deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-13 05:47:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

merge issues

Browse Source
This commit is contained in:
Greg Lindsay 2019-06-19 12:43:21 -07:00
commit 8ff0610e66
49 changed files with 15269 additions and 192 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15091
.openpublishing.redirection.json
View File

File diff suppressed because it is too large Load Diff

5
.vscode/extensions.json vendored Normal file
View File

@ -0,0 +1,5 @@
{
"recommendations": [
"docsmsft.docs-authoring-pack"
]
}

3
bcs/index.md
View File

@ -1,3 +0,0 @@
---
redirect_url: /microsoft-365/business/
---

3
bcs/support/microsoft-365-business-faqs.md
View File

@ -1,3 +0,0 @@
---
redirect_url: https://docs.microsoft.com/microsoft-365/business/support/microsoft-365-business-faqs
---

3
bcs/support/transition-csp-subscription.md
View File

@ -1,3 +0,0 @@
---
redirect_url: https://docs.microsoft.com/microsoft-365/business/support/transition-csp-subscription
---

2
browsers/edge/emie-to-improve-compatibility.md
View File

@ -41,7 +41,7 @@ If you're having trouble deciding whether Microsoft Edge is right for your organ
|Microsoft Edge |IE11 |
|---------|---------|
|Microsoft Edge takes you beyond just browsing to actively engaging with the web through features like Web Note, Reading View, and Cortana.<ul><li>**Web Note.** Microsoft Edge lets you annotate, highlight, and call things out directly on web pages.</li><li>**Reading view.** Microsoft Edge lets you enjoy and print online articles in a distraction-free layout optimized for your screen size. While in reading view, you can also save web pages or PDF files to your reading list, for later viewing.</li><li>**Cortana.** Enabled by default in Microsoft Edge, Cortona lets you highlight words for more info and gives you one-click access to things like restaurant reservations and reviews, without leaving the webpage.</li><li>**Compatibility and security.** Microsoft Edge lets you continue to use IE11 for sites that are on your corporate intranet or that are included on your Enterprise Mode Site List. You must use IE11 to run older, less secure technology, such as ActiveX controls.</li></ul> |IE11 offers enterprises additional security, manageability, performance, backward compatibility, and modern standards support.<ul><li>**Backward compatibility.** IE11 supports 9 document modes that include high-fidelity emulations for older versions of IE.</li><li>**Modern web standards.** IE11 supports modern web technologies like HTML5, CSS3, and WebGL, which help to ensure today's modern websites and apps work just as well as your old, legacy websites and apps.</li><li>**More secure.** IE11 was designed with security in mind and is more secure than older versions. Using security features like SmartScreen and Enhanced Protected Mode can help IE11 reduce your risk.</li><li>**Faster.** IE11 is significantly faster than previous versions of Internet Explorer, taking advantage of network optimization and hardware-accelerated text, graphics, and JavaScript rendering.</li><li>**Easier migration to Windows 10.** IE11 is the only version of IE that runs on Windows 7, Windows 8.1, and Windows 10. Upgrading to IE11 on Windows 7 can also help your organization support the next generation of software, services, and devices.</li><li>**Administration.** IE11 can use the Internet Explorer Administration Kit (IEAK) 11 or MSIs for deployment and includes more than 1,600 Group Policies and preferences for granular control.</li></ul> |
|Microsoft Edge takes you beyond just browsing to actively engaging with the web through features like Web Note, Reading View, and Cortana.<ul><li>**Web Note.** Microsoft Edge lets you annotate, highlight, and call things out directly on web pages.</li><li>**Reading view.** Microsoft Edge lets you enjoy and print online articles in a distraction-free layout optimized for your screen size. While in reading view, you can also save web pages or PDF files to your reading list, for later viewing.</li><li>**Cortana.** Enabled by default in Microsoft Edge, Cortana lets you highlight words for more info and gives you one-click access to things like restaurant reservations and reviews, without leaving the webpage.</li><li>**Compatibility and security.** Microsoft Edge lets you continue to use IE11 for sites that are on your corporate intranet or that are included on your Enterprise Mode Site List. You must use IE11 to run older, less secure technology, such as ActiveX controls.</li></ul> |IE11 offers enterprises additional security, manageability, performance, backward compatibility, and modern standards support.<ul><li>**Backward compatibility.** IE11 supports 9 document modes that include high-fidelity emulations for older versions of IE.</li><li>**Modern web standards.** IE11 supports modern web technologies like HTML5, CSS3, and WebGL, which help to ensure today's modern websites and apps work just as well as your old, legacy websites and apps.</li><li>**More secure.** IE11 was designed with security in mind and is more secure than older versions. Using security features like SmartScreen and Enhanced Protected Mode can help IE11 reduce your risk.</li><li>**Faster.** IE11 is significantly faster than previous versions of Internet Explorer, taking advantage of network optimization and hardware-accelerated text, graphics, and JavaScript rendering.</li><li>**Easier migration to Windows 10.** IE11 is the only version of IE that runs on Windows 7, Windows 8.1, and Windows 10. Upgrading to IE11 on Windows 7 can also help your organization support the next generation of software, services, and devices.</li><li>**Administration.** IE11 can use the Internet Explorer Administration Kit (IEAK) 11 or MSIs for deployment and includes more than 1,600 Group Policies and preferences for granular control.</li></ul> |
## Configure the Enterprise Mode Site List

3
devices/surface/advanced-uefi-security-features-for-surface.md
View File

@ -1,3 +0,0 @@
---
redirect_url: https://technet.microsoft.com/itpro/surface/advanced-uefi-security-features-for-surface-pro-3
---

4
education/get-started/finish-setup-and-other-tasks.md
View File

@ -105,7 +105,7 @@ If you need to make changes or updates to any of the apps or settings for the gr
After completing the basic setup for your cloud infrastructure and confirming that it is up and running, it's time to prepare for additional devices to be added and enable capabilities for the user to use.
### Enable many devices to be added by a single person
When a device is owned by the school, you may need to have a single persion adding many devices to your cloud infrastructure.
When a device is owned by the school, you may need to have a single person adding many devices to your cloud infrastructure.
Follow the steps in this section to enable a single person to add many devices to your cloud infrastructure.
@ -198,7 +198,7 @@ Adding a new device to your cloud-based tenant is easy. For new devices, you can
Depending on the organization's policy, the user may be asked to update the password.
5. After the user's credentails are validated, the window will refresh and will now include an entry that shows the device is now connected to the organization's MDM. This means the device is now enrolled in Intune for Education MDM and the account should have access to the organization's resources.
5. After the user's credentials are validated, the window will refresh and will now include an entry that shows the device is now connected to the organization's MDM. This means the device is now enrolled in Intune for Education MDM and the account should have access to the organization's resources.
**Figure 8** - Device is connected to organization's MDM

2
education/get-started/inclusive-classroom-it-admin.md
View File

@ -22,7 +22,7 @@ You will also learn how to deploy apps using Microsoft Intune, turn on or off Ea
1. [Inclusive Classroom features](#features)
2. [Deploying apps with Microsoft Intune](#intune)
3. [How to show/hide the Ease of Accesss settings for text in Windows 10](#ease)
3. [How to show/hide the Ease of Access settings for text in Windows 10](#ease)
4. [How to change your Office 365 account from monthly, semi-annual, or yearly](#account)
## <a name="features"></a>Inclusive Classroom features

2
education/get-started/use-school-data-sync.md
View File

@ -74,7 +74,7 @@ To learn more about the CSV files that are required and the info you need to inc
5. In the **Sync options** screen:
1. In the **Select new or existing users** section, you can select either **Existing users** or **New users** based on the scenaro that applies to you. For this walkthrough, select **New users**.
1. In the **Select new or existing users** section, you can select either **Existing users** or **New users** based on the scenario that applies to you. For this walkthrough, select **New users**.
2. In the **Import data** section, click **Upload Files** to bring up the **Select data files to be uploaded** window.
3. In the **Select data files to be uploaded** window, click **+ Add Files** and navigate to the directory where you saved the six CSV files required for data import.
4. In the File Explorer window, you will see a folder for the sample CSV files for the UK and six sample CSV files for the US. Select the CSV files that match your region/locale, and then click **Open**.

2
education/trial-in-a-box/itadmin-tib-get-started.md
View File

@ -104,7 +104,7 @@ If you've previously used Set up School PCs to provision student devices, you ca
- This setting also increases the maximum storage to 100% of the available disk space. This prevents the student's account from being erased if the student stores a lot of files or data or if the student doesn't use the PC over a prolonged period.
- **Let guests sign-in to these PCs** allows guests to use student PCs without a school account. If you select this option, a **Guest** account button will be added in the PC's sign-in screen to allow anyone to use the PC.
- **Enable Windows 10 Autopilot Reset** enables IT admins to quickly remove personal files, apps, and settings, and reset Windows 10 devices from the lock screen any time and apply original settings and management enrollment the student PC is returned to a fully configured or known approved state. For more info, see [Autopilot Reset](https://docs.microsoft.com/education/windows/autopilot-reset).
- **Lock screen background** shows the default backgroudn used for student PCs provisioned by Set up School PCs. Select **Browse** to change the default.
- **Lock screen background** shows the default background used for student PCs provisioned by Set up School PCs. Select **Browse** to change the default.
7. **Set up the Take a Test app** configures the device for taking quizzes and high-stakes assessments by some providers like Smarter Balanced. Windows will lock down the student PC so that students can't access anything else while taking the test.

