group Policy Templates** are Group Policy settings that define implementation settings for MBAM, which enable you to manage BitLocker drive encryption. - Before you run MBAM, you must download the Group Policy Templates from [How to Get MDOP Group Policy (.admx) Templates](https://go.microsoft.com/fwlink/p/?LinkId=393941) and copy them to a server or workstation that is running a supported Windows Server or Windows operating system. - **Note**   - The workstation does not have to be a dedicated computer. + **NOTE**
The workstation does not have to be a dedicated computer.   diff --git a/mdop/mbam-v25/high-level-architecture-of-mbam-25-with-stand-alone-topology.md b/mdop/mbam-v25/high-level-architecture-of-mbam-25-with-stand-alone-topology.md index c494392cfe..1287ee6b02 100644 --- a/mdop/mbam-v25/high-level-architecture-of-mbam-25-with-stand-alone-topology.md +++ b/mdop/mbam-v25/high-level-architecture-of-mbam-25-with-stand-alone-topology.md @@ -109,7 +109,7 @@ This feature is configured on a computer running Windows Server. The **monitoring web services** are used by the MBAM Client and the websites to communicate to the database. **Important**   -The Monitoring Web Service is no longer available in Microsoft BitLocker Administration and Monitoring (MBAM) 2.5 SP1 since the MBAM Client and the websites communicate directly with the Recovery Database. +The Monitoring Web Service is no longer available in Microsoft BitLocker Administration and Monitoring (MBAM) 2.5 SP1 since the MBAM websites communicate directly with the Recovery Database.   diff --git a/windows/application-management/TOC.md b/windows/application-management/TOC.md index b3f1796488..a57f6f1a55 100644 --- a/windows/application-management/TOC.md +++ b/windows/application-management/TOC.md @@ -4,7 +4,8 @@ ## [Enable or block Windows Mixed Reality apps in the enterprise](manage-windows-mixed-reality.md) ## [Understand apps in Windows 10](apps-in-windows-10.md) ## [Add apps and features in Windows 10](add-apps-and-features.md) -### [Repackage win32 apps in the MSIX format](msix-app-packaging-tool.md) +## [Repackage win32 apps in the MSIX format](msix-app-packaging-tool.md) +### [Learn how to repackage win32 apps in the MSIX format](msix-app-packaging-tool-walkthrough.md) ## [Application Virtualization (App-V) for Windows](app-v/appv-for-windows.md) ### [Getting Started with App-V](app-v/appv-getting-started.md) #### [What's new in App-V for Windows 10, version 1703 and earlier](app-v/appv-about-appv.md) diff --git a/windows/application-management/apps-in-windows-10.md b/windows/application-management/apps-in-windows-10.md index 0f95642dd0..af6faf50b6 100644 --- a/windows/application-management/apps-in-windows-10.md +++ b/windows/application-management/apps-in-windows-10.md @@ -8,7 +8,7 @@ ms.pagetype: mobile ms.author: elizapo author: lizap ms.localizationpriority: medium -ms.date: 07/10/2018 +ms.date: 08/23/2018 --- # Understand the different apps included in Windows 10 @@ -20,7 +20,7 @@ The following types of apps run on Windows 10: Digging into the Windows apps, there are two categories: - System apps - Apps that are installed in the c:\Windows\* directory. These apps are integral to the OS. - Apps - All other apps, installed in c:\Program Files\WindowsApps. There are two classes of apps: - - Provisioned: Installed the first time you sign into Windows. You'll see a tile or Start menu item for these apps, but they aren't installed until the first sign-in. + - Provisioned: Installed in user account the first time you sign in with a new user account. - Installed: Installed as part of the OS. The following tables list the system apps, installed Windows apps, and provisioned Windows apps in a standard Windows 10 Enterprise installation. (If you have a custom image, your specific apps might differ.) The tables list the app, the full name, show the app's status in Windows 10 version 1607, 1703, and 1709, and indicate whether an app can be uninstalled through the UI. @@ -30,7 +30,7 @@ Some of the apps show up in multiple tables - that's because their status change > [!TIP] > Want to see a list of the apps installed on your specific image? You can run the following PowerShell cmdlet: > ```powershell -> Get-AppxPackage |Select Name,PackageFamilyName +> Get-AppxPackage | select Name,PackageFamilyName > Get-AppxProvisionedPackage -Online | select DisplayName,PackageName > ``` @@ -38,66 +38,116 @@ Some of the apps show up in multiple tables - that's because their status change System apps are integral to the operating system. Here are the typical system apps in Windows 10 versions 1703, 1709, and 1803. -| Name | Full name |1703 | 1709 | 1803 |Uninstall through UI? | -|------------------|-------------------------------------------|:------:|:------:|:------:|-------------------------------------------------------| -| Cortana UI | CortanaListenUIApp | x | | |No | -| | Desktop Learning | x | | |No | -| | DesktopView | x | | |No | -| | EnvironmentsApp | x | | |No | -| Mixed Reality + | HoloCamera | x | | |No | -| Mixed Reality + | HoloItemPlayerApp | x | | |No | -| Mixed Reality + | HoloShell | x | | |No | -| | InputApp | | x | x |No | -| | Microsoft.AAD.Broker.Plugin | x | x | x |No | -| | Microsoft.AccountsControl | x | x | x |No | -| Hello setup UI | Microsoft.BioEnrollment | x | x | x |No | -| | Microsoft.CredDialogHost | x | x | x |No | -| | Microsoft.ECApp | | x | x |No | -| | Microsoft.LockApp | x | x | x |No | -| Microsoft Edge | Microsoft.Microsoft.Edge | x | x | x |No | -| | Microsoft.PPIProjection | x | x | x |No | -| | Microsoft.Windows. Apprep.ChxApp | x | x | x |No | -| | Microsoft.Windows. AssignedAccessLockApp | x | x | x |No | -| | Microsoft.Windows. CloudExperienceHost | x | x | x |No | -| | Microsoft.Windows. ContentDeliveryManager | x | x | x |No | -| Cortana | Microsoft.Windows.Cortana | x | x | x |No | -| | Microsoft.Windows. Holographic.FirstRun | x | x | x |No | -| | Microsoft.Windows. ModalSharePickerHost | x | | |No | -| | Microsoft.Windows. OOBENetworkCaptivePort | x | x | x |No | -| | Microsoft.Windows. OOBENetworkConnectionFlow | x | x | x |No | -| | Microsoft.Windows. ParentalControls | x | x | x |No | -| People Hub | Microsoft.Windows. PeopleExperienceHost | | x | x |No | -| | Microsoft.Windows. PinningConfirmationDialog | | x | x |No | -| | Microsoft.Windows. SecHealthUI | x | x | x |No | -| | Microsoft.Windows. SecondaryTileExperience | x | x | |No | -| | Microsoft.Windows. SecureAssessmentBrowser | x | x | x |No | -| Start | Microsoft.Windows. ShellExperienceHost | x | x | x |No | -| Windows Feedback | Microsoft.WindowsFeedback | * | * | |No | -| | Microsoft.XboxGameCallableUI | x | x | x |No | -| Contact Support* | Windows.ContactSupport | x | * | |Through the Optional Features app | -| Settings | Windows.ImmersiveControlPanel | x | x | |No | -| Connect | Windows.MiracastView | x | | |No | -| Print 3D | Windows.Print3D | | x | |Yes | -| Print UI | Windows.PrintDialog | x | x | x |No | -| Purchase UI | Windows.PurchaseDialog | | | x |No | -| | Microsoft.AsyncTextService | | | x |No | -| | Microsoft.MicrosoftEdgeDevToolsClient | | | x |No | -| | Microsoft.Win32WebViewHost | | | x |No | -| | Microsoft.Windows.CapturePicker | | | x |No | -| | Windows.CBSPreview | | | x |No | -|File Picker | 1527c705-839a-4832-9118-54d4Bd6a0c89 | | | x |No | -|File Explorer | c5e2524a-ea46-4f67-841f-6a9465d9d515 | | | x |No | -|App Resolver | E2A4F912-2574-4A75-9BB0-0D023378592B | | | x |No | -|Add Suggested folder Dialog box| F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE|| | x |No | +| Name | Full name | 1703 | 1709 | 1803 |Uninstall through UI? | +|------------------|--------------------------------------------|:----:|:----:|:----:|:----------------------------------:| +| Cortana UI | CortanaListenUIApp | x | | |No | +| | Desktop Learning | x | | |No | +| | DesktopView | x | | |No | +| | EnvironmentsApp | x | | |No | +| Mixed Reality + | HoloCamera | x | | |No | +| Mixed Reality + | HoloItemPlayerApp | x | | |No | +| Mixed Reality + | HoloShell | x | | |No | +| | InputApp | | x | x |No | +| | Microsoft.AAD.BrokerPlugin | x | x | x |No | +| | Microsoft.AccountsControl | x | x | x |No | +| Hello setup UI | Microsoft.BioEnrollment | x | x | x |No | +| | Microsoft.CredDialogHost | x | x | x |No | +| | Microsoft.ECApp | | x | x |No | +| | Microsoft.LockApp | x | x | x |No | +| Microsoft Edge | Microsoft.MicrosoftEdge | x | x | x |No | +| | Microsoft.PPIProjection | x | x | x |No | +| | Microsoft.Windows.Apprep.ChxApp | x | x | x |No | +| | Microsoft.Windows.AssignedAccessLockApp | x | x | x |No | +| | Microsoft.Windows.CloudExperienceHost | x | x | x |No | +| | Microsoft.Windows.ContentDeliveryManager | x | x | x |No | +| Cortana | Microsoft.Windows.Cortana | x | x | x |No | +| | Microsoft.Windows.Holographic.FirstRun | x | x | x |No | +| | Microsoft.Windows.ModalSharePickerHost | x | | |No | +| | Microsoft.Windows.OOBENetworkCaptivePort | x | x | x |No | +| | Microsoft.Windows.OOBENetworkConnectionFlow| x | x | x |No | +| | Microsoft.Windows.ParentalControls | x | x | x |No | +| People Hub | Microsoft.Windows.PeopleExperienceHost | | x | x |No | +| | Microsoft.Windows.PinningConfirmationDialog| | x | x |No | +| | Microsoft.Windows.SecHealthUI | x | x | x |No | +| | Microsoft.Windows.SecondaryTileExperience | x | x | |No | +| | Microsoft.Windows.SecureAssessmentBrowser | x | x | x |No | +| Start | Microsoft.Windows.ShellExperienceHost | x | x | x |No | +| Windows Feedback | Microsoft.WindowsFeedback | * | * | |No | +| | Microsoft.XboxGameCallableUI | x | x | x |No | +| Contact Support\* | Windows.ContactSupport | x | * | |via Optional Features app | +| Settings | Windows.ImmersiveControlPanel | x | x | |No | +| Connect | Windows.MiracastView | x | | |No | +| Print 3D | Windows.Print3D | | x | |Yes | +| Print UI | Windows.PrintDialog | x | x | x |No | +| Purchase UI | Windows.PurchaseDialog | | | x |No | +| | Microsoft.AsyncTextService | | | x |No | +| | Microsoft.MicrosoftEdgeDevToolsClient | | | x |No | +| | Microsoft.Win32WebViewHost | | | x |No | +| | Microsoft.Windows.CapturePicker | | | x |No | +| | Windows.CBSPreview | | | x |No | +|File Picker | 1527c705-839a-4832-9118-54d4Bd6a0c89 | | | x |No | +|File Explorer | c5e2524a-ea46-4f67-841f-6a9465d9d515 | | | x |No | +|App Resolver | E2A4F912-2574-4A75-9BB0-0D023378592B | | | x |No | +|Add Suggested folder Dialog box| F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE|| | x |No | + +>[!NOTE] +>\* The Contact Support app changed to Get Help in version 1709. Get Help is a provisioned app (instead of system app like Contact Support). + +## Provisioned Windows apps + +Here are the typical provisioned Windows apps in Windows 10 versions 1703, 1709, and 1803. + +| App Name (Canonical) | Display Name | 1703 | 1709 | 1803 | Uninstall via UI? | +|--------------------------------|------------------------|:-----:|:----:|:----:|:-----------------:| +| 3D Builder | [Microsoft.3DBuilder](ms-windows-store://pdp/?PFN=Microsoft.3DBuilder_8wekyb3d8bbwe) | x | | | Yes | +| App Installer | [Microsoft.DesktopAppInstaller](ms-windows-store://pdp/?PFN=Microsoft.DesktopAppInstaller_8wekyb3d8bbwe) | x | x | x | Via Settings App | +| Feedback Hub | [Microsoft.WindowsFeedbackHub](ms-windows-store://pdp/?PFN=Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe) | x | x | x | Yes | +| Get Help | [Microsoft.GetHelp](ms-windows-store://pdp/?PFN=Microsoft.Gethelp_8wekyb3d8bbwe) | | x | x | No | +| Get Office | [Microsoft.MicrosoftOfficeHub](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe) | x | x | x | Yes | +| Groove Music | [Microsoft.ZuneMusic](ms-windows-store://pdp/?PFN=Microsoft.ZuneMusic_8wekyb3d8bbwe) | x | x | x | No | +| Mail and Calendar | [Microsoft.windowscommunicationsapps](ms-windows-store://pdp/?PFN=microsoft.windowscommunicationsapps_8wekyb3d8bbwe) | x | x | x | No | +| Microsoft Messaging | [Microsoft.Messaging](ms-windows-store://pdp/?PFN=Microsoft.Messaging_8wekyb3d8bbwe) | x | x | x | No | +| Microsoft People | [Microsoft.People](ms-windows-store://pdp/?PFN=Microsoft.People_8wekyb3d8bbwe) | x | x | x | No | +| Microsoft Photos | [Microsoft.Windows.Photos](ms-windows-store://pdp/?PFN=Microsoft.Windows.Photos_8wekyb3d8bbwe) | x | x | x | No | +| Microsoft Solitaire Collection | [Microsoft.MicrosoftSolitaireCollection](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe) | x | x | x | Yes | +| Microsoft Sticky Notes | [Microsoft.MicrosoftStickyNotes](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe) | x | x | x | No | +| Microsoft Tips | [Microsoft.Getstarted](ms-windows-store://pdp/?PFN=Microsoft.Getstarted_8wekyb3d8bbwe) | x | x | x | Yes | +| Mixed Reality Viewer | [Microsoft.Microsoft3DViewer](ms-windows-store://pdp/?PFN=Microsoft.Microsoft3DViewer_8wekyb3d8bbwe) | x | x | x | No | +| Movies & TV | [Microsoft.ZuneVideo](ms-windows-store://pdp/?PFN=Microsoft.ZuneVideo_8wekyb3d8bbwe) | x | x | x | No | +| MSN Weather (BingWeather | [Microsoft.BingWeather](ms-windows-store://pdp/?PFN=Microsoft.BingWeather_8wekyb3d8bbwe) | x | x | x | Yes | +| One Note | [Microsoft.Office.OneNote](ms-windows-store://pdp/?PFN=Microsoft.Office.OneNote_8wekyb3d8bbwe) | x | x | x | Yes | +| Paid Wi-Fi & Cellular | [Microsoft.OneConnect](ms-windows-store://pdp/?PFN=Microsoft.OneConnect_8wekyb3d8bbwe) | x | x | x | Yes | +| Paint 3D | [Microsoft.MSPaint](ms-windows-store://pdp/?PFN=Microsoft.MSPaint_8wekyb3d8bbwe) | x | x | x | No | +| Print 3D | [Microsoft.Print3D](ms-windows-store://pdp/?PFN=Microsoft.Print3D_8wekyb3d8bbwe) | | x | x | No | +| Skype | [Microsoft.SkypeApp](ms-windows-store://pdp/?PFN=Microsoft.SkypeApp_kzf8qxf38zg5c) | x | x | x | Yes | +| Store Purchase App\* | App not available in store | x | x | x | No | +| Wallet | App not available in store | x | x | x | No | +| Web Media Extensions | [Microsoft.WebMediaExtensions](ms-windows-store://pdp/?PFN=Microsoft.WebMediaExtensions_8wekyb3d8bbwe) | | | x | No | +| Windows Alarms & Clock | [Microsoft.WindowsAlarms](ms-windows-store://pdp/?PFN=Microsoft.WindowsAlarms_8wekyb3d8bbwe) | x | x | x | No | +| Windows Calculator | [Microsoft.WindowsCalculator](ms-windows-store://pdp/?PFN=Microsoft.WindowsCalculator_8wekyb3d8bbwe) | x | x | x | No | +| Windows Camera | [Microsoft.WindowsCamera](ms-windows-store://pdp/?PFN=Microsoft.WindowsCamera_8wekyb3d8bbwe) | x | x | x | No | +| Windows Maps | [Microsoft.WindowsMaps](ms-windows-store://pdp/?PFN=Microsoft.WindowsMaps_8wekyb3d8bbwe) | x | x | x | No | +| Windows Store | [Microsoft.WindowsStore](ms-windows-store://pdp/?PFN=Microsoft.WindowsStore_8wekyb3d8bbwe) | x | x | x | No | +| Windows Voice Recorder | [Microsoft.SoundRecorder](ms-windows-store://pdp/?PFN=Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe) | x | x | x | No | +| Xbox | [Microsoft.XboxApp](ms-windows-store://pdp/?PFN=Microsoft.XboxApp_8wekyb3d8bbwe) | x | x | x | No | +| Xbox Game Bar | [Microsoft.XboxGameOverlay](ms-windows-store://pdp/?PFN=Microsoft.XboxGameOverlay_8wekyb3d8bbwe) | x | x | x | No | +| Xbox Gaming Overlay | [Microsoft.XboxGamingOverlay](ms-windows-store://pdp/?PFN=Microsoft.XboxGamingOverlay_8wekyb3d8bbwe) | | | x | No | +| Xbox Identity Provider | [Microsoft.XboxIdentityProvider](ms-windows-store://pdp/?PFN=Microsoft.XboxIdentityProvider_8wekyb3d8bbwe) | x | x | x | No | +| Xbox Speech to Text Overlay | App not available in store | x | x | x | No | +| Xbox TCUI | [Microsoft.Xbox.TCUI](ms-windows-store://pdp/?PFN=Microsoft.Xbox.TCUI_8wekyb3d8bbwe) | | x | x | No | + +>[!NOTE] +>\* The Store app can't be removed. If you want to remove and reinstall the Store app, you can only bring Store back by either restoring your system from a backup or resetting your system. Instead of removing the Store app, you should use group policies to hide or disable it. + + -> [!NOTE] -> - The Contact Support app changed to Get Help in version 1709. Get Help is a provisioned app (instead of system app like Contact Support). ## Installed Windows apps + Here are the typical installed Windows apps in Windows 10 versions 1703, 1709, and 1803. -| Name | Full name | 1703 | 1709 | 1803 |Uninstall through UI? | -|--------------------|------------------------------------------|:----:|:----:|:----:|----------------------| +| Name | DisplayName | 1703 | 1709 | 1803 |Uninstall through UI? | +|--------------------|------------------------------------------|:----:|:----:|:----:|:----------------------:| | Remote Desktop | Microsoft.RemoteDesktop | x | x | | Yes | | PowerBI | Microsoft.Microsoft PowerBIforWindows | x | | | Yes | | Code Writer | ActiproSoftwareLLC.562882FEEB491 | x | x | x | Yes | @@ -106,7 +156,7 @@ Here are the typical installed Windows apps in Windows 10 versions 1703, 1709, a | Photoshop Express | AdobeSystemIncorporated. AdobePhotoshop | x | x | x | Yes | | Duolingo | D5EA27B7.Duolingo- LearnLanguagesforFree | x | x | x | Yes | | Network Speed Test | Microsoft.NetworkSpeedTest | x | x | x | Yes | -| News | Microsoft.BingNews | x | x | x | Yes | +| News | Microsoft.BingNews | x | x | x | Yes | | Flipboard | | | | | Yes | | | Microsoft.Advertising.Xaml | x | x | x | Yes | | | Microsoft.NET.Native.Framework.1.2 | x | x | x | Yes | @@ -177,3 +227,4 @@ Here are the typical provisioned Windows apps in Windows 10 versions 1703, 1709, >The Store app can't be removed. If you want to remove and reinstall the Store app, you can only bring Store back by either restoring your system from a backup or resetting your system. Instead of removing the Store app, you should use group policies to hide or disable it. +--- diff --git