diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json index f897a39dbc..6dbc487f58 100644 --- a/.openpublishing.publish.config.json +++ b/.openpublishing.publish.config.json 
@@ -4,81 +4,9 @@ "need_generate_intellisense": false, "docsets_to_publish": [ { - "docset_name": "education", - "build_source_folder": "education", - "build_output_subfolder": "education", - "locale": "en-us", - "monikers": [], - "open_to_public_contributors": true, - "type_mapping": { - "Conceptual": "Content" - }, - "build_entry_point": "docs", - "template_folder": "_themes", - "version": 0 - }, - { - "docset_name": "internet-explorer", - "build_source_folder": "browsers/internet-explorer", - "build_output_subfolder": "browsers/internet-explorer", - "locale": "en-us", - "monikers": [], - "open_to_public_contributors": true, - "type_mapping": { - "Conceptual": "Content" - }, - "build_entry_point": "docs", - "template_folder": "_themes", - "version": 0 - }, - { - "docset_name": "itpro-hololens", - "build_source_folder": "devices/hololens", - "build_output_subfolder": "devices/hololens", - "locale": "en-us", - "monikers": [], - "open_to_public_contributors": true, - "type_mapping": { - "Conceptual": "Content", - "ManagedReference": "Content", - "RestApi": "Content" - }, - "build_entry_point": "docs", - "template_folder": "_themes", - "version": 0 - }, - { - "docset_name": "mdop", + "docset_name": "mdop-VSTS", "build_source_folder": "mdop", - "build_output_subfolder": "mdop", - "locale": "en-us", - "monikers": [], - "open_to_public_contributors": true, - "type_mapping": { - "Conceptual": "Content" - }, - "build_entry_point": "docs", - "template_folder": "_themes", - "version": 0 - }, - { - "docset_name": "microsoft-edge", - "build_source_folder": "browsers/edge", - "build_output_subfolder": "browsers/edge", - "locale": "en-us", - "monikers": [], - "open_to_public_contributors": true, - "type_mapping": { - "Conceptual": "Content" - }, - "build_entry_point": "docs", - "template_folder": "_themes", - "version": 0 - }, - { - "docset_name": "smb", - "build_source_folder": "smb", - "build_output_subfolder": "smb", + "build_output_subfolder": "mdop-VSTS", "locale": "en-us", 
"monikers": [], "open_to_public_contributors": true, 
@@ -92,216 +20,12 @@ "version": 0 }, { - "docset_name": "store-for-business", - "build_source_folder": "store-for-business", - "build_output_subfolder": "store-for-business", - "locale": "en-us", - "monikers": [], - "open_to_public_contributors": true, - "type_mapping": { - "Conceptual": "Content", - "ManagedReference": "Content", - "RestApi": "Content" - }, - "build_entry_point": "docs", - "template_folder": "_themes", - "version": 0 - }, - { - "docset_name": "surface", - "build_source_folder": "devices/surface", - "build_output_subfolder": "devices/surface", - "locale": "en-us", - "monikers": [], - "open_to_public_contributors": true, - "type_mapping": { - "Conceptual": "Content" - }, - "build_entry_point": "docs", - "template_folder": "_themes", - "version": 0 - }, - { - "docset_name": "surface-hub", - "build_source_folder": "devices/surface-hub", - "build_output_subfolder": "devices/surface-hub", - "locale": "en-us", - "monikers": [], - "open_to_public_contributors": true, - "type_mapping": { - "Conceptual": "Content" - }, - "build_entry_point": "docs", - "template_folder": "_themes", - "version": 0 - }, - { - "docset_name": "win-access-protection", - "build_source_folder": "windows/access-protection", - "build_output_subfolder": "win-access-protection", - "locale": "en-us", - "monikers": [], - "open_to_public_contributors": true, - "type_mapping": { - "Conceptual": "Content", - "ManagedReference": "Content", - "RestApi": "Content" - }, - "build_entry_point": "docs", - "template_folder": "_themes", - "version": 0 - }, - { - "docset_name": "win-app-management", - "build_source_folder": "windows/application-management", - "build_output_subfolder": "win-app-management", - "locale": "en-us", - "monikers": [], - "open_to_public_contributors": true, - "type_mapping": { - "Conceptual": "Content", - "ManagedReference": "Content", - "RestApi": "Content" - }, - "build_entry_point": "docs", - "template_folder": "_themes", - "version": 0 - }, - { - "docset_name": 
"win-client-management", - "build_source_folder": "windows/client-management", - "build_output_subfolder": "win-client-management", - "locale": "en-us", - "monikers": [], - "open_to_public_contributors": true, - "type_mapping": { - "Conceptual": "Content", - "ManagedReference": "Content", - "RestApi": "Content" - }, - "build_entry_point": "docs", - "template_folder": "_themes", - "version": 0 - }, - { - "docset_name": "win-configuration", - "build_source_folder": "windows/configuration", - "build_output_subfolder": "win-configuration", - "locale": "en-us", - "monikers": [], - "open_to_public_contributors": true, - "type_mapping": { - "Conceptual": "Content", - "ManagedReference": "Content", - "RestApi": "Content" - }, - "build_entry_point": "docs", - "template_folder": "_themes", - "version": 0 - }, - { - "docset_name": "win-development", - "build_source_folder": "windows/deployment", - "build_output_subfolder": "win-development", - "locale": "en-us", - "monikers": [], - "open_to_public_contributors": true, - "type_mapping": { - "Conceptual": "Content", - "ManagedReference": "Content", - "RestApi": "Content" - }, - "build_entry_point": "docs", - "template_folder": "_themes", - "version": 0 - }, - { - "docset_name": "win-device-security", - "build_source_folder": "windows/device-security", - "build_output_subfolder": "win-device-security", - "locale": "en-us", - "monikers": [], - "open_to_public_contributors": true, - "type_mapping": { - "Conceptual": "Content", - "ManagedReference": "Content", - "RestApi": "Content" - }, - "build_entry_point": "docs", - "template_folder": "_themes", - "version": 0 - }, - { - "docset_name": "windows-hub", - "build_source_folder": "windows/hub", - "build_output_subfolder": "windows-hub", - "locale": "en-us", - "monikers": [], - "open_to_public_contributors": true, - "type_mapping": { - "Conceptual": "Content", - "ManagedReference": "Content", - "RestApi": "Content" - }, - "build_entry_point": "docs", - "template_folder": "_themes", - 
"version": 0 - }, - { - "docset_name": "win-threat-protection", - "build_source_folder": "windows/threat-protection", - "build_output_subfolder": "win-threat-protection", - "locale": "en-us", - "monikers": [], - "open_to_public_contributors": true, - "type_mapping": { - "Conceptual": "Content", - "ManagedReference": "Content", - "RestApi": "Content" - }, - "build_entry_point": "docs", - "template_folder": "_themes", - "version": 0 - }, - { - "docset_name": "win-whats-new", - "build_source_folder": "windows/whats-new", - "build_output_subfolder": "win-whats-new", - "locale": "en-us", - "monikers": [], - "open_to_public_contributors": true, - "type_mapping": { - "Conceptual": "Content", - "ManagedReference": "Content", - "RestApi": "Content" - }, - "build_entry_point": "docs", - "template_folder": "_themes", - "version": 0 - }, - { - "docset_name": "keep-secure", - "build_source_folder": "windows/keep-secure", - "build_output_subfolder": "keep-secure", - "locale": "en-us", - "monikers": [], - "open_to_public_contributors": false, - "type_mapping": { - "Conceptual": "Content", - "ManagedReference": "Content", - "RestApi": "Content" - }, - "build_entry_point": "docs", - "template_folder": "_themes", - "version": 0 - }, - { - "docset_name": "windows-manage", + "docset_name": "windows-manage-VSTS", "build_source_folder": "windows/manage", - "build_output_subfolder": "windows-manage", + "build_output_subfolder": "windows-manage-VSTS", "locale": "en-us", "monikers": [], - "open_to_public_contributors": false, + "open_to_public_contributors": true, "type_mapping": { "Conceptual": "Content", "ManagedReference": "Content", 
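Review bot: The `windows-manage-VSTS` entry at the end of this hunk flips `"open_to_public_contributors"` from `false` to `true`, and the same flip appears in the later hunks for `windows-plan-VSTS`, `windows-deploy-VSTS` and the entries that take the place of `windows-update` and `windows-configure`. The removed `keep-secure` docset was also `false` and comes back as `keep-secure-VSTS` with `true`, while `bcs-VSTS` alone keeps `false`. Nothing in the visible hunks explains why the earlier per-docset restriction is dropped in bulk. If the restriction was deliberate, keep `"open_to_public_contributors": false,` on those entries; if the widening is intended, it should be stated in the commit description.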
@@ -312,12 +36,76 @@ "version": 0 }, { - "docset_name": "windows-plan", + "docset_name": "smb-VSTS", + "build_source_folder": "smb", + "build_output_subfolder": "smb-VSTS", + "locale": "en-us", + "monikers": [], + "open_to_public_contributors": true, + "type_mapping": { + "Conceptual": "Content", + "ManagedReference": "Content", + "RestApi": "Content" + }, + "build_entry_point": "docs", + "template_folder": "_themes", + "version": 0 + }, + { + "docset_name": "surface-hub-VSTS", + "build_source_folder": "devices/surface-hub", + "build_output_subfolder": "surface-hub-VSTS", + "locale": "en-us", + "monikers": [], + "open_to_public_contributors": true, + "type_mapping": { + "Conceptual": "Content", + "ManagedReference": "Content", + "RestApi": "Content" + }, + "build_entry_point": "docs", + "template_folder": "_themes", + "version": 0 + }, + { + "docset_name": "microsoft-edge-VSTS", + "build_source_folder": "browsers/edge", + "build_output_subfolder": "microsoft-edge-VSTS", + "locale": "en-us", + "monikers": [], + "open_to_public_contributors": true, + "type_mapping": { + "Conceptual": "Content", + "ManagedReference": "Content", + "RestApi": "Content" + }, + "build_entry_point": "docs", + "template_folder": "_themes", + "version": 0 + }, + { + "docset_name": "win-development-VSTS", + "build_source_folder": "windows/deployment", + "build_output_subfolder": "win-development-VSTS", + "locale": "en-us", + "monikers": [], + "open_to_public_contributors": true, + "type_mapping": { + "Conceptual": "Content", + "ManagedReference": "Content", + "RestApi": "Content" + }, + "build_entry_point": "docs", + "template_folder": "_themes", + "version": 0 + }, + { + "docset_name": "windows-plan-VSTS", "build_source_folder": "windows/plan", - "build_output_subfolder": "windows-plan", + "build_output_subfolder": "windows-plan-VSTS", "locale": "en-us", "monikers": [], - "open_to_public_contributors": false, + "open_to_public_contributors": true, "type_mapping": { "Conceptual": "Content", 
"ManagedReference": "Content", @@ -328,12 +116,12 @@ "version": 0 }, { - "docset_name": "windows-update", - "build_source_folder": "windows/update", - "build_output_subfolder": "windows-update", + "docset_name": "win-client-management-VSTS", + "build_source_folder": "windows/client-management", + "build_output_subfolder": "win-client-management-VSTS", "locale": "en-us", "monikers": [], - "open_to_public_contributors": false, + "open_to_public_contributors": true, "type_mapping": { "Conceptual": "Content", "ManagedReference": "Content", @@ -344,12 +132,44 @@ "version": 0 }, { - "docset_name": "windows-deploy", + "docset_name": "win-threat-protection-VSTS", + "build_source_folder": "windows/threat-protection", + "build_output_subfolder": "win-threat-protection-VSTS", + "locale": "en-us", + "monikers": [], + "open_to_public_contributors": true, + "type_mapping": { + "Conceptual": "Content", + "ManagedReference": "Content", + "RestApi": "Content" + }, + "build_entry_point": "docs", + "template_folder": "_themes", + "version": 0 + }, + { + "docset_name": "win-app-management-VSTS", + "build_source_folder": "windows/application-management", + "build_output_subfolder": "win-app-management-VSTS", + "locale": "en-us", + "monikers": [], + "open_to_public_contributors": true, + "type_mapping": { + "Conceptual": "Content", + "ManagedReference": "Content", + "RestApi": "Content" + }, + "build_entry_point": "docs", + "template_folder": "_themes", + "version": 0 + }, + { + "docset_name": "windows-deploy-VSTS", "build_source_folder": "windows/deploy", - "build_output_subfolder": "windows-deploy", + "build_output_subfolder": "windows-deploy-VSTS", "locale": "en-us", "monikers": [], - "open_to_public_contributors": false, + "open_to_public_contributors": true, "type_mapping": { "Conceptual": "Content", "ManagedReference": "Content", 
@@ -360,12 +180,12 @@ "version": 0 }, { - "docset_name": "windows-configure", - "build_source_folder": "windows/configure", - "build_output_subfolder": "windows-configure", + "docset_name": "keep-secure-VSTS", + "build_source_folder": "windows/keep-secure", + "build_output_subfolder": "keep-secure-VSTS", "locale": "en-us", "monikers": [], - "open_to_public_contributors": false, + "open_to_public_contributors": true, "type_mapping": { "Conceptual": "Content", "ManagedReference": "Content", @@ -376,9 +196,57 @@ "version": 0 }, { - "docset_name": "bcs", + "docset_name": "surface-VSTS", + "build_source_folder": "devices/surface", + "build_output_subfolder": "surface-VSTS", + "locale": "en-us", + "monikers": [], + "open_to_public_contributors": true, + "type_mapping": { + "Conceptual": "Content", + "ManagedReference": "Content", + "RestApi": "Content" + }, + "build_entry_point": "docs", + "template_folder": "_themes", + "version": 0 + }, + { + "docset_name": "windows-hub-VSTS", + "build_source_folder": "windows/hub", + "build_output_subfolder": "windows-hub-VSTS", + "locale": "en-us", + "monikers": [], + "open_to_public_contributors": true, + "type_mapping": { + "Conceptual": "Content", + "ManagedReference": "Content", + "RestApi": "Content" + }, + "build_entry_point": "docs", + "template_folder": "_themes", + "version": 0 + }, + { + "docset_name": "internet-explorer-VSTS", + "build_source_folder": "browsers/internet-explorer", + "build_output_subfolder": "internet-explorer-VSTS", + "locale": "en-us", + "monikers": [], + "open_to_public_contributors": true, + "type_mapping": { + "Conceptual": "Content", + "ManagedReference": "Content", + "RestApi": "Content" + }, + "build_entry_point": "docs", + "template_folder": "_themes", + "version": 0 + }, + { + "docset_name": "bcs-VSTS", "build_source_folder": "bcs", - "build_output_subfolder": "bcs", + "build_output_subfolder": "bcs-VSTS", "locale": "en-us", "monikers": [], "open_to_public_contributors": false, 
@@ -390,6 +258,150 @@ "build_entry_point": "docs", "template_folder": "_themes", "version": 0 + }, + { + "docset_name": "win-access-protection-VSTS", + "build_source_folder": "windows/access-protection", + "build_output_subfolder": "win-access-protection-VSTS", + "locale": "en-us", + "monikers": [], + "open_to_public_contributors": true, + "type_mapping": { + "Conceptual": "Content", + "ManagedReference": "Content", + "RestApi": "Content" + }, + "build_entry_point": "docs", + "template_folder": "_themes", + "version": 0 + }, + { + "docset_name": "win-device-security-VSTS", + "build_source_folder": "windows/device-security", + "build_output_subfolder": "win-device-security-VSTS", + "locale": "en-us", + "monikers": [], + "open_to_public_contributors": true, + "type_mapping": { + "Conceptual": "Content", + "ManagedReference": "Content", + "RestApi": "Content" + }, + "build_entry_point": "docs", + "template_folder": "_themes", + "version": 0 + }, + { + "docset_name": "education-VSTS", + "build_source_folder": "education", + "build_output_subfolder": "education-VSTS", + "locale": "en-us", + "monikers": [], + "open_to_public_contributors": true, + "type_mapping": { + "Conceptual": "Content", + "ManagedReference": "Content", + "RestApi": "Content" + }, + "build_entry_point": "docs", + "template_folder": "_themes", + "version": 0 + }, + { + "docset_name": "store-for-business-VSTS", + "build_source_folder": "store-for-business", + "build_output_subfolder": "store-for-business-VSTS", + "locale": "en-us", + "monikers": [], + "open_to_public_contributors": true, + "type_mapping": { + "Conceptual": "Content", + "ManagedReference": "Content", + "RestApi": "Content" + }, + "build_entry_point": "docs", + "template_folder": "_themes", + "version": 0 + }, + { + "docset_name": "win-configuration-VSTS", + "build_source_folder": "windows/configuration", + "build_output_subfolder": "win-configuration-VSTS", + "locale": "en-us", + "monikers": [], + "open_to_public_contributors": true, + 
"type_mapping": { + "Conceptual": "Content", + "ManagedReference": "Content", + "RestApi": "Content" + }, + "build_entry_point": "docs", + "template_folder": "_themes", + "version": 0 + }, + { + "docset_name": "windows-update-VSTS", + "build_source_folder": "windows/update", + "build_output_subfolder": "windows-update-VSTS", + "locale": "en-us", + "monikers": [], + "open_to_public_contributors": true, + "type_mapping": { + "Conceptual": "Content", + "ManagedReference": "Content", + "RestApi": "Content" + }, + "build_entry_point": "docs", + "template_folder": "_themes", + "version": 0 + }, + { + "docset_name": "win-whats-new-VSTS", + "build_source_folder": "windows/whats-new", + "build_output_subfolder": "win-whats-new-VSTS", + "locale": "en-us", + "monikers": [], + "open_to_public_contributors": true, + "type_mapping": { + "Conceptual": "Content", + "ManagedReference": "Content", + "RestApi": "Content" + }, + "build_entry_point": "docs", + "template_folder": "_themes", + "version": 0 + }, + { + "docset_name": "itpro-hololens-VSTS", + "build_source_folder": "devices/hololens", + "build_output_subfolder": "itpro-hololens-VSTS", + "locale": "en-us", + "monikers": [], + "open_to_public_contributors": true, + "type_mapping": { + "Conceptual": "Content", + "ManagedReference": "Content", + "RestApi": "Content" + }, + "build_entry_point": "docs", + "template_folder": "_themes", + "version": 0 + }, + { + "docset_name": "windows-configure-VSTS", + "build_source_folder": "windows/configure", + "build_output_subfolder": "windows-configure-VSTS", + "locale": "en-us", + "monikers": [], + "open_to_public_contributors": true, + "type_mapping": { + "Conceptual": "Content", + "ManagedReference": "Content", + "RestApi": "Content" + }, + "build_entry_point": "docs", + "template_folder": "_themes", + "version": 0 } ], "notification_subscribers": [ 
@@ -398,7 +410,7 @@ "branches_to_filter": [ "" ], - "git_repository_url_open_to_public_contributors": "https://github.com/Microsoft/win-cpub-itpro-docs", + "git_repository_url_open_to_public_contributors": "https://cpubwin.visualstudio.com/_git/it-client", "skip_source_output_uploading": false, "need_preview_pull_request": true, "dependent_repositories": [ @@ -428,9 +440,9 @@ "Publish", "Pdf" ] - }, "need_generate_pdf_url_template": true, + "resolve_user_profile_using_github": true, "Targets": { "Pdf": { "template_folder": "_themes.pdf" diff --git a/bcs/docfx.json b/bcs/docfx.json index 9901c08bd0..4e3f166ece 100644 --- a/bcs/docfx.json +++ b/bcs/docfx.json @@ -29,7 +29,13 @@ ], "overwrite": [], "externalReference": [], - "globalMetadata": {}, + "globalMetadata": { + "_op_documentIdPathDepotMapping": { + "./": { + "depot_name": "TechNet.bcs" + } + } + }, "fileMetadata": {}, "template": [], "dest": "bcs" diff --git a/browsers/edge/docfx.json b/browsers/edge/docfx.json index 48a4dd1620..a699361d13 100644 --- a/browsers/edge/docfx.json +++ b/browsers/edge/docfx.json @@ -19,7 +19,13 @@ "ROBOTS": "INDEX, FOLLOW", "ms.technology": "microsoft-edge", "ms.topic": "article", - "ms.author": "lizross" + "ms.author": "lizross", + "ms.date": "04/05/2017", + "_op_documentIdPathDepotMapping": { + "./": { + "depot_name": "Win.microsoft-edge" + } + } }, "externalReference": [ ], diff --git a/browsers/internet-explorer/docfx.json b/browsers/internet-explorer/docfx.json index b19b1d7f96..056939a089 100644 --- a/browsers/internet-explorer/docfx.json +++ b/browsers/internet-explorer/docfx.json @@ -20,7 +20,13 @@ "ms.author": "lizross", "author": "eross-msft", "ms.technology": "internet-explorer", - "ms.topic": "article" + "ms.topic": "article", + "ms.date": "04/05/2017", + "_op_documentIdPathDepotMapping": { + "./": { + "depot_name": "Win.internet-explorer" + } + } }, "externalReference": [ ], 
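Review bot: `"git_repository_url_open_to_public_contributors"` now points at `https://cpubwin.visualstudio.com/_git/it-client` instead of the GitHub repository, while nearly every docset in this file is marked `"open_to_public_contributors": true`. Whether external contributors can reach that repository is not visible here; if it requires organisation sign-in, contributor links would end at a login page and the internal repository location may be exposed in published output. The next hunk in this file also adds `"resolve_user_profile_using_github": true`, which looks inconsistent with a contributor repository that is no longer on GitHub. Confirm that both values belong in this branch and are not the configuration of an internal fork.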
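Review bot: The `"ms.date": "04/05/2017"` added to the metadata block of browsers/edge/docfx.json is a single fixed date set at docset level, so it presumably becomes the date of every article that does not carry its own `ms.date`, including pages that were not reviewed on that day. The same line is added in the internet-explorer and hololens docfx.json hunks, and surface-hub gets `"ms.date": "05/23/2017"`. The `MM/DD/YYYY` form is also ambiguous to readers and tools outside en-us. Consider leaving the date to each file's front matter, as the surface-hub markdown hunks in this diff do with `ms.date: 06/19/2017`.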
diff --git a/devices/hololens/docfx.json b/devices/hololens/docfx.json index e3ef216bfb..91c25a934c 100644 --- a/devices/hololens/docfx.json +++ b/devices/hololens/docfx.json @@ -33,7 +33,13 @@ "breadcrumb_path": "/hololens/breadcrumb/toc.json", "ms.technology": "windows", "ms.topic": "article", - "ms.author": "jdecker" + "ms.author": "jdecker", + "ms.date": "04/05/2017", + "_op_documentIdPathDepotMapping": { + "./": { + "depot_name": "Win.itpro-hololens" + } + } }, "fileMetadata": {}, "template": [ diff --git a/devices/surface-hub/TOC.md b/devices/surface-hub/TOC.md index 8e368555cc..240bcc485e 100644 --- a/devices/surface-hub/TOC.md +++ b/devices/surface-hub/TOC.md @@ -31,6 +31,7 @@ #### [Use fully qualified domain name with Surface Hub](use-fully-qualified-domain-name-surface-hub.md) #### [Wireless network management](wireless-network-management-for-surface-hub.md) ### [Install apps on your Surface Hub](install-apps-on-surface-hub.md) +### [Set up and use Whiteboard to Whiteboard collaboration](whiteboard-collaboration.md) ### [End a Surface Hub meeting with End session](i-am-done-finishing-your-surface-hub-meeting.md) ### [Save your BitLocker key](save-bitlocker-key-surface-hub.md) ### [Connect other devices and display with Surface Hub](connect-and-display-with-surface-hub.md) diff --git a/devices/surface-hub/accessibility-surface-hub.md b/devices/surface-hub/accessibility-surface-hub.md index 85230643d9..75d75ecc96 100644 --- a/devices/surface-hub/accessibility-surface-hub.md +++ b/devices/surface-hub/accessibility-surface-hub.md @@ -8,6 +8,8 @@ ms.mktglfcycl: manage ms.pagetype: surfacehub ms.sitesec: library author: jdeckerms +ms.author: jdecker +ms.date: 06/19/2017 localizationpriority: medium --- diff --git a/devices/surface-hub/admin-group-management-for-surface-hub.md b/devices/surface-hub/admin-group-management-for-surface-hub.md index 1e55a9eb16..31c718d2cc 100644 --- a/devices/surface-hub/admin-group-management-for-surface-hub.md 
+++ b/devices/surface-hub/admin-group-management-for-surface-hub.md @@ -8,6 +8,8 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: surfacehub, security author: jdeckerms +ms.author: jdecker +ms.date: 06/19/2017 localizationpriority: medium --- diff --git a/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md b/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md index 4a098672fb..cf0b708c03 100644 --- a/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md +++ b/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md @@ -8,6 +8,8 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: surfacehub author: jdeckerms +ms.author: jdecker +ms.date: 06/19/2017 localizationpriority: medium --- diff --git a/devices/surface-hub/apply-activesync-policies-for-surface-hub-device-accounts.md b/devices/surface-hub/apply-activesync-policies-for-surface-hub-device-accounts.md index 59d826d7f7..216212e22c 100644 --- a/devices/surface-hub/apply-activesync-policies-for-surface-hub-device-accounts.md +++ b/devices/surface-hub/apply-activesync-policies-for-surface-hub-device-accounts.md @@ -8,6 +8,8 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: surfacehub author: jdeckerms +ms.author: jdecker +ms.date: 06/19/2017 localizationpriority: medium --- diff --git a/devices/surface-hub/change-history-surface-hub.md b/devices/surface-hub/change-history-surface-hub.md index 598c4e9807..f15a7db11b 100644 --- a/devices/surface-hub/change-history-surface-hub.md +++ b/devices/surface-hub/change-history-surface-hub.md @@ -7,6 +7,8 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: surfacehub author: jdeckerms +ms.author: jdecker +ms.date: 06/19/2017 localizationpriority: medium --- 
@@ -14,8 +16,12 @@ localizationpriority: medium
 This topic lists new and updated topics in the [Surface Hub Admin Guide]( surface-hub-administrators-guide.md).
+## June 2017
-
+| New or changed topic | Description |
+| --- | --- |
+| [Set up and use Whiteboard to Whiteboard collaboration](whiteboard-collaboration.md) | New |
+| [Manage settings with an MDM provider (Surface Hub)](manage-settings-with-mdm-for-surface-hub.md#whiteboard-collaboration-settings) | Added settings for managing Whiteboard collaboration |
 ## RELEASE: Windows 10, version 1703
diff --git a/devices/surface-hub/change-surface-hub-device-account.md b/devices/surface-hub/change-surface-hub-device-account.md
index a0b6b56c7e..24401a121f 100644
--- a/devices/surface-hub/change-surface-hub-device-account.md
+++ b/devices/surface-hub/change-surface-hub-device-account.md
@@ -8,6 +8,8 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: surfacehub
 author: jdeckerms
+ms.author: jdecker
+ms.date: 06/19/2017
 localizationpriority: medium
 ---
diff --git a/devices/surface-hub/connect-and-display-with-surface-hub.md b/devices/surface-hub/connect-and-display-with-surface-hub.md
index 284bc892cf..3b707fc91d 100644
--- a/devices/surface-hub/connect-and-display-with-surface-hub.md
+++ b/devices/surface-hub/connect-and-display-with-surface-hub.md
@@ -7,6 +7,8 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: surfacehub
 author: jdeckerms
+ms.author: jdecker
+ms.date: 06/19/2017
 localizationpriority: medium
 ---
diff --git a/devices/surface-hub/create-a-device-account-using-office-365.md b/devices/surface-hub/create-a-device-account-using-office-365.md
index 292db720ca..2738f245e6 100644
--- a/devices/surface-hub/create-a-device-account-using-office-365.md
+++ b/devices/surface-hub/create-a-device-account-using-office-365.md
@@ -8,6 +8,8 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: surfacehub
 author: jdeckerms
+ms.author: jdecker
+ms.date: 06/19/2017
 localizationpriority: medium
 ---
diff --git a/devices/surface-hub/create-and-test-a-device-account-surface-hub.md b/devices/surface-hub/create-and-test-a-device-account-surface-hub.md
index e4e0e5ed95..5488c98164 100644
--- a/devices/surface-hub/create-and-test-a-device-account-surface-hub.md
+++ b/devices/surface-hub/create-and-test-a-device-account-surface-hub.md
@@ -8,6 +8,8 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: surfacehub
 author: jdeckerms
+ms.author: jdecker
+ms.date: 06/19/2017
 localizationpriority: medium
 ---
diff --git a/devices/surface-hub/device-reset-surface-hub.md b/devices/surface-hub/device-reset-surface-hub.md
index 59d90772cc..a82f56d4f1 100644
--- a/devices/surface-hub/device-reset-surface-hub.md
+++ b/devices/surface-hub/device-reset-surface-hub.md
@@ -8,6 +8,8 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: surfacehub
 author: jdeckerms
+ms.author: jdecker
+ms.date: 06/19/2017
 localizationpriority: medium
 ---
diff --git a/devices/surface-hub/differences-between-surface-hub-and-windows-10-enterprise.md b/devices/surface-hub/differences-between-surface-hub-and-windows-10-enterprise.md
index e6d812ea78..8ac7840f05 100644
--- a/devices/surface-hub/differences-between-surface-hub-and-windows-10-enterprise.md
+++ b/devices/surface-hub/differences-between-surface-hub-and-windows-10-enterprise.md
@@ -7,6 +7,8 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: surfacehub
 author: isaiahng
+ms.author: jdecker
+ms.date: 06/19/2017
 localizationpriority: medium
 ---
diff --git a/devices/surface-hub/docfx.json b/devices/surface-hub/docfx.json
index df5f770c84..d6a3efaf96 100644
--- a/devices/surface-hub/docfx.json
+++ b/devices/surface-hub/docfx.json
@@ -22,7 +22,13 @@
 "ms.mktglfcycl": "manage",
 "author": "jdeckerms",
 "ms.sitesec": "library",
- "ms.author": "jdecker"
+ "ms.author": "jdecker",
+ "ms.date": "05/23/2017",
+ "_op_documentIdPathDepotMapping": {
+ "./": {
+ "depot_name": "Win.surface-hub"
+ }
+ }
 },
 "externalReference": [
 ],
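Review bot: The added `"ms.date": "05/23/2017"` in devices/surface-hub/docfx.json hard-codes a default date that conflicts with the per-file `ms.date: 06/19/2017` this same commit adds to the Surface Hub articles, so one field now has two sources of truth. Assuming the object closed just before `"externalReference"` is the global metadata block (its opening is outside the hunk), any article without its own date would inherit a value that drifts from its real edit date. Consider dropping the global date so the block reads `"ms.author": "jdecker",` followed directly by `"_op_documentIdPathDepotMapping": {`. The docfx.json hunks for hololens, surface and education add the same kind of fixed default, and the slash-separated form (hololens uses `04/05/2017`) is ambiguous between month-first and day-first to a human reader.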
diff --git a/devices/surface-hub/exchange-properties-for-surface-hub-device-accounts.md b/devices/surface-hub/exchange-properties-for-surface-hub-device-accounts.md
index 2aa8921e31..0de8a05437 100644
--- a/devices/surface-hub/exchange-properties-for-surface-hub-device-accounts.md
+++ b/devices/surface-hub/exchange-properties-for-surface-hub-device-accounts.md
@@ -8,6 +8,8 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: surfacehub
 author: jdeckerms
+ms.author: jdecker
+ms.date: 06/19/2017
 localizationpriority: medium
 ---
diff --git a/devices/surface-hub/finishing-your-surface-hub-meeting.md b/devices/surface-hub/finishing-your-surface-hub-meeting.md
index 1761472886..38967ea5fb 100644
--- a/devices/surface-hub/finishing-your-surface-hub-meeting.md
+++ b/devices/surface-hub/finishing-your-surface-hub-meeting.md
@@ -7,6 +7,8 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: surfacehub
 author: jdeckerms
+ms.author: jdecker
+ms.date: 06/19/2017
 localizationpriority: medium
 ---
diff --git a/devices/surface-hub/first-run-program-surface-hub.md b/devices/surface-hub/first-run-program-surface-hub.md
index 996a6eb1fd..6d783ca362 100644
--- a/devices/surface-hub/first-run-program-surface-hub.md
+++ b/devices/surface-hub/first-run-program-surface-hub.md
@@ -8,6 +8,8 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: surfacehub
 author: jdeckerms
+ms.author: jdecker
+ms.date: 06/19/2017
 localizationpriority: medium
 ---
diff --git a/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md b/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md
index 296d5c330d..fd1ab47a02 100644
--- a/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md
+++ b/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md
@@ -8,6 +8,8 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: surfacehub
 author: jdeckerms
+ms.author: jdecker
+ms.date: 06/19/2017
 localizationpriority: medium
 ---
diff --git a/devices/surface-hub/images/wb-collab-example.png b/devices/surface-hub/images/wb-collab-example.png
new file mode 100644
index 0000000000..0ed67c03ea
Binary files /dev/null and b/devices/surface-hub/images/wb-collab-example.png differ
diff --git a/devices/surface-hub/images/wb-collab-link.png b/devices/surface-hub/images/wb-collab-link.png
new file mode 100644
index 0000000000..9b0531d0c0
Binary files /dev/null and b/devices/surface-hub/images/wb-collab-link.png differ
diff --git a/devices/surface-hub/index.md b/devices/surface-hub/index.md
index 31928b1a07..f8199feb73 100644
--- a/devices/surface-hub/index.md
+++ b/devices/surface-hub/index.md
@@ -7,6 +7,8 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: surfacehub
 author: jdeckerms
+ms.author: jdecker
+ms.date: 06/19/2017
 localizationpriority: medium
 ---
diff --git a/devices/surface-hub/install-apps-on-surface-hub.md b/devices/surface-hub/install-apps-on-surface-hub.md
index f38f6f73a7..0fd4a2c619 100644
--- a/devices/surface-hub/install-apps-on-surface-hub.md
+++ b/devices/surface-hub/install-apps-on-surface-hub.md
@@ -8,6 +8,8 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: surfacehub, store
 author: jdeckerms
+ms.author: jdecker
+ms.date: 06/19/2017
 localizationpriority: medium
 ---
diff --git a/devices/surface-hub/local-management-surface-hub-settings.md b/devices/surface-hub/local-management-surface-hub-settings.md
index fec4a3e0b9..904c44e890 100644
--- a/devices/surface-hub/local-management-surface-hub-settings.md
+++ b/devices/surface-hub/local-management-surface-hub-settings.md
@@ -7,6 +7,8 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: surfacehub
 author: jdeckerms
+ms.author: jdecker
+ms.date: 06/19/2017
 localizationpriority: medium
 ---
diff --git a/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md b/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md
index d50f750484..71bf9ab39f 100644
--- a/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md +++ b/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md @@ -8,6 +8,8 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: surfacehub, mobility author: jdeckerms +ms.author: jdecker +ms.date: 06/19/2017 localizationpriority: medium --- @@ -22,6 +24,9 @@ Surface Hub has been validated with Microsoft’s first-party MDM providers: You can also manage Surface Hubs using any third-party MDM provider that can communicate with Windows 10 using the MDM protocol. +>[!NOTE] +>[Azure Active Directory conditional access](https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access) is not currently available for Surface Hub devices. + ## Enroll a Surface Hub into MDM You can enroll your Surface Hubs using bulk or manual enrollment. @@ -178,6 +183,28 @@ The following tables include info on Windows 10 settings that have been validate | Set Network proxy | Use to configure a proxy server for ethernet and Wi-Fi connections. | [NetworkProxy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/networkproxy-csp) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | \*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package. +### Whiteboard collaboration settings + +MDM settings for Whiteboard collaboration use the **AppManagement/AppStore** node of the [EnterpriseModernAppManagement CSP](https://docs.microsoft.com/windows/client-management/mdm/enterprisemodernappmanagement-csp#appmanagement-appstore) to configure an **AppSettingPolicy**. + +The value for each setting can be **True** or **False**. The default value for each setting is **False**. + +The OMA URI for each setting consists of `./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/Microsoft.Office.Whiteboard_8wekyb3d8bbwe/AppSettingPolicy/` and the string from the **OMA URI** column in the table. For example, the full OMA URI for **Enable sign-in** is `./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/Microsoft.Office.Whiteboard_8wekyb3d8bbwe/AppSettingPolicy/EnableSignIn`. + + +| Setting | Details | OMA URI | Supported with
Intune? | Supported with
Configuration Manager? | Supported with
SyncML*? | +| --- | ---- | --- |---- | --- | --- | +| Enable sign-in | Users can sign in and authenticate | EnableSignIn | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | +| Disable sign-in | Users are unable to sign in and access collaboration or education features | DisableSignIn | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | +| Disable Collaboration | Users can sign in but not create or join collaborative sessions | DisableCollaboration | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | +| Disable Sharing | Hide entry points for the Share button, hiding export in the Share charm and Collaboration | DisableSharing | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | +| Disable Export | Users cannot send whiteboards using email, thumb drives, or other mechanisms through the Share charm | DisableExport | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | +| Enable Ink to Shape | **Ink to Shape** is on by default when users open Whiteboard | EnableInkShapes | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | +| Disable Ink to Shape | **Ink to Shape** is off by default when users open Whiteboard | DisableInkShapes | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | +| Enable Ink to Table | **Ink to Table** is on by default when users open Whiteboard | EnableInkTables | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | +| Disable Search | Hide entry points for Bing Search | DisableSearch | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | +\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package. + ### Generate OMA URIs for settings You need to use a setting’s OMA URI to create a custom policy in Intune, or a custom setting in System Center Configuration Manager. diff --git a/devices/surface-hub/manage-surface-hub-settings.md b/devices/surface-hub/manage-surface-hub-settings.md index fe030602b9..5226843d3a 100644 --- a/devices/surface-hub/manage-surface-hub-settings.md +++ b/devices/surface-hub/manage-surface-hub-settings.md @@ -7,6 +7,8 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: surfacehub author: jdeckerms +ms.author: jdecker +ms.date: 06/19/2017 localizationpriority: medium --- diff --git a/devices/surface-hub/manage-surface-hub.md b/devices/surface-hub/manage-surface-hub.md index 56340d14d0..14df9d6b63 100644 --- a/devices/surface-hub/manage-surface-hub.md +++ b/devices/surface-hub/manage-surface-hub.md @@ -8,6 +8,8 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: surfacehub author: jdeckerms +ms.author: jdecker +ms.date: 06/19/2017 localizationpriority: medium --- 
@@ -30,6 +32,7 @@ Learn about managing and updating Surface Hub.
 | [Remote Surface Hub management](remote-surface-hub-management.md) |Topics related to managing your Surface Hub remotely. Include install apps, managing settings with MDM and monitoring with Operations Management Suite. |
 | [Manage Surface Hub settings](manage-surface-hub-settings.md) |Topics related to managing Surface Hub settings: accessibility, device account, device reset, fully qualified domain name, Windows Update settings, and wireless network |
 | [Install apps on your Surface Hub]( https://technet.microsoft.com/itpro/surface-hub/install-apps-on-surface-hub) | Admins can install apps can from either the Microsoft Store or the Microsoft Store for Business.|
+| [Set up and use Whiteboard to Whiteboard collaboration](whiteboard-collaboration.md) | Microsoft Whiteboard’s latest update includes the capability for two Surface Hubs to collaborate in real time on the same board. |
 | [End a meeting with End session](https://technet.microsoft.com/itpro/surface-hub/i-am-done-finishing-your-surface-hub-meeting) | At the end of a meeting, users can tap **End session** to clean up any sensitive data and prepare the device for the next meeting.|
 | [Save your BitLocker key](https://technet.microsoft.com/itpro/surface-hub/save-bitlocker-key-surface-hub) | Every Surface Hub is automatically set up with BitLocker drive encryption software. Microsoft strongly recommends that you make sure you back up your BitLocker recovery keys.|
 | [Connect other devices and display with Surface Hub](https://technet.microsoft.com/itpro/surface-hub/connect-and-display-with-surface-hub) | You can connect other device to your Surface Hub to display content.|
diff --git a/devices/surface-hub/manage-windows-updates-for-surface-hub.md b/devices/surface-hub/manage-windows-updates-for-surface-hub.md
index f2a401a497..102a9c8006 100644
--- a/devices/surface-hub/manage-windows-updates-for-surface-hub.md
+++ b/devices/surface-hub/manage-windows-updates-for-surface-hub.md
@@ -8,6 +8,8 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: surfacehub
 author: jdeckerms
+ms.author: jdecker
+ms.date: 06/19/2017
 localizationpriority: medium
 ---
diff --git a/devices/surface-hub/miracast-over-infrastructure.md b/devices/surface-hub/miracast-over-infrastructure.md
index e83c80a62a..69095fd26e 100644
--- a/devices/surface-hub/miracast-over-infrastructure.md
+++ b/devices/surface-hub/miracast-over-infrastructure.md
@@ -6,6 +6,8 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: surfacehub
 author: jdeckerms
+ms.author: jdecker
+ms.date: 06/19/2017
 localizationpriority: medium
 ---
diff --git a/devices/surface-hub/miracast-troubleshooting.md b/devices/surface-hub/miracast-troubleshooting.md
index fae1f30463..942887f020 100644
--- a/devices/surface-hub/miracast-troubleshooting.md
+++ b/devices/surface-hub/miracast-troubleshooting.md
@@ -6,6 +6,8 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: surfacehub
 author: jdeckerms
+ms.author: jdecker
+ms.date: 06/19/2017
 localizationpriority: medium
 ---
diff --git a/devices/surface-hub/monitor-surface-hub.md b/devices/surface-hub/monitor-surface-hub.md
index 93b9b743e0..2fac6d72e5 100644
--- a/devices/surface-hub/monitor-surface-hub.md
+++ b/devices/surface-hub/monitor-surface-hub.md
@@ -8,6 +8,8 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: surfacehub
 author: jdeckerms
+ms.author: jdecker
+ms.date: 06/19/2017
 localizationpriority: medium
 ---
diff --git a/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md b/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md
index 40f04195dd..538c8ab8e7 100644
--- a/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md
+++ b/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md
@@ -8,6 +8,8 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: surfacehub
 author: jdeckerms
+ms.author: jdecker
+ms.date: 06/19/2017
 localizationpriority: medium
 ---
diff --git a/devices/surface-hub/on-premises-deployment-surface-hub-multi-forest.md b/devices/surface-hub/on-premises-deployment-surface-hub-multi-forest.md
index bba5bfaa28..71b1557cdc 100644
--- a/devices/surface-hub/on-premises-deployment-surface-hub-multi-forest.md
+++ b/devices/surface-hub/on-premises-deployment-surface-hub-multi-forest.md
@@ -7,6 +7,8 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: surfacehub
 author: jdeckerms
+ms.author: jdecker
+ms.date: 06/19/2017
 localizationpriority: medium
 ---
diff --git a/devices/surface-hub/online-deployment-surface-hub-device-accounts.md b/devices/surface-hub/online-deployment-surface-hub-device-accounts.md
index e33fd2889a..971d34f236 100644
--- a/devices/surface-hub/online-deployment-surface-hub-device-accounts.md
+++ b/devices/surface-hub/online-deployment-surface-hub-device-accounts.md
@@ -8,6 +8,8 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: surfacehub
 author: jdeckerms
+ms.author: jdecker
+ms.date: 06/19/2017
 localizationpriority: medium
 ---
diff --git a/devices/surface-hub/password-management-for-surface-hub-device-accounts.md b/devices/surface-hub/password-management-for-surface-hub-device-accounts.md
index 87823e452f..a21cbe75c4 100644
--- a/devices/surface-hub/password-management-for-surface-hub-device-accounts.md
+++ b/devices/surface-hub/password-management-for-surface-hub-device-accounts.md
@@ -8,6 +8,8 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: surfacehub, security
 author: jdeckerms
+ms.author: jdecker
+ms.date: 06/19/2017
 localizationpriority: medium
 ---
diff --git a/devices/surface-hub/physically-install-your-surface-hub-device.md b/devices/surface-hub/physically-install-your-surface-hub-device.md
index e187e19cb7..881d35d5e5 100644
--- a/devices/surface-hub/physically-install-your-surface-hub-device.md
+++ b/devices/surface-hub/physically-install-your-surface-hub-device.md
@@ -8,6 +8,8 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: surfacehub, readiness
 author: jdeckerms
+ms.author: jdecker
+ms.date: 06/19/2017
 localizationpriority: medium
 ---
diff --git a/devices/surface-hub/prepare-your-environment-for-surface-hub.md b/devices/surface-hub/prepare-your-environment-for-surface-hub.md
index 36062f36a4..938be33bfe 100644
--- a/devices/surface-hub/prepare-your-environment-for-surface-hub.md
+++ b/devices/surface-hub/prepare-your-environment-for-surface-hub.md
@@ -8,6 +8,8 @@ ms.mktglfcycl: plan
 ms.sitesec: library
 ms.pagetype: surfacehub
 author: jdeckerms
+ms.author: jdecker
+ms.date: 06/19/2017
 localizationpriority: medium
 ---
diff --git a/devices/surface-hub/provisioning-packages-for-surface-hub.md b/devices/surface-hub/provisioning-packages-for-surface-hub.md
index 5bd004e345..f5c44be7e4 100644
--- a/devices/surface-hub/provisioning-packages-for-surface-hub.md
+++ b/devices/surface-hub/provisioning-packages-for-surface-hub.md
@@ -8,6 +8,8 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: surfacehub
 author: jdeckerms
+ms.author: jdecker
+ms.date: 06/19/2017
 localizationpriority: medium
 ---
diff --git a/devices/surface-hub/remote-surface-hub-management.md b/devices/surface-hub/remote-surface-hub-management.md
index f1369c5c26..2239f33b52 100644
--- a/devices/surface-hub/remote-surface-hub-management.md
+++ b/devices/surface-hub/remote-surface-hub-management.md
@@ -7,6 +7,8 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: surfacehub
 author: jdeckerms
+ms.author: jdecker
+ms.date: 06/19/2017
 localizationpriority: medium
 ---
diff --git a/devices/surface-hub/save-bitlocker-key-surface-hub.md b/devices/surface-hub/save-bitlocker-key-surface-hub.md
index 27ca1f3ef9..98bcf798cc 100644
--- a/devices/surface-hub/save-bitlocker-key-surface-hub.md
+++ b/devices/surface-hub/save-bitlocker-key-surface-hub.md
@@ -8,6 +8,8 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: surfacehub, security
 author: jdeckerms
+ms.author: jdecker
+ms.date: 06/19/2017
 localizationpriority: medium
 ---
diff --git a/devices/surface-hub/set-up-your-surface-hub.md b/devices/surface-hub/set-up-your-surface-hub.md
index 15231f9a9d..350ad29527 100644
--- a/devices/surface-hub/set-up-your-surface-hub.md
+++ b/devices/surface-hub/set-up-your-surface-hub.md
@@ -8,6 +8,8 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: surfacehub
 author: jdeckerms
+ms.author: jdecker
+ms.date: 06/19/2017
 localizationpriority: medium
 ---
diff --git a/devices/surface-hub/setup-worksheet-surface-hub.md b/devices/surface-hub/setup-worksheet-surface-hub.md
index 49ef04d184..e689a49798 100644
--- a/devices/surface-hub/setup-worksheet-surface-hub.md
+++ b/devices/surface-hub/setup-worksheet-surface-hub.md
@@ -8,6 +8,8 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: surfacehub
 author: jdeckerms
+ms.author: jdecker
+ms.date: 06/19/2017
 localizationpriority: medium
 ---
diff --git a/devices/surface-hub/skype-hybrid-voice.md b/devices/surface-hub/skype-hybrid-voice.md
index fbd3d455a1..aab82e172f 100644
--- a/devices/surface-hub/skype-hybrid-voice.md
+++ b/devices/surface-hub/skype-hybrid-voice.md
@@ -6,7 +6,9 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: surfacehub
-author: jdeckerMS
+author: jdeckerms
+ms.author: jdecker
+ms.date: 06/19/2017
 localizationpriority: medium
 ---
diff --git a/devices/surface-hub/surface-hub-downloads.md b/devices/surface-hub/surface-hub-downloads.md
index f5b6fa0c35..b66f0125d8 100644
--- a/devices/surface-hub/surface-hub-downloads.md
+++ b/devices/surface-hub/surface-hub-downloads.md
@@ -6,6 +6,8 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: surfacehub
 author: jdeckerms
+ms.author: jdecker
+ms.date: 06/19/2017
 localizationpriority: medium
 ---
diff --git a/devices/surface-hub/surface-hub-wifi-direct.md b/devices/surface-hub/surface-hub-wifi-direct.md
index e4ce72ed1d..8746e4fbf0 100644
--- a/devices/surface-hub/surface-hub-wifi-direct.md
+++ b/devices/surface-hub/surface-hub-wifi-direct.md
@@ -7,6 +7,8 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: surfacehub
 author: jdeckerms
+ms.author: jdecker
+ms.date: 06/19/2017
 localizationpriority: medium
 ---
diff --git a/devices/surface-hub/surfacehub-whats-new-1703.md b/devices/surface-hub/surfacehub-whats-new-1703.md
index a24d9b1905..e2b323adce 100644
--- a/devices/surface-hub/surfacehub-whats-new-1703.md
+++ b/devices/surface-hub/surfacehub-whats-new-1703.md
@@ -6,6 +6,8 @@ ms.mktglfcycl: manage
 ms.pagetype: devices
 ms.sitesec: library
 author: jdeckerms
+ms.author: jdecker
+ms.date: 06/19/2017
 localizationpriority: medium
 ---
diff --git a/devices/surface-hub/troubleshoot-surface-hub.md b/devices/surface-hub/troubleshoot-surface-hub.md
index 5e1c0977a8..88634df13a 100644
--- a/devices/surface-hub/troubleshoot-surface-hub.md
+++ b/devices/surface-hub/troubleshoot-surface-hub.md
@@ -8,6 +8,8 @@ ms.mktglfcycl: support
 ms.sitesec: library
 ms.pagetype: surfacehub
 author: jdeckerms
+ms.author: jdecker
+ms.date: 06/19/2017
 localizationpriority: medium
 ---
diff --git a/devices/surface-hub/use-fully-qualified-domain-name-surface-hub.md b/devices/surface-hub/use-fully-qualified-domain-name-surface-hub.md
index 6d0b8bbda7..8b90760907 100644
--- a/devices/surface-hub/use-fully-qualified-domain-name-surface-hub.md
+++ b/devices/surface-hub/use-fully-qualified-domain-name-surface-hub.md
@@ -3,6 +3,8 @@ title: Use fully qualified doman name with Surface Hub
 description: Troubleshoot common problems, including setup issues, Exchange ActiveSync errors.
 keywords: ["Troubleshoot common problems", "setup issues", "Exchange ActiveSync errors"]
 author: jdeckerms
+ms.author: jdecker
+ms.date: 06/19/2017
 localizationpriority: medium
 ms.prod: w10
 ms.mktglfcycl: support
diff --git a/devices/surface-hub/use-room-control-system-with-surface-hub.md b/devices/surface-hub/use-room-control-system-with-surface-hub.md
index 39d7708dde..8a77082f26 100644
--- a/devices/surface-hub/use-room-control-system-with-surface-hub.md
+++ b/devices/surface-hub/use-room-control-system-with-surface-hub.md
@@ -8,6 +8,8 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: surfacehub
 author: jdeckerms
+ms.author: jdecker
+ms.date: 06/19/2017
 localizationpriority: medium
 ---
diff --git a/devices/surface-hub/whiteboard-collaboration.md b/devices/surface-hub/whiteboard-collaboration.md
new file mode 100644
index 0000000000..7633008a2d
--- /dev/null
+++ b/devices/surface-hub/whiteboard-collaboration.md
@@ -0,0 +1,80 @@ +--- +title: Set up and use Whiteboard to Whiteboard collaboration +description: Microsoft Whiteboard’s latest update includes the capability for two Surface Hubs to collaborate in real time on the same board. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: surfacehub +author: jdeckerms +ms.author: jdecker +ms.date: 06/19/2017 +localizationpriority: medium +--- + +# Set up and use Whiteboard to Whiteboard collaboration (Surface Hub) + +Microsoft Whiteboard’s latest update (17.8302.5275X or greater) includes the capability for two Surface Hubs to collaborate in real time on the same board. + +By ensuring that your organization meets the prerequisites, users can then ink, collaborate, and ideate together. Mobile device management (MDM) allows you to control default settings and provides access to these capabilities. For more information about mobile device management for Surface Hub, see [Manage settings with an MDM provider (Surface Hub)](manage-settings-with-mdm-for-surface-hub.md). + +![example of a whiteboard with collaborative inking](images/wb-collab-example.png) + +## Prerequisites for Whiteboard to Whiteboard collaboration + +To get Whiteboard to Whiteboard collaboration up and running, you’ll need to make sure your organization meets the following requirements: + +- Office 365 with cloud-based Azure Active Directory (Azure AD) for all users +- OneDrive for Business deployed for all users who intend to collaborate +- Currently not utilizing Office 365 Germany or Office 365 operated by 21Vianet +- Surface Hub needs to be updated to Windows 10, version 1607 or newer +- Port 443 needs to be open since Whiteboard makes standard https requests + + +>[!NOTE] +>Collaborative sessions can only take place between users within the same tenant, so users outside of your organization won’t be able to join even if they have a Surface Hub. + +## Using Whiteboard to Whiteboard collaboration + +To start a collaboration session: + +1. 
In the Whiteboard app, tap the **Sign in** button. +2. Sign in with your organization ID. +3. Tap the **Invite** button next to your name at the top of the app. +4. Tap **Start session**. Whiteboard will generate a link that you can share. + + ![screenshot of the link dialog box on whiteboard](images/wb-collab-link.png) + +5. Copy and paste this link into a Skype chat with another Surface Hub + +When the other Surface Hub receives the link, the recipient can tap on the link, sign in to Whiteboard, and then begin collaborating. You can copy and paste other content, use smart ink features like Ink to Shape, and co-author together. + +After you’re done, you can export a copy of the Whiteboard collaboration for yourself through the Share charm and leave the board for others to continue working. + +>[!TIP] +>When you start a collaboration session, Whiteboard creates a folder named **Whiteboard App Data** in your OneDrive for Business to store your shared whiteboards. After some collaboration sessions, this folder may continue to sync or process changes indefinitely. You can fix this by choosing to not sync the **Whiteboard App Data** folder to your device. Disabling sync for this folder won't limit your ability to use Whiteboard for collaboration sessions. + +## How to control and manage Whiteboard to Whiteboard collaboration + +Whiteboard has settings that can be managed via MDM. These allow you to disable or enable collaboration functionality in case your organization can’t meet the prerequisites or you’d rather not have your organization use this feature. + +The value for each setting can be True or False. The default value for each setting is False. + +The OMA URI for each setting consists of `./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/Microsoft.Office.Whiteboard_8wekyb3d8bbwe/AppSettingPolicy/` and the string from the OMA URI column in the table. 
For example, the full OMA URI for **Enable sign-in** is `./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/Microsoft.Office.Whiteboard_8wekyb3d8bbwe/AppSettingPolicy/EnableSignIn`. + +| Setting | Details | OMA URI | Supported with
Intune? | Supported with
Configuration Manager? | Supported with
SyncML*? | +| --- | ---- | --- |---- | --- | --- | +| Enable sign-in | Users can sign in and authenticate | EnableSignIn | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | +| Disable sign-in | Users are unable to sign in and access collaboration or education features | DisableSignIn | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | +| Disable Collaboration | Users can sign in but not create or join collaborative sessions | DisableCollaboration | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | +\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package. + +Whiteboard also has other MDM settings that can be managed and set for defaults, exporting, and sharing. You can see these additional settings in [Manage settings with an MDM provider (Surface Hub)](manage-settings-with-mdm-for-surface-hub.md#whiteboard-collaboration-settings). + + + + + +## Related topics + +- [Windows 10 Creators Update for Surface Hub](https://www.microsoft.com/surface/support/surface-hub/windows-10-creators-update-surface-hub) +- [Support documentation for Microsoft Whiteboard](https://support.office.com/en-us/article/Whiteboard-Help-0c0f2aa0-b1bb-491c-b814-fd22de4d7c01) \ No newline at end of file diff --git a/devices/surface-hub/wireless-network-management-for-surface-hub.md b/devices/surface-hub/wireless-network-management-for-surface-hub.md index 22a91e040a..d7b8a3edbe 100644 --- a/devices/surface-hub/wireless-network-management-for-surface-hub.md +++ b/devices/surface-hub/wireless-network-management-for-surface-hub.md @@ -8,6 +8,8 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: surfacehub, networking author: jdeckerms +ms.author: jdecker +ms.date: 06/19/2017 localizationpriority: medium --- diff --git a/devices/surface/docfx.json b/devices/surface/docfx.json index e14912dea9..502700db32 100644 --- a/devices/surface/docfx.json +++ b/devices/surface/docfx.json @@ -19,7 +19,13 @@ "ROBOTS": "INDEX, FOLLOW", "ms.technology": "windows", "ms.topic": "article", - "ms.author": "jdecker" + "ms.author": "jdecker", + "ms.date": "05/09/2017", + "_op_documentIdPathDepotMapping": { + "./": { + "depot_name": "Win.surface" + } + } }, "externalReference": [ ], diff --git a/education/docfx.json b/education/docfx.json index d0d03f4aea..067964f4d7 100644 --- a/education/docfx.json +++ b/education/docfx.json 
@@ -19,7 +19,13 @@ "ms.author": "celested", "audience": "windows-education", "ms.topic": "article", - "breadcrumb_path": "/education/breadcrumb/toc.json" + "breadcrumb_path": "/education/breadcrumb/toc.json", + "ms.date": "05/09/2017", + "_op_documentIdPathDepotMapping": { + "./": { + "depot_name": "Win.education" + } + } }, "externalReference": [ ], diff --git a/education/get-started/TOC.md b/education/get-started/TOC.md index b0cabc0178..b4b33d20fc 100644 --- a/education/get-started/TOC.md +++ b/education/get-started/TOC.md @@ -1,2 +1,3 @@ # [Get started: Deploy and manage a full cloud IT solution with Microsoft Education](get-started-with-microsoft-education.md) +# [Change history for Microsoft Education get started](change-history-ms-edu-get-started.md) diff --git a/education/get-started/change-history-ms-edu-get-started.md b/education/get-started/change-history-ms-edu-get-started.md new file mode 100644 index 0000000000..484ed4a299 --- /dev/null +++ b/education/get-started/change-history-ms-edu-get-started.md @@ -0,0 +1,28 @@ +--- +title: Change history for Microsoft Education Get started +description: New and changed topics in the Microsoft Education get started guide. +keywords: Microsoft Education get started guide, IT admin, IT pro, school, education, change history +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: edu +author: CelesteDG +ms.author: celested +ms.date: 06/26/2017 +--- + +# Change history for Microsoft Education Get started + +This topic lists the changes in the Microsoft Education IT admin get started. + +## June 2017 + +| New or changed topic | Description | +| --- | ---- | +| [Get started: Deploy and manage a full cloud IT solution with Microsoft Education](get-started-with-microsoft-education.md) | Includes the following updates:

- New configuration guidance for IT administrators to deploy Microsoft Teams.
- Updated steps for School Data Sync to show the latest workflow and user experience.
- Updated steps for Option 2: Try out Microsoft Education in a trial environment. You no longer need the SDS promo code to try SDS in a trial environment. | + +## May 2017 + +| New or changed topic | Description | +| --- | ---- | +| [Get started: Deploy and manage a full cloud IT solution with Microsoft Education](get-started-with-microsoft-education.md) | New. Learn how to use the new Microsoft Education system to set up a cloud infrastructure for your school, acquire devices and apps, and configure and deploy policies to your Windows 10 devices. | diff --git a/education/get-started/get-started-with-microsoft-education.md b/education/get-started/get-started-with-microsoft-education.md index a93c3a283c..78b9e46ccf 100644 --- a/education/get-started/get-started-with-microsoft-education.md +++ b/education/get-started/get-started-with-microsoft-education.md @@ -9,6 +9,8 @@ ms.topic: hero-article localizationpriority: high ms.pagetype: edu author: CelesteDG +ms.author: celested +ms.date: 06/26/2017 --- # Get started: Deploy and manage a full cloud IT solution with Microsoft Education 
@@ -101,25 +103,31 @@ To get started with Microsoft Education in a trial environment, follow these ste 1. [Set up a new Office 365 for Education tenant](#1-set-up-a-new-office-365-for-education-tenant). - Wait for your tenant to be education-verified before proceeding with the next step. Verification can take up to two weeks. + Wait for your tenant to be education-verified before proceeding with the next step. Verification can take up to a few days. -2. Click https://aka.ms/getsdspromocode to apply a School Data Sync trial promo code to your Office 365 education tenant. -3. Follow the instructions in [Use School Data Sync to import student data](#2-use-school-data-sync-to-import-student-data). -4. Follow the instructions in [Try out Intune for Education](#schooluseso365tryi4e). +2. Once you have an education-verified tenant, click https://aka.ms/intuneforedupreviewtrial to apply the Intune for Education trial promo code. + 1. In the Intune for Education Trial page, on the upper right, click **Sign in** next to **Want to add this to an existing subscription?**. + 2. Sign in with your global admin credentials. + +3. Sign in to Office 365 admin portal and: + 1. Select **Admin > Users** and then search for your admin account. + 2. In the user page, select **Product licenses** and expand the **Office 365 Education** license you assigned to yourself. + 3. Confirm that School Data Sync is turned on. + +3. Skip ahead and follow the rest of the instructions in this walkthrough beginning with [2. Use School Data Sync to import student data](#2-use-school-data-sync-to-import-student-data). ### Option 3: Try out Intune for Education Already have an Office 365 for Education verified tenant? Just sign in with your global admin credentials to apply the Intune for Education preview trial code to your tenant and follow the rest of the walkthrough. 1. Click https://aka.ms/intuneforedupreviewtrial to get started. -2. In the **Intune for Education Trial** page, click **Sign in**. +2. 
In the **Intune for Education Trial** page, on the upper right, click **Sign in** next to **Want to add this to an existing subscription?**. **Figure 2** - Intune for Education trial sign in page ![Intune for Education trial sign in page](images/i4e_trialsigninpage.png) 3. Enter your Office 365 global admin credentials to apply the Intune for Education trial to your tenant. -4. Skip ahead and follow the instructions in the walkthrough beginning with [4. Configure Microsoft Store for Education](#4-configure-microsoft-store-for-education). - +4. If you don't already have Microsoft Teams deployed to your tenant, you can start with [3. Enable Microsoft Teams for your school](#3-enable-microsoft-teams-for-your-school) and then follow the rest of the instructions in this walkthrough. ## 1. Set up a new Office 365 for Education tenant Schools can use Office 365 to save time and be more productive. Built with powerful tools and accessible from any device, setting it up is the first step in getting your school to the cloud. 
@@ -174,21 +182,6 @@ Follow all the steps in this section to use SDS and sample CSV files in a trial To learn more about the CSV files that are required and the info you need to include in each file, see CSV files for School Data Sync. If you run into any issues, see School Data Sync errors and troubleshooting. -**Assign Classroom license** - -The Classroom application is retired, but you will need to assign the Classroom Preview license to global admin accounts that will be used to administer SDS. The single license allows global admins to access both Classroom Preview and School Data Sync. - -1. In the Office 365 admin center, select **Users > Active users**. -2. Select the checkbox for your global admin account. -3. In the account details window, under **Product licenses**, click **Edit**. -4. In the **Product licenses** page, turn on **Microsoft Classroom** and then click **Save**. -5. Confirm that you can access SDS. To do this: - - Navigate to https://sds.microsoft.com and click **Sign in**. When prompted, enter your global admin username and password to access the SDS portal. Or, - - From the Office 365 admin portal, go to **Admin centers** and click on **School Data Sync** to go to the SDS portal. - - > [!NOTE] - > Only global admins can access SDS. - **Use SDS to import student data** 1. If you haven't done so already, go to the SDS portal, https://sds.microsoft.com. @@ -196,7 +189,7 @@ The Classroom application is retired, but you will need to assign the Classroom **Figure 6** - Settings for managing SDS - ![Settings for managing SDS](images/sds_sds_and_classroom_off.png) + ![Settings for managing SDS](images/sds_settings_manage_sds_firstsignin.png) 3. Turn on **School Data Sync**. You will get a notification that it is turned on. Click **OK**. 
@@ -204,7 +197,7 @@ The Classroom application is retired, but you will need to assign the Classroom **Figure 7** - New menu options appear after SDS is turned on - ![New menu options appear after SDS is turned on](images/sds_sds_on_newmenu_items.png) + ![New menu options appear after SDS is turned on](images/sds_sds_on_newmenuitemsappear.png) 4. Click **+ Add Profile** from the sync dashboard or from the menu on the left to start syncing school data. 
@@ -212,84 +205,93 @@ The Classroom application is retired, but you will need to assign the Classroom **Figure 8** - New SDS profile setup wizard - ![New SDS profile setup wizard](images/sds_updated_addnewprofile.png) + ![New SDS profile setup wizard](images/sds_add_new_profile_062317.png) -6. For the new profile, in the **Before you begin...** screen: - 1. Enter a name for your profile, such as *Contoso_Profile_1*. - 2. Select a sync method for your profile. For this walkthrough, select **CSV Files**. +5. For the new profile, in the **How do you want to connect to your school?** screen: + 1. Enter a name for your profile, such as *Contoso_Elementary_Profile*. + 2. Select a sync method for your profile. For this walkthrough, select **Upload CSV Files**. + 3. Select the type of CSV files that you're using. For this walkthrough, select **CSV files: SDS Format**. + 4. Click **Start**. - Note that for any sync method that you choose, you can click the **View steps** link to get more information about the steps you need to take depending on the sync method of your choosing. - - 3. Click **Start**. - -7. In the **Sync options** screen: - 1. In the **Select new or existing users** section, you can select either **New users** or **Existing users** based on the scenaro that applies to you. For this walkthrough, select **New users**. - +6. In the **Sync options** screen: + 1. In the **Select new or existing users** section, you can select either **Existing users** or **New users** based on the scenaro that applies to you. For this walkthrough, select **New users**. 2. In the **Import data** section: 1. Click **Upload Files** to bring up the **Select data files to be uploaded** window. 2. In the **Select data files to be uploaded** window, click **+ Add Files** and navigate to the directory where you saved the six CSV files required for data import. 3. In the File Explorer window, you will see a folder for the sample CSV files for the UK and six sample CSV files for the US. 
Select the CSV files that match your region/locale, and then click **Open**. 4. In the **Select data files to be uploaded** window, confirm that all six CSV files (School.csv, Section.csv, Student.csv, StudentEnrollment.csv, Teacher.csv, and TeacherRoster.csv) are listed and then click **Upload**. - 4. After all the files are successfully uploaded, click **OK**. + + > [!NOTE] + > After you click **Upload**, the status in the **Select data files to be uploaded** window will indicate that files are being uploaded and verified. + + 5. After all the files are successfully uploaded, click **OK**. + 3. Select the domain for the schools/sections. This domain will be used for the Section email addresses created during setup. If you have more than one domain, make sure you select the appropriate domain for the sync profile and subsequent sections being created. 4. In the **Select school and section properties** section, ensure the attributes that have been automatically selected for you align to your CSV files. If you select additional properties, or deselect any properties, make sure you have the properties and values contained within the CSV files. For the walkthrough, you don't have to change the default. 5. In the **Sync option for Section Group Display Name**, check the box if you want to allow teachers to overwrite the section names. Otherwise, SDS will always reset the display name value for sections to the value contained within the CSV files. - 6. In the **License Options** section, check the box to enable the Classroom Preview license for all synced students and teachers within the sync profile. - 7. Check the **Intune for Education** checkbox to allow users to receive the Intune for Education license and to create the SDS dynamic groups and security groups, which be used within Intune for Education. + 6. In the **Student enrollment option** section: + * If you want to sync your student roster data immediately, leave the box unchecked. 
+ * If you prefer to sync student enrollment/rostering data at a later date, check this box and then pick a date by clicking the empty box and selecting the appropriate date in the calendar when you would like to begin syncing your student roster data. Some schools prefer to delay syncing student roster data so they don't expose rosters before the start of the new term, semester, or school year. + 7. In the **License Options** section, check the box for **Intune for Education** to allow students and teachers to receive the Intune for Education license. This will also create the SDS dynamic groups and security groups, which will be used within Intune for Education. 8. Click **Next**. **Figure 9** - Sync options for the new profile - ![Specify sync options for the new SDS profile](images/sds_profile_syncoptions.png) + ![Specify sync options for the new SDS profile](images/sds_profile_sync_options_062317.png) -8. In the **Teacher options** screen: +7. In the **Teacher options** screen: 1. Select the domain for the teachers. SDS appends the selected domain suffix to the teacher's username attribute contained in the CSV file, to build the UserPrincipalName for each user in Office 365/Azure Active Directory during the account creation process. The teacher will log in to Office 365 with the UserPrincipalName once the account is created. 2. In the **Select teacher properties** section, make sure the attributes that have been automatically selected for you align to your CSV files. If you select additional properties or deselect any properties, make sure you have the corresponding properties and values contained within the CSV files. For this walkthrough, you don't have to change the default. - 3. In the **Teacher licenses** section, choose the SKU to assign licenses for teachers. For this walkthrough, choose **STANDARDWOFFPACK_FACULTY**. + 3. In the **Teacher licenses** section, choose the SKU to assign licenses for teachers. For example, **STANDARDWOFFPACK_FACULTY**. 4. 
Click **Next**. **Figure 10** - Specify options for teacher mapping - ![Specify options for teacher mapping](images/sds_profile_teacheroptions.png) + ![Specify options for teacher mapping](images/sds_profile_teacher_options_062317.png) -9. In the **Student options** screen: +8. In the **Student options** screen: 1. Select the domain for the students. SDS appends the selected domain suffix to the student's username attribute contained in the CSV file, to build the UserPrincipalName for each user in Office 365/Azure Active Directory during the account creation process. The student will log in to Office 365 with the UserPrincipalName once the account is created. 2. In the **Select student properties** section, make sure the attributes that have been automatically selected for you align to your CSV files. If you select additional properties or deselect any properties, make sure you have the corresponding properties and values contained within the CSV files. For this walkthrough, you don't have to change the default. - 3. In the **Student licenses** section, choose the SKU to assign licenses for students. For this walkthrough, choose **STANDARDWOFFPACK_STUDENT**. + 3. In the **Student licenses** section, choose the SKU to assign licenses for students. For example, **STANDARDWOFFPACK_STUDENT**. 4. Click **Next**. **Figure 11** - Specify options for student mapping - ![Specify options for student mapping](images/sds_profile_studentoptions.png) + ![Specify options for student mapping](images/sds_profile_student_options_062317.png) -10. In the profile **Review** page, review the summary and confirm that the options selected are correct. Click **Create profile**. - - You will see a notification that your profile is being created. - -11. You will see a page for your profile. The status might indicate that it's still being set up. +9. In the profile **Review** page, review the summary and confirm that the options selected are correct. +10. Click **Create profile**. 
You will see a notification that your profile is being submitted and then you will see a page for your profile. **Figure 12** - SDS profile page - ![SDS profile page](images/sds_profile_profilepage.png) + ![SDS profile page](images/sds_profile_profilepage_settingup_062317.png) -12. After the profile is created and finished **Setting up**, confirm that the status for your profile now says **Sync enabled**. +11. After the profile is created and the status indicates as **Setting up**, refresh the page until you see the status change to **Sync in progress**. Beneath the **Sync in progress** status, you will see which of the 5 sync stages SDS is working on: + * Stage 1 - Validating data + * Stage 2 - Processing schools and sections + * Stage 3 - Processing students and teachers + * Stage 4 - Adding students and teachers into sections + * Stage 5 - Setting up security groups - If the status still indicates that the profile is being set up, try refreshing the page until you see the status change to **Sync enabled**. + If you don't see a **Sync in progress** status on the sync profile, and receive an error message instead, this indicates that SDS has encountered data issues during the pre-sync validation check and has not started syncing your data. This gives you the opportunity to fix the errors identified by the pre-sync validation checks before continuing. Once you've fixed any errors or if you prefer to continue with the errors and begin syncing your data anyway, click the **Resume sync** button to start the sync process. - **Figure 13** - New profile is sync enabled + Once you've completed all five sync stages, your profile status will update one final time. + * If you haven't encountered any errors, you will see a green check mark which states **Everything is ok**, and the profile status will change to **Sync complete. 
Ready for more data.** + * If SDS encountered sync errors, you will see a red status icon that indicates an error, and a profile status of **Sync complete. Profile contains multiple errors**. Download the available error report to identify and fix your sync errors. Once complete, upload new files as needed and re-sync your data until errors are resolved. - ![Confirm that the new profile is sync enabled](images/sds_profile_syncenabled.png) + Here are some examples of what the sync status can look like: - > [!TIP] - > If you get errors during the pre-sync validation process, your profile status will change to **x Error**. To continue, review or resolve any pre-sync validation errors, and then click **Resume Sync** to start the synchronization cycle. + **Figure 13** - New profile: Sync in progress + + ![Sync in progress for the new profile](images/sds_profile_status_syncinprogress_062317.png) + + **Figure 14** - New profile: Sync complete - no errors + + ![New profile sync complete with no errors](images/sds_profile_status_everythingok_062317.png) + + **Figure 15** - New profile: Sync complete - with errors + + ![New profile sync complete with errors](images/sds_profile_status_syncerrors_062317.png) Sync times, like file download times, can vary widely depending on when you start the sync, how much data you are syncing, the complexity of your data (such as the number of users, schools, and class enrollments), overall system/network load, and other factors. Two people who start a sync at the same time may not have their syncs complete at the same time. 
@@ -309,25 +311,25 @@ To get started, IT administrators need to use the Office 365 Admin Center to ena 3. Go to **Settings > Services & add-ins**. 4. On the **Services & add-ins** page, select **Microsoft Teams**. - **Figure 14** - Select Microsoft Teams from the list of services & add-ins + **Figure 16** - Select Microsoft Teams from the list of services & add-ins ![Enable Microsoft Teams for your school](images/o365_settings_services_msteams.png) -5. On the Microsoft Teams settings screen, select the license that you want to configure, **Student** or **Faculty and Staff**. +5. On the Microsoft Teams settings screen, select the license that you want to configure, **Student** or **Faculty and Staff**. Select **Faculty and Staff**. - **Figure 15** - Select the license that you want to configure + **Figure 17** - Select the license that you want to configure ![Select the Microsoft Teams license that you want to configure](images/o365_msteams_settings.png) 6. After you select the license type, set the toggle to turn on Microsoft Teams for your organization. - **Figure 16** - Turn on Microsoft Teams for your organization + **Figure 18** - Turn on Microsoft Teams for your organization ![Turn on Microsoft Teams for your organization](images/o365_msteams_turnon.png) 7. Click **Save**. -You can find more info about how to control which users in your school can use Microsoft Teams, turn off group creation, configure tenant-level settings, and more by reading the *Guide for IT admins** getting started guide in the Meet Microsoft Teams page. +You can find more info about how to control which users in your school can use Microsoft Teams, turn off group creation, configure tenant-level settings, and more by reading the *Guide for IT admins* getting started guide in the Meet Microsoft Teams page. ## 4. 
Configure Microsoft Store for Education You'll need to configure Microsoft Store for Education to accept the services agreement and make sure your Microsoft Store account is associated with Intune for Education. @@ -339,20 +341,20 @@ You'll need to configure Microsoft Store for Education to accept the services ag This will take you to the Microsoft Store for Education portal. - **Figure 17** - Microsoft Store for Education portal + **Figure 19** - Microsoft Store for Education portal ![Microsoft Store for Education portal](images/msfe_store_portal.png) 3. In the Microsoft Store portal, click **Manage** to go to the Microsoft Store **Overview** page. 4. Find the **Overview** page, find the **Store settings** tile and click **Management tools**. - **Figure 18** - Select management tools from the list of Store settings options + **Figure 20** - Select management tools from the list of Store settings options ![Select management tools from list of Store settings options](images/msfe_storesettings_select_managementtools.png) 4. In the **Management tools** page, find **Microsoft Intune** on the list and click **Activate** to get Intune for Education ready for use with Microsoft Store for Education. - **Figure 19** - Activate Intune for Education as the management tool + **Figure 21** - Activate Intune for Education as the management tool ![Activate Intune for Education as the management tool](images/msfe_managementtools_activateintune.png) 
@@ -386,20 +388,20 @@ Intune for Education provides an **Express configuration** option so you can get 1. Log into the Intune for Education console. You will see the Intune for Education dashboard once you're logged in. - **Figure 20** - Intune for Education dashboard + **Figure 22** - Intune for Education dashboard ![Intune for Education dashboard](images/i4e_portal.png) 2. On the dashboard, click **Launch Express Configuration**, or select the **Express configuration** option on the menu on the left. 3. In the **Welcome to Intune for Education** screen, click **Get started**. - **Figure 21** - Click Get started to set up Intune for Education + **Figure 23** - Click Get started to set up Intune for Education ![Click Get Started to configure groups, apps, and settings](images/i4e_expressconfiguration_welcome.png) 4. In the **Get school information (optional)** screen, it should indicate that SDS is already configured. Click **Next**. - **Figure 22** - SDS is configured + **Figure 24** - SDS is configured ![SDS is already configured](images/i4e_expressconfiguration_sdsconfigured.png) @@ -412,7 +414,7 @@ Intune for Education provides an **Express configuration** option so you can get > [!TIP] > At the top of the screen, did you notice the **Choose group** button change to a green check mark? This means we are done with that step. If you change your mind or need to make changes, simply click on the button to go back to that step. Try it! > - > **Figure 23** - Click on the buttons to go back to that step + > **Figure 25** - Click on the buttons to go back to that step > > ![Click on the buttons to back to that step](images/i4e_expressconfiguration_choosebuttontogoback.png) 
@@ -425,7 +427,7 @@ Intune for Education provides an **Express configuration** option so you can get > [!TIP] > Web apps are pushed as links in the Windows Start menu under **All apps**. If you want apps to appear in Microsoft Edge browser tabs, use the **Homepages** setting for Microsoft Edge through **Express configuration** or **Manage Users and Devices**. - **Figure 24** - Choose the apps that you want to install for the group + **Figure 26** - Choose the apps that you want to install for the group ![Choose apps to install for the group](images/i4e_expressconfiguration_chooseapps_selected_cropped.png) @@ -435,7 +437,7 @@ Intune for Education provides an **Express configuration** option so you can get 8. In the **Choose settings** screen, we will set the settings to apply to the group. Click the reverse caret (downward-facing arrow) to expand the settings group and get more information about each setting in that settings group. - **Figure 25** - Expand the settings group to get more details + **Figure 27** - Expand the settings group to get more details ![Expand the settings group to get more info](images/i4e_expressconfiguration_choosesettings_expandcollapse_cropped_052217.png) 
@@ -443,20 +445,20 @@ Intune for Education provides an **Express configuration** option so you can get - In the **Microsoft Edge settings** group, change the **Do-Not-Track headers** setting to **Require**. - In the **App settings** group, change the **Microsoft Store for Business apps** setting to **Block**, and then set the **Require Microsoft Store for Business apps to be installed from private store** to **Require**. - **Figure 26** - Set some additional settings + **Figure 28** - Set some additional settings ![Set some additional settings](images/i4e_expressconfiguration_choosesettings_additionalsettings_cropped.png) 10. Click **Next**. In the **Review** screen, you will see a summary of the apps and settings you selected to apply. - **Figure 27** - Review the group, apps, and settings you configured + **Figure 29** - Review the group, apps, and settings you configured ![Review the group, apps, and settings you configured](images/i4e_expressconfiguration_review.png) 11. Click **Save** to end express configuration. 12. You will see the **You're done!** screen which lets you choose one of two options. - **Figure 28** - All done with Intune for Education express configuration + **Figure 30** - All done with Intune for Education express configuration ![Done with Intune for Education express configuration](images/i4e_expressconfiguration_alldone.png) 
@@ -473,13 +475,13 @@ Intune for Education provides an **Express configuration** option so you can get 1. In the Intune for Education console, click **Apps** from the menu on the left. - **Figure 29** - Click on **Apps** to see the list of apps for your tenant + **Figure 31** - Click on **Apps** to see the list of apps for your tenant ![Click Apps to see the list of apps for your tenant](images/i4e_dashboard_clickapps.png) 2. In the **Store apps** section, click **+ New app**. This will take you to the Microsoft Store for Education portal and you will already be signed in. - **Figure 30** - Select the option to add a new Store app + **Figure 32** - Select the option to add a new Store app ![Select the option to add a new Store app](images/i4e_apps_newstoreapp_selected.png) @@ -498,7 +500,7 @@ Intune for Education provides an **Express configuration** option so you can get For example, if you bought Duolingo and Khan Academy, they will show up in your inventory along with the apps that Microsoft automatically provisioned for your education tenant. - **Figure 31** - Apps inventory in Microsoft Store for Education + **Figure 33** - Apps inventory in Microsoft Store for Education ![Apps inventory in Store for Business](images/msfe_manageapps_inventory_grouped.png) 
@@ -513,32 +515,32 @@ Now that you've bought the apps, use Intune for Education to specify the group t 1. In the Intune for Education console, click the **Groups** option from the menu on the left. - **Figure 32** - Groups page in Intune for Education + **Figure 34** - Groups page in Intune for Education ![Groups page in Intune for Education](images/i4e_groupspage.png) 2. In the **Groups** page, select **All Users** from the list of groups on the left, and then click **Users** in the taskbar at the top of the **All Users** page. - **Figure 33** - List of all users in the tenant + **Figure 35** - List of all users in the tenant ![List of all users in the tenant](images/i4e_groups_allusers_users_steps.png) 3. In the taskbar at the top, select **Apps** and then click **Edit apps** to see a list of available apps. - **Figure 34** - Edit apps to assign them to users + **Figure 36** - Edit apps to assign them to users ![Edit apps to assign them to users](images/i4e_groups_allusers_appspage_editapps.png) 4. Select the apps to deploy to the group. A blue checkmark will appear next to the apps you select. - **Figure 35** - Select the apps to deploy to the group + **Figure 37** - Select the apps to deploy to the group ![Select the apps to deploy to the group](images/i4e_groups_allusers_selectappstodeploy.png) 5. Once you're done, click **Save** at the bottom of the page to deploy the selected apps to the group. 6. You'll be notified that app assignments are being updated. The updated **All Users** groups page now include the apps you selected. - **Figure 36** - Updated list of assigned apps + **Figure 38** - Updated list of assigned apps ![Updated list of assigned apps](images/i4e_groups_allusers_updatedappslist.png) 
@@ -586,13 +588,13 @@ Set up School PCs makes it easy to set up Windows 10 PCs with Microsoft's recomm 1. If you don't have a Wi-Fi network configured, make sure you connect the device to the Internet through a wired or Ethernet connection. 2. Go through the Windows device setup experience. On a new or reset device, this starts with the **Let's start with region. Is this right?** screen. - **Figure 37** - Let's start with region + **Figure 39** - Let's start with region ![Let's start with region](images/win10_letsstartwithregion.png) 3. Continue with setup. In the **How would you like to set up?** screen, select **Set up for an organization**. - **Figure 38** - Select setup for an organization + **Figure 40** - Select setup for an organization ![Select setup for an organization](images/win10_setupforanorg.png) @@ -611,7 +613,7 @@ Verify that the device is set up correctly and boots without any issues. > [!NOTE] > It may take some time before some apps are pushed down to your device from Intune for Education. Check again later if you don't see some of the apps you provisioned for the user. - **Figure 39** - Sample list of apps for a user + **Figure 41** - Sample list of apps for a user ![Apps list contains the apps provisioned for the user](images/win10_start_checkapps.png) @@ -623,7 +625,7 @@ Let's now verify that the device is joined to your organization's Azure AD and s 2. Select **Groups** and select **All Devices**. 3. In the **All Devices** page, see the list of devices and verify that the device you're signed into appears on the list. - **Figure 40** - List of all managed devices + **Figure 42** - List of all managed devices ![Verify that the device is managed in Intune for Education](images/i4e_groups_alldevices_listofaadjdevices.png) 
@@ -631,7 +633,7 @@ Let's now verify that the device is joined to your organization's Azure AD and s 5. Select **Accounts > Access work or school**. 6. In the **Access work or school** page, confirm that the device is connected to the organization's Azure AD. - **Figure 41** - Confirm that the Windows 10 device is joined to Azure AD + **Figure 43** - Confirm that the Windows 10 device is joined to Azure AD ![Confirm that the Windows 10 device is joined to Azure AD](images/win10_confirmaadj.png) @@ -647,7 +649,7 @@ If you need to make changes or updates to any of the apps or settings for the gr 2. Click **Groups** and then choose **Settings** in the taskbar at the top of the page. 3. You will see the same settings groups that you saw in express setup for Intune for Education as well as other settings categories such as **Windows Defender settings**, **Device sharing**, **Edition upgrade**, and so on. - **Figure 42** - See the list of available settings in Intune for Education + **Figure 44** - See the list of available settings in Intune for Education ![See the list of available settings in Intune for Education](images/i4e_groups_settingslist_full.png) @@ -669,7 +671,7 @@ Follow the steps in this section to enable a single person to add many devices t 2. Configure the device settings for the school's Active Directory. To do this, go to the new Azure portal, https://portal.azure.com. 3. Select **Azure Active Directory > Users and groups > Device settings**. - **Figure 43** - Device settings in the new Azure portal + **Figure 45** - Device settings in the new Azure portal ![Configure device settings in the new Azure portal](images/azure_newportal_usersandgroups_devicesettings.png) 
@@ -686,7 +688,7 @@ Follow the steps in this section to ensure that settings for the each user follo 3. Select **Azure Active Directory > Users and groups > Device settings**. 4. Find the setting **Users may sync settings and enterprise app data** and change the value to **All**. - **Figure 44** - Enable settings to roam with users + **Figure 46** - Enable settings to roam with users ![Enable settings to roam with users](images/azure_usersandgroups_devicesettings_ers.png) @@ -714,7 +716,7 @@ Adding a new device to your cloud-based tenant is easy. For new devices, you can For example, if a teacher connects their personal device to the school network, they'll see the following screen after typing in their account information. - **Figure 45** - Device is now managed by Intune for Education + **Figure 47** - Device is now managed by Intune for Education ![Device is managed by Intune for Education](images/byob_aad_enrollment_intune.png) @@ -724,7 +726,7 @@ Adding a new device to your cloud-based tenant is easy. For new devices, you can 5. After the user's credentails are validated, the window will refresh and will now include an entry that shows the device is now connected to the organization's MDM. This means the device is now enrolled in Intune for Education MDM and the account should have access to the organization's resources. - **Figure 46** - Device is connected to organization's MDM + **Figure 48** - Device is connected to organization's MDM ![Device is connected to organization's MDM](images/win10_connectedtoorgmdm.png) diff --git a/education/get-started/images/azuread_video_thumbnail.PNG b/education/get-started/images/azuread_video_thumbnail.PNG new file mode 100644 index 0000000000..e0723147f4 Binary files /dev/null and b/education/get-started/images/azuread_video_thumbnail.PNG differ 
diff --git a/education/get-started/images/i4e_video_thumbnail.PNG b/education/get-started/images/i4e_video_thumbnail.PNG
new file mode 100644
index 0000000000..fdec163bca
Binary files /dev/null and b/education/get-started/images/i4e_video_thumbnail.PNG differ
diff --git a/education/get-started/images/i4e_video_thumbnail_app.PNG b/education/get-started/images/i4e_video_thumbnail_app.PNG
new file mode 100644
index 0000000000..f30ea26067
Binary files /dev/null and b/education/get-started/images/i4e_video_thumbnail_app.PNG differ
diff --git a/education/get-started/images/sds_add_new_profile_062017.PNG b/education/get-started/images/sds_add_new_profile_062017.PNG
new file mode 100644
index 0000000000..84340eebb8
Binary files /dev/null and b/education/get-started/images/sds_add_new_profile_062017.PNG differ
diff --git a/education/get-started/images/sds_add_new_profile_062317.PNG b/education/get-started/images/sds_add_new_profile_062317.PNG
new file mode 100644
index 0000000000..5732ad597d
Binary files /dev/null and b/education/get-started/images/sds_add_new_profile_062317.PNG differ
diff --git a/education/get-started/images/sds_portal.PNG b/education/get-started/images/sds_portal.PNG
new file mode 100644
index 0000000000..c7a47f2d7d
Binary files /dev/null and b/education/get-started/images/sds_portal.PNG differ
diff --git a/education/get-started/images/sds_profile_profilepage_062017.PNG b/education/get-started/images/sds_profile_profilepage_062017.PNG
new file mode 100644
index 0000000000..8621592542
Binary files /dev/null and b/education/get-started/images/sds_profile_profilepage_062017.PNG differ
diff --git a/education/get-started/images/sds_profile_profilepage_settingup_062317.PNG b/education/get-started/images/sds_profile_profilepage_settingup_062317.PNG
new file mode 100644
index 0000000000..90fe34dbee
Binary files /dev/null and b/education/get-started/images/sds_profile_profilepage_settingup_062317.PNG differ
diff --git a/education/get-started/images/sds_profile_reviewpage_062317.PNG b/education/get-started/images/sds_profile_reviewpage_062317.PNG
new file mode 100644
index 0000000000..676bed0efc
Binary files /dev/null and b/education/get-started/images/sds_profile_reviewpage_062317.PNG differ
diff --git a/education/get-started/images/sds_profile_status_everythingok_062317.png b/education/get-started/images/sds_profile_status_everythingok_062317.png
new file mode 100644
index 0000000000..cdb487aced
Binary files /dev/null and b/education/get-started/images/sds_profile_status_everythingok_062317.png differ
diff --git a/education/get-started/images/sds_profile_status_syncerrors_062317.PNG b/education/get-started/images/sds_profile_status_syncerrors_062317.PNG
new file mode 100644
index 0000000000..6ae7ec5a31
Binary files /dev/null and b/education/get-started/images/sds_profile_status_syncerrors_062317.PNG differ
diff --git a/education/get-started/images/sds_profile_status_syncerrors_highlighted_062317.png b/education/get-started/images/sds_profile_status_syncerrors_highlighted_062317.png
new file mode 100644
index 0000000000..2cd58a3b21
Binary files /dev/null and b/education/get-started/images/sds_profile_status_syncerrors_highlighted_062317.png differ
diff --git a/education/get-started/images/sds_profile_status_syncinprogress_062317.PNG b/education/get-started/images/sds_profile_status_syncinprogress_062317.PNG
new file mode 100644
index 0000000000..2fd6208eca
Binary files /dev/null and b/education/get-started/images/sds_profile_status_syncinprogress_062317.PNG differ
diff --git a/education/get-started/images/sds_profile_status_syncinprogress_highlighted_062317.png b/education/get-started/images/sds_profile_status_syncinprogress_highlighted_062317.png
new file mode 100644
index 0000000000..407744d066
Binary files /dev/null and b/education/get-started/images/sds_profile_status_syncinprogress_highlighted_062317.png differ
diff --git a/education/get-started/images/sds_profile_student_options_062017.PNG b/education/get-started/images/sds_profile_student_options_062017.PNG
new file mode 100644
index 0000000000..4affc4dbfd
Binary files /dev/null and b/education/get-started/images/sds_profile_student_options_062017.PNG differ
diff --git a/education/get-started/images/sds_profile_student_options_062317.PNG b/education/get-started/images/sds_profile_student_options_062317.PNG
new file mode 100644
index 0000000000..0d2102be7d
Binary files /dev/null and b/education/get-started/images/sds_profile_student_options_062317.PNG differ
diff --git a/education/get-started/images/sds_profile_sync_options_062017.PNG b/education/get-started/images/sds_profile_sync_options_062017.PNG
new file mode 100644
index 0000000000..71df6f3d24
Binary files /dev/null and b/education/get-started/images/sds_profile_sync_options_062017.PNG differ
diff --git a/education/get-started/images/sds_profile_sync_options_062317.PNG b/education/get-started/images/sds_profile_sync_options_062317.PNG
new file mode 100644
index 0000000000..1d02a0659a
Binary files /dev/null and b/education/get-started/images/sds_profile_sync_options_062317.PNG differ
diff --git a/education/get-started/images/sds_profile_teacher_options_062017.PNG b/education/get-started/images/sds_profile_teacher_options_062017.PNG
new file mode 100644
index 0000000000..7c8bdfae25
Binary files /dev/null and b/education/get-started/images/sds_profile_teacher_options_062017.PNG differ
diff --git a/education/get-started/images/sds_profile_teacher_options_062317.PNG b/education/get-started/images/sds_profile_teacher_options_062317.PNG
new file mode 100644
index 0000000000..ab9f2706b1
Binary files /dev/null and b/education/get-started/images/sds_profile_teacher_options_062317.PNG differ
diff --git a/education/get-started/images/sds_sds_on_newmenuitemsappear.PNG b/education/get-started/images/sds_sds_on_newmenuitemsappear.PNG new file mode 100644 index 0000000000..bec27dc781 Binary files /dev/null and b/education/get-started/images/sds_sds_on_newmenuitemsappear.PNG differ diff --git a/education/get-started/images/sds_settings_manage_sds_firstsignin.PNG b/education/get-started/images/sds_settings_manage_sds_firstsignin.PNG new file mode 100644 index 0000000000..6298721880 Binary files /dev/null and b/education/get-started/images/sds_settings_manage_sds_firstsignin.PNG differ diff --git a/education/index.md b/education/index.md index 3f8576dfca..4033cef903 100644 --- a/education/index.md +++ b/education/index.md @@ -4,6 +4,8 @@ hide_bc: true title: Microsoft Education documentation and resources | Microsoft Docs description: Learn about product documentation and resources available for school IT administrators, teachers, students, and education app developers. author: CelesteDG +ms.author: celested +ms.date: ms.date: 06/12/2017 ---
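Review bot: The added front-matter line `ms.date: ms.date: 06/12/2017` in education/index.md repeats the key inside its own value; it should read `ms.date: 06/12/2017`. As written, a YAML front-matter parser will most likely either reject the block (a second `: ` inside a plain scalar) or keep the literal string `ms.date: 06/12/2017` as the value, so the page's date metadata ends up missing or malformed. The other files touched by this commit use the single-key form, e.g. `ms.date: 06/19/2017`.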
@@ -27,7 +29,7 @@ author: CelesteDG
  • - +
  • +
  • + +
    +
    +
    +
    +
    + Meet Microsoft Teams +
    +
    +
    +

    Microsoft Teams

    +

    Learn how the new classroom experiences in Microsoft Teams can help you manage your daily workflow more easily than ever before.

    +
    +
    +
    +
    +
    +
  • diff --git a/education/windows/change-history-edu.md b/education/windows/change-history-edu.md index e3cec30bb9..8cce637c8d 100644 --- a/education/windows/change-history-edu.md +++ b/education/windows/change-history-edu.md @@ -7,17 +7,28 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: edu author: CelesteDG +ms.author: celested +ms.date: 06/19/2017 --- # Change history for Windows 10 for Education This topic lists new and updated topics in the [Windows 10 for Education](index.md) documentation. +## June 2017 + +| New or changed topic | Description | +| --- | ---- | +| [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md) | Includes the following updates:

    - New configuration guidance for IT administrators to enable students and school personnel, who use assistive technology apps not available in the Microsoft Store for Education and use devices running Windows 10 S, to be successful in the classroom and in their jobs.
    - New configuration information when using Windows 10 S for education. | +| [Deployment recommendations for school IT administrators](edu-deployment-recommendations.md) | New configuration guidance for IT administrators to enable students and school personnel, who use assistive technology apps not available in the Microsoft Store for Education and use devices running Windows 10 S, to be successful in the classroom and in their jobs. | +| [Use the Set up School PCs app ](use-set-up-school-pcs-app.md) | Updated the recommended apps section to include information about Office 365 for Windows 10 S (Education Preview). | + ## May 2017 | New or changed topic | Description | | --- | ---- | | [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](switch-to-pro-education.md) | New. If you have an education tenant and use devices Windows 10 Pro or Windows 10 S in your schools, find out how you can opt-in to a free switch to Windows 10 Pro Education. | +| [Use the Set up School PCs app ](use-set-up-school-pcs-app.md) | Updated. Now includes network tips and updated step-by-step instructions that show the latest updates to the app such as Wi-Fi setup. | ## RELEASE: Windows 10, version 1703 (Creators Update) diff --git a/education/windows/chromebook-migration-guide.md b/education/windows/chromebook-migration-guide.md index a192cd0edf..f88c07f4b1 100644 --- a/education/windows/chromebook-migration-guide.md +++ b/education/windows/chromebook-migration-guide.md @@ -9,6 +9,7 @@ ms.sitesec: library ms.pagetype: edu, devices localizationpriority: high author: craigash +ms.author: celested --- # Chromebook migration guide diff --git a/education/windows/configure-windows-for-education.md b/education/windows/configure-windows-for-education.md index 03caa021e6..4cbabcfdff 100644 --- a/education/windows/configure-windows-for-education.md +++ b/education/windows/configure-windows-for-education.md 
@@ -1,11 +1,13 @@ --- title: Windows 10 configuration recommendations for education customers description: Provides guidance on ways to configure the OS diagnostic data, consumer experiences, Cortana, search, as well as some of the preinstalled apps, so that Windows is ready for your school. -keywords: Windows 10 deployment, recommendations, privacy settings, school, education, configurations +keywords: Windows 10 deployment, recommendations, privacy settings, school, education, configurations, accessibility, assistive technology ms.mktglfcycl: plan ms.sitesec: library localizationpriority: high author: CelesteDG +ms.author: celested +ms.date: 06/19/2017 --- # Windows 10 configuration recommendations for education customers 
@@ -14,18 +16,20 @@ author: CelesteDG - Windows 10 -Privacy is important to us, we want to provide you with ways to customize the OS diagnostic data, consumer experiences, Cortana, search, as well as some of the preinstalled apps, for usage with [education editions of Windows 10](windows-editions-for-education-customers.md) in education environments. To learn more about Microsoft’s commitment to privacy, see [Windows 10 and privacy](https://go.microsoft.com/fwlink/?LinkId=809305). +Privacy is important to us, we want to provide you with ways to customize the OS diagnostic data, consumer experiences, Cortana, search, as well as some of the preinstalled apps, for usage with [education editions of Windows 10](windows-editions-for-education-customers.md) in education environments. These features work on all Windows 10 editions, but education editions of Windows 10 have the settings preconfigured. See the following table for more information. To learn more about Microsoft's commitment to privacy, see [Windows 10 and privacy](https://go.microsoft.com/fwlink/?LinkId=809305). + +We want all students to have the chance to use the apps they need for success in the classroom and all school personnel to have apps they need for their job. Students and school personnel who use assistive technology apps not available in the Microsoft Store for Education, and use devices running Windows 10 S, will be able to configure the device at no additional charge to Windows 10 Pro Education. To learn more about the steps to configure this, see [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](switch-to-pro-education.md). In Windows 10, version 1703 (Creators Update), it is straightforward to configure Windows to be education ready. 
-| Area | How to configure | What this does | Notes | -| --- | --- | --- | --- | -| **Diagnostic Data** | **SetEduPolicies** | Sets Diagnostic Data to [Basic](https://technet.microsoft.com/itpro/windows/configure/configure-windows-telemetry-in-your-organization) | On Windows 10 Education or Windows 10 Pro Education, this is already set | -| **Microsoft consumer experiences** | **SetEduPolicies** | Disables suggested content from Windows such as app recommendations | On Windows 10 Education or Windows 10 Pro Education, this is already set | -| **Cortana** | **AllowCortana** | Disables Cortana | * Cortana is enabled by default on all editions in Windows 10, version 1703

    * If using Windows 10 Pro Education or Windows 10 Education, upgrading from Windows 10, version 1607 to Windows 10, version 1703 will enable Cortana. You can use the **AllowCortana** policy to turn it off. | -| **Safe search** | **SetEduPolicies** | Locks Bing safe search to Strict in Microsoft Edge | On Windows 10 Education or Windows 10 Pro Education, this is already set | -| **Bing search advertising** | Ad free search with Bing | Disables ads when searching the internet with Bing in Microsoft Edge | Depending on your specific requirements, there are different ways to configure this as detailed in [Ad-free search with Bing](#ad-free-search-with-bing) | -| **Apps** | **SetEduPolicies** | Preinstalled apps like Microsoft Edge, Movies & TV, Groove, and Skype become education ready | * Any app can detect Windows is running in an education ready configuration through [IsEducationEnvironment](https://docs.microsoft.com/en-us/uwp/api/windows.system.profile.educationsettings)

    * On Windows 10 Education or Windows 10 Pro Education, this is already set | +| Area | How to configure | What this does | Windows 10 Education | Windows 10 Pro Education | Windows 10 S | +| --- | --- | --- | --- | --- | --- | +| **Diagnostic Data** | **SetEduPolicies** | Sets Diagnostic Data to [Basic](https://technet.microsoft.com/itpro/windows/configure/configure-windows-telemetry-in-your-organization) | This is already set | This is already set | The policy must be set | +| **Microsoft consumer experiences** | **SetEduPolicies** | Disables suggested content from Windows such as app recommendations | This is already set | This is already set | The policy must be set | +| **Cortana** | **AllowCortana** | Disables Cortana

    * Cortana is enabled by default on all editions in Windows 10, version 1703 | If using Windows 10 Education, upgrading from Windows 10, version 1607 to Windows 10, version 1703 will enable Cortana.

    See the [Recommended configuration](#recommended-configuration) section below for recommended Cortana settings. | If using Windows 10 Pro Education, upgrading from Windows 10, version 1607 to Windows 10, version 1703 will enable Cortana.

    See the [Recommended configuration](#recommended-configuration) section below for recommended Cortana settings. | See the [Recommended configuration](#recommended-configuration) section below for recommended Cortana settings. | +| **Safe search** | **SetEduPolicies** | Locks Bing safe search to Strict in Microsoft Edge | This is already set | This is already set | The policy must be set | +| **Bing search advertising** | Ad free search with Bing | Disables ads when searching the internet with Bing in Microsoft Edge | Depending on your specific requirements, there are different ways to configure this as detailed in [Ad-free search with Bing](#ad-free-search-with-bing) | Depending on your specific requirements, there are different ways to configure this as detailed in [Ad-free search with Bing](#ad-free-search-with-bing) | Depending on your specific requirements, there are different ways to configure this as detailed in [Ad-free search with Bing](#ad-free-search-with-bing) | +| **Apps** | **SetEduPolicies** | Preinstalled apps like Microsoft Edge, Movies & TV, Groove, and Skype become education ready

    * Any app can detect Windows is running in an education ready configuration through [IsEducationEnvironment](https://docs.microsoft.com/en-us/uwp/api/windows.system.profile.educationsettings) | This is already set | This is already set | The policy must be set | ## Recommended configuration @@ -39,7 +43,7 @@ It is easy to be education ready when using Microsoft products. We recommend the You can [sign up to learn more about Intune for Education](https://info.microsoft.com/US-WNDWS-CNTNT-FY17-01Jan-17-IntuneforEducationlandingpageandnurture292531_01Registration-ForminBody.html). -3. On PCs running Windows 10, version 1703 (Windows 10 Pro Education or Windows 10 Education): +3. On PCs running Windows 10, version 1703: 1. Provision the PC using one of these methods: * [Provision PCs with the Set up School PCs app](use-set-up-school-pcs-app.md) - This will automatically set both **SetEduPolicies** to True and **AllowCortana** to False. * [Provision PCs with a custom package created with Windows Configuration Designer](https://technet.microsoft.com/en-us/itpro/windows/configure/provisioning-create-package) - Make sure to set both **SetEduPolicies** to True and **AllowCortana** to False. 
@@ -48,6 +52,8 @@ It is easy to be education ready when using Microsoft products. We recommend the * Manually Azure AD join the PC during the Windows device setup experience. 3. Enroll the PCs in MDM. * If you have activated Intune for Education in your Azure AD tenant, enrollment will happen automatically when the PC is joined to Azure AD. Intune for Education will automatically set **SetEduPolicies** to True and **AllowCortana** to False. + 4. Ensure that needed assistive technology apps can be used. + * If you have students or school personnel who rely on assistive technology apps that are not available in the Microsoft Store for Education, and who are using a Windows 10 S device, configure their device to Windows 10 Pro Education to allow the download and use of non-Microsoft Store assistive technology apps. See [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](switch-to-pro-education.md) for more info. 4. Distribute the PCs to students. @@ -69,6 +75,9 @@ You can set all the education compliance areas through both provisioning and man ## AllowCortana **AllowCortana** is a policy that enables or disables Cortana. It is a policy node in the Policy configuration service provider, [AllowCortana](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowcortana). +> [!NOTE] +> See the [Recommended configuration](#recommended-configuration) section for recommended Cortana settings. + Use one of these methods to set this policy. ### MDM diff --git a/education/windows/create-tests-using-microsoft-forms.md b/education/windows/create-tests-using-microsoft-forms.md index c2df9fb7ba..a5fdfd4970 100644 --- a/education/windows/create-tests-using-microsoft-forms.md +++ b/education/windows/create-tests-using-microsoft-forms.md 
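Review bot: The new sub-step "Ensure that needed assistive technology apps can be used" omits the security trade-off of moving a Windows 10 S device to Windows 10 Pro Education. As the text itself implies, the switch is what permits non-Microsoft Store apps, so it presumably lifts that restriction for every app on the device, not only the assistive one. I would add a sentence such as `Switch only the devices that need these apps, and confirm that **SetEduPolicies** and **AllowCortana** are still applied after the switch.` The same bullet is added under "Deployment best practices" in education/windows/edu-deployment-recommendations.md and would take the same caveat.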
@@ -7,6 +7,7 @@ ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu author: CelesteDG +ms.author: celested redirect_url: https://support.microsoft.com/help/4000711/windows-10-create-tests-using-microsoft-forms --- diff --git a/education/windows/deploy-windows-10-in-a-school-district.md b/education/windows/deploy-windows-10-in-a-school-district.md index 1669188d1a..70f71c103a 100644 --- a/education/windows/deploy-windows-10-in-a-school-district.md +++ b/education/windows/deploy-windows-10-in-a-school-district.md @@ -8,6 +8,7 @@ ms.pagetype: edu ms.sitesec: library localizationpriority: high author: craigash +ms.author: celested --- # Deploy Windows 10 in a school district diff --git a/education/windows/deploy-windows-10-in-a-school.md b/education/windows/deploy-windows-10-in-a-school.md index 8c0efa4efe..6c6ecf4977 100644 --- a/education/windows/deploy-windows-10-in-a-school.md +++ b/education/windows/deploy-windows-10-in-a-school.md @@ -8,6 +8,7 @@ ms.pagetype: edu ms.sitesec: library localizationpriority: high author: craigash +ms.author: celested --- # Deploy Windows 10 in a school diff --git a/education/windows/edu-deployment-recommendations.md b/education/windows/edu-deployment-recommendations.md index e10a79af57..7d76300a59 100644 --- a/education/windows/edu-deployment-recommendations.md +++ b/education/windows/edu-deployment-recommendations.md @@ -6,6 +6,8 @@ ms.mktglfcycl: plan ms.sitesec: library localizationpriority: high author: CelesteDG +ms.author: celested +ms.date: 06/19/2017 ms.prod: W10 --- 
@@ -15,17 +17,17 @@ ms.prod: W10 - Windows 10 -Your privacy is important to us, so we want to provide you with ways to customize the OS privacy settings, as well as some of the apps, so that you can choose what information is shared with Microsoft. To learn more about Microsoft’s commitment to privacy, see [Windows 10 and privacy](https://go.microsoft.com/fwlink/?LinkId=809305). +Your privacy is important to us, so we want to provide you with ways to customize the OS privacy settings, as well as some of the apps, so that you can choose what information is shared with Microsoft. To learn more about Microsoft’s commitment to privacy, see [Windows 10 and privacy](https://go.microsoft.com/fwlink/?LinkId=809305). The following sections provide some best practices and specific privacy settings we’d like you to be aware of. Also see [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md) for more information about ways to customize the OS diagnostic data, consumer experiences, Cortana, and search. -Here are some best practices and specific privacy settings we’d like you to be aware of. Also see [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md) for more information about ways to customize the OS diagnostic data, consumer experiences, Cortana, and search. +We want all students to have the chance to use the apps they need for success in the classroom and all school personnel to have apps they need for their job. Students and school personnel who use assistive technology apps not available in the Microsoft Store for Education, and use devices running Windows 10 S, will be able to configure the device at no additional charge to Windows 10 Pro Education. To learn more about the steps to configure this, see [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](switch-to-pro-education.md). 
## Deployment best practices Keep these best practices in mind when deploying any edition of Windows 10 in schools or districts: * A Microsoft account is only intended for consumer services. Enterprises and educational institutions should use enterprise versions where possible, such as Skype for Business, OneDrive for Business, and so on. For schools, consider using mobile device management (MDM) or Group Policy to block students from adding a Microsoft account as a secondary account. - * If schools allow the use of personal accounts by their students to access personal services, schools should be aware that these accounts belong to individuals, not the school. * IT administrators, school officials, and teachers should also consider ratings when picking apps from the Windows Store. +* If you have students or school personnel who rely on assistive technology apps that are not available in the Microsoft Store for Education, and who are using a Windows 10 S device, configure their device to Windows 10 Pro Education to allow the download and use of non-Microsoft Store assistive technology apps. See [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](switch-to-pro-education.md) for more info. ## Windows 10 Contacts privacy settings diff --git a/education/windows/education-scenarios-store-for-business.md b/education/windows/education-scenarios-store-for-business.md index f9dbde2df7..25070b6aa8 100644 --- a/education/windows/education-scenarios-store-for-business.md +++ b/education/windows/education-scenarios-store-for-business.md @@ -7,6 +7,7 @@ ms.mktglfcycl: plan ms.sitesec: library localizationpriority: high author: trudyha +ms.author: trudyha --- # Working with Microsoft Store for Education diff --git a/education/windows/get-minecraft-for-education.md b/education/windows/get-minecraft-for-education.md index 595d935f57..036d1cf2b7 100644 --- a/education/windows/get-minecraft-for-education.md +++ b/education/windows/get-minecraft-for-education.md 
@@ -7,6 +7,7 @@ ms.mktglfcycl: plan ms.sitesec: library localizationpriority: high author: trudyha +ms.author: trudyha --- # Get Minecraft: Education Edition diff --git a/education/windows/images/suspc_createpackage_recommendedapps_office061217.png b/education/windows/images/suspc_createpackage_recommendedapps_office061217.png new file mode 100644 index 0000000000..ac2ccbe4eb Binary files /dev/null and b/education/windows/images/suspc_createpackage_recommendedapps_office061217.png differ diff --git a/education/windows/index.md b/education/windows/index.md index 9d3f183b1d..33b03ce19c 100644 --- a/education/windows/index.md +++ b/education/windows/index.md @@ -8,6 +8,7 @@ ms.sitesec: library ms.pagetype: edu localizationpriority: high author: CelesteDG +ms.author: celested --- # Windows 10 for Education diff --git a/education/windows/school-get-minecraft.md b/education/windows/school-get-minecraft.md index 2d28eccfc9..66feebb077 100644 --- a/education/windows/school-get-minecraft.md +++ b/education/windows/school-get-minecraft.md @@ -7,6 +7,7 @@ ms.mktglfcycl: plan ms.sitesec: library localizationpriority: high author: trudyha +ms.author: trudyha --- # For IT administrators - get Minecraft: Education Edition diff --git a/education/windows/set-up-school-pcs-technical.md b/education/windows/set-up-school-pcs-technical.md index 39f0826ba4..120247f9d3 100644 --- a/education/windows/set-up-school-pcs-technical.md +++ b/education/windows/set-up-school-pcs-technical.md @@ -8,6 +8,7 @@ ms.sitesec: library ms.pagetype: edu localizationpriority: high author: CelesteDG +ms.author: celested --- # Technical reference for the Set up School PCs app diff --git a/education/windows/set-up-students-pcs-to-join-domain.md b/education/windows/set-up-students-pcs-to-join-domain.md index 81edf2b7a9..d33c9d5620 100644 --- a/education/windows/set-up-students-pcs-to-join-domain.md +++ b/education/windows/set-up-students-pcs-to-join-domain.md 
@@ -7,6 +7,7 @@ ms.mktglfcycl: plan ms.sitesec: library localizationpriority: high author: CelesteDG +ms.author: celested --- # Set up student PCs to join domain diff --git a/education/windows/set-up-students-pcs-with-apps.md b/education/windows/set-up-students-pcs-with-apps.md index bcb92096ac..32d966f479 100644 --- a/education/windows/set-up-students-pcs-with-apps.md +++ b/education/windows/set-up-students-pcs-with-apps.md @@ -7,6 +7,7 @@ ms.mktglfcycl: plan ms.sitesec: library localizationpriority: high author: CelesteDG +ms.author: celested --- # Provision student PCs with apps diff --git a/education/windows/set-up-windows-10.md b/education/windows/set-up-windows-10.md index 1d43aed651..00647deb81 100644 --- a/education/windows/set-up-windows-10.md +++ b/education/windows/set-up-windows-10.md @@ -8,6 +8,7 @@ ms.sitesec: library ms.pagetype: edu localizationpriority: high author: CelesteDG +ms.author: celested --- # Set up Windows devices for education diff --git a/education/windows/switch-to-pro-education.md b/education/windows/switch-to-pro-education.md index a42e464435..1619f08a9a 100644 --- a/education/windows/switch-to-pro-education.md +++ b/education/windows/switch-to-pro-education.md @@ -8,6 +8,7 @@ ms.sitesec: library ms.pagetype: edu localizationpriority: high author: CelesteDG +ms.author: celested --- # Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S 
@@ -41,30 +42,32 @@ There are two ways to switch from Windows 10 S to Windows 10 Pro Education, outl 1. **Bulk switch through Microsoft Store for Education** - In this scenario, the global admin for the Azure AD education tenant can use Microsoft Store to switch all Windows 10 S devices on the tenant to Windows 10 Pro Education. See [Switch using Microsoft Store for Education](#switch-using-microsoft-store-for-education) for details on how to do this. + In this scenario, the global admin for the Azure AD education tenant can use Microsoft Store to switch all Windows 10 S devices on the tenant to Windows 10 Pro Education. + + See [Switch using Microsoft Store for Education](#switch-using-microsoft-store-for-education) for details on how to do this. 2. **Asynchronous switch** In this scenario, the global admin must acquire the necessary keys and then select a method for key distribution. **Key acquisition options:** - - - Volume Licensing customers - For schools with active Microsoft Volume Licensing agreements, global admins can obtain free MAK keys for Windows 10 Pro Education. + - **Volume Licensing customers** - For schools with active Microsoft Volume Licensing agreements, global admins can obtain free MAK keys for Windows 10 Pro Education. > [!NOTE] > Windows 10 S is a Qualified OS (QOS) for Academic Volume Licensing only. + + - **Non-Volume Licensing customers** - For schools without an active Microsoft Volume Licensing agreement, the global admin can contact CSS, fill out a form and provide a proof of purchase to receive MAK keys for Windows 10 Pro Education. - - Non-Volume Licensing customers - For schools without an active Microsoft Volume Licensing agreement, the global admin can contact CSS, fill out a form and provide a proof of purchase to receive MAK keys for Windows 10 Pro Education. 
+ **Key distribution options:** + + You can find step-by-step info on how to use each of the options described here in [Switch options from Windows 10 S to Windows 10 Pro Education](#switch-options-from-windows-10-s-to-windows-10-pro-education). - **Key distribution options:** - - - Bulk key distribution - You can apply MAK keys to switch the operating system on select devices or groups of devices using one of these methods: + - **Bulk key distribution** - You can apply MAK keys to switch the operating system on select devices or groups of devices using one of these methods: - Use Microsoft Intune for Education. See [Switch using Intune for Education](#switch-using-intune-for-education) for details on how to do this. - Use Windows Configuration Designer to create a provisioning package that will provision the switch on the device(s). See [Switch using Windows Configuration Designer](#switch-using-windows-configuration-designer) for details on how to do this. - Use the mobile device management (MDM) policy, **UpgradeEditionWithProductKey**. See [Switch using MDM](#switch-using-mdm) for details on how to do this. - Use scripting. See [Switch using scripting](#switch-using-scripting) for details on how to do this. - - - Manual key entry - You can also manually apply the MAK key using one of these methods: + - **Manual key entry** - You can also manually apply the MAK key using one of these methods: - Enter the MAK key in the Windows **Settings > Activation** page. See [Switch using the Activation page](#switch-using-the-activation-page) for details on how to do this. - Install with a media and key through Windows setup. We don't recommend this option due to the potential for multi-reboot requirements. diff --git a/education/windows/take-a-test-app-technical.md b/education/windows/take-a-test-app-technical.md index 2e60824894..5da7470ad4 100644 --- a/education/windows/take-a-test-app-technical.md +++ b/education/windows/take-a-test-app-technical.md 
@@ -8,6 +8,7 @@ ms.sitesec: library ms.pagetype: edu localizationpriority: high author: CelesteDG +ms.author: celested --- # Take a Test app technical reference diff --git a/education/windows/take-a-test-multiple-pcs.md b/education/windows/take-a-test-multiple-pcs.md index 19b0f65e62..ba5ffb4d9d 100644 --- a/education/windows/take-a-test-multiple-pcs.md +++ b/education/windows/take-a-test-multiple-pcs.md @@ -8,6 +8,7 @@ ms.sitesec: library ms.pagetype: edu localizationpriority: high author: CelesteDG +ms.author: celested --- # Set up Take a Test on multiple PCs diff --git a/education/windows/take-a-test-single-pc.md b/education/windows/take-a-test-single-pc.md index 19053b9c55..71827e3366 100644 --- a/education/windows/take-a-test-single-pc.md +++ b/education/windows/take-a-test-single-pc.md @@ -8,6 +8,7 @@ ms.sitesec: library ms.pagetype: edu localizationpriority: high author: CelesteDG +ms.author: celested --- # Set up Take a Test on a single PC diff --git a/education/windows/take-tests-in-windows-10.md b/education/windows/take-tests-in-windows-10.md index c526121def..94b00c53fa 100644 --- a/education/windows/take-tests-in-windows-10.md +++ b/education/windows/take-tests-in-windows-10.md @@ -8,6 +8,7 @@ ms.sitesec: library ms.pagetype: edu localizationpriority: high author: CelesteDG +ms.author: celested --- # Take tests in Windows 10 diff --git a/education/windows/teacher-get-minecraft.md b/education/windows/teacher-get-minecraft.md index 24cf0d3cb4..fb8d30ef6f 100644 --- a/education/windows/teacher-get-minecraft.md +++ b/education/windows/teacher-get-minecraft.md @@ -7,6 +7,7 @@ ms.mktglfcycl: plan ms.sitesec: library localizationpriority: high author: trudyha +ms.author: trudyha --- # For teachers - get Minecraft: Education Edition diff --git a/education/windows/use-set-up-school-pcs-app.md b/education/windows/use-set-up-school-pcs-app.md index bba42e5d55..bfc4179cfa 100644 --- a/education/windows/use-set-up-school-pcs-app.md 
+++ b/education/windows/use-set-up-school-pcs-app.md @@ -8,6 +8,8 @@ ms.sitesec: library ms.pagetype: edu localizationpriority: high author: CelesteDG +ms.author: celested +ms.date: 06/26/2017 --- # Use the Set up School PCs app @@ -66,6 +68,7 @@ Set up School PCs makes it easy to set up Windows 10 PCs with Microsoft's recomm > [!WARNING] > Only use the provisioning package on PCs that you want to configure and lock down for students. After you apply the provisioning package to a student PC, the PC must be reset to remove the settings. + * The student PCs must be in range of the Wi-Fi network that you configured in Set up School PCs or have a wired Ethernet connection when you set them up. Otherwise, setup will fail. * If the PC has already been set up and you want to return to the first-run experience to apply a new package, you can reset the PC to get to a clean state and get it back to the first-run experience and ready to provision again. To do this: 
@@ -90,18 +93,16 @@ Set up School PCs makes it easy to set up Windows 10 PCs with Microsoft's recomm Learn more about what Set up School PCs does, including provisioning details, in [Technical reference for the Set up School PCs app](set-up-school-pcs-technical.md). +## Prerequisites -## Set up School PCs app step-by-step +- [Download the latest Set up School PCs app from the Microsoft Store](https://www.microsoft.com/store/apps/9nblggh4ls40). +- Install the app on your work PC and make sure you're connected to your school's network. +- You must be an administrator on Office 365 and Azure Active Directory, and have Microsoft Store for Education configured. It's best if you sign up for and configure Intune for Education before using the Set up School PCs app. +- Have a USB drive, 1 GB or larger, to save the provisioning package. We recommend an 8 GB or larger USB drive if you're installing Office. -What you need: +## Set up School PCs step-by-step -- The **Set up School PCs** app, installed on your work PC and connected to your school's network. - - To get started, [download the latest Set up School PCs app from the Microsoft Store](https://www.microsoft.com/store/apps/9nblggh4ls40). - -- A USB drive, 1 GB or larger. We recommend an 8 GB or larger USB drive if you're installing Office. - -### Create the provisioning package in the app +### Create the provisioning package The **Set up School PCs** app guides you through the configuration choices for the student PCs. 
@@ -145,7 +146,7 @@ The **Set up School PCs** app guides you through the configuration choices for t ![Only skip Wi-Fi if you have a wired Ethernet connection](images/suspc_createpackage_skipwifi_modaldialog.png) -5. To assign a name to the student PCs, in the **Assign a name to these student PCs** page: +5. To assign a name to the student PCs, in the **Name these devices** page: 1. Add a short name that Set up School PCs will use as a prefix to identify and easily manage the group of devices, apps, and other settings through your device management client. > [!NOTE] 
@@ -191,15 +192,21 @@ The **Set up School PCs** app guides you through the configuration choices for t 3. Click **Next** or **Skip** depending on whether you want to set up Take a Test. -8. In the **Add recommended apps** page, you can choose from a set of recommended Microsoft Store apps to provision. The recommended apps include Minecraft: Education Edition and several STEM and Makerspace apps. +8. In the **Add recommended apps** page, you can choose from a set of recommended Microsoft Store apps to provision. The recommended apps include the following: + * **Office 365 for Windows 10 S (Education Preview)** + * Office 365 for Windows 10 S will only work on student PCs running Windows 10 S. If you try to install this app on other editions of Windows, setup will fail. + * When adding the Office 365 for Windows 10 S to a package, the device you use to run Set up School PCs does not have to be running Windows 10 S. + * **Minecraft: Education Edition** - Free trial + * Popular **STEM and Makerspace apps** + 1. Select the apps that you would like to provision and then click **Next** when you're done. 2. Click **Skip** if you don't want to provision any apps. - **Figure 6** - Select from a set of recommended Microsoft Store apps + **Figure 6** - Select from a set of recommended Microsoft Store apps - ![Select from a set of recommended Microsoft Store apps](images/suspc_createpackage_recommendedapps.png) + ![Select from a set of recommended Microsoft Store apps](images/suspc_createpackage_recommendedapps_office061217.png) - The set of recommended Microsoft Store for Education apps may vary from what we show here. + The set of recommended Microsoft Store for Education apps may vary from what we show here. 9. In the **Review package summary** page, make sure that all the settings you configured appear correctly. 1. If you need to change any of the settings, you can on the sections to go back to that page and make your changes. 
diff --git a/education/windows/windows-editions-for-education-customers.md b/education/windows/windows-editions-for-education-customers.md index b798212e27..f25dbdafb2 100644 --- a/education/windows/windows-editions-for-education-customers.md +++ b/education/windows/windows-editions-for-education-customers.md @@ -8,6 +8,7 @@ ms.sitesec: library ms.pagetype: edu localizationpriority: high author: CelesteDG +ms.author: celested --- # Windows 10 editions for education customers diff --git a/mdop/docfx.json b/mdop/docfx.json index 5b4039884d..a9a41d5222 100644 --- a/mdop/docfx.json +++ b/mdop/docfx.json @@ -20,7 +20,13 @@ "ms.technology": "mdop", "ms.sitesec": "library", "ms.topic": "article", - "ms.author": "jamiet" + "ms.author": "jamiet", + "ms.date": "04/05/2017", + "_op_documentIdPathDepotMapping": { + "./": { + "depot_name": "Win.mdop" + } + } }, "externalReference": [ ], diff --git a/smb/docfx.json b/smb/docfx.json index 2e849d2d22..866b2b152c 100644 --- a/smb/docfx.json +++ b/smb/docfx.json @@ -29,9 +29,14 @@ "overwrite": [], "externalReference": [], "