33
education/windows/create-tests-using-microsoft-forms.md
View File

@ -1,33 +0,0 @@
---
title: Create tests using Microsoft Forms
ms.reviewer:
manager: dansimp
description: Learn how to use Microsoft Forms with the Take a Test app to prevent access to other computers or online resources while completing a test.
keywords: school, Take a Test, Microsoft Forms
ms.prod: w10
ms.mktglfcycl: plan
ms.sitesec: library
ms.pagetype: edu
author: levinec
ms.author: ellevin
redirect_url: https://support.microsoft.com/help/4000711/windows-10-create-tests-using-microsoft-forms
---
# Create tests using Microsoft Forms
**Applies to:**
- Windows 10
For schools that have an Office 365 Education subscription, teachers can use [Microsoft Forms](https://support.office.com/article/What-is-Microsoft-Forms-6b391205-523c-45d2-b53a-fc10b22017c8) to create a test and then require that students use the Take a Test app to block access to other computers or online resources while completing the test created through Microsoft Forms.
To do this, teachers can select a check box to make it a secure test. Microsoft Forms will generate a link that you can use to embed into your OneNote or class website. When students are ready to take a test, they can click on the link to start the test.
Microsoft Forms will perform checks to ensure students are taking the test in a locked down Take a Test session. If not, students are not permitted access to the assessment.
[Learn how to block Internet access while students complete your form](https://support.office.com/article/6bd7e31d-5be0-47c9-a0dc-c0a74fc48959)
## Related topics
[Take tests in Windows 10](take-tests-in-windows-10.md)

2
mdop/appv-v4/support-for-client-reporting-over-http.md
View File

@ -34,7 +34,7 @@ The client starts collecting data when it receives a “REPORTING=”TRUE””a
The following schema gives specific details of the package and the application data that is sent to the server.
``` syntax
```xml
<?xml version="1.0"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">

2
mdop/appv-v5/about-the-connection-group-virtual-environment.md
View File

@ -38,7 +38,7 @@ The connection group that is used is based on the order in which a package appea
Consider the following example section:
``` syntax
```xml
<appv:Packages><appv:PackagePackageId="A8731008-4523-4713-83A4-CD1363907160"VersionId="E889951B-7F30-418B-A69C-B37283BC0DB9"/><appv:PackagePackageId="1DC709C8-309F-4AB4-BD47-F75926D04276"VersionId="01F1943B-C778-40AD-BFAD-AC34A695DF3C"/><appv:PackagePackageId="04220DCA-EE77-42BE-A9F5-96FD8E8593F2"VersionId="E15EFFE9-043D-4C01-BC52-AD2BD1E8BAFA"/></appv:Packages>
```

2
mdop/appv-v5/about-the-connection-group-virtual-environment51.md
View File

@ -38,7 +38,7 @@ The connection group that is used is based on the order in which a package appea
Consider the following example section:
``` syntax
```xml
<appv:Packages><appv:PackagePackageId="A8731008-4523-4713-83A4-CD1363907160"VersionId="E889951B-7F30-418B-A69C-B37283BC0DB9"/><appv:PackagePackageId="1DC709C8-309F-4AB4-BD47-F75926D04276"VersionId="01F1943B-C778-40AD-BFAD-AC34A695DF3C"/><appv:PackagePackageId="04220DCA-EE77-42BE-A9F5-96FD8E8593F2"VersionId="E15EFFE9-043D-4C01-BC52-AD2BD1E8BAFA"/></appv:Packages>
```

14
mdop/appv-v5/application-publishing-and-client-interaction.md
View File

@ -811,7 +811,7 @@ This document focuses on App-V Full Infrastructure solutions. For specific infor
The App-V application lifecycle tasks are triggered at user login (default), machine startup, or as background timed operations. The settings for the App-V Client operations, including Publishing Servers, refresh intervals, package script enablement, and others, are configured during setup of the client or post-setup with PowerShell commands. See the How to Deploy the Client section on TechNet at: [How to Deploy the App-V Client](how-to-deploy-the-app-v-client-gb18030.md) or utilize the PowerShell:
``` syntax
```powershell
get-command *appv*
```
@ -1174,7 +1174,7 @@ The short cut is one of the basic elements of integration with the OS and is the
From the package manifest and dynamic configuration XML files, the path to a specific application executable can be found in a section similar to the following:
``` syntax
```xml
<Extension Category="AppV.Shortcut">
<Shortcut>
<File>[{Common Desktop}]\Adobe Reader 9.lnk</File>
@ -1194,7 +1194,7 @@ As mentioned previously, the App-V shortcuts are placed by default in the user
The App-V Client manages the local operating system File Type Associations during publishing, which enables users to use file type invocations or to open a file with a specifically registered extension (.docx) to start an App-V application. File type associations are present in the manifest and dynamic configuration files as represented in the example below:
``` syntax
```xml
<Extension Category="AppV.FileTypeAssociation">
<FileTypeAssociation>
<FileExtension MimeAssociation="true">
@ -1323,7 +1323,7 @@ App-V supports specific software clients and application capabilities extension
Example of software client registration of an App-V based mail client.
``` syntax
```xml
<SoftwareClients Enabled="true">
<ClientConfiguration EmailEnabled="true" />
<Extensions>
@ -1510,7 +1510,7 @@ The example below shows the combination of the Manifest, Deployment Configuratio
**Manifest**
``` syntax
```xml
<appv:Extension Category="AppV.Shortcut">
<appv:Shortcut>
<appv:File>[{Common Programs}]\7-Zip\7-Zip File Manager.lnk</appv:File>
@ -1522,7 +1522,7 @@ The example below shows the combination of the Manifest, Deployment Configuratio
**Deployment Configuration**
``` syntax
```xml
<MachineConfiguration>
<Subsystems>
<Registry>
@ -1537,7 +1537,7 @@ The example below shows the combination of the Manifest, Deployment Configuratio
**User Configuration**
``` syntax
```xml
<UserConfiguration>
<Subsystems>
<appv:ExtensionCategory="AppV.Shortcut">

14
mdop/appv-v5/application-publishing-and-client-interaction51.md
View File

@ -811,7 +811,7 @@ This document focuses on App-V Full Infrastructure solutions. For specific infor
The App-V application lifecycle tasks are triggered at user login (default), machine startup, or as background timed operations. The settings for the App-V Client operations, including Publishing Servers, refresh intervals, package script enablement, and others, are configured during setup of the client or post-setup with PowerShell commands. See the How to Deploy the Client section on TechNet at: [How to Deploy the App-V Client](how-to-deploy-the-app-v-client-51gb18030.md) or utilize the PowerShell:
``` syntax
```powershell
get-command *appv*
```
@ -1174,7 +1174,7 @@ The short cut is one of the basic elements of integration with the OS and is the
From the package manifest and dynamic configuration XML files, the path to a specific application executable can be found in a section similar to the following:
``` syntax
```xml
<Extension Category="AppV.Shortcut">
<Shortcut>
<File>[{Common Desktop}]\Adobe Reader 9.lnk</File>
@ -1194,7 +1194,7 @@ As mentioned previously, the App-V shortcuts are placed by default in the user
The App-V Client manages the local operating system File Type Associations during publishing, which enables users to use file type invocations or to open a file with a specifically registered extension (.docx) to start an App-V application. File type associations are present in the manifest and dynamic configuration files as represented in the example below:
``` syntax
```xml
<Extension Category="AppV.FileTypeAssociation">
<FileTypeAssociation>
<FileExtension MimeAssociation="true">
@ -1323,7 +1323,7 @@ App-V supports specific software clients and application capabilities extension
Example of software client registration of an App-V based mail client.
``` syntax
```xml
<SoftwareClients Enabled="true">
<ClientConfiguration EmailEnabled="true" />
<Extensions>
@ -1510,7 +1510,7 @@ The example below shows the combination of the Manifest, Deployment Configuratio
**Manifest**
``` syntax
```xml
<appv:Extension Category="AppV.Shortcut">
<appv:Shortcut>
<appv:File>[{Common Programs}]\7-Zip\7-Zip File Manager.lnk</appv:File>
@ -1522,7 +1522,7 @@ The example below shows the combination of the Manifest, Deployment Configuratio
**Deployment Configuration**
``` syntax
```xml
<MachineConfiguration>
<Subsystems>
<Registry>
@ -1537,7 +1537,7 @@ The example below shows the combination of the Manifest, Deployment Configuratio
**User Configuration**
``` syntax
```xml
<UserConfiguration>
<Subsystems>
<appv:ExtensionCategory="AppV.Shortcut">