a/windows/application-management/images/Createpackage.PNG b/windows/application-management/images/Createpackage.PNG new file mode 100644 index 0000000000..4ae246a743 Binary files /dev/null and b/windows/application-management/images/Createpackage.PNG differ diff --git a/windows/application-management/images/Installation.PNG b/windows/application-management/images/Installation.PNG new file mode 100644 index 0000000000..9c3197ada5 Binary files /dev/null and b/windows/application-management/images/Installation.PNG differ diff --git a/windows/application-management/images/Managefirstlaunchtasks.PNG b/windows/application-management/images/Managefirstlaunchtasks.PNG new file mode 100644 index 0000000000..edcf1a23e8 Binary files /dev/null and b/windows/application-management/images/Managefirstlaunchtasks.PNG differ diff --git a/windows/application-management/images/PackageSupport.PNG b/windows/application-management/images/PackageSupport.PNG new file mode 100644 index 0000000000..1bbca6865a Binary files /dev/null and b/windows/application-management/images/PackageSupport.PNG differ diff --git a/windows/application-management/images/Packageinfo.PNG b/windows/application-management/images/Packageinfo.PNG new file mode 100644 index 0000000000..be3b9b98dd Binary files /dev/null and b/windows/application-management/images/Packageinfo.PNG differ diff --git a/windows/application-management/images/Selectinstaller.PNG b/windows/application-management/images/Selectinstaller.PNG new file mode 100644 index 0000000000..7ffd984bed Binary files /dev/null and b/windows/application-management/images/Selectinstaller.PNG differ diff --git a/windows/application-management/images/donemonitoring..PNG b/windows/application-management/images/donemonitoring..PNG new file mode 100644 index 0000000000..d39102b961 Binary files /dev/null and b/windows/application-management/images/donemonitoring..PNG differ diff --git a/windows/application-management/images/preparecomputer.PNG b/windows/application-management/images/preparecomputer.PNG new file mode 100644 index 0000000000..43b2e3e965 Binary files /dev/null and b/windows/application-management/images/preparecomputer.PNG differ diff --git a/windows/application-management/images/preparingpackagestep.PNG b/windows/application-management/images/preparingpackagestep.PNG new file mode 100644 index 0000000000..5b06e11d0d Binary files /dev/null and b/windows/application-management/images/preparingpackagestep.PNG differ diff --git a/windows/application-management/images/selectEnvironmentThiscomputer.PNG b/windows/application-management/images/selectEnvironmentThiscomputer.PNG new file mode 100644 index 0000000000..bf6f3b4bf0 Binary files /dev/null and b/windows/application-management/images/selectEnvironmentThiscomputer.PNG differ diff --git a/windows/application-management/images/selectEnvironmentVM.PNG b/windows/application-management/images/selectEnvironmentVM.PNG new file mode 100644 index 0000000000..dd6e1f9168 Binary files /dev/null and b/windows/application-management/images/selectEnvironmentVM.PNG differ diff --git a/windows/application-management/images/welcomescreen.PNG b/windows/application-management/images/welcomescreen.PNG new file mode 100644 index 0000000000..cd551740a8 Binary files /dev/null and b/windows/application-management/images/welcomescreen.PNG differ diff --git a/windows/application-management/msix-app-packaging-tool-walkthrough.md b/windows/application-management/msix-app-packaging-tool-walkthrough.md new file mode 100644 index 0000000000..b85a15753e --- /dev/null +++ b/windows/application-management/msix-app-packaging-tool-walkthrough.md @@ -0,0 +1,160 @@ +--- +title: Learn how to repackage your existing win32 applications to the MSIX format. This walkthrough provides in-depth detail on how the MSIX app packaging tool can be used. +description: Learn how to use the MSIX packaging tool with this in-depth walkthrough. +keywords: ["MSIX", "application", "app", "win32", "packaging tool"] +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.localizationpriority: medium +ms.author: mikeblodge +ms.topic: article +ms.date: 08/027/2018 +--- + +# MSIX Packaging tool walkthrough + +Learn how to repackage your legacy win32 application installers to MSIX, without the need for making code changes to your apps. The MSIX Packaging Tool allows you to modernize your app to take adavantage of Microsoft Store or Microsoft Store for Business to deploy apps on Windows 10 in S mode. + +## Terminology + + +|Term |Definition | +|---------|---------| +|MPT | MSIX Packaging Tool. An enterprise grade tool that allows to package apps in the enterprise easily as MSIX without app code changes. | +|PSF | Package Support Framework. An open source framework to allow the packaging tool and the IT Admin to apply targeted fixes to the app in order to bypass some of the modern environment constrains. Some fixes will be added automatically by the tool and some will be added manually. | +|Modification Package | MSIX package to stores app preferences/settings and add-ins, decoupled from the main package. | +|Installer | Application installer can be an MSI, EXE, App-V , ClickOnce. | +|Project template file | Template file that saves the settings and parameters used for a certain package conversion. Information captured in the template includes general Tooling packaging options, settings in the options menus like exclusion lists, package deployment settings, application install location, package manifest information like Package Family Name, publisher, version and package properties like capabilities and advanced enterprise features. | + +## Creating an Application package + +![Create a package](images/welcomescreen.png) + +When the tool is first launched, you will be prompted to provide consent to sending telemtry data. It's important to note that the diagnostic data you share only comes from the app and is never used to identify or contact you. This just helps us fix things faster for you. + +![creating an application package](images/Selectinstaller.png) + +Creating an Application package is the most commonly used option. This is where you will create an MSIX package from an installer, or by manual installation of application payload. +- If an installer is being used, browse to and select the desired application installer and click **Next**. + - This field accepts a valid existing file path. + - The field can be empty if you are manually packaging. +- If there is no installer (manual packaging) click **Next**. + +*Optionally* +- Check the box under "Use Existing MSIX Package", browse, and select an existing MSIX package you'd like to update. +- Check the box under "Use installer Preferences" and enter the desired argument in the provided field. This field accepts any string. + +### Packaging method +![selecting the package environment](images/selectenvironmentthiscomputer.png) +- Select the packaging environment by selecting one of the radio buttons: + - "Create package on an existing virtual machine" if you plan to do the package creation on a VM. Click **Next**. (You will be presented with user and password fields to provide credentials for the VM if there are any). + - "Create package on this computer" if you plan to package the application on the current machine where the tool is installed. Click **Next**. + +### Create package on this computer + +![Create a package on this computer](images/packageinfo.png) + +You've selected to package your application on the current machine where the tool is installed. Nice job! Provide the information pertaining to the app. The tool will try to auto-fill these fields based on the information available from the installer. You will always have a choice to update the entries as needed. If the field as an asterisk*, it's required, but you already knew that. Inline help is provided if the entry is not valid. + +- Package name: + - Required and corresponds to package identity Name in the manifest to describe the contents of the package. + - Must match the Name subject information of the certificate used to sign a package. + - Is not shown to the end user. + - Is case-sensitive and cannot have a space. + - Can accept string between 3 and 50 characters in length that consists of alpha-numeric, period, and dash characters. + - Cannot end with a period and be one of these: "CON", "PRN", "AUX", "NUL", "COM1", "COM2", "COM3", "COM4", "COM5", "COM6", "COM7", "COM8", "COM9", "LPT1", "LPT2", "LPT3", "LPT4", "LPT5", "LPT6", "LPT7", "LPT8", and "LPT9." +- Package display name: + - Required and corresponds to package in the manifest to display a friendly package name to the user, in start menu and settings pages. + - Field accepts A string between 1 and 256 characters in length and is localizable. +- Publisher name + - Required and corresponds to package that describes the publisher information. + - The Publisher attribute must match the publisher subject information of the certificate used to sign a package. + - This field accepts a string between 1 and 8192 characters in length that fits the regular expression of a distinguished name : "(CN | L | O | OU | E | C | S | STREET | T | G | I | SN | DC | SERIALNUMBER | Description | PostalCode | POBox | Phone | X21Address | dnQualifier | (OID.(0 | [1-9][0-9])(.(0 | [1-9][0-9]))+))=(([^,+="<>#;])+ | ".")(, ((CN | L | O | OU | E | C | S | STREET | T | G | I | SN | DC | SERIALNUMBER | Description | PostalCode | POBox | Phone | X21Address | dnQualifier | (OID.(0 | [1-9][0-9])(.(0 | [1-9][0-9]))+))=(([^,+="<>#;])+ | ".")))*". +- Publisher display name + - Reuqired and corresponds to package in the manifest to display a friendly publisher name to the user, in App installer and settings pages. + - Field accepts A string between 1 and 256 characters in length and is localizable. +- Version + - Required and corresponds to package in the manifest to describe the The version number of the package. + - This field accepts a version string in quad notation, "Major.Minor.Build.Revision". +- Install location + - This is the location that the installer is going to copy the application payload to (usually Programs Files folder). + - This field is optional but recommended. + - Browse to and select a folder path. + - Make sure this filed matches Installers Install location while you go through the application install operation. + +### Prepare computer + +![prepare your computer](images/preparecomputer.png) + +- You are provided with options to prepare the computer for packaging. +- MSIX Packaging Tool Driver is required and the tool will automatically try to enable it if it is not enabled. + > [!NOTE] + > MSIX Packaging tool driver monitors the system to capture the changes that an installer is making on the system which allows MSIX Packaging Tool to create a package based on those changes. + - The tool will first check with DISM to see if the driver is installed. +- [Optional] Check the box for “Windows Search is Active” and select “disable selected” if you choose to disable the search service. + - This is not required, only recommended. + - Once disabled, the tool will update the status field to “disabled” +- [Optional] Check the box for “Windows Update is Active” and select “disable selected” if you choose to disable the Update service. + - This is not required, only recommended. + - Once disabled, the tool will update the status field to “disabled” +- “Pending reboot” checkbox is disabled by default. You'll need to manually restart the machine and then launch the tool again if you are prompted that pending operations need a reboot. + - This not required, only recommended. +When you're done preparing the machine, click **Next**. + +### Installation + +![Installation phase for capturing the install operations](images/installation.png) + +- This is installation phase where the tool is monitoring and capturing the application install operations. +- If you've provided an installer, the tool will launch the installer and you'll need to go through the installer wizard to install the application. + - Make sure the installation path matches what was defined earlier in the package information page. + - You'll need to create a shortcut in desktop for the newly installed application. + - Once you're done with the application installation wizard, make sure you finish or close on the installation wizard. + - If you need to run multiple installers you can do that manually at this point. + - If the app needs other pre-reqs, you need to install them now. + - If the application needs .Net 3.5/20, add the optional feature to Windows. +- If installer was not provided, manually copy the application binaries to the install location that you've defined earlier in package information. +- When you've completed installing the application, click **Next**. + +### Manage first launch tasks + +![Managing first launch tasks](images/managefirstlaunchtasks.png) + +- This page shows application executables that the tool captured. +- We recommended launching the application at least once to capture any first launch tasks. +- If there are multiple applications, check the box that corresponds to the main entry point. +- If you don't see the application .exe here, manually browse to and run it. +- Click **Next** + +![pop up asking for confirmation you are done monitoring](images/donemonitoring..png) + +You'll be prompted with a pop up asking for confirmation that you're finished with application installation and managing first launch tasks. +- If you're done, click **Yes, move on**. +- If you're not done, click **No, I'm not done**. You'll be taken back to the last page to where you can launch applications, install or copy other files, and dlls/executables. + +### Package support report + +![Package support, runtime fixes that might be appliciable to the app](images/packagesupport.png) + +- Here you'll have a chance to add PSF runtime fixes that might be applicable to the application. *(not supported in preview)* + - The tool will make some suggestions and apply fixes that it thinks are applicable. + - You'll have the opportunity to add, remove or edit PSF runtime fixes + - You can see a list of PSFs provided by the community from Github. + - You'll also see a packaging report on this page. The report will call out noteworthy items for example: + - If certain restricted capabilities like allowElevation is added + - If certain files were excluded from the package. + - Etc +Once done, click **Next**. + +## Create package + +![Creating the new package](images/createpackage.png) + +- Provide a location to save the MSIX package. +- By default, packages are saved in local app data folder. +- You can define the default save location in Settings menu. +- If you'd like to continue to edit the content and properties of the package before saving the MSIX package, you can select “Package editor” and be taken to package editor. +- If you prefer to sign the package with a pre-made certificate for testing, browse to and select the certificate. +- Click **Create** to create the MSIX package. + +You'll be presented with the pop up when the package is created. This pop up will include the name, publisher, and save location of the newly created package. You can close this pop up and get redirected to the welcome page. You can also select package editor to see and modify the package content and properties. diff --git a/windows/application-management/msix-app-packaging-tool.md b/windows/application-management/msix-app-packaging-tool.md index a147f74977..9fbf85d99b 100644 --- a/windows/application-management/msix-app-packaging-tool.md +++ b/windows/application-management/msix-app-packaging-tool.md @@ -67,6 +67,20 @@ Examples: - MsixPackagingTool.exe create-package --template c:\users\documents\ConversionTemplate.xml - MSIXPackagingTool.exe create-package --template c:\users\documents\ConversionTemplate.xml --virtualMachinePassword pswd112893 +## Creating an application package using virtual machines + +You can select to perform the packaging steps on a virtual machine. To do this: +- Click on Application package and select “Create package on an existing virtual machine” in the select environment page. +- The tool will then query for existing Virtual machines and allows you to select one form a drop down menu. +- Once a VM is selected the tool will ask for user and password. The username field accepts domain\user entries as well. + +When using local virtual machines as conversion environment, the tool leverages an authenticated remote PowerShell connection to configure the virtual machine. A lightweight WCF server then provides bidirectional communication between the host and target environment. + +Requirements: +- Virtual Machine need to have PSRemoting enabled. (Enable-PSRemoting command should be run on the VM) +- Virtual Machine needs to be configured for Windows Insider Program similar to the host machine. Minimum Windows 10 build 17701 + + ## Conversion template file @@ -168,7 +182,7 @@ Examples: ``` ## Conversion template parameter reference -Here is the complete list of parameters that you can use in the Conversion template file. +Here is the complete list of parameters that you can use in the Conversion template file. When a virtual machine is conversion environment, all file paths(installer, savelocation, etc) should be declared relative to the host, where the tool is running) |ConversionSettings entries |Description | @@ -189,7 +203,7 @@ Here is the complete list of parameters that you can use in the Conversion templ |SaveLocation |[optional] An element to specify the save location of the tool. If not specified, the package will be saved