4
mdop/appv-v5/deploying-microsoft-office-2013-by-using-app-v.md
View File

@ -227,7 +227,7 @@ The XML file that is included in the Office Deployment Tool specifies the produc
2. With the sample configuration.xml file open and ready for editing, you can specify products, languages, and the path to which you save the Office 2013 applications. The following is a basic example of the configuration.xml file:
``` syntax
```xml
<Configuration>
<Add SourcePath= \\Server\Office2013” OfficeClientEdition="32" >
<Product ID="O365ProPlusRetail ">
@ -688,7 +688,7 @@ To exclude specific Office applications (for example, Access and InfoPath) when
5. Add the Office 2013 App-V Package with the new Deployment Configuration File.
``` syntax
```xml
<Application Id="[{AppVPackageRoot)]\officefl5\INFOPATH.EXE" Enabled="true">
<VisualElements>
<Name>InfoPath Filler 2013</Name>

4
mdop/appv-v5/deploying-microsoft-office-2013-by-using-app-v51.md
View File

@ -229,7 +229,7 @@ The XML file that is included in the Office Deployment Tool specifies the produc
2. With the sample configuration.xml file open and ready for editing, you can specify products, languages, and the path to which you save the Office 2013 applications. The following is a basic example of the configuration.xml file:
``` syntax
```xml
<Configuration>
<Add SourcePath= \\Server\Office2013” OfficeClientEdition="32" >
<Product ID="O365ProPlusRetail ">
@ -696,7 +696,7 @@ To exclude specific Office applications (for example, Access and InfoPath) when
5. Add the Office 2013 App-V Package with the new Deployment Configuration File.
``` syntax
```xml
<Application Id="[{AppVPackageRoot)]\officefl5\INFOPATH.EXE" Enabled="true">
<VisualElements>
<Name>InfoPath Filler 2013</Name>

4
mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v51.md
View File

@ -222,7 +222,7 @@ The XML file that is included in the Office Deployment Tool specifies the produc
2. With the sample configuration.xml file open and ready for editing, you can specify products, languages, and the path to which you save the Office 2016 applications. The following is a basic example of the configuration.xml file:
``` syntax
```xml
<Configuration>
<Add SourcePath= \\Server\Office2016” OfficeClientEdition="32" >
<Product ID="O365ProPlusRetail ">
@ -633,7 +633,7 @@ You may want to disable specific applications in your Office App-V package. For
5. Add the Office 2016 App-V Package with the new Deployment Configuration File.
``` syntax
```xml
<Application Id="[{AppVPackageRoot}]\officel6\lync.exe" Enabled="true">
<VisualElements>
<Name>Lync 2016</Name>

20
mdop/appv-v5/how-to-deploy-the-app-v-client-gb18030.md
View File

@ -43,17 +43,17 @@ Use the following procedure to install the Microsoft Application Virtualization
3. Review the locations for client registry, log, and troubleshooting information:
#### Client registry information
<ul><li>By default, after you install the App-V 5.0 client, the client information is stored in the registry in the following registry key:<p><p><code>HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\APPV\CLIENT</code></li><li>When you deploy a virtualized package to a computer that is running the App-V client, the associated package data is stored in the following location:<p><p><code>C:\ProgramData\App-V</code><p><p>However, you can reconfigure this location with the following registry key:<p><p><code>HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\SOFTWARE\MICROSOFT\APPV\CLIENT\STREAMING\PACKAGEINSTALLATIONROOT</code></li></ul>
| | |
|-------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Client registry information | <ul><li>By default, after you install the App-V 5.0 client, the client information is stored in the registry in the following registry key:<p><p><code>HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\APPV\CLIENT</code></li><li>When you deploy a virtualized package to a computer that is running the App-V client, the associated package data is stored in the following location:<p><p><code>C:\ProgramData\App-V</code><p><p>However, you can reconfigure this location with the following registry key:<p><p><code>HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\SOFTWARE\MICROSOFT\APPV\CLIENT\STREAMING\PACKAGEINSTALLATIONROOT</code></li></ul> |
| Client log files | <ul><li>For log file information that is associated with the App-V 5.0 Client, search in the following log:<p><p><code>Event logs/Applications and Services Logs/Microsoft/AppV</code></li><li>In App-V 5.0 SP3, some logs have been consolidated and moved to the following location:<p><p><code>Event logs/Applications and Services Logs/Microsoft/AppV/ServiceLog</code><p><p>For a list of the moved logs, see [About App-V 5.0 SP3](about-app-v-50-sp3.md#bkmk-event-logs-moved).</li><li>Packages that are currently stored on computers that run the App-V 5.0 Client are saved to the following location:<p><p><code>C:\ProgramData\App-V\<<em>package id</em>>\<<em>version id</em>></code></li></ul> |
| Client installation troubleshooting information | See the error log in the **%temp%** folder. To review the log files, click **Start**, type **%temp%**, and then look for the **appv_ log**. |
#### Client log files
<ul><li>For log file information that is associated with the App-V 5.0 Client, search in the following log:<p><p><code>Event logs/Applications and Services Logs/Microsoft/AppV</code></li><li>In App-V 5.0 SP3, some logs have been consolidated and moved to the following location:<p><p><code>Event logs/Applications and Services Logs/Microsoft/AppV/ServiceLog</code><p><p>For a list of the moved logs, see [About App-V 5.0 SP3](about-app-v-50-sp3.md#bkmk-event-logs-moved).</li><li>Packages that are currently stored on computers that run the App-V 5.0 Client are saved to the following location:<p><p><code>C:\ProgramData\App-V\<<em>package id</em>>\<<em>version id</em>></code></li></ul>
---
#### Client installation troubleshooting information
- See the error log in the **%temp%** folder.
- To review the log files, click **Start**, type **%temp%**, and then look for the **appv_ log**.
**To install the App-V 5.0 Client**
## To install the App-V 5.0 Client
1. Copy the App-V 5.0 client installation file to the computer on which it will be installed.<p><p>Choose from the following client types:
@ -83,7 +83,7 @@ Use the following procedure to install the Microsoft Application Virtualization
>After the installation, only the .exe file can be uninstalled.
**To install the App-V 5.0 client using a script**
## To install the App-V 5.0 client using a script
1. Install all of the required prerequisite software on the target computers. See [What to do before you start](#bkmk-clt-install-prereqs). If you install the client by using an .msi file, the installation will fail if any prerequisites are missing.
@ -127,7 +127,7 @@ Use the following procedure to install the Microsoft Application Virtualization
---
**To install the App-V 5.0 client by using the Windows Installer (.msi) file**
## To install the App-V 5.0 client by using the Windows Installer (.msi) file
1. Install the required prerequisites on the target computers. See [What to do before you start](#bkmk-clt-install-prereqs). If any prerequisites are not met, the installation will fail.

2
mdop/dart-v10/how-to-recover-remote-computers-by-using-the-dart-recovery-image-dart-10.md
View File

@ -138,7 +138,7 @@ A file is provided that is named inv32.xml and contains remote connection inform
2. The following is an example of a winpeshl.ini file that is customized to open the **Remote Connection** tool as soon as an attempt is made to boot into DaRT:
``` syntax
```ini
[LaunchApps]
"%windir%\system32\netstart.exe -network -remount"
"cmd /C start %windir%\system32\RemoteRecovery.exe -nomessage"

2
mdop/dart-v7/how-to-recover-remote-computers-using-the-dart-recovery-image-dart-7.md
View File

@ -131,7 +131,7 @@ A file is provided that is named inv32.xml and contains remote connection inform
2. The following is an example of a winpeshl.ini file that is customized to open the **Remote Connection** tool as soon as an attempt is made to boot into DaRT:
``` syntax
```ini
[LaunchApps]
"%windir%\system32\netstart.exe -network -remount"
"cmd /C start %windir%\system32\RemoteRecovery.exe -nomessage"

2
mdop/dart-v8/how-to-recover-remote-computers-by-using-the-dart-recovery-image-dart-8.md
View File

@ -138,7 +138,7 @@ A file is provided that is named inv32.xml and contains remote connection inform
2. The following is an example of a winpeshl.ini file that is customized to open the **Remote Connection** tool as soon as an attempt is made to boot into DaRT:
``` syntax
```ini
[LaunchApps]
"%windir%\system32\netstart.exe -network -remount"
"cmd /C start %windir%\system32\RemoteRecovery.exe -nomessage"

2
mdop/mbam-v2/release-notes-for-mbam-20-mbam-2.md
View File

@ -38,7 +38,7 @@ If you are using the MBAM Stand-alone topology, and you upgrade the server infra
WORKAROUND: After the upgrade, run the following script on the Compliance and Audit Database:
``` syntax
```sql
-- =============================================
-- Script Template
-- =============================================

2
mdop/mbam-v25/mbam-25-security-considerations.md
View File

@ -134,7 +134,7 @@ You can configure the MBAM Recovery and Hardware Service with the name of this s
- Configure the group after the MBAM Recovery and Hardware Service has been installed by editing the web.config file in the &lt;inetpub&gt;\\Microsoft Bitlocker Management Solution\\Recovery and Hardware Service\\ folder.
``` syntax
```xml
<add key="DataMigrationUsersGroupName" value="<groupName>|<empty>" />
```

2
store-for-business/add-profile-to-devices.md
View File

@ -21,7 +21,7 @@ ms.localizationpriority: medium
Windows Autopilot simplifies device set up for IT Admins. For an overview of benefits, scenarios, and prerequisites, see [Overview of Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-10-autopilot).
Watch this video to learn more about Windows Autopilot in Micrsoft Store for Business. </br>
Watch this video to learn more about Windows Autopilot in Microsoft Store for Business. </br>
> [!video https://www.microsoft.com/en-us/videoplayer/embed/3b30f2c2-a3e2-4778-aa92-f65dbc3ecf54?autoplay=false]

3
windows/access-protection/index.md
View File

@ -1,3 +0,0 @@
---
redirect_url: https://docs.microsoft.com/windows/security/identity-protection/
---

6
windows/client-management/mdm/alljoynmanagement-csp.md
View File

@ -80,7 +80,7 @@ Boolean value indicating whether AllJoyn router service (AJRouter.dll) is enable
Set adapter configuration
``` syntax
```xml
<?xml version="1.0" encoding="utf-8"?>
SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
@ -104,7 +104,7 @@ You should replace \_ALLJOYN\_DEVICE\_ID\_ with an actual device ID. Note that t
Get PIN data
``` syntax
```xml
<?xml version="1.0" encoding="utf-8"?>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
@ -123,7 +123,7 @@ Get PIN data
Get the firewall PrivateProfile
``` syntax
```xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Get>

2
windows/client-management/mdm/applocker-ddf-file.md
View File

@ -19,7 +19,7 @@ This topic shows the OMA DM device description framework (DDF) for the **AppLock
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
``` syntax
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
"http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"

2
windows/client-management/mdm/applocker-xsd.md
View File

@ -17,7 +17,7 @@ ms.date: 06/26/2017
Here's the XSD for the AppLocker CSP.
``` syntax
```xml
<?xml version="1.0"?>
<xs:schema attributeFormDefault="unqualified"

18
windows/client-management/mdm/appv-deploy-and-config.md
View File

@ -97,7 +97,7 @@ manager: dansimp
<p>This example shows how to enable App-V on the device.</p>
``` syntax
```xml
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
@ -117,7 +117,7 @@ manager: dansimp
<p>This example shows how to allow package scripts to run during package operations (publish, run, and unpublish). Allowing package scripts assists in package deployments (add and publish of App-V apps).</p>
``` syntax
```xml
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
@ -141,7 +141,7 @@ manager: dansimp
<p>This SyncML example shows how to publish a package globally on an MDM enrolled device for all device users.</p>
``` syntax
```xml
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
@ -183,7 +183,7 @@ manager: dansimp
<p>This SyncML example shows how to publish a package globally, with a policy that adds two shortcuts for the package, on an MDM enrolled device.</p>
``` syntax
```xml
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
@ -277,7 +277,7 @@ manager: dansimp
<p>This SyncML example shows how to publish a package for a specific MDM user.</p>
``` syntax
```xml
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
@ -320,7 +320,7 @@ manager: dansimp
> [!NOTE]
> The user connection group has the user-only package as optional in this example, which implies users without the optional package can continue to launch the global package within the same connection group.
``` syntax
```xml
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
@ -397,7 +397,7 @@ manager: dansimp
<p>This SyncML example shows how to unpublish all global packages on the device by sending an empty package and connection group list in the SyncML.</p>
``` syntax
```xml
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
@ -433,7 +433,7 @@ manager: dansimp
<p>These SyncML examples return all global, and user-published packages on the device.</p>
``` syntax
```xml
<Get>
<CmdID>$CmdID$</CmdID>
<Item>
@ -444,7 +444,7 @@ manager: dansimp
</Get>
```
``` syntax
```xml
<Get>
<CmdID>$CmdID$</CmdID>
<Item>

26
windows/client-management/mdm/assignedaccess-csp.md
View File

@ -166,7 +166,7 @@ This MDM alert header is defined as follows:
KioskModeApp Add
``` syntax
```xml
<SyncML xmlns='SYNCML:SYNCML1.2'>
<SyncBody>
<Add>
@ -188,7 +188,7 @@ KioskModeApp Add
KioskModeApp Delete
``` syntax
```xml
<SyncML xmlns='SYNCML:SYNCML1.2'>
<SyncBody>
<Delete>
@ -206,7 +206,7 @@ KioskModeApp Delete
KioskModeApp Get
``` syntax
```xml
<SyncML xmlns='SYNCML:SYNCML1.2'>
<SyncBody>
<Get>
@ -224,7 +224,7 @@ KioskModeApp Get
KioskModeApp Replace
``` syntax
```xml
<SyncML xmlns='SYNCML:SYNCML1.2'>
<SyncBody>
<Replace>
@ -246,7 +246,7 @@ KioskModeApp Replace
## AssignedAccessConfiguration XSD
``` syntax
```xml
<?xml version="1.0" encoding="utf-8"?>
<xs:schema
elementFormDefault="qualified"
@ -390,7 +390,7 @@ KioskModeApp Replace
## Example AssignedAccessConfiguration XML
``` syntax
```xml
<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config">
<Profiles>
@ -698,7 +698,7 @@ Example of the Delete command.
## StatusConfiguration XSD
``` syntax
```xml
<?xml version="1.0" encoding="utf-8"?>
<xs:schema
elementFormDefault="qualified"
@ -731,7 +731,7 @@ Example of the Delete command.
StatusConfiguration Add OnWithAlerts
``` syntax
```xml
<SyncML xmlns='SYNCML:SYNCML1.2'>
<SyncBody>
<Add>
@ -760,7 +760,7 @@ StatusConfiguration Add OnWithAlerts
StatusConfiguration Delete
``` syntax
```xml
<SyncML xmlns='SYNCML:SYNCML1.2'>
<SyncBody>
<Delete>
@ -778,7 +778,7 @@ StatusConfiguration Delete
StatusConfiguration Get
``` syntax
```xml
<SyncML xmlns='SYNCML:SYNCML1.2'>
<SyncBody>
<Get>
@ -826,7 +826,7 @@ StatusConfiguration Replace On
## Status example
Status Get
``` syntax
```xml
<SyncML xmlns='SYNCML:SYNCML1.2'>
<SyncBody>
<Get>
@ -844,7 +844,7 @@ Status Get
## ShellLauncherConfiguration XSD
``` syntax
```xml
<?xml version="1.0" encoding="utf-8"?>
<xs:schema
elementFormDefault="qualified"
@ -1195,7 +1195,7 @@ ShellLauncherConfiguration Get
This example configures the following apps: Skype, Learning, Feedback Hub, and Calibration, for first line workers. Use this XML in a provisioning package using Windows Configuration Designer. For instructions, see [Configure HoloLens using a provisioning package](https://docs.microsoft.com/hololens/hololens-provisioning).
``` syntax
```xml
<?xml version="1.0" encoding="utf-8" ?>
<!--
This is a sample Assigned Access XML file. The Profile specifies which apps are allowed

2
windows/client-management/mdm/assignedaccess-ddf.md
View File

@ -24,7 +24,7 @@ You can download the DDF files from the links below:
The XML below is for Windows 10, version 1803.
``` syntax
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
"http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"