under the Desktop folder. | |SaveLocation::Path |The path to the folder where the resulting MSIX package is saved. | |Installer::Path |The path to the application installer. | -|Installer::Arguments |The arguments to pass to the installer. You must pass the arguments to force your installer to run unattended/silently. | +|Installer::Arguments |The arguments to pass to the installer. You must pass the arguments to force your installer to run unattended/silently. If the installer is an msi or appv, pass an empty argument ie Installer=””. | |Installer::InstallLocation |[optional] The full path to your application's root folder for the installed files if it were installed (e.g. "C:\Program Files (x86)\MyAppInstalllocation"). | |VirtualMachine |[optional] An element to specify that the conversion will be run on a local Virtual Machine. | |VrtualMachine::Name |The name of the Virtual Machine to be used for the conversion environment. | diff --git a/windows/client-management/mandatory-user-profile.md b/windows/client-management/mandatory-user-profile.md index 675af55231..01387c62d6 100644 --- a/windows/client-management/mandatory-user-profile.md +++ b/windows/client-management/mandatory-user-profile.md @@ -7,7 +7,7 @@ ms.mktglfcycl: manage ms.sitesec: library author: jdeckerms ms.author: jdecker -ms.date: 10/16/2017 +ms.date: 08/28/2018 --- # Create mandatory user profiles @@ -39,7 +39,7 @@ The name of the folder in which you store the mandatory profile must use the cor | Windows 8 | Windows Server 2012 | v3 | | Windows 8.1 | Windows Server 2012 R2 | v4 | | Windows 10, versions 1507 and 1511 | N/A | v5 | -| Windows 10, version 1607 (Anniversary Update) and version 1703 (Creators Update) | Windows Server 2016 | v6 | +| Windows 10, versions 1607, 1703, 1709, and 1803 | Windows Server 2016 | v6 | For more information, see [Deploy Roaming User Profiles, Appendix B](https://technet.microsoft.com/library/jj649079.aspx) and [Roaming user profiles versioning in Windows 10 and Windows Server Technical Preview](https://support.microsoft.com/kb/3056198). diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md index 622256b740..fb005e7c58 100644 --- a/windows/client-management/mdm/bitlocker-csp.md +++ b/windows/client-management/mdm/bitlocker-csp.md @@ -14,7 +14,7 @@ ms.date: 07/16/2018 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -The BitLocker configuration service provider (CSP) is used by the enterprise to manage encryption of PCs and devices. This CSP was added in Windows 10, version 1703. +The BitLocker configuration service provider (CSP) is used by the enterprise to manage encryption of PCs and devices. This CSP was added in Windows 10, version 1703. Starting in Windows 10, next major version, it is also supported in Windows 10 Pro. > [!Note] > Settings are enforced only at the time encryption is started. Encryption is not restarted with settings changes. diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index 7128dc2808..9b8ec08886 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md @@ -7,7 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 08/17/2018 +ms.date: 08/27/2018 --- # Configuration service provider reference @@ -276,7 +276,7 @@ Footnotes: cross mark - cross mark + check mark5 check mark2 check mark2 check mark2 diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 1184e33d18..aa4a9bb4f1 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -7,7 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 08/17/2018 +ms.date: 08/24/2018 --- # Policy CSP @@ -3114,6 +3114,9 @@ The following diagram shows the Policy configuration service provider in tree fo
System/AllowBuildPreview
+
+ System/AllowDeviceNameInDiagnosticData +
System/AllowEmbeddedMode
@@ -3138,12 +3141,21 @@ The following diagram shows the Policy configuration service provider in tree fo
System/BootStartDriverInitialization
+
+ System/ConfigureMicrosoft365UploadEndpoint +
System/ConfigureTelemetryOptInChangeNotification
System/ConfigureTelemetryOptInSettingsUx
+
+ System/DisableDeviceDelete +
+
+ System/DisableDiagnosticDataViewer +
System/DisableEnterpriseAuthProxy
@@ -4839,12 +4851,16 @@ The following diagram shows the Policy configuration service provider in tree fo - [Storage/AllowDiskHealthModelUpdates](./policy-csp-storage.md#storage-allowdiskhealthmodelupdates) - [Storage/EnhancedStorageDevices](./policy-csp-storage.md#storage-enhancedstoragedevices) - [System/AllowBuildPreview](./policy-csp-system.md#system-allowbuildpreview) +- [System/AllowDeviceNameInDiagnosticData](./policy-csp-system.md#system-allowdevicenameindiagnosticdata) - [System/AllowFontProviders](./policy-csp-system.md#system-allowfontproviders) - [System/AllowLocation](./policy-csp-system.md#system-allowlocation) - [System/AllowTelemetry](./policy-csp-system.md#system-allowtelemetry) - [System/BootStartDriverInitialization](./policy-csp-system.md#system-bootstartdriverinitialization) +- [System/ConfigureMicrosoft365UploadEndpoint](./policy-csp-system.md#system-configuremicrosoft365uploadendpoint) - [System/ConfigureTelemetryOptInChangeNotification](./policy-csp-system.md#system-configuretelemetryoptinchangenotification) - [System/ConfigureTelemetryOptInSettingsUx](./policy-csp-system.md#system-configuretelemetryoptinsettingsux) +- [System/DisableDeviceDelete](./policy-csp-system.md#system-disabledevicedelete) +- [System/DisableDiagnosticDataViewer](./policy-csp-system.md#system-disablediagnosticdataviewer) - [System/DisableEnterpriseAuthProxy](./policy-csp-system.md#system-disableenterpriseauthproxy) - [System/DisableOneDriveFileSync](./policy-csp-system.md#system-disableonedrivefilesync) - [System/DisableSystemRestore](./policy-csp-system.md#system-disablesystemrestore) diff --git a/windows/client-management/mdm/policy-csp-settings.md b/windows/client-management/mdm/policy-csp-settings.md index a88b2464f6..5886443c5d 100644 --- a/windows/client-management/mdm/policy-csp-settings.md +++ b/windows/client-management/mdm/policy-csp-settings.md @@ -793,7 +793,7 @@ The following list shows the supported values: -Added in Windows 10, version 1703. Allows IT Admins to either prevent specific pages in the System Settings app from being visible or accessible, or to do so for all pages except those specified. The mode will be specified by the policy string beginning with either the string "showonly:" or "hide:".  Pages are identified by a shortened version of their already published URIs, which is the URI minus the "ms-settings:" prefix. For example, if the URI for a settings page is "ms-settings:foo", the page identifier used in the policy will be just "foo". Multiple page identifiers are separated by semicolons. +Added in Windows 10, version 1703. Allows IT Admins to either prevent specific pages in the System Settings app from being visible or accessible, or to do so for all pages except those specified. The mode will be specified by the policy string beginning with either the string "showonly:" or "hide:".  Pages are identified by a shortened version of their already published URIs, which is the URI minus the "ms-settings:" prefix. For example, if the URI for a settings page is "ms-settings:bluetooth", the page identifier used in the policy will be just "bluetooth". Multiple page identifiers are separated by semicolons. The following example illustrates a policy that would allow access only to the about and bluetooth pages, which have URI "ms-settings:about" and "ms-settings:bluetooth" respectively: @@ -807,17 +807,17 @@ The format of the PageVisibilityList value is as follows: - There are two variants: one that shows only the given pages and one which hides the given pages. - The first variant starts with the string "showonly:" and the second with the string "hide:". - Following the variant identifier is a semicolon-delimited list of page identifiers, which must not have any extra whitespace. -- Each page identifier is the ms-settings:xyz URI for the page, minus the ms-settings: prefix, so the identifier for the page with URI "ms-settings:wi-fi" would be just "wi-fi". +- Each page identifier is the ms-settings:xyz URI for the page, minus the ms-settings: prefix, so the identifier for the page with URI "ms-settings:network-wifi" would be just "network-wifi". The default value for this setting is an empty string, which is interpreted as show everything. -Example 1, specifies that only the wifi and bluetooth pages should be shown (they have URIs ms-settings:wi-fi and ms-settings:bluetooth). All other pages (and the categories they're in) will be hidden: +Example 1, specifies that only the wifi and bluetooth pages should be shown (they have URIs ms-settings:network-wifi and ms-settings:bluetooth). All other pages (and the categories they're in) will be hidden: -showonly:wi-fi;bluetooth +showonly:network-wifi;bluetooth Example 2, specifies that the wifi page should not be shown: -hide:wifi +hide:network-wifi diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index 63649af40c..77421bcad4 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -1,1198 +1,1443 @@ ---- -title: Policy CSP - System -description: Policy CSP - System -ms.author: maricia -ms.topic: article -ms.prod: w10 -ms.technology: windows -author: MariciaAlforque -ms.date: 07/30/2018 ---- - -# Policy CSP - System - -> [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - - -
- - -## System policies - -
-
- System/AllowBuildPreview -
-
- System/AllowEmbeddedMode -
-
- System/AllowExperimentation -
-
- System/AllowFontProviders -
-
- System/AllowLocation -
-
- System/AllowStorageCard -
-
- System/AllowTelemetry -
-
- System/AllowUserToResetPhone -
-
- System/BootStartDriverInitialization -
-
- System/ConfigureTelemetryOptInChangeNotification -
-
- System/ConfigureTelemetryOptInSettingsUx -
-
- System/DisableEnterpriseAuthProxy -
-
- System/DisableOneDriveFileSync -
-
- System/DisableSystemRestore -
-
- System/FeedbackHubAlwaysSaveDiagnosticsLocally -
-
- System/LimitEnhancedDiagnosticDataWindowsAnalytics -
-
- System/TelemetryProxy -
-
- - -
- - -**System/AllowBuildPreview** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck markcheck mark
- - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -> [!NOTE] -> This policy setting applies only to devices running Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education, Windows 10 Mobile, and Windows 10 Mobile Enterprise. - - -This policy setting determines whether users can access the Insider build controls in the Advanced Options for Windows Update. These controls are located under "Get Insider builds," and enable users to make their devices available for downloading and installing Windows preview software. - -If you enable or do not configure this policy setting, users can download and install Windows preview software on their devices. If you disable this policy setting, the item "Get Insider builds" will be unavailable. - - - -ADMX Info: -- GP English name: *Toggle user control over Insider builds* -- GP name: *AllowBuildPreview* -- GP path: *Data Collection and Preview Builds* -- GP ADMX file name: *AllowBuildPreview.admx* - - - -The following list shows the supported values: - -- 0 – Not allowed. The item "Get Insider builds" is unavailable, users are unable to make their devices available for preview software. -- 1 – Allowed. Users can make their devices available for downloading and installing preview software. -- 2 (default) – Not configured. Users can make their devices available for downloading and installing preview software. - - - - -
- - -**System/AllowEmbeddedMode** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck markcheck mark
- - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Specifies whether set general purpose device to be in embedded mode. - -Most restricted value is 0. - - - -The following list shows the supported values: - -- 0 (default) – Not allowed. -- 1 – Allowed. - - - - -
- - -**System/AllowExperimentation** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck markcheck mark
- - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -> [!NOTE] -> This policy is not supported in Windows 10, version 1607. - -This policy setting determines the level that Microsoft can experiment with the product to study user preferences or device behavior. - - -Most restricted value is 0. - - - -The following list shows the supported values: - -- 0 – Disabled. -- 1 (default) – Permits Microsoft to configure device settings only. -- 2 – Allows Microsoft to conduct full experimentations. - - - - -
- - -**System/AllowFontProviders** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
- - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Added in Windows 10, version 1703. Boolean policy setting that determines whether Windows is allowed to download fonts and font catalog data from an online font provider. If you enable this setting, Windows periodically queries an online font provider to determine whether a new font catalog is available. Windows may also download font data if needed to format or render text. If you disable this policy setting, Windows does not connect to an online font provider and only enumerates locally-installed fonts. - -This MDM setting corresponds to the EnableFontProviders Group Policy setting. If both the Group Policy and the MDM settings are configured, the group policy setting takes precedence. If neither is configured, the behavior depends on a DisableFontProviders registry value. In server editions, this registry value is set to 1 by default, so the default behavior is false (disabled). In all other editions, the registry value is not set by default, so the default behavior is true (enabled). - -This setting is used by lower-level components for text display and fond handling and has not direct effect on web browsers, which may download web fonts used in web content. - -> [!Note] -> Reboot is required after setting the policy; alternatively you can stop and restart the FontCache service. - - - -ADMX Info: -- GP English name: *Enable Font Providers* -- GP name: *EnableFontProviders* -- GP path: *Network/Fonts* -- GP ADMX file name: *GroupPolicy.admx* - - - -The following list shows the supported values: - -- 0 - false - No traffic to fs.microsoft.com and only locally-installed fonts are available. -- 1 - true (default) - There may be network traffic to fs.microsoft.com and downloadable fonts are available to apps that support them. - - - -To verify if System/AllowFontProviders is set to true: - -- After a client machine is rebooted, check whether there is any network traffic from client machine to fs.microsoft.com. - - - - -
- - -**System/AllowLocation** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck markcheck mark
- - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Specifies whether to allow app access to the Location service. - - -Most restricted value is 0. - -While the policy is set to 0 (Force Location Off) or 2 (Force Location On), any Location service call from an app would trigger the value set by this policy. - -When switching the policy back from 0 (Force Location Off) or 2 (Force Location On) to 1 (User Control), the app reverts to its original Location service setting. - -For example, an app's original Location setting is Off. The administrator then sets the **AllowLocation** policy to 2 (Force Location On.) The Location service starts working for that app, overriding the original setting. Later, if the administrator switches the **AllowLocation** policy back to 1 (User Control), the app will revert to using its original setting of Off. - - - -ADMX Info: -- GP English name: *Turn off location* -- GP name: *DisableLocation_2* -- GP path: *Windows Components/Location and Sensors* -- GP ADMX file name: *Sensors.admx* - - - -The following list shows the supported values: - -- 0 – Force Location Off. All Location Privacy settings are toggled off and greyed out. Users cannot change the settings, and no apps are allowed access to the Location service, including Cortana and Search. -- 1 (default) – Location service is allowed. The user has control and can change Location Privacy settings on or off. -- 2 – Force Location On. All Location Privacy settings are toggled on and greyed out. Users cannot change the settings and all consent permissions will be automatically suppressed. - - - - -
- - -**System/AllowStorageCard** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck markcheck mark
- - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Controls whether the user is allowed to use the storage card for device storage. This setting prevents programmatic access to the storage card. - -Most restricted value is 0. - - - -The following list shows the supported values: - -- 0 – SD card use is not allowed and USB drives are disabled. This setting does not prevent programmatic access to the storage card. -- 1 (default) – Allow a storage card. - - - - -
- - -**System/AllowTelemetry** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck markcheck mark
- - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