42
windows/client-management/mdm/bitlocker-csp.md
View File

@ -66,7 +66,7 @@ The following diagram shows the BitLocker configuration service provider in tree
<p style="margin-left: 20px">If you want to disable this policy use the following SyncML:</p>
``` syntax
```xml
<SyncML>
<SyncBody>
<Replace>
@ -116,7 +116,7 @@ The following diagram shows the BitLocker configuration service provider in tree
<p style="margin-left: 20px">If you want to disable this policy use the following SyncML:</p>
``` syntax
```xml
<SyncML>
<SyncBody>
<Replace>
@ -178,7 +178,7 @@ The following diagram shows the BitLocker configuration service provider in tree
<p style="margin-left: 20px"> Sample value for this node to enable this policy and set the encryption methods is:</p>
``` syntax
```xml
<enabled/><data id="EncryptionMethodWithXtsOsDropDown_Name" value="xx"/><data id="EncryptionMethodWithXtsFdvDropDown_Name" value="xx"/><data id="EncryptionMethodWithXtsRdvDropDown_Name" value="xx"/>
```
@ -198,7 +198,7 @@ The following diagram shows the BitLocker configuration service provider in tree
<p style="margin-left: 20px"> If you want to disable this policy use the following SyncML:</p>
``` syntax
```xml
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
@ -269,7 +269,7 @@ The following diagram shows the BitLocker configuration service provider in tree
<p style="margin-left: 20px">Sample value for this node to enable this policy is:</p>
``` syntax
```xml
<enabled/><data id="ConfigureNonTPMStartupKeyUsage_Name" value="xx"/><data id="ConfigureTPMStartupKeyUsageDropDown_Name" value="yy"/><data id="ConfigurePINUsageDropDown_Name" value="yy"/><data id="ConfigureTPMPINKeyUsageDropDown_Name" value="yy"/><data id="ConfigureTPMUsageDropDown_Name" value="yy"/>
```
<p style="margin-left: 20px">Data id:</p>
@ -296,7 +296,7 @@ The following diagram shows the BitLocker configuration service provider in tree
<p style="margin-left: 20px">Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML:</p>
``` syntax
```xml
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
@ -358,13 +358,13 @@ The following diagram shows the BitLocker configuration service provider in tree
<p style="margin-left: 20px">Sample value for this node to enable this policy is:</p>
``` syntax
```xml
<enabled/><data id="MinPINLength" value="xx"/>
```
<p style="margin-left: 20px">Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML:</p>
``` syntax
```xml
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
@ -425,7 +425,7 @@ The following diagram shows the BitLocker configuration service provider in tree
<p style="margin-left: 20px">Sample value for this node to enable this policy is:</p>
``` syntax
```xml
<enabled/><data id="PrebootRecoveryInfoDropDown_Name" value="xx"/><data id="RecoveryMessage_Input" value="yy"/><data id="RecoveryUrl_Input" value="zz"/>
```
<p style="margin-left: 20px">The possible values for &#39;xx&#39; are:</p>
@ -442,7 +442,7 @@ The following diagram shows the BitLocker configuration service provider in tree
<p style="margin-left: 20px">Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML:</p>
``` syntax
```xml
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
@ -515,7 +515,7 @@ The following diagram shows the BitLocker configuration service provider in tree
<p style="margin-left: 20px">Sample value for this node to enable this policy is:</p>
``` syntax
```xml
<enabled/><data id="OSAllowDRA_Name" value="xx"/><data id="OSRecoveryPasswordUsageDropDown_Name" value="yy"/><data id="OSRecoveryKeyUsageDropDown_Name" value="yy"/><data id="OSHideRecoveryPage_Name" value="xx"/><data id="OSActiveDirectoryBackup_Name" value="xx"/><data id="OSActiveDirectoryBackupDropDown_Name" value="zz"/><data id="OSRequireActiveDirectoryBackup_Name" value="xx"/>
```
@ -542,7 +542,7 @@ The following diagram shows the BitLocker configuration service provider in tree
<p style="margin-left: 20px">Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML:</p>
``` syntax
```xml
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
@ -614,7 +614,7 @@ The following diagram shows the BitLocker configuration service provider in tree
<p style="margin-left: 20px">Sample value for this node to enable this policy is:</p>
``` syntax
```xml
<enabled/><data id="FDVAllowDRA_Name" value="xx"/><data id="FDVRecoveryPasswordUsageDropDown_Name" value="yy"/><data id="FDVRecoveryKeyUsageDropDown_Name" value="yy"/><data id="FDVHideRecoveryPage_Name" value="xx"/><data id="FDVActiveDirectoryBackup_Name" value="xx"/><data id="FDVActiveDirectoryBackupDropDown_Name" value="zz"/><data id="FDVRequireActiveDirectoryBackup_Name" value="xx"/>
```
@ -640,7 +640,7 @@ The following diagram shows the BitLocker configuration service provider in tree
<p style="margin-left: 20px">Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML:</p>
``` syntax
```xml
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
@ -696,13 +696,13 @@ The following diagram shows the BitLocker configuration service provider in tree
<p style="margin-left: 20px">Sample value for this node to enable this policy is:</p>
``` syntax
```xml
<enabled/>
```
<p style="margin-left: 20px">If you disable or do not configure this setting, all fixed data drives on the computer will be mounted with read and write access. If you want to disable this policy use the following SyncML:</p>
``` syntax
```xml
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
@ -764,7 +764,7 @@ The following diagram shows the BitLocker configuration service provider in tree
<p style="margin-left: 20px">Sample value for this node to enable this policy is:</p>
``` syntax
```xml
<enabled/><data id="RDVCrossOrg" value="xx"/>
```
@ -776,7 +776,7 @@ The following diagram shows the BitLocker configuration service provider in tree
<p style="margin-left: 20px">Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML:</p>
``` syntax
```xml
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
@ -827,7 +827,7 @@ The following diagram shows the BitLocker configuration service provider in tree
- 0 Disables the warning prompt. Starting in Windows 10, version 1803, the value 0 can only be set for Azure Active Directory joined devices. Windows will attempt to silently enable BitLocker for value 0.
- 1 (default) Warning prompt allowed.
``` syntax
```xml
<Replace>
<CmdID>110</CmdID>
<Item>
@ -869,7 +869,7 @@ The expected values for this policy are:
If you want to disable this policy use the following SyncML:
``` syntax
```xml
<Replace>
<CmdID>111</CmdID>
<Item>
@ -887,7 +887,7 @@ If you want to disable this policy use the following SyncML:
The following example is provided to show proper format and should not be taken as a recommendation.
``` syntax
```xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>

28
windows/configuration/kiosk-shelllauncher.md
View File

@ -110,7 +110,7 @@ The following XML sample works for **Shell Launcher v1**:
</ShellLauncherConfiguration>
```
For **Shell Launcher v2**, you will use a different schema reference and a different app type for `Shell`, as shown in the following example.
For **Shell Launcher v2**, you can use UWP app type for `Shell` by specifying the v2 namespace, and use `v2:AppType` to specify the type, as shown in the following example. If `v2:AppType` is not specified, it implies the shell is Win32 app.
```
<?xml version="1.0" encoding="utf-8"?>
@ -138,7 +138,7 @@ In your MDM service, you can create a [custom OMA-URI setting](https://docs.micr
The OMA-URI path is `./Device/Vendor/MSFT/AssignedAccess/ShellLauncher`.
For the value, you can select data type `String` and paste the desired configuration file content into the value box. If you wish to upload the xml instead of pasting the content, choose data type `String (XML file)` instead.
For the value, you can select data type `String` and paste the desired configuration file content into the value box. If you wish to upload the xml instead of pasting the content, choose data type `String (XML file)`.
![Screenshot of custom OMA-URI settings](images/slv2-oma-uri.png)
@ -282,3 +282,27 @@ $IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled()
"`nEnabled is set to " + $IsShellLauncherEnabled.Enabled
```
## default action, custom action, exit code
Shell launcher defines 4 actions to handle app exits, you can customize shell launcher and use these actions based on different exit code.
Value|Description
--- | ---
0|Restart the shell
1|Restart the device
2|Shut down the device
3|Do nothing
These action can be used as default action, or can be mapped to a specific exit code. Refer to [Shell Launcher](https://docs.microsoft.com/en-us/windows-hardware/customize/enterprise/wesl-usersettingsetcustomshell) to see how these codes with Shell Launcher WMI.
To configure these action with Shell Launcher CSP, use below syntax in the shell launcher configuration xml. You can specify at most 4 custom actions mapping to 4 exit codes, and one default action for all other exit codes. When app exits and if the exit code is not found in the custom action mapping, or there is no default action defined, it will be no-op, i.e. nothing happens. So it's recommeded to at least define DefaultAction. [Get XML examples for different Shell Launcher v2 configurations.](https://github.com/Microsoft/Windows-iotcore-samples/tree/develop/Samples/ShellLauncherV2)
``` xml
<ReturnCodeActions>
<ReturnCodeAction ReturnCode="0" Action="RestartShell"/>
<ReturnCodeAction ReturnCode="-1" Action="RestartDevice"/>
<ReturnCodeAction ReturnCode="255" Action="ShutdownDevice"/>
<ReturnCodeAction ReturnCode="1" Action="DoNothing"/>
</ReturnCodeActions>
<DefaultAction Action="RestartDevice"/>
```

3
windows/deployment/upgrade/troubleshoot-upgrade-readiness.md
View File

@ -1,3 +0,0 @@
---
redirect_url: /windows/deployment/update/windows-analytics-FAQ-troubleshooting
---

9
windows/deployment/upgrade/upgrade-readiness-release-notes.md
View File

@ -1,9 +0,0 @@
---
title: Upgrade Readiness release notes (Windows 10)
ms.reviewer:
manager: laurawi
ms.author: greglin
author: greg-lindsay
description: Provides tips and limitations about Upgrade Readiness.
redirect_url: https://docs.microsoft.com/windows/deployment/upgrade/upgrade-readiness-requirements#important-information-about-this-release
---

2
windows/deployment/vda-subscription-activation.md
View File

@ -42,7 +42,7 @@ Deployment instructions are provided for the following scenarios:
### Scenario 2
- The Hyper-V host and the VM are both running Windows 10, version 1803 or later.
[Inherited Activation](https://docs.microsoft.com/windows/deployment/windows-10-subscription-activation#inherited-activation) is enabled. All VMs created by a user with a Windows 10 E3 or E5 license are automatically activated independent of whether a user signs in iwth a local account or using an Azure Active Directory account.
[Inherited Activation](https://docs.microsoft.com/windows/deployment/windows-10-subscription-activation#inherited-activation) is enabled. All VMs created by a user with a Windows 10 E3 or E5 license are automatically activated independent of whether a user signs in with a local account or using an Azure Active Directory account.
### Scenario 3
- The VM is running Windows 10, version 1703 or 1709, or the hoster is not an authorized [QMTH](https://www.microsoft.com/en-us/CloudandHosting/licensing_sca.aspx) partner.

11
windows/deployment/windows-autopilot/existing-devices.md
View File

@ -19,12 +19,12 @@ ms.topic: article
**Applies to: Windows 10**
Modern desktop management with Windows Autopilot enables you to easily deploy the latest version of Windows 10 to your existing devices. The apps you need for work can be automatically installed. Your work profile is synchronized, so you can resume working right away.
Modern desktop deployment with Windows Autopilot enables you to easily deploy the latest version of Windows 10 to your existing devices. The apps you need for work can be automatically installed. Your work profile is synchronized, so you can resume working right away.
This topic describes how to convert Windows 7 or Windows 8.1 domain-joined computers to Azure Active Directory-joined computers running Windows 10 by using Windows Autopilot.
This topic describes how to convert Windows 7 or Windows 8.1 domain-joined computers to Windows 10 devices joined to either Azure Active Directory or Active Directory (Hybrid Azure AD Join) by using Windows Autopilot.
>[!NOTE]
>Windows Autopilot for existing devices only supports user-driven Azure Active Directory profiles. Hybrid AAD joined devices and self-deploying profiles are not supported.
>Windows Autopilot for existing devices only supports user-driven Azure Active Directory and Hybrid Azure AD profiles. Self-deploying profiles are not supported.
## Prerequisites
@ -117,7 +117,7 @@ See the following examples.
| CloudAssignedTenantId (guid, required) | The Azure Active Directory tenant ID that should be used. This is the GUID for the tenant, and can be found in properties of the tenant. The value should not include braces. |
| CloudAssignedTenantDomain (string, required) | The Azure Active Directory tenant name that should be used, e.g. tenant.onmicrosoft.com. |
| CloudAssignedOobeConfig (number, required) | This is a bitmap that shows which Autopilot settings were configured. Values include: SkipCortanaOptIn = 1, OobeUserNotLocalAdmin = 2, SkipExpressSettings = 4, SkipOemRegistration = 8, SkipEula = 16 |
| CloudAssignedDomainJoinMethod (number, required) | This property should be set to 0 and specifies that the device should join Azure AD. |
| CloudAssignedDomainJoinMethod (number, required) | This property specifies whether the device should join Azure Active Directory or Active Directory (Hybrid Azure AD Join). Values include: Active AD Join = 0, Hybrid Azure AD Join = 1 |
| CloudAssignedForcedEnrollment (number, required) | Specifies that the device should require AAD Join and MDM enrollment. <br>0 = not required, 1 = required. |
| ZtdCorrelationId (guid, required) | A unique GUID (without braces) that will be provided to Intune as part of the registration process. ZtdCorrelationId will be included in enrollment message as “OfflineAutoPilotEnrollmentCorrelator”. This attribute will be present only if the enrollment is taking place on a device registered with Zero Touch Provisioning via offline registration. |
| CloudAssignedAadServerData (encoded JSON string, required) | An embedded JSON string used for branding. It requires AAD corp branding enabled. <br> Example value: "CloudAssignedAadServerData": "{\"ZeroTouchConfig\":{\"CloudAssignedTenantUpn\":\"\",\"CloudAssignedTenantDomain\":\"tenant.onmicrosoft.com\"}}" |
@ -301,6 +301,9 @@ The Task Sequence will download content, reboot, format the drives and install W
![refresh-2](images/up-2.png)
![refresh-3](images/up-3.png)
>[!NOTE]
>If joining devices to Active Directory (Hybrid Azure AD Join), it is necessary to create a Domain Join device configuration profile that is targeted to "All Devices" (since there is no Azure Active Directory device object for the computer to do group-based targeting). See [User-driven mode for hybrid Azure Active Directory join](https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/user-driven#user-driven-mode-for-hybrid-azure-active-directory-join) for more information.
### Register the device for Windows Autopilot
Devices provisioned through Autopilot will only receive the guided OOBE Autopilot experience on first boot. Once updated to Windows 10, the device should be registered to ensure a continued Autopilot experience in the event of PC reset. You can enable automatic registration for an assigned group using the **Convert all targeted devices to Autopilot** setting. For more information, see [Create an Autopilot deployment profile](https://docs.microsoft.com/intune/enrollment-autopilot#create-an-autopilot-deployment-profile).

4
windows/privacy/manage-windows-1809-endpoints.md
View File

@ -457,6 +457,10 @@ If you [turn off traffic for these endpoints](manage-connections-from-windows-op
| svchost | HTTPS | *.update.microsoft.com |
| svchost | HTTPS | *.delivery.mp.microsoft.com |
These are dependent on enabling:
- [Device authentication](manage-windows-1809-endpoints.md#device-authentication)
- [Microsoft account](manage-windows-1809-endpoints.md#microsoft-account)
The following endpoint is used for content regulation.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly downloaded or not downloaded at all.

2
windows/security/identity-protection/credential-guard/additional-mitigations.md
View File

@ -334,7 +334,7 @@ write-host "There are no issuance policies which are not mapped to groups"
Save the script file as set-IssuancePolicyToGroupLink.ps1.
``` syntax
```powershell
#######################################
## Parameters to be defined ##
## by the user ##

8
windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
View File

@ -85,7 +85,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong,
| A | The provisioning application hosted in the Cloud Experience Host (CXH) starts provisioning by requesting an access token for the Azure Device Registration Service (ADRS). The application makes the request using the Azure Active Directory Web Account Manager plug-in.<br>Users must provide two factors of authentication. In this phase, the user has already provided one factor of authentication, typically user name and password. Azure MFA services provides the second factor of authentication. If the user has performed Azure MFA within the last 10 minutes, such as when registering the device from the out-of-box-experience (OOBE), then they are not prompted for MFA because the current MFA remains valid.<br>Azure Active Directory validates the access token request and the MFA claim associated with it, creates an ADRS access token, and returns it to the application. |
| B | After receiving a ADRS access token, the application detects if the device has a Windows Hello biometric compatible sensor. If the application detects a biometric sensor, it gives the user the choice to enroll biometrics. After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics). The user provides and confirms their PIN. Next, the application requests a Windows Hello for Business key pair from the key pre-generation pool, which includes attestation data. This is the user key (ukpub/ukpriv). |
| C | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration. Azure DRS validates the MFA claim remains current. On successful validation, Azure DRS locates the user's object in Azure Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Azure Active Directory returns a key ID to the application, which represents the end of user key registration. |
| D | The certificate request portion of provisioning begins after the application receives a successful response from key registration. The application creates a PKCS#10 certificate request. The key used in the certificate request is the same key that was securely provisioned.<br> The application sends the certificate request, which includes the public key, to the certificate registration authority hosted on the Active Directory Federation Services (AD FS) farm.<br> After receiving the certificate request, the certificate registration authority queries Active Directory for the msDS-KeyCredentailsLink for a list of registered public keys. |
| D | The certificate request portion of provisioning begins after the application receives a successful response from key registration. The application creates a PKCS#10 certificate request. The key used in the certificate request is the same key that was securely provisioned.<br> The application sends the certificate request, which includes the public key, to the certificate registration authority hosted on the Active Directory Federation Services (AD FS) farm.<br> After receiving the certificate request, the certificate registration authority queries Active Directory for the msDS-KeyCredentialsLink for a list of registered public keys. |