- - - -Allow the device to send diagnostic and usage telemetry data, such as Watson. - -The following tables describe the supported values: - -Windows 8.1 Values: - -- 0 - Not allowed. -- 1 – Allowed, except for Secondary Data Requests. -- 2 (default) – Allowed. - - - -Windows 10 Values: - -- 0 – Security. Information that is required to help keep Windows more secure, including data about the Connected User Experience and Telemetry component settings, the Malicious Software Removal Tool, and Windows Defender. - Note: This value is only applicable to Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, Windows 10 IoT Core (IoT Core), and Windows Server 2016. Using this setting on other devices is equivalent to setting the value of 1. -- 1 – Basic. Basic device info, including: quality-related data, app compatibility, app usage data, and data from the Security level. -- 2 – Enhanced. Additional insights, including: how Windows, Windows Server, System Center, and apps are used, how they perform, advanced reliability data, and data from both the Basic and the Security levels. -- 3 – Full. All data necessary to identify and help to fix problems, plus data from the Security, Basic, and Enhanced levels. - - - - -> [!IMPORTANT] -> If you are using Windows 8.1 MDM server and set a value of 0 using the legacy AllowTelemetry policy on a Windows 10 Mobile device, then the value is not respected and the telemetry level is silently set to level 1. - - -Most restricted value is 0. - - - -ADMX Info: -- GP English name: *Allow Telemetry* -- GP name: *AllowTelemetry* -- GP element: *AllowTelemetry* -- GP path: *Data Collection and Preview Builds* -- GP ADMX file name: *DataCollection.admx* - - - - -
- - -**System/AllowUserToResetPhone** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck markcheck mark
- - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Specifies whether to allow the user to factory reset the phone by using control panel and hardware key combination. - -Most restricted value is 0. - - - -The following list shows the supported values: -orted values: - -- 0 – Not allowed. -- 1 (default) – Allowed to reset to factory default settings. - - - - -
- - -**System/BootStartDriverInitialization** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcross markcross mark
- - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -This policy setting allows you to specify which boot-start drivers are initialized based on a classification determined by an Early Launch Antimalware boot-start driver. The Early Launch Antimalware boot-start driver can return the following classifications for each boot-start driver: -- Good: The driver has been signed and has not been tampered with. -- Bad: The driver has been identified as malware. It is recommended that you do not allow known bad drivers to be initialized. -- Bad, but required for boot: The driver has been identified as malware, but the computer cannot successfully boot without loading this driver. -- Unknown: This driver has not been attested to by your malware detection application and has not been classified by the Early Launch Antimalware boot-start driver. - -If you enable this policy setting you will be able to choose which boot-start drivers to initialize the next time the computer is started. - -If you disable or do not configure this policy setting, the boot start drivers determined to be Good, Unknown or Bad but Boot Critical are initialized and the initialization of drivers determined to be Bad is skipped. - -If your malware detection application does not include an Early Launch Antimalware boot-start driver or if your Early Launch Antimalware boot-start driver has been disabled, this setting has no effect and all boot-start drivers are initialized. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Boot-Start Driver Initialization Policy* -- GP name: *POL_DriverLoadPolicy_Name* -- GP path: *System/Early Launch Antimalware* -- GP ADMX file name: *earlylauncham.admx* - - - - -
- - -**System/ConfigureTelemetryOptInChangeNotification** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark4check mark4check mark4check mark4
- - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -This policy setting determines whether a device shows notifications about telemetry levels to people on first logon or when changes occur in Settings.  -If you set this policy setting to "Disable telemetry change notifications", telemetry level notifications stop appearing. -If you set this policy setting to "Enable telemetry change notifications" or don't configure this policy setting, telemetry notifications appear at first logon and when changes occur in Settings. - - - -ADMX Info: -- GP English name: *Configure telemetry opt-in change notifications.* -- GP name: *ConfigureTelemetryOptInChangeNotification* -- GP element: *ConfigureTelemetryOptInChangeNotification* -- GP path: *Data Collection and Preview Builds* -- GP ADMX file name: *DataCollection.admx* - - - - - - - - - - - - - -
- - -**System/ConfigureTelemetryOptInSettingsUx** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark4check mark4check mark4check mark4
- - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -This policy setting determines whether people can change their own telemetry levels in Settings. This setting should be used in conjunction with the Allow Telemetry settings. - -If you set this policy setting to "Disable Telemetry opt-in Settings", telemetry levels are disabled in Settings, preventing people from changing them. - -If you set this policy setting to "Enable Telemetry opt-in Setings" or don't configure this policy setting, people can change their own telemetry levels in Settings. - -Note: -Set the Allow Telemetry policy setting to prevent people from sending diagnostic data to Microsoft beyond your organization's limit. - - - -ADMX Info: -- GP English name: *Configure telemetry opt-in setting user interface.* -- GP name: *ConfigureTelemetryOptInSettingsUx* -- GP element: *ConfigureTelemetryOptInSettingsUx* -- GP path: *Data Collection and Preview Builds* -- GP ADMX file name: *DataCollection.admx* - - - - - - - - - - - - - -
- - -**System/DisableEnterpriseAuthProxy** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark3check mark3check mark3check mark3cross markcross mark
- - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -This policy setting blocks the Connected User Experience and Telemetry service from automatically using an authenticated proxy to send data back to Microsoft on Windows 10. If you disable or do not configure this policy setting, the Connected User Experience and Telemetry service will automatically use an authenticated proxy to send data back to Microsoft. Enabling this policy will block the Connected User Experience and Telemetry service from automatically using an authenticated proxy. - - - -ADMX Info: -- GP English name: *Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service* -- GP name: *DisableEnterpriseAuthProxy* -- GP element: *DisableEnterpriseAuthProxy* -- GP path: *Data Collection and Preview Builds* -- GP ADMX file name: *DataCollection.admx* - - - - -
- - -**System/DisableOneDriveFileSync** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2check mark2cross markcross mark
- - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Added in Windows 10, version 1703. Allows IT Admins to prevent apps and features from working with files on OneDrive. If you enable this policy setting: - -* Users cannot access OneDrive from the OneDrive app or file picker. -* Microsoft Store apps cannot access OneDrive using the WinRT API. -* OneDrive does not appear in the navigation pane in File Explorer. -* OneDrive files are not kept in sync with the cloud. -* Users cannot automatically upload photos and videos from the camera roll folder. - -If you disable or do not configure this policy setting, apps and features can work with OneDrive file storage. - - - -ADMX Info: -- GP English name: *Prevent the usage of OneDrive for file storage* -- GP name: *PreventOnedriveFileSync* -- GP path: *Windows Components/OneDrive* -- GP ADMX file name: *SkyDrive.admx* - - - -The following list shows the supported values: - -- 0 (default) – False (sync enabled). -- 1 – True (sync disabled). - - - -To validate on Desktop, do the following: - -1. Enable policy. -2. Restart machine. -3. Verify that OneDrive.exe is not running in Task Manager. - - - - -
- - -**System/DisableSystemRestore** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcross markcross mark
- - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Allows you to disable System Restore. - -This policy setting allows you to turn off System Restore. - -System Restore enables users, in the event of a problem, to restore their computers to a previous state without losing personal data files. By default, System Restore is turned on for the boot volume. - -If you enable this policy setting, System Restore is turned off, and the System Restore Wizard cannot be accessed. The option to configure System Restore or create a restore point through System Protection is also disabled. - -If you disable or do not configure this policy setting, users can perform System Restore and configure System Restore settings through System Protection. - -Also, see the "Turn off System Restore configuration" policy setting. If the "Turn off System Restore" policy setting is disabled or not configured, the "Turn off System Restore configuration" policy setting is used to determine whether the option to configure System Restore is available. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Turn off System Restore* -- GP name: *SR_DisableSR* -- GP path: *System/System Restore* -- GP ADMX file name: *systemrestore.admx* - - - - -
- - -**System/FeedbackHubAlwaysSaveDiagnosticsLocally** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark4check mark4check mark4check mark4check mark4
- - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Added in Windows 10, version 1803. When filing feedback in the Feedback Hub, diagnostic logs are collected for certain types of feedback. We now offer the option for users to save it locally, in addition to sending it to Microsoft. This policy will allow enterprises to mandate that all diagnostics are saved locally for use in internal investigations. - - - -The following list shows the supported values: - -- 0 (default) - False. The Feedback Hub will not always save a local copy of diagnostics that may be created when a feedback is submitted. The user will have the option to do so. -- 1 - True. The Feedback Hub should always save a local copy of diagnostics that may be created when a feedback is submitted. - - - - -
- - -**System/LimitEnhancedDiagnosticDataWindowsAnalytics** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark3check mark3check mark3check mark3check mark3check mark3
- - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -This policy setting, in combination with the System/AllowTelemetry - policy setting, enables organizations to send Microsoft a specific set of diagnostic data for IT insights via Windows Analytics services. - -To enable this behavior you must complete two steps: -
    -
  • Enable this policy setting
    • -
  • Set Allow Telemetry to level 2 (Enhanced)
    • -
- -When you configure these policy settings, a basic level of diagnostic data plus additional events that are required for Windows Analytics are sent to Microsoft. These events are documented here: [Windows 10, version 1709 enhanced telemetry events and fields used by Windows Analytics](https://go.microsoft.com/fwlink/?linkid=847594). - -Enabling enhanced diagnostic data in the System/AllowTelemetry policy in combination with not configuring this policy will also send the required events for Windows Analytics, plus additional enhanced level telemetry data. This setting has no effect on computers configured to send full, basic or security level diagnostic data to Microsoft. - -If you disable or do not configure this policy setting, then the level of diagnostic data sent to Microsoft is determined by the System/AllowTelemetry policy. - - - -ADMX Info: -- GP English name: *Limit Enhanced diagnostic data to the minimum required by Windows Analytics* -- GP name: *LimitEnhancedDiagnosticDataWindowsAnalytics* -- GP element: *LimitEnhancedDiagnosticDataWindowsAnalytics* -- GP path: *Data Collection and Preview Builds* -- GP ADMX file name: *DataCollection.admx* - - - - -
- - -**System/TelemetryProxy** - - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck markcheck mark
- - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Allows you to specify the fully qualified domain name (FQDN) or IP address of a proxy server to forward Connected User Experiences and Telemetry requests. The format for this setting is *<server>:<port>*. The connection is made over a Secure Sockets Layer (SSL) connection. If the named proxy fails, or if there is no proxy specified when this policy is enabled, the Connected User Experiences and Telemetry data will not be transmitted and will remain on the local device. - -If you disable or do not configure this policy setting, Connected User Experiences and Telemetry will go to Microsoft using the default proxy configuration. - - - -ADMX Info: -- GP English name: *Configure Connected User Experiences and Telemetry* -- GP name: *TelemetryProxy* -- GP element: *TelemetryProxyName* -- GP path: *Data Collection and Preview Builds* -- GP ADMX file name: *DataCollection.admx* - - - -
- -Footnote: - -- 1 - Added in Windows 10, version 1607. -- 2 - Added in Windows 10, version 1703. -- 3 - Added in Windows 10, version 1709. -- 4 - Added in Windows 10, version 1803. -- 5 - Added in the next major release of Windows 10. - - - - - +--- +title: Policy CSP - System +description: Policy CSP - System +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: MariciaAlforque +ms.date: 08/24/2018 +--- + +# Policy CSP - System + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
+ + +## System policies + +
+
+ System/AllowBuildPreview +
+
+ System/AllowDeviceNameInDiagnosticData +
+
+ System/AllowEmbeddedMode +
+
+ System/AllowExperimentation +
+
+ System/AllowFontProviders +
+
+ System/AllowLocation +
+
+ System/AllowStorageCard +
+
+ System/AllowTelemetry +
+
+ System/AllowUserToResetPhone +
+
+ System/BootStartDriverInitialization +
+
+ System/ConfigureMicrosoft365UploadEndpoint +
+
+ System/ConfigureTelemetryOptInChangeNotification +
+
+ System/ConfigureTelemetryOptInSettingsUx +
+
+ System/DisableDeviceDelete +
+
+ System/DisableDiagnosticDataViewer +
+
+ System/DisableEnterpriseAuthProxy +
+
+ System/DisableOneDriveFileSync +
+
+ System/DisableSystemRestore +
+
+ System/FeedbackHubAlwaysSaveDiagnosticsLocally +
+
+ System/LimitEnhancedDiagnosticDataWindowsAnalytics +
+
+ System/TelemetryProxy +
+
+ + +
+ + +**System/AllowBuildPreview** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck markcheck mark
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +> [!NOTE] +> This policy setting applies only to devices running Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education, Windows 10 Mobile, and Windows 10 Mobile Enterprise. + + +This policy setting determines whether users can access the Insider build controls in the Advanced Options for Windows Update. These controls are located under "Get Insider builds," and enable users to make their devices available for downloading and installing Windows preview software. + +If you enable or do not configure this policy setting, users can download and install Windows preview software on their devices. If you disable this policy setting, the item "Get Insider builds" will be unavailable. + + + +ADMX Info: +- GP English name: *Toggle user control over Insider builds* +- GP name: *AllowBuildPreview* +- GP path: *Data Collection and Preview Builds* +- GP ADMX file name: *AllowBuildPreview.admx* + + + +The following list shows the supported values: + +- 0 – Not allowed. The item "Get Insider builds" is unavailable, users are unable to make their devices available for preview software. +- 1 – Allowed. Users can make their devices available for downloading and installing preview software. +- 2 (default) – Not configured. Users can make their devices available for downloading and installing preview software. + + + + +
+ + +**System/AllowDeviceNameInDiagnosticData** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark5check mark5check mark5check mark5
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy allows the device name to be sent to Microsoft as part of Windows diagnostic data. If you disable or do not configure this policy setting, then device name will not be sent to Microsoft as part of Windows diagnostic data. + + + +ADMX Info: +- GP English name: *Allow device name to be sent in Windows diagnostic data* +- GP name: *AllowDeviceNameInDiagnosticData* +- GP element: *AllowDeviceNameInDiagnosticData* +- GP path: *Data Collection and Preview Builds* +- GP ADMX file name: *DataCollection.admx* + + + + + + + + + + + + + +
+ + +**System/AllowEmbeddedMode** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck markcheck mark
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Specifies whether set general purpose device to be in embedded mode. + +Most restricted value is 0. + + + +The following list shows the supported values: + +- 0 (default) – Not allowed. +- 1 – Allowed. + + + + +
+ + +**System/AllowExperimentation** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck markcheck mark
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +> [!NOTE] +> This policy is not supported in Windows 10, version 1607. + +This policy setting determines the level that Microsoft can experiment with the product to study user preferences or device behavior. + + +Most restricted value is 0. + + + +The following list shows the supported values: + +- 0 – Disabled. +- 1 (default) – Permits Microsoft to configure device settings only. +- 2 – Allows Microsoft to conduct full experimentations. + + + + +
+ + +**System/AllowFontProviders** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Added in Windows 10, version 1703. Boolean policy setting that determines whether Windows is allowed to download fonts and font catalog data from an online font provider. If you enable this setting, Windows periodically queries an online font provider to determine whether a new font catalog is available. Windows may also download font data if needed to format or render text. If you disable this policy setting, Windows does not connect to an online font provider and only enumerates locally-installed fonts. + +This MDM setting corresponds to the EnableFontProviders Group Policy setting. If both the Group Policy and the MDM settings are configured, the group policy setting takes precedence. If neither is configured, the behavior depends on a DisableFontProviders registry value. In server editions, this registry value is set to 1 by default, so the default behavior is false (disabled). In all other editions, the registry value is not set by default, so the default behavior is true (enabled). + +This setting is used by lower-level components for text display and fond handling and has not direct effect on web browsers, which may download web fonts used in web content. + +> [!Note] +> Reboot is required after setting the policy; alternatively you can stop and restart the FontCache service. + + + +ADMX Info: +- GP English name: *Enable Font Providers* +- GP name: *EnableFontProviders* +- GP path: *Network/Fonts* +- GP ADMX file name: *GroupPolicy.admx* + + + +The following list shows the supported values: + +- 0 - false - No traffic to fs.microsoft.com and only locally-installed fonts are available. +- 1 - true (default) - There may be network traffic to fs.microsoft.com and downloadable fonts are available to apps that support them. + + + +To verify if System/AllowFontProviders is set to true: + +- After a client machine is rebooted, check whether there is any network traffic from client machine to fs.microsoft.com. + + + + +
+ + +**System/AllowLocation** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck markcheck mark
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Specifies whether to allow app access to the Location service. + + +Most restricted value is 0. + +While the policy is set to 0 (Force Location Off) or 2 (Force Location On), any Location service call from an app would trigger the value set by this policy. + +When switching the policy back from 0 (Force Location Off) or 2 (Force Location On) to 1 (User Control), the app reverts to its original Location service setting. + +For example, an app's original Location setting is Off. The administrator then sets the **AllowLocation** policy to 2 (Force Location On.) The Location service starts working for that app, overriding the original setting. Later, if the administrator switches the **AllowLocation** policy back to 1 (User Control), the app will revert to using its original setting of Off. + + + +ADMX Info: +- GP English name: *Turn off location* +- GP name: *DisableLocation_2* +- GP path: *Windows Components/Location and Sensors* +- GP ADMX file name: *Sensors.admx* + + + +The following list shows the supported values: + +- 0 – Force Location Off. All Location Privacy settings are toggled off and greyed out. Users cannot change the settings, and no apps are allowed access to the Location service, including Cortana and Search. +- 1 (default) – Location service is allowed. The user has control and can change Location Privacy settings on or off. +- 2 – Force Location On. All Location Privacy settings are toggled on and greyed out. Users cannot change the settings and all consent permissions will be automatically suppressed. + + + + +
+ + +**System/AllowStorageCard** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck markcheck mark
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Controls whether the user is allowed to use the storage card for device storage. This setting prevents programmatic access to the storage card. + +Most restricted value is 0. + + + +The following list shows the supported values: + +- 0 – SD card use is not allowed and USB drives are disabled. This setting does not prevent programmatic access to the storage card. +- 1 (default) – Allow a storage card. + + + + +
+ + +**System/AllowTelemetry** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck markcheck mark
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + + +Allow the device to send diagnostic and usage telemetry data, such as Watson. + +The following tables describe the supported values: + +Windows 8.1 Values: + +- 0 - Not allowed. +- 1 – Allowed, except for Secondary Data Requests. +- 2 (default) – Allowed. + + + +Windows 10 Values: + +- 0 – Security. Information that is required to help keep Windows more secure, including data about the Connected User Experience and Telemetry component settings, the Malicious Software Removal Tool, and Windows Defender. + Note: This value is only applicable to Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, Windows 10 IoT Core (IoT Core), and Windows Server 2016. Using this setting on other devices is equivalent to setting the value of 1. +- 1 – Basic. Basic device info, including: quality-related data, app compatibility, app usage data, and data from the Security level. +- 2 – Enhanced. Additional insights, including: how Windows, Windows Server, System Center, and apps are used, how they perform, advanced reliability data, and data from both the Basic and the Security levels. +- 3 – Full. All data necessary to identify and help to fix problems, plus data from the Security, Basic, and Enhanced levels. + + + + +> [!IMPORTANT] +> If you are using Windows 8.1 MDM server and set a value of 0 using the legacy AllowTelemetry policy on a Windows 10 Mobile device, then the value is not respected and the telemetry level is silently set to level 1. + + +Most restricted value is 0. + + + +ADMX Info: +- GP English name: *Allow Telemetry* +- GP name: *AllowTelemetry* +- GP element: *AllowTelemetry* +- GP path: *Data Collection and Preview Builds* +- GP ADMX file name: *DataCollection.admx* + + + + +
+ + +**System/AllowUserToResetPhone** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck markcheck mark
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Specifies whether to allow the user to factory reset the phone by using control panel and hardware key combination. + +Most restricted value is 0. + + + +The following list shows the supported values: +orted values: + +- 0 – Not allowed. +- 1 (default) – Allowed to reset to factory default settings. + + + + +
+ + +**System/BootStartDriverInitialization** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcross markcross mark
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting allows you to specify which boot-start drivers are initialized based on a classification determined by an Early Launch Antimalware boot-start driver. The Early Launch Antimalware boot-start driver can return the following classifications for each boot-start driver: +- Good: The driver has been signed and has not been tampered with. +- Bad: The driver has been identified as malware. It is recommended that you do not allow known bad drivers to be initialized. +- Bad, but required for boot: The driver has been identified as malware, but the computer cannot successfully boot without loading this driver. +- Unknown: This driver has not been attested to by your malware detection application and has not been classified by the Early Launch Antimalware boot-start driver. + +If you enable this policy setting you will be able to choose which boot-start drivers to initialize the next time the computer is started. + +If you disable or do not configure this policy setting, the boot start drivers determined to be Good, Unknown or Bad but Boot Critical are initialized and the initialization of drivers determined to be Bad is skipped. + +If your malware detection application does not include an Early Launch Antimalware boot-start driver or if your Early Launch Antimalware boot-start driver has been disabled, this setting has no effect and all boot-start drivers are initialized. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Boot-Start Driver Initialization Policy* +- GP name: *POL_DriverLoadPolicy_Name* +- GP path: *System/Early Launch Antimalware* +- GP ADMX file name: *earlylauncham.admx* + + + + +
+ + +**System/ConfigureMicrosoft365UploadEndpoint** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark5check mark5check mark5check mark5
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy sets the upload endpoint for this device’s diagnostic data as part of the Microsoft 365 Update Readiness program. + +If your organization is participating in the program and has been instructed to configure a custom upload endpoint, then use this setting to define that endpoint. + +The value for this setting will be provided by Microsoft as part of the onboarding process for the program. + +Value type is string. + + +ADMX Info: +- GP English name: *Configure Microsoft 365 Update Readiness upload endpoint* +- GP name: *ConfigureMicrosoft365UploadEndpoint* +- GP element: *ConfigureMicrosoft365UploadEndpoint* +- GP path: *Data Collection and Preview Builds* +- GP ADMX file name: *DataCollection.admx* + + + + + + + + + + + + + +
+ + +**System/ConfigureTelemetryOptInChangeNotification** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark4check mark4check mark4check mark4
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting determines whether a device shows notifications about telemetry levels to people on first logon or when changes occur in Settings.  +If you set this policy setting to "Disable telemetry change notifications", telemetry level notifications stop appearing. +If you set this policy setting to "Enable telemetry change notifications" or don't configure this policy setting, telemetry notifications appear at first logon and when changes occur in Settings. + + + +ADMX Info: +- GP English name: *Configure telemetry opt-in change notifications.* +- GP name: *ConfigureTelemetryOptInChangeNotification* +- GP element: *ConfigureTelemetryOptInChangeNotification* +- GP path: *Data Collection and Preview Builds* +- GP ADMX file name: *DataCollection.admx* + + + + +
+ + +**System/ConfigureTelemetryOptInSettingsUx** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark4check mark4check mark4check mark4
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting determines whether people can change their own telemetry levels in Settings. This setting should be used in conjunction with the Allow Telemetry settings. + +If you set this policy setting to "Disable Telemetry opt-in Settings", telemetry levels are disabled in Settings, preventing people from changing them. + +If you set this policy setting to "Enable Telemetry opt-in Setings" or don't configure this policy setting, people can change their own telemetry levels in Settings. + +Note: +Set the Allow Telemetry policy setting to prevent people from sending diagnostic data to Microsoft beyond your organization's limit. + + + +ADMX Info: +- GP English name: *Configure telemetry opt-in setting user interface.* +- GP name: *ConfigureTelemetryOptInSettingsUx* +- GP element: *ConfigureTelemetryOptInSettingsUx* +- GP path: *Data Collection and Preview Builds* +- GP ADMX file name: *DataCollection.admx* + + + + +
+ + +**System/DisableDeviceDelete** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark5check mark5check mark5check mark5
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting controls whether the Delete diagnostic data button is enabled in Diagnostic & Feedback Settings page. +If you enable this policy setting, the Delete diagnostic data button will be disabled in Settings page, preventing the deletion of diagnostic data collected by Microsoft from the device. +If you disable or don't configure this policy setting, the Delete diagnostic data button will be enabled in Settings page, which allows people to erase all diagnostic data collected by Microsoft from that device. + + + +ADMX Info: +- GP English name: *Disable deleting diagnostic data * +- GP name: *DisableDeviceDelete* +- GP element: *DisableDeviceDelete* +- GP path: *Data Collection and Preview Builds* +- GP ADMX file name: *DataCollection.admx* + + + + + + + + + + + + + +
+ + +**System/DisableDiagnosticDataViewer** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark5check mark5check mark5check mark5
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting controls whether users can enable and launch the Diagnostic Data Viewer from the Diagnostic & Feedback Settings page. +If you enable this policy setting, the Diagnostic Data Viewer will not be enabled in Settings page, and it will prevent the viewer from showing diagnostic data collected by Microsoft from the device. +If you disable or don't configure this policy setting, the Diagnostic Data Viewer will be enabled in Settings page. + + + +ADMX Info: +- GP English name: *Disable diagnostic data viewer. * +- GP name: *DisableDiagnosticDataViewer* +- GP element: *DisableDiagnosticDataViewer* +- GP path: *Data Collection and Preview Builds* +- GP ADMX file name: *DataCollection.admx* + + + + + + + + + + + + + +
+ + +**System/DisableEnterpriseAuthProxy** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark3check mark3check mark3check mark3cross markcross mark
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting blocks the Connected User Experience and Telemetry service from automatically using an authenticated proxy to send data back to Microsoft on Windows 10. If you disable or do not configure this policy setting, the Connected User Experience and Telemetry service will automatically use an authenticated proxy to send data back to Microsoft. Enabling this policy will block the Connected User Experience and Telemetry service from automatically using an authenticated proxy. + + + +ADMX Info: +- GP English name: *Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service* +- GP name: *DisableEnterpriseAuthProxy* +- GP element: *DisableEnterpriseAuthProxy* +- GP path: *Data Collection and Preview Builds* +- GP ADMX file name: *DataCollection.admx* + + + + +
+ + +**System/DisableOneDriveFileSync** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2check mark2cross markcross mark
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Added in Windows 10, version 1703. Allows IT Admins to prevent apps and features from working with files on OneDrive. If you enable this policy setting: + +* Users cannot access OneDrive from the OneDrive app or file picker. +* Microsoft Store apps cannot access OneDrive using the WinRT API. +* OneDrive does not appear in the navigation pane in File Explorer. +* OneDrive files are not kept in sync with the cloud. +* Users cannot automatically upload photos and videos from the camera roll folder. + +If you disable or do not configure this policy setting, apps and features can work with OneDrive file storage. + + + +ADMX Info: +- GP English name: *Prevent the usage of OneDrive for file storage* +- GP name: *PreventOnedriveFileSync* +- GP path: *Windows Components/OneDrive* +- GP ADMX file name: *SkyDrive.admx* + + + +The following list shows the supported values: + +- 0 (default) – False (sync enabled). +- 1 – True (sync disabled). + + + +To validate on Desktop, do the following: + +1. Enable policy. +2. Restart machine. +3. Verify that OneDrive.exe is not running in Task Manager. + + + + +
+ + +**System/DisableSystemRestore** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcross markcross mark
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Allows you to disable System Restore. + +This policy setting allows you to turn off System Restore. + +System Restore enables users, in the event of a problem, to restore their computers to a previous state without losing personal data files. By default, System Restore is turned on for the boot volume. + +If you enable this policy setting, System Restore is turned off, and the System Restore Wizard cannot be accessed. The option to configure System Restore or create a restore point through System Protection is also disabled. + +If you disable or do not configure this policy setting, users can perform System Restore and configure System Restore settings through System Protection. + +Also, see the "Turn off System Restore configuration" policy setting. If the "Turn off System Restore" policy setting is disabled or not configured, the "Turn off System Restore configuration" policy setting is used to determine whether the option to configure System Restore is available. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off System Restore* +- GP name: *SR_DisableSR* +- GP path: *System/System Restore* +- GP ADMX file name: *systemrestore.admx* + + + + +
+ + +**System/FeedbackHubAlwaysSaveDiagnosticsLocally** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark4check mark4check mark4check mark4check mark4
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Added in Windows 10, version 1803. When filing feedback in the Feedback Hub, diagnostic logs are collected for certain types of feedback. We now offer the option for users to save it locally, in addition to sending it to Microsoft. This policy will allow enterprises to mandate that all diagnostics are saved locally for use in internal investigations. + + + +The following list shows the supported values: + +- 0 (default) - False. The Feedback Hub will not always save a local copy of diagnostics that may be created when a feedback is submitted. The user will have the option to do so. +- 1 - True. The Feedback Hub should always save a local copy of diagnostics that may be created when a feedback is submitted. + + + + +