| E | The registration authority validates the public key in the certificate request matches a registered key for the user.<br> If the public key in the certificate is not found in the list of registered public keys, certificate enrollment is deferred until Phase F completes. The application is informed of the deferment and exits to the user's desktop. The automatic certificate enrollment client triggers the Azure AD Web Account Manager plug-in to retry the certificate enrollment at 24, 85, 145, 205, 265, and 480 minutes after phase C successfully completes. The user must remain signed in for automatic certificate enrollment to trigger certificate enrollment. If the user signs out, automatic certificate enrollment is triggered approximately 30 minutes after the user's next sign in.<br> After validating the public key, the registration authority signs the certificate request using its enrollment agent certificate. |
| G | The registration authority sends the certificate request to the enterprise issuing certificate authority. The certificate authority validates the certificate request is signed by a valid enrollment agent and, on success, issues a certificate and returns it to the registration authority that then returns the certificate to the application. |
| H | The application receives the newly issued certificate and installs the it into the Personal store of the user. This signals the end of provisioning. |
@ -105,7 +105,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong,
| A | The provisioning application hosted in the Cloud Experience Host (CXH) starts provisioning by requesting an access token for the Azure Device Registration Service (ADRS). The application makes the request using the Azure Active Directory Web Account Manager plug-in.<br>Users must provide two factors of authentication. In this phase, the user has already provided one factor of authentication, typically user name and password. Azure MFA services provides the second factor of authentication. If the user has performed Azure MFA within the last 10 minutes, such as when registering the device from the out-of-box-experience (OOBE), then they are not prompted for MFA because the current MFA remains valid.<br>Azure Active Directory validates the access token request and the MFA claim associated with it, creates an ADRS access token, and returns it to the application. |
| B | After receiving a ADRS access token, the application detects if the device has a Windows Hello biometric compatible sensor. If the application detects a biometric sensor, it gives the user the choice to enroll biometrics. After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics). The user provides and confirms their PIN. Next, the application requests a Windows Hello for Business key pair from the key pre-generation pool, which includes attestation data. This is the user key (ukpub/ukpriv). |
| C | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration. Azure DRS validates the MFA claim remains current. On successful validation, Azure DRS locates the user's object in Azure Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Azure Active Directory returns a key ID and a key receipt to the application, which represents the end of user key registration. |
| D | The certificate request portion of provisioning begins after the application receives a successful response from key registration. The application creates a PKCS#10 certificate request. The key used in the certificate request is the same key that was securely provisioned.<br> The application sends the key receipt and certificate request, which includes the public key, to the certificate registration authority hosted on the Active Directory Federation Services (AD FS) farm.<br> After receiving the certificate request, the certificate registration authority queries Active Directory for the msDS-KeyCredentailsLink for a list of registered public keys. |
| D | The certificate request portion of provisioning begins after the application receives a successful response from key registration. The application creates a PKCS#10 certificate request. The key used in the certificate request is the same key that was securely provisioned.<br> The application sends the key receipt and certificate request, which includes the public key, to the certificate registration authority hosted on the Active Directory Federation Services (AD FS) farm.<br> After receiving the certificate request, the certificate registration authority queries Active Directory for the msDS-KeyCredentialsLink for a list of registered public keys. |
| E | The registration authority validates the public key in the certificate request matches a registered key for the user.<br> If the public key in the certificate is not found in the list of registered public keys, it then validates the key receipt to confirm the key was securely registered with Azure.<br>After validating the key receipt or public key, the registration authority signs the certificate request using its enrollment agent certificate. |
| F | The registration authority sends the certificate request to the enterprise issuing certificate authority. The certificate authority validates the certificate request is signed by a valid enrollment agent and, on success, issues a certificate and returns it to the registration authority that then returns the certificate to the application. |
| G | The application receives the newly issued certificate and installs the it into the Personal store of the user. This signals the end of provisioning. |
@ -124,7 +124,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong,
| A | The provisioning application hosted in the Cloud Experience Host (CXH) starts provisioning by requesting an access token for the Azure Device Registration Service (ADRS). The application makes the request using the Azure Active Directory Web Account Manager plug-in.<br> In a federated environment, the plug-in sends the token request to the on-premises STS, such as Active Directory Federation Services. The on-premises STS authenticates the user and determines if the user should perform another factor of authentication.<br>Users must provide two factors of authentication. In this phase, the user has already provided one factor of authentication, typically user name and password. Azure MFA services (or a third party MFA service) provides the second factor of authentication.<br> The on-premises STS server issues a enterprise token on successful MFA. The application sends the token to Azure Active Directory.<br>Azure Active Directory validates the access token request and the MFA claim associated with it, creates an ADRS access token, and returns it to the application. |
| B | After receiving a ADRS access token, the application detects if the device has a Windows Hello biometric compatible sensor. If the application detects a biometric sensor, it gives the user the choice to enroll biometrics. After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics). The user provides and confirms their PIN. Next, the application requests a Windows Hello for Business key pair from the key pre-generation pool, which includes attestation data. This is the user key (ukpub/ukpriv). |
| C | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration. Azure DRS validates the MFA claim remains current. On successful validation, Azure DRS locates the user's object in Azure Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Azure Active Directory returns a key ID and a key receipt to the application, which represents the end of user key registration. |
| D | The certificate request portion of provisioning begins after the application receives a successful response from key registration. The application creates a PKCS#10 certificate request. The key used in the certificate request is the same key that was securely provisioned.<br> The application sends the key receipt and certificate request, which includes the public key, to the certificate registration authority hosted on the Active Directory Federation Services (AD FS) farm.<br> After receiving the certificate request, the certificate registration authority queries Active Directory for the msDS-KeyCredentailsLink for a list of registered public keys. |
| D | The certificate request portion of provisioning begins after the application receives a successful response from key registration. The application creates a PKCS#10 certificate request. The key used in the certificate request is the same key that was securely provisioned.<br> The application sends the key receipt and certificate request, which includes the public key, to the certificate registration authority hosted on the Active Directory Federation Services (AD FS) farm.<br> After receiving the certificate request, the certificate registration authority queries Active Directory for the msDS-KeyCredentialsLink for a list of registered public keys. |
| E | The registration authority validates the public key in the certificate request matches a registered key for the user.<br> If the public key in the certificate is not found in the list of registered public keys, it then validates the key receipt to confirm the key was securely registered with Azure.<br>After validating the key receipt or public key, the registration authority signs the certificate request using its enrollment agent certificate. |
| F | The registration authority sends the certificate request to the enterprise issuing certificate authority. The certificate authority validates the certificate request is signed by a valid enrollment agent and, on success, issues a certificate and returns it to the registration authority that then returns the certificate to the application. |
| G | The application receives the newly issued certificate and installs the it into the Personal store of the user. This signals the end of provisioning. |
@ -152,7 +152,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong,
|A| The provisioning application hosted in the Cloud Experience Host (CXH) starts provisioning by requesting an access token for the Enterprise Device Registration Service (EDRS). The application makes the request using the Azure Active Directory Web Account Manager plug-in.<br> In an on-premises deployment, the plug-in sends the token request to the on-premises STS, such as Active Directory Federation Services. The on-premises STS authenticates the user and determines if the user should perform another factor of authentication.<br>Users must provide two factors of authentication. In this phase, the user has already provided one factor of authentication, typically user name and password. Azure MFA server (or a third party MFA service) provides the second factor of authentication.<br> The on-premises STS server issues a enterprise DRS token on successful MFA.|
| B| After receiving a EDRS access token, the application detects if the device has a Windows Hello biometric compatible sensor. If the application detects a biometric sensor, it gives the user the choice to enroll biometrics. After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics). The user provides and confirms their PIN. Next, the application requests a Windows Hello for Business key pair from the key pre-generation pool, which includes attestation data. This is the user key (ukpub/ukpriv).|
|C | The application sends the EDRS token, ukpub, attestation data, and device information to the Enterprise DRS for user key registration. Enterprise DRS validates the MFA claim remains current. On successful validation, the Enterprise DRS locates the user's object in Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. The Enterprise DRS returns a key ID to the application, which represents the end of user key registration.|
|D | The certificate request portion of provisioning begins after the application receives a successful response from key registration. The application creates a PKCS#10 certificate request. The key used in the certificate request is the same key that was securely provisioned.<br> The application sends the certificate request, which includes the public key, to the certificate registration authority hosted on the Active Directory Federation Services (AD FS) farm.<br> After receiving the certificate request, the certificate registration authority queries Active Directory for the msDS-KeyCredentailsLink for a list of registered public keys.|