+ + +**System/LimitEnhancedDiagnosticDataWindowsAnalytics** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark3check mark3check mark3check mark3check mark3check mark3
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting, in combination with the System/AllowTelemetry + policy setting, enables organizations to send Microsoft a specific set of diagnostic data for IT insights via Windows Analytics services. + +To enable this behavior you must complete two steps: +
    +
  • Enable this policy setting
    • +
  • Set Allow Telemetry to level 2 (Enhanced)
    • +
+ +When you configure these policy settings, a basic level of diagnostic data plus additional events that are required for Windows Analytics are sent to Microsoft. These events are documented here: [Windows 10, version 1709 enhanced telemetry events and fields used by Windows Analytics](https://go.microsoft.com/fwlink/?linkid=847594). + +Enabling enhanced diagnostic data in the System/AllowTelemetry policy in combination with not configuring this policy will also send the required events for Windows Analytics, plus additional enhanced level telemetry data. This setting has no effect on computers configured to send full, basic or security level diagnostic data to Microsoft. + +If you disable or do not configure this policy setting, then the level of diagnostic data sent to Microsoft is determined by the System/AllowTelemetry policy. + + + +ADMX Info: +- GP English name: *Limit Enhanced diagnostic data to the minimum required by Windows Analytics* +- GP name: *LimitEnhancedDiagnosticDataWindowsAnalytics* +- GP element: *LimitEnhancedDiagnosticDataWindowsAnalytics* +- GP path: *Data Collection and Preview Builds* +- GP ADMX file name: *DataCollection.admx* + + + + +
+ + +**System/TelemetryProxy** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck markcheck mark
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Allows you to specify the fully qualified domain name (FQDN) or IP address of a proxy server to forward Connected User Experiences and Telemetry requests. The format for this setting is *<server>:<port>*. The connection is made over a Secure Sockets Layer (SSL) connection. If the named proxy fails, or if there is no proxy specified when this policy is enabled, the Connected User Experiences and Telemetry data will not be transmitted and will remain on the local device. + +If you disable or do not configure this policy setting, Connected User Experiences and Telemetry will go to Microsoft using the default proxy configuration. + + + +ADMX Info: +- GP English name: *Configure Connected User Experiences and Telemetry* +- GP name: *TelemetryProxy* +- GP element: *TelemetryProxyName* +- GP path: *Data Collection and Preview Builds* +- GP ADMX file name: *DataCollection.admx* + + + +
+ +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. +- 5 - Added in the next major release of Windows 10. + + + diff --git a/windows/client-management/mdm/policy-csp-userrights.md b/windows/client-management/mdm/policy-csp-userrights.md index 00b49c54f7..ead54a0bfb 100644 --- a/windows/client-management/mdm/policy-csp-userrights.md +++ b/windows/client-management/mdm/policy-csp-userrights.md @@ -12,6 +12,61 @@ ms.date: 03/12/2018 # Policy CSP - UserRights +
+ +User rights are assigned for user accounts or groups. The name of the policy defines the user right in question, and the values are always users or groups. Values can be represented as SIDs or strings. Here is a list for reference, [Well-Known SID Structures](https://msdn.microsoft.com/en-us/library/cc980032.aspx). Even though strings are supported for well-known accounts and groups, it is better to use SIDs because strings are localized for different languages. Some user rights allow things, like AccessFromNetwork, while others disallow things, like DenyAccessFromNetwork. + +Here is an example syncml for setting the user right BackupFilesAndDirectories for Administrators and Authenticated Users groups. + +```syntax + + + + + 2 + + + chr + text/plain + + + ./Device/Vendor/MSFT/Policy/Config/UserRights/BackupFilesAndDirectories + + Authenticated UsersAdministrators + + + + + +``` + +Here are examples of data fields. The encoded 0xF000 is the standard delimiter/separator + +- Grant an user right to Administrators group via SID: + ``` + *S-1-5-32-544 + ``` + +- Grant an user right to multiple groups (Administrators, Authenticated Users) via SID + ``` + *S-1-5-32-544*S-1-5-11 + ``` + +- Grant an user right to multiple groups (Administrators, Authenticated Users) via a mix of SID and Strings + ``` + *S-1-5-32-544Authenticated Users + ``` + +- Grant an user right to multiple groups (Authenticated Users, Administrators) via strings + ``` + Authenticated UsersAdministrators + ``` + +- Empty input indicates that there are no users configured to have that user right + ``` + + ``` +
diff --git a/windows/configuration/TOC.md b/windows/configuration/TOC.md index dad54fdffa..f0a6f2503a 100644 --- a/windows/configuration/TOC.md +++ b/windows/configuration/TOC.md @@ -28,7 +28,7 @@ ## [Configure cellular settings for tablets and PCs](provisioning-apn.md) ## [Configure Start, taskbar, and lock screen](start-taskbar-lockscreen.md) ### [Configure Windows Spotlight on the lock screen](windows-spotlight.md) -### [Manage Windows 10 and Microsoft Store tips, tricks, and suggestions](manage-tips-and-suggestions.md) +### [Manage Windows 10 and Microsoft Store tips, "fun facts", and suggestions](manage-tips-and-suggestions.md) ### [Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md) #### [Configure Windows 10 taskbar](configure-windows-10-taskbar.md) #### [Customize and export Start layout](customize-and-export-start-layout.md) diff --git a/windows/configuration/guidelines-for-assigned-access-app.md b/windows/configuration/guidelines-for-assigned-access-app.md index a032dc458d..eff3c3a789 100644 --- a/windows/configuration/guidelines-for-assigned-access-app.md +++ b/windows/configuration/guidelines-for-assigned-access-app.md @@ -75,7 +75,7 @@ Restart on Idle Time | Specify when Kiosk Browser should restart in a fresh stat > > 1. Create the provisioning package. When ready to export, close the project in Windows Configuration Designer. >2. Open the customizations.xml file in the project folder (e.g C:\Users\name\Documents\Windows Imaging and Configuration Designer (WICD)\Project_18). ->3. Insert the null character string in between each URL (e.g www.bing.comwww.contoso.com). +>3. Insert the null character string in between each URL (e.g www.bing.com``www.contoso.com). >4. Save the XML file. >5. Open the project again in Windows Configuration Designer. >6. Export the package. Ensure you do not revisit the created policies under Kiosk Browser or else the null character will be removed. diff --git a/windows/configuration/manage-tips-and-suggestions.md b/windows/configuration/manage-tips-and-suggestions.md index 4f327eb125..0c704c06f5 100644 --- a/windows/configuration/manage-tips-and-suggestions.md +++ b/windows/configuration/manage-tips-and-suggestions.md @@ -1,5 +1,5 @@ --- -title: Manage Windows 10 and Microsoft Store tips, tricks, and suggestions (Windows 10) +title: Manage Windows 10 and Microsoft Store tips, fun facts, and suggestions (Windows 10) description: Windows 10 provides organizations with various options to manage user experiences to provide a consistent and predictable experience for employees. keywords: ["device management"] ms.prod: w10 @@ -13,7 +13,7 @@ ms.localizationpriority: medium ms.date: 09/20/2017 --- -# Manage Windows 10 and Microsoft Store tips, tricks, and suggestions +# Manage Windows 10 and Microsoft Store tips, "fun facts", and suggestions **Applies to** @@ -21,7 +21,7 @@ ms.date: 09/20/2017 - Windows 10 -Since its inception, Windows 10 has included a number of user experience features that provide useful tips, tricks, and suggestions as you use Windows, as well as app suggestions from the Microsoft Store. These features are designed to help people get the most out of their Windows 10 experience by, for example, sharing new features, providing more details on the features they use, or sharing content available in the Microsoft Store. Examples of such user experiences include: +Since its inception, Windows 10 has included a number of user experience features that provide useful tips, "fun facts", and suggestions as you use Windows, as well as app suggestions from the Microsoft Store. These features are designed to help people get the most out of their Windows 10 experience by, for example, sharing new features, providing more details on the features they use, or sharing content available in the Microsoft Store. Examples of such user experiences include: * **Windows Spotlight on the lock screen**. Daily updated images on the lock screen that can include additional facts and tips in “hotspots” that are revealed on hover. @@ -34,11 +34,11 @@ Since its inception, Windows 10 has included a number of user experience feature * **Microsoft account notifications**. For users who have a connected Microsoft account, toast notifications about their account like parental control notifications or subscription expiration. >[!TIP] -> On all Windows desktop editions, users can directly enable and disable Windows 10 tips, tricks, and suggestions and Microsoft Store suggestions. For example, users are able to select personal photos for the lock screen as opposed to the images provided by Microsoft, or turn off tips, tricks, or suggestions as they use Windows. +> On all Windows desktop editions, users can directly enable and disable Windows 10 tips, "fun facts", and suggestions and Microsoft Store suggestions. For example, users are able to select personal photos for the lock screen as opposed to the images provided by Microsoft, or turn off tips, "fun facts", or suggestions as they use Windows. Windows 10, version 1607 (also known as the Anniversary Update), provides organizations the ability to centrally manage the type of content provided by these features through Group Policy or mobile device management (MDM). The following table describes how administrators can manage suggestions and tips in Windows 10 commercial and education editions. -## Options available to manage Windows 10 tips and tricks and Microsoft Store suggestions +## Options available to manage Windows 10 tips and "fun facts" and Microsoft Store suggestions | Windows 10 edition | Disable |Show Microsoft apps only | Show Microsoft and popular third-party apps | | --- | --- | --- | --- | diff --git a/windows/configuration/set-up-shared-or-guest-pc.md b/windows/configuration/set-up-shared-or-guest-pc.md index 1acc77b4c2..4783fe006b 100644 --- a/windows/configuration/set-up-shared-or-guest-pc.md +++ b/windows/configuration/set-up-shared-or-guest-pc.md @@ -108,7 +108,7 @@ $sharedPC.KioskModeAUMID = "" $sharedPC.KioskModeUserTileDisplayText = "" $sharedPC.InactiveThreshold = 0 Set-CimInstance -CimInstance $sharedPC -Get-CimInstance -Namespace $namespaceName -ClassName $MDM_SharedPCClass +Get-CimInstance -Namespace $namespaceName -ClassName MDM_SharedPC ``` ### Create a provisioning package for shared use diff --git a/windows/deployment/TOC.md b/windows/deployment/TOC.md index 80adf12056..fdb33ba268 100644 --- a/windows/deployment/TOC.md +++ b/windows/deployment/TOC.md @@ -238,6 +238,7 @@ ### [Change history for Update Windows 10](update/change-history-for-update-windows-10.md) ## [Windows Analytics](update/windows-analytics-overview.md) +### [Windows Analytics in the Azure Portal](update/windows-analytics-azure-portal.md) ### [Windows Analytics and privacy](update/windows-analytics-privacy.md) ### [Manage Windows upgrades with Upgrade Readiness](upgrade/manage-windows-upgrades-with-upgrade-readiness.md) #### [Upgrade Readiness architecture](upgrade/upgrade-readiness-architecture.md) diff --git a/windows/deployment/planning/act-technical-reference.md b/windows/deployment/planning/act-technical-reference.md index a84f82eb0a..ecdf8207f7 100644 --- a/windows/deployment/planning/act-technical-reference.md +++ b/windows/deployment/planning/act-technical-reference.md @@ -39,7 +39,7 @@ Use Upgrade Analytics to get: The Upgrade Analytics workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. For more information about Upgrade Analytics, see [Manage Windows upgrades with Upgrade Analytics](https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics) -At the same time, we've kept the Standard User Analyzer tool, which helps you test your apps and to monitor API calls for potential compatibility issues, and the Compatiblility Administrator, which helps you to resolve potential compatibility issues. +At the same time, we've kept the Standard User Analyzer tool, which helps you test your apps and to monitor API calls for potential compatibility issues, and the Compatibility Administrator, which helps you to resolve potential compatibility issues. ## In this section @@ -47,4 +47,4 @@ At the same time, we've kept the Standard User Analyzer tool, which helps you te |------|------------| |[Standard User Analyzer (SUA) User's Guide](sua-users-guide.md) |The Standard User Analyzer (SUA) helps you test your applications and monitor API calls to detect compatibility issues related to the User Account Control (UAC) feature in Windows. | |[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md) |The Compatibility Administrator tool helps you resolve potential application-compatibility issues before deploying a new version of Windows to your organization. | -|[Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista](compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md) |You can fix some compatibility issues that are due to the changes made between Windows operating system versions. These issues can include User Account Control (UAC) restrictions. | \ No newline at end of file +|[Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista](compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md) |You can fix some compatibility issues that are due to the changes made between Windows operating system versions. These issues can include User Account Control (UAC) restrictions. | diff --git a/windows/deployment/update/device-health-get-started.md b/windows/deployment/update/device-health-get-started.md index c32997aca0..3121b56334 100644 --- a/windows/deployment/update/device-health-get-started.md +++ b/windows/deployment/update/device-health-get-started.md @@ -5,7 +5,7 @@ keywords: Device Health, oms, operations management suite, prerequisites, requir ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.date: 06/12/2018 +ms.date: 08/21/2018 ms.pagetype: deploy author: jaimeo ms.author: jaimeo @@ -14,6 +14,9 @@ ms.localizationpriority: medium # Get started with Device Health +>[!IMPORTANT] +>**The OMS portal has been deprecated; you should start using the [Azure portal](https://portal.azure.com) instead as soon as possible.** Many experiences are the same in the two portals, but there are some key differences. See [Windows Analytics in the Azure Portal](windows-analytics-azure-portal.md) for steps to use Windows Analytics in the Azure portal. For much more information about the transition from OMS to Azure, see [OMS portal moving to Azure](https://docs.microsoft.com/azure/log-analytics/log-analytics-oms-portal-transition). + This topic explains the steps necessary to configure your environment for Windows Analytics: Device Health. Steps are provided in sections that follow the recommended setup process: diff --git a/windows/deployment/update/images/azure-portal-LA-wkspcsumm.PNG b/windows/deployment/update/images/azure-portal-LA-wkspcsumm.PNG new file mode 100644 index 0000000000..cd44ab666c Binary files /dev/null and b/windows/deployment/update/images/azure-portal-LA-wkspcsumm.PNG differ diff --git a/windows/deployment/update/images/azure-portal-LA-wkspcsumm_sterile.png b/windows/deployment/update/images/azure-portal-LA-wkspcsumm_sterile.png new file mode 100644 index 0000000000..7b1b17ac18 Binary files /dev/null and b/windows/deployment/update/images/azure-portal-LA-wkspcsumm_sterile.png differ diff --git a/windows/deployment/update/images/azure-portal-LAfav.PNG b/windows/deployment/update/images/azure-portal-LAfav.PNG new file mode 100644 index 0000000000..8ad9f63fd0 Binary files /dev/null and b/windows/deployment/update/images/azure-portal-LAfav.PNG differ diff --git a/windows/deployment/update/images/azure-portal-LAfav1.png b/windows/deployment/update/images/azure-portal-LAfav1.png new file mode 100644 index 0000000000..64ae8b1d74 Binary files /dev/null and b/windows/deployment/update/images/azure-portal-LAfav1.png differ diff --git a/windows/deployment/update/images/azure-portal-LAmain-sterile.png b/windows/deployment/update/images/azure-portal-LAmain-sterile.png new file mode 100644 index 0000000000..1cdeffa2b7 Binary files /dev/null and b/windows/deployment/update/images/azure-portal-LAmain-sterile.png differ diff --git a/windows/deployment/update/images/azure-portal-LAmain-wkspc-subname-sterile.png b/windows/deployment/update/images/azure-portal-LAmain-wkspc-subname-sterile.png new file mode 100644 index 0000000000..b9cfa6bbc1 Binary files /dev/null and b/windows/deployment/update/images/azure-portal-LAmain-wkspc-subname-sterile.png differ diff --git a/windows/deployment/update/images/azure-portal-LAmain.PNG b/windows/deployment/update/images/azure-portal-LAmain.PNG new file mode 100644 index 0000000000..1cebfa9b8c Binary files /dev/null and b/windows/deployment/update/images/azure-portal-LAmain.PNG differ diff --git a/windows/deployment/update/images/azure-portal-LAsearch.PNG b/windows/deployment/update/images/azure-portal-LAsearch.PNG new file mode 100644 index 0000000000..1d446241d5 Binary files /dev/null and b/windows/deployment/update/images/azure-portal-LAsearch.PNG differ diff --git a/windows/deployment/update/images/azure-portal-UR-settings.png b/windows/deployment/update/images/azure-portal-UR-settings.png new file mode 100644 index 0000000000..c716134e9a Binary files /dev/null and b/windows/deployment/update/images/azure-portal-UR-settings.png differ diff --git a/windows/deployment/update/images/azure-portal-create-resource-boxes.png b/windows/deployment/update/images/azure-portal-create-resource-boxes.png new file mode 100644 index 0000000000..a90344e02d Binary files /dev/null and b/windows/deployment/update/images/azure-portal-create-resource-boxes.png differ diff --git a/windows/deployment/update/images/azure-portal-create-resource.PNG b/windows/deployment/update/images/azure-portal-create-resource.PNG new file mode 100644 index 0000000000..0f1b962e07 Binary files /dev/null and b/windows/deployment/update/images/azure-portal-create-resource.PNG differ diff --git a/windows/deployment/update/images/azure-portal1.PNG b/windows/deployment/update/images/azure-portal1.PNG new file mode 100644 index 0000000000..f4c2aff38a Binary files /dev/null and b/windows/deployment/update/images/azure-portal1.PNG differ diff --git a/windows/deployment/update/images/azure-portal1_allserv.png b/windows/deployment/update/images/azure-portal1_allserv.png new file mode 100644 index 0000000000..63e1bcbad3 Binary files /dev/null and b/windows/deployment/update/images/azure-portal1_allserv.png differ diff --git a/windows/deployment/update/images/temp-azure-portal-soltn-setting.png b/windows/deployment/update/images/temp-azure-portal-soltn-setting.png new file mode 100644 index 0000000000..e757a3d3c0 Binary files /dev/null and b/windows/deployment/update/images/temp-azure-portal-soltn-setting.png differ diff --git a/windows/deployment/update/update-compliance-get-started.md b/windows/deployment/update/update-compliance-get-started.md index 78aa48d1cf..89e5ebf0c7 100644 --- a/windows/deployment/update/update-compliance-get-started.md +++ b/windows/deployment/update/update-compliance-get-started.md @@ -8,12 +8,15 @@ ms.sitesec: library ms.pagetype: deploy author: Jaimeo ms.author: jaimeo -ms.date: 03/15/2018 +ms.date: 08/21/2018 ms.localizationpriority: medium --- # Get started with Update Compliance +>[!IMPORTANT] +>**The OMS portal has been deprecated; you should start using the [Azure portal](https://portal.azure.com) instead as soon as possible.** Many experiences are the same in the two portals, but there are some key differences. See [Windows Analytics in the Azure Portal](windows-analytics-azure-portal.md) for steps to use Windows Analytics in the Azure portal. For much more information about the transition from OMS to Azure, see [OMS portal moving to Azure](https://docs.microsoft.com/azure/log-analytics/log-analytics-oms-portal-transition). + This topic explains the steps necessary to configure your environment for Windows Analytics: Update Compliance. Steps are provided in sections that follow the recommended setup process: diff --git a/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md b/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md index 3b90be8d08..325a6a229a 100644 --- a/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md +++ b/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md @@ -8,12 +8,15 @@ ms.sitesec: library ms.pagetype: deploy author: jaimeo ms.author: jaimeo -ms.date: 07/20/2018 +ms.date: 08/21/2018 ms.localizationpriority: medium --- # Frequently asked questions and troubleshooting Windows Analytics +>[!IMPORTANT] +>**The OMS portal has been deprecated; you should start using the [Azure portal](https://portal.azure.com) instead as soon as possible.** Many experiences are the same in the two portals, but there are some key differences. See [Windows Analytics in the Azure Portal](windows-analytics-azure-portal.md) for steps to use Windows Analytics in the Azure portal. For much more information about the transition from OMS to Azure, see [OMS portal moving to Azure](https://docs.microsoft.com/azure/log-analytics/log-analytics-oms-portal-transition). + This topic compiles the most common issues encountered with configuring and using Windows Analytics, as well as general questions. This FAQ, along with the [Windows Analytics Technical Community](https://techcommunity.microsoft.com/t5/Windows-Analytics/ct-p/WindowsAnalytics), are recommended resources to consult before contacting Microsoft support. ## Troubleshooting common problems diff --git a/windows/deployment/update/windows-analytics-azure-portal.md b/windows/deployment/update/windows-analytics-azure-portal.md new file mode 100644 index 0000000000..d9296cb710 --- /dev/null +++ b/windows/deployment/update/windows-analytics-azure-portal.md @@ -0,0 +1,63 @@ +--- +title: Windows Analytics in the Azure Portal +description: Use the Azure Portal to add and configure Windows Analytics solutions +keywords: Device Health, oms, Azure, portal, operations management suite, add, manage, configure, Upgrade Readiness, Update Compliance +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.date: 08/21/2018 +ms.pagetype: deploy +author: jaimeo +ms.author: jaimeo +ms.localizationpriority: medium +--- + +# Windows Analytics in the Azure portal + +Windows Analytics uses Azure Log Analytics (formerly known as Operations Management Suite or OMS), a collection of cloud-based servicing for monitoring and automating your on-premises and cloud environments. + +**The OMS portal has been deprecated; you should start using the [Azure portal](https://portal.azure.com) instead as soon as possible.** Many experiences are the same in the two portals, but there are some key differences, which this topic will explain. For much more information about the transition from OMS to Azure, see [OMS portal moving to Azure](https://docs.microsoft.com/azure/log-analytics/log-analytics-oms-portal-transition). + +## Navigation and permissions in the Azure portal + +Go to the [Azure portal](https://portal.azure.com), select **All services**, and search for *Log Analytics*. Once it appears, you can select the star to add it to your favorites for easy access in the future. + +[![Azure portal all services page with Log Analytics found and selected as favorite](images/azure-portal-LAfav1.png)](images/azure-portal-LAfav1.png) + +### Permissions + +>[!IMPORTANT] +>Unlike the OMS portal, the Azure portal requires access to both an Azure Log Analytics subscription and a linked Azure subscription. + +To check the Log Analytics workspaces you can access, select **Log Analytics**. You should see a grid control listing all workspaces, along with the Azure subscription each is linked to: + +[![Log Analytics workspace page showing accessible workspaces and linked Azure subscriptions](images/azure-portal-LAmain-wkspc-subname-sterile.png)](images/azure-portal-LAmain-wkspc-subname-sterile.png) + +If you do not see your workspace in this view, you do not have access to the underlying Azure subscription. To view and assign permissions for a workspace, select its name and then, in the flyout that opens, select **Access control (IAM)**. You can view and assign permissions for a subscription similarly by selecting the subscription name and selecting **Access control (IAM)**. + +Both the workspace and Azure subscription require at least "read" permissions. To make changes (for example, to set app importantance in Upgrade Readiness), both the subscription and workspace require "contributor" permissions. You can view your current role and make changes in other roles by using the **Access control (IAM)** tab in Azure. + +When permissions are configured, you can select the workspace and then select **Workspace summary** to see information similar to what was shown in the OMS overview page. + +[![Log Analytics workspace page showing workspace summary](images/azure-portal-LA-wkspcsumm_sterile.png)](images/azure-portal-LA-wkspcsumm_sterile.png) + +## Adding Windows Analytics solutions + +In the Azure portal, the simplest way to add Windows Analytics solutions (Upgrade Readiness, Update Compliance, and Device Health) is to select **+ Create a resource** and then type the solution name in the search box. In this example, the search is for "Device Health": + +[![Add WA solutions with "create a resource"](images/azure-portal-create-resource-boxes.png)](images/azure-portal-create-resource-boxes.png) + +Select the solution from the list that is returned by the search, and then select **Create** to add the solution. + +## Navigating to Windows Analytics solutions settings + +To adjust settings for a Windows Analytics solution, first navigate to the **Solutions** tab for your workspace, and then select the solution to configure. In this example, Upgrade Readiness is being adjusted by selecting **CompatibilityAssessment**: + +[![Select WA solution to adjust settings](images/temp-azure-portal-soltn-setting.png)](images/temp-azure-portal-soltn-setting.png) + +From there, select the settings page to adjust specific settings: + +[![Settings page for Upgrade Readiness in Azure portsl](images/azure-portal-UR-settings.png)](images/azure-portal-UR-settings.png) + +>[!NOTE] +>To adjust these settings, both the subscription and workspace require "contributor" permissions. You can view your current role and make changes in other roles by using the **Access control (IAM)** tab in Azure. \ No newline at end of file diff --git a/windows/deployment/upgrade/upgrade-readiness-get-started.md b/windows/deployment/upgrade/upgrade-readiness-get-started.md index c7e84fc03b..20fbf1341c 100644 --- a/windows/deployment/upgrade/upgrade-readiness-get-started.md +++ b/windows/deployment/upgrade/upgrade-readiness-get-started.md @@ -8,12 +8,15 @@ ms.sitesec: library ms.pagetype: deploy author: jaimeo ms.author: jaimeo -ms.date: 06/12/2018 +ms.date: 08/21/2018 ms.localizationpriority: medium --- # Get started with Upgrade Readiness +>[!IMPORTANT] +>**The OMS portal has been deprecated; you should start using the [Azure portal](https://portal.azure.com) instead as soon as possible.** Many experiences are the same in the two portals, but there are some key differences. See [Windows Analytics in the Azure Portal](../update/windows-analytics-azure-portal.md) for steps to use Windows Analytics in the Azure portal. For much more information about the transition from OMS to Azure, see [OMS portal moving to Azure](https://docs.microsoft.com/azure/log-analytics/log-analytics-oms-portal-transition). + This topic explains how to obtain and configure Upgrade Readiness for your organization. You can use Upgrade Readiness to plan and manage your upgrade project end-to-end. Upgrade Readiness works by establishing communications between computers in your organization and Microsoft. Upgrade Readiness collects computer, application, and driver data for analysis. This data is used to identify compatibility issues that can block your upgrade and to suggest fixes that are known to Microsoft. diff --git a/windows/security/information-protection/tpm/trusted-platform-module-overview.md b/windows/security/information-protection/tpm/trusted-platform-module-overview.md index 8b4a54d9f3..6c4d5fad54 100644 --- a/windows/security/information-protection/tpm/trusted-platform-module-overview.md +++ b/windows/security/information-protection/tpm/trusted-platform-module-overview.md @@ -70,7 +70,7 @@ Some things that you can check on the device are: > [!NOTE] > Windows 10 and Windows Server 2016 support Device Health Attestation with TPM 2.0. Support for TPM 1.2 was added beginning with Windows version 1607 (RS1). -## Supported versions +## Supported versions for device health attestation | TPM version | Windows 10 | Windows Server 2016 | |-------------|-------------|---------------------| diff --git a/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md b/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md index 8a5fc0d12d..805eeff313 100644 --- a/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md +++ b/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md @@ -1,15 +1,15 @@ --- -title: Windows Defender Application Control Configurable Code Integrity and Virtualization-based security (Windows 10) -description: Microsoft Windows 10 has a feature set that consists of both hardware and software system integrity hardening capabilites that revolutionize the Windows operating system’s security. +title: Device Guard is the combination of Windows Defender Application Control and Virtualization-based security (Windows 10) +description: Device Guard consists of both hardware and software system integrity hardening capabilites that can be deployed separately or in combination. keywords: virtualization, security, malware ms.prod: w10 ms.mktglfcycl: deploy ms.localizationpriority: medium author: mdsakibMSFT -ms.date: 04/19/2018 +ms.date: 08/23/2018 --- -# Windows Defender Application Control Configurable Code Integrity and Virtualization-based security (aka Windows Defender Device Guard) +# Device Guard: Windows Defender Application Control Configurable Code Integrity and Virtualization-based security **Applies to** - Windows 10 diff --git a/windows/security/threat-protection/intelligence/TOC.md b/windows/security/threat-protection/intelligence/TOC.md index 86d4f40296..cd09366bea 100644 --- a/windows/security/threat-protection/intelligence/TOC.md +++ b/windows/security/threat-protection/intelligence/TOC.md @@ -34,7 +34,7 @@ ## [Safety Scanner download](safety-scanner-download.md) -## [Industry antivirus tests](transparency-report.md) +## [Industry antivirus tests](top-scoring-industry-antivirus-tests.md) ## [Industry collaboration programs](cybersecurity-industry-partners.md) diff --git a/windows/security/threat-protection/intelligence/transparency-report.md b/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md similarity index 52% rename from windows/security/threat-protection/intelligence/transparency-report.md rename to windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md index a89924060f..662286f60b 100644 --- a/windows/security/threat-protection/intelligence/transparency-report.md +++ b/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md @@ -1,7 +1,7 @@ --- -title: Industry antivirus tests +title: Top scoring in industry antivirus tests description: Industry antivirus tests landing page -keywords: security, malware +keywords: security, malware, av-comparatives, av-test, av, antivirus ms.prod: w10 ms.mktglfcycl: secure ms.sitesec: library @@ -13,59 +13,55 @@ ms.date: 08/17/2018 # Top scoring in industry antivirus tests -[Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10?ocid=cx-blog-mmpc) **consistently achieves high scores** from independent tests, displaying how it is a top choice in the antivirus market. +[Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10?ocid=cx-docs-avreports) **consistently achieves high scores** from independent tests, displaying how it is a top choice in the antivirus market. We want to be transparent and have gathered top industry reports that demonstrate our enterprise antivirus capabilities. Note that these tests only provide results for antivirus and do not test for additional security protections. -In the real world, millions of devices are protected from cyberattacks every day, sometimes [milliseconds after a campaign starts](https://cloudblogs.microsoft.com/microsoftsecure/2018/03/07/behavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign/). In many cases, customers might not even know they were protected. That's because Windows Defender ATP's [next generation protection](https://www.youtube.com/watch?v=Xy3MOxkX_o4) detects and stops malware at first sight by using predictive technologies, [machine learning](https://cloudblogs.microsoft.com/microsoftsecure/2018/06/07/machine-learning-vs-social-engineering/), [artificial intelligence](https://cloudblogs.microsoft.com/microsoftsecure/2018/02/14/how-artificial-intelligence-stopped-an-emotet-outbreak/), behavioral analysis, and other advanced technologies. +In the real world, millions of devices are protected from cyberattacks every day, sometimes [milliseconds after a campaign starts](https://cloudblogs.microsoft.com/microsoftsecure/2018/03/07/behavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign?ocid=cx-docs-avreports). In many cases, customers might not even know they were protected. That's because Windows Defender Advanced Threat Protection ([Windows Defender ATP](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=cx-docs-avreports)) [next generation protection](https://www.youtube.com/watch?v=Xy3MOxkX_o4) detects and stops malware at first sight by using predictive technologies, [machine learning](https://cloudblogs.microsoft.com/microsoftsecure/2018/06/07/machine-learning-vs-social-engineering?ocid=cx-docs-avreports), [artificial intelligence](https://cloudblogs.microsoft.com/microsoftsecure/2018/02/14/how-artificial-intelligence-stopped-an-emotet-outbreak?ocid=cx-docs-avreports), behavioral analysis, and other advanced technologies. > [!TIP] -> Learn why [most enterprises use Windows Defender Antivirus](https://docs.microsoft.com/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10). +> Learn why [Windows Defender Antivirus is the most deployed in the enterprise](https://cloudblogs.microsoft.com/microsoftsecure/2018/03/22/why-windows-defender-antivirus-is-the-most-deployed-in-the-enterprise?ocid=cx-docs-avreports).