|D | The certificate request portion of provisioning begins after the application receives a successful response from key registration. The application creates a PKCS#10 certificate request. The key used in the certificate request is the same key that was securely provisioned.<br> The application sends the certificate request, which includes the public key, to the certificate registration authority hosted on the Active Directory Federation Services (AD FS) farm.<br> After receiving the certificate request, the certificate registration authority queries Active Directory for the msDS-KeyCredentialsLink for a list of registered public keys.|
|E | The registration authority validates the public key in the certificate request matches a registered key for the user.<br> After validating the public key, the registration authority signs the certificate request using its enrollment agent certificate.|
|F |The registration authority sends the certificate request to the enterprise issuing certificate authority. The certificate authority validates the certificate request is signed by a valid enrollment agent and, on success, issues a certificate and returns it to the registration authority that then returns the certificate to the application.|
|G | The application receives the newly issued certificate and installs it into the Personal store of the user. This signals the end of provisioning.|

14
windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md
View File

@ -29,6 +29,9 @@ Your environment is federated and you are ready to configure device registration
> [!IMPORTANT]
> If your environment is not federated, review the [New Installation baseline](hello-hybrid-cert-new-install.md) section of this deployment document to learn how to federate your environment for your Windows Hello for Business deployment.
>[!TIP]
>Refer to the [Tutorial: Configure hybrid Azure Active Directory join for federated domains](https://docs.microsoft.com/azure/active-directory/devices/hybrid-azuread-join-federated-domains) to learn more about setting up Azure Active Directory Connect for a simplified join flow for Azure AD device registration.
Use this three-phased approach for configuring device registration.
1. [Configure devices to register in Azure](#configure-azure-for-device-registration)
2. [Synchronize devices to on-premises Active Directory](#configure-active-directory-to-support-azure-device-synchronization)
@ -42,6 +45,9 @@ Use this three-phased approach for configuring device registration.
>
> You can learn about this and more by reading [Introduction to Device Management in Azure Active Directory.](https://docs.microsoft.com/azure/active-directory/device-management-introduction)
>[!IMPORTANT]
> To use hybrid identity with Azure Active Directory and device WriteBack features, you must use the built-in GUI with the [latest updates for ADConnect](https://www.microsoft.com/download/details.aspx?id=47594).
## Configure Azure for Device Registration
Begin configuring device registration to support Hybrid Windows Hello for Business by configuring device registration capabilities in Azure AD.
@ -66,7 +72,7 @@ To locate the schema master role holder, open and command prompt and type:
![Netdom example output](images/hello-cmd-netdom.png)
The command should return the name of the domain controller where you need to adprep.exe. Update the schema locally on the domain controller hosting the Schema master role.
The command should return the name of the domain controller where you need to run adprep.exe. Update the schema locally on the domain controller hosting the Schema master role.
#### Updating the Schema
@ -130,7 +136,6 @@ If your AD FS farm is not already configured for Device Authentication (you can
The above PSH creates the following objects:
- RegisteredDevices container under the AD domain partition
- Device Registration Service container and object under Configuration --> Services --> Device Registration Configuration
- Device Registration Service DKM container and object under Configuration --> Services --> Device Registration Configuration
@ -278,7 +283,8 @@ The definition helps you to verify whether the values are present or if you need
**`http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid`** - This claim must contain the Uniform Resource Identifier (URI) of any of the verified domain names that connect with the on-premises federation service (AD FS or 3rd party) issuing the token. In AD FS, you can add issuance transform rules that look like the ones below in that specific order after the ones above. Please note that one rule to explicitly issue the rule for users is necessary. In the rules below, a first rule identifying user vs. computer authentication is added.
@RuleName = "Issue account type with the value User when its not a computer"
@RuleName = "Issue account type with the value User when it is not a computer"
NOT EXISTS(
[
Type == "http://schemas.microsoft.com/ws/2012/01/accounttype",
@ -473,6 +479,7 @@ The following script helps you with the creation of the issuance transform rules
Set-AdfsRelyingPartyTrust -TargetIdentifier urn:federation:MicrosoftOnline -IssuanceTransformRules $crSet.ClaimRulesString
#### Remarks
- This script appends the rules to the existing rules. Do not run the script twice because the set of rules would be added twice. Make sure that no corresponding rules exist for these claims (under the corresponding conditions) before running the script again.
@ -512,7 +519,6 @@ For your reference, below is a comprehensive list of the AD DS devices, containe
> [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md)
<br>
<hr>
## Follow the Windows Hello for Business hybrid certificate trust deployment guide

8
windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md
View File

@ -22,6 +22,10 @@ The ideal for BitLocker management is to eliminate the need for IT admins to set
Though much Windows BitLocker [documentation](bitlocker-overview.md) has been published, customers frequently ask for recommendations and pointers to specific, task-oriented documentation that is both easy to digest and focused on how to deploy and manage BitLocker. This article links to relevant documentation, products, and services to help answer this and other related frequently-asked questions, and also provides BitLocker recommendations for different types of computers.
>[!IMPORTANT]
> Microsoft BitLocker Administration and Monitoring (MBAM) capabilities will be offered from [SCCM in on-prem scenarios](https://docs.microsoft.com/microsoft-desktop-optimization-pack/mbam-v25/viewing-mbam-25-reports-for-the-configuration-manager-integration-topology) in the future.
## Managing domain-joined computers and moving to cloud
Companies that image their own computers using Microsoft System Center 2012 Configuration Manager SP1 (SCCM) or later can use an existing task sequence to [pre-provision BitLocker](https://technet.microsoft.com/library/hh846237.aspx#BKMK_PreProvisionBitLocker) encryption while in Windows Preinstallation Environment (WinPE) and can then [enable protection](https://technet.microsoft.com/library/hh846237.aspx#BKMK_EnableBitLocker). This can help ensure that computers are encrypted from the start, even before users receive them. As part of the imaging process, a company could also decide to use SCCM to pre-set any desired [BitLocker Group Policy](https://technet.microsoft.com/library/ee706521(v=ws.10).aspx).
@ -132,8 +136,10 @@ PS C:\> Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 -UsedSpace
<br />
<a id="powershell"></a>
**Powershell**
# **PowerShell**
[BitLocker cmdlets for Windows PowerShell](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md#bitlocker-cmdlets-for-windows-powershell)

2
windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md
View File

@ -61,7 +61,7 @@ To lower down your threat and vulnerability exposure:
> There are two types of recommendations:
> - <i>Security update</i> which refers to recommendations that require a package installation
> - <i>Configuration</i> change which refers to recommendations that require a registry or GPO modification
> Always prioritize recommendations that are associated with ongoing threats. These recommendations are marked with the threat insight ![threat insight](images/tvm_bug_icon.png) icon.
> Always prioritize recommendations that are associated with ongoing threats. These recommendations are marked with the threat insight ![threat insight](images/tvm_bug_icon.png) icon or the possible alert activity [possible alert activity](images/tvm_alert_icon.png) icon.
2. In the **Security recommendations** page, you will see the description of what needs to be done and why. It shows the vulnerability details, such as the associated exploits affecting what machines and its business impact. Click **Open software page** option from the flyout menu. ![details in security recommendations page](images/tvm_security_recommendations_page.png)

34
windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md
View File

@ -185,34 +185,34 @@ The following table describes how the wildcards can be used and provides some ex
<table>
<tr>
<th>Wildcard</th>
<th>Use in file and file extension exclusions</th>
<th>Use in file name and file extension exclusions</th>
<th>Use in folder exclusions</th>
<th>Example use</th>
<th>Example matches&gt;</th>
<th>Example matches</th>
</tr>
<tr>
<td><b><em></b> (asterisk)</td>
<td><b>*</b> (asterisk)</td>
<td>Replaces any number of characters. <br />Only applies to files in the last folder defined in the argument. </td>
<td>Replaces a single folder. <br />Use multiple <b></em></b> with folder slashes <b>\</b> to indicate multiple, nested folders. </br>After matching to the number of wilcarded and named folders, all subfolders will also be included.</td>
<td>Replaces a single folder. <br />Use multiple <b>*</b> with folder slashes <b>\</b> to indicate multiple, nested folders. </br>After matching the number of wilcarded and named folders, all subfolders will also be included.</td>
<td>
<ol>
<li>C:\MyData\<b><em></b>.txt</li>
<li>C:\somepath\<b></em></b>\Data</li>
<li>C:\Serv\<b><em></b>\<b></em></b>\Backup
<li>C:\MyData\<b>*</b>.txt</li>
<li>C:\somepath\<b>*</b>\Data</li>
<li>C:\Serv\<b>*</b>\<b>*</b>\Backup
</ol>
</td>
<td>
<ol>
<li><i>C:\MyData\<b>notes</b>.txt</i></li>
<li>C:\MyData\<b>notes</b>.txt</li>
<li>Any file in:
<ul>
<li><i>C:\somepath\<b>Archives</b>\Data</i> and its subfolders</li>
<li><i>C:\somepath\<b>Authorized</b>\Data</i> and its subfolders</li>
<li>C:\somepath\<b>Archives</b>\Data and its subfolders</li>
<li>C:\somepath\<b>Authorized</b>\Data and its subfolders</li>
</ul>
<li>Any file in:
<ul>
<li><i>C:\Serv\<b>Primary</b>\<b>Denied</b>\Backup</i> and its subfolders</li>
<li><i>C:\Serv\<b>Secondary</b>\<b>Allowed</b>\Backup</i> and its subfolders</li>
<li>C:\Serv\<b>Primary</b>\<b>Denied</b>\Backup and its subfolders</li>
<li>C:\Serv\<b>Secondary</b>\<b>Allowed</b>\Backup and its subfolders</li>
</ul>
</ol>
</td>
@ -227,7 +227,7 @@ The following table describes how the wildcards can be used and provides some ex
</td>
<td>
Replaces a single character in a folder name. </br>
After matching to the number of wilcarded and named folders, all subfolders will also be included.
After matching the number of wilcarded and named folders, all subfolders will also be included.
</td>
<td>
<ol>
@ -238,9 +238,9 @@ The following table describes how the wildcards can be used and provides some ex
</td>
<td>
<ol>
<li><i>C:\MyData\my<b>1</b>.zip</i></li>
<li>Any file in <i>C:\somepath\<b>P</b>\Data</i> and its subfolders</li>
<li>Any file in <i>C:\somepath\test0<b>1</b>\Data</i> and its subfolders</li>
<li>C:\MyData\my<b>1</b>.zip</li>
<li>Any file in C:\somepath\<b>P</b>\Data and its subfolders</li>
<li>Any file in C:\somepath\test0<b>1</b>\Data and its subfolders</li>
</ol>
</td>
</tr>
@ -255,7 +255,7 @@ The following table describes how the wildcards can be used and provides some ex
</td>
<td>
<ol>
<li><i><b>C:\ProgramData</b>\CustomLogFiles\Folder1\file1.txt</i></li>
<li><b>C:\ProgramData</b>\CustomLogFiles\Folder1\file1.txt</li>
</ol>
</td>
</tr>

1
windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
View File

@ -70,6 +70,7 @@ You can set several rule options within a WDAC policy. Table 2 describes each ru
| **14 Enabled:Intelligent Security Graph Authorization** | Use this option to automatically allow applications with "known good" reputation as defined by Microsofts Intelligent Security Graph (ISG). |
| **15 Enabled:Invalidate EAs on Reboot** | When the Intelligent Security Graph option (14) is used, WDAC sets an extended file attribute that indicates that the file was authorized to run. This option will cause WDAC to periodically re-validate the reputation for files that were authorized by the ISG.|
| **16 Enabled:Update Policy No Reboot** | Use this option to allow future WDAC policy updates to apply without requiring a system reboot. |
| **17 Enabled:Dynamic Code Security** | Enables policy enforcement for .NET applications and dynamically-loaded libraries. |
## Windows Defender Application Control file rule levels

3
windows/threat-protection/index.md
View File

@ -1,3 +0,0 @@
---
redirect_url: https://docs.microsoft.com/windows/security/threat-protection/
---