-![Logo](./images/av-test-logo.png) +![AV-TEST logo](./images/av-test-logo.png) ## AV-TEST: Perfect protection score of 6.0/6.0 in the latest test -**[Analysis of the latest AV-TEST results](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2v60I)** +**[Analysis of the latest AV-TEST results](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2v60I?ocid=cx-docs-avreports)** The AV-TEST Product Review and Certification Report tests on three categories: protection, performance, and usability. The scores listed below are for the protection category which has two scores: real world testing and the AV-TEST reference set (known as "prevalent malware"). -**Real-World testing** as defined by AV-TEST refers to protection against zero-day malware attacks, inclusive of web and email threats. +**Real-World testing** as defined by AV-TEST attempts to test protection against zero-day malware attacks, inclusive of web and email threats. -**Prevalent malware** as defined by AV-TEST refers to detection of widespread and prevalent malware discovered in the last four weeks. - -Note: Microsoft sees a wider and broader set of threats beyond just what’s tested in the AV-TEST evaluation. +**Prevalent malware** as defined by AV-TEST attempts to test detection of widespread and prevalent malware discovered in the last four weeks. The below scores are the results of AV-TEST's evaluations on **Windows Defender Antivirus**. |Month (2018)|Real-World test score| Prevalent malware test score | AV-TEST report| Microsoft analysis| |---|---|---|---|---| -|January| 100.00%| 99.92%| [Report (Jan-Feb)](https://www.av-test.org/en/antivirus/home-windows/windows-7/february-2018/kaspersky-lab-internet-security-18.0-180557/)| [Analysis (Jan-Feb)](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE27O5A?ocid=cx-blog-mmpc)| -|February| 100.00% | 100.00%|[Report (Jan-Feb)](https://www.av-test.org/en/antivirus/home-windows/windows-7/february-2018/kaspersky-lab-internet-security-18.0-180557/)| [Analysis (Jan-Feb)](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE27O5A?ocid=cx-blog-mmpc)| -March |98.00%| 100.00%|[Report (Mar-Apr)](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/april-2018/microsoft-windows-defender-antivirus-4.12-181574/)|[Analysis (Mar-Apr)](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2ouJA)| -April|100.00%| 100.00%|[Report (Mar-Apr)](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/april-2018/microsoft-windows-defender-antivirus-4.12-181574/)|[Analysis (Mar-Apr)](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2ouJA)| -May|100.00%| 100.00%| [Report (May-Jun)](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/june-2018/microsoft-windows-defender-antivirus-4.12-182374/) **Latest**|[Analysis (May-Jun)](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2v60I)| -June|100.00%| 100.00%| [Report (May-Jun)](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/june-2018/microsoft-windows-defender-antivirus-4.12-182374/) **Latest**|[Analysis (May-Jun)](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2v60I)| +|January| 100.00%| 99.92%| [Report (Jan-Feb)](https://www.av-test.org/en/antivirus/home-windows/windows-7/february-2018/kaspersky-lab-internet-security-18.0-180557/)| [Analysis (Jan-Feb)](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE27O5A?ocid=cx-docs-avreports)| +|February| 100.00% | 100.00%|[Report (Jan-Feb)](https://www.av-test.org/en/antivirus/home-windows/windows-7/february-2018/kaspersky-lab-internet-security-18.0-180557/)| [Analysis (Jan-Feb)](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE27O5A?ocid=cx-docs-avreports)| +March |98.00%| 100.00%|[Report (Mar-Apr)](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/april-2018/microsoft-windows-defender-antivirus-4.12-181574/)|[Analysis (Mar-Apr)](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2ouJA?ocid=cx-docs-avreports)| +April|100.00%| 100.00%|[Report (Mar-Apr)](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/april-2018/microsoft-windows-defender-antivirus-4.12-181574/)|[Analysis (Mar-Apr)](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2ouJA?ocid=cx-docs-avreports)| +May|100.00%| 100.00%| [Report (May-Jun)](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/june-2018/microsoft-windows-defender-antivirus-4.12-182374/) |[Analysis (May-Jun)](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2v60I?ocid=cx-docs-avreports) **Latest**| +June|100.00%| 100.00%| [Report (May-Jun)](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/june-2018/microsoft-windows-defender-antivirus-4.12-182374/)|[Analysis (May-Jun)](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2v60I?ocid=cx-docs-avreports) **Latest**| ||| |---|---| -|![Graph describing Real-World detection rate](./images/RealWorld-67-percent.png)|![Prevalent Malware](./images/PrevalentMalware-67-percent.png)| +|![Graph describing Real-World detection rate](./images/RealWorld-67-percent.png)|![Graph describing Prevalent Malware](./images/PrevalentMalware-67-percent.png)|

-![Logo](./images/av-comparatives-logo-3.png) +![AV-Comparatives Logo](./images/av-comparatives-logo-3.png) ## AV-Comparatives: Perfect protection rating of 100% in the latest test AV-Comparatives is an independent organization offering systematic testing for security software such as PC/Mac-based antivirus products and mobile security solutions. -The **Real-World Protection Test (Enterprise)** as defined by AV-Comparatives evaluates the “real-world” protection capabilities with default settings. The goal is to find out whether the security software protects the computer by either hindering the malware from changing any systems or remediating all changes if any were made. +The **Real-World Protection Test (Enterprise)** as defined by AV-Comparatives attempts to evaluate the “real-world” protection capabilities with default settings. The goal is to find out whether the security software protects the computer by either hindering the malware from changing any systems or remediating all changes if any were made. -The **Malware Protection Test Enterprise** as defined by AV-Comparatives assesses a security program’s ability to protect a system against infection by malicious files before, during or after execution. It is only tested every *six months*. +The **Malware Protection Test Enterprise** as defined by AV-Comparatives attempts to assesses a security program’s ability to protect a system against infection by malicious files before, during or after execution. It is only tested every six months. -Note: Microsoft sees a wider and broader set of threats beyond just what’s tested in the AV-Comparatives evaluation. - -The below scores are the results of AV-Comparatives tests on **Windows Defender Antivirus**. The scores are specifically for the ability to block malware. +The below scores are the results of AV-Comparatives tests on **Windows Defender Antivirus**. The scores represent the percentage of blocked malware. |Month (2018)| Real-World test score| Malware test score (every 6 months)| |---|---|---| @@ -76,18 +72,18 @@ The below scores are the results of AV-Comparatives tests on **Windows Defender |June| 99.50%| N/A| |July| 100.00%| N/A| -* [Real-World Protection Test (Enterprise) July 2018](https://www.av-comparatives.org/tests/real-world-protection-test-july-2018-factsheet/) - * [Real-World Protection Test (Enterprise) February - June 2018](https://www.av-comparatives.org/tests/real-world-protection-test-february-june-2018/) * [Malware Protection Test Enterprise March 2018](https://www.av-comparatives.org/tests/malware-protection-test-enterprise-march-2018-testresult/) +* [Real-World Protection Test (Enterprise) July 2018](https://www.av-comparatives.org/tests/real-world-protection-test-july-2018-factsheet/) **Latest** + ## To what extent are tests representative of protection in the real world? -It is important to remember that the capabilities within [Windows Defender ATP](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=cx-blog-mmpc) provide [additional layers of protection](https://cloudblogs.microsoft.com/microsoftsecure/2017/12/11/detonating-a-bad-rabbit-windows-defender-antivirus-and-layered-machine-learning-defenses/) that are not factored into AV tests. Using these tests, customer can view one aspect of their security suite but can't assess the complete protection of all the security features. +It is important to remember that Microsoft sees a wider and broader set of threats beyond just what’s tested in the AV evaluations highlighted above. The capabilities within [Windows Defender ATP](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=cx-docs-avreports) also provide [additional layers of protection](https://cloudblogs.microsoft.com/microsoftsecure/2017/12/11/detonating-a-bad-rabbit-windows-defender-antivirus-and-layered-machine-learning-defenses?ocid=cx-docs-avreports) that are not factored into AV tests. Using these tests, customer can view one aspect of their security suite but can't assess the complete protection of all the security features. -There are other technologies in nearly every endpoint security suite that address some of the latest and most sophisticated threats, but are not represented in AV tests. For example, the capabilities such as attack surface reduction and endpoint detection & response help prevent malware from getting onto devices in the first place. +There are other technologies in nearly every endpoint security suite not represented in AV tests that address some of the latest and most sophisticated threats. For example, the capabilities such as attack surface reduction and endpoint detection & response help prevent malware from getting onto devices in the first place. -Microsoft is highly engaged in working with several independent testers to evolve security testing to focus on the end-to-end security stack. In the meantime, customers can evaluate Windows Defender Advanced Threat Protection in their own networks by signing up for a [90-day trial of Windows Defender ATP](https://www.microsoft.com/windowsforbusiness/windows-atp?ocid=cx-blog-mmpc), or [enabling Preview features on existing tenants](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection). +Microsoft is highly engaged in working with several independent testers to evolve security testing to focus on the end-to-end security stack. In the meantime, customers can evaluate Windows Defender Advanced Threat Protection in their own networks by signing up for a [90-day trial of Windows Defender ATP](https://www.microsoft.com/windowsforbusiness/windows-atp?ocid=cx-docs-avreports), or [enabling Preview features on existing tenants](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection?ocid=cx-docs-avreports). ![ATP](./images/wdatp-pillars2.png) diff --git a/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md b/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md index e42efc4ec8..35ab89b19d 100644 --- a/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md +++ b/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md @@ -108,7 +108,7 @@ Wecutil ss “testSubscription” /cf:Events ### How frequently are WEF events delivered? -Event delivery options are part of the WEF subscription configuration parameters – There are three built-in subscription delivery options: Normal, Minimize Bandwidth, and Minimize Latency. A fourth, catch-all called “Custom” is available but cannot be selected or configured through the WEF UI by using Event Ciewer. The Custom delivery option must be selected and configured using the WECUTIL.EXE command-line application. All subscription options define a maximum event count and maximum event age, if either limit is exceeded then the accumulated events are sent to the event collector. +Event delivery options are part of the WEF subscription configuration parameters – There are three built-in subscription delivery options: Normal, Minimize Bandwidth, and Minimize Latency. A fourth, catch-all called “Custom” is available but cannot be selected or configured through the WEF UI by using Event Viewer. The Custom delivery option must be selected and configured using the WECUTIL.EXE command-line application. All subscription options define a maximum event count and maximum event age, if either limit is exceeded then the accumulated events are sent to the event collector. This table outlines the built-in delivery options: diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md index 5eab19050c..fe09121625 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md @@ -29,6 +29,7 @@ ms.date: 04/30/2018 - System Center Configuration Manager - PowerShell cmdlets - Windows Management Instruction (WMI) +- Mobile Device Management (MDM) @@ -147,6 +148,9 @@ SignatureDefinitionUpdateFileSharesSouce See the following for more information: - [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx) +**Use Mobile Device Management (MDM) to manage the update location:** + +See [Policy CSP - Defender/SignatureUpdateFallbackOrder](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-signatureupdatefallbackorder) for details on configuring MDM. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md index 4cb0d0390a..8400f6cb17 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md @@ -6,8 +6,9 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -author: brianlic-msft -ms.date: 09/21/2017 +author: andreabichsel +msauthor: v-anbic +ms.date: 08/27/2018 --- # Working with AppLocker rules @@ -60,6 +61,8 @@ The AppLocker console is organized into rule collections, which are executable f When DLL rules are used, AppLocker must check each DLL that an application loads. Therefore, users may experience a reduction in performance if DLL rules are used. The DLL rule collection is not enabled by default. To learn how to enable the DLL rule collection, see [DLL rule collections](#bkmk-dllrulecollections). + +EXE rules apply to portable executable (PE) files. AppLocker checks whether a file is a valid PE file, rather than just applying rules based on file extension, which attackers can easily change. Regardless of the file extension, the AppLocker EXE rule collection will work on a file as long as it is a valid PE file.   ## Rule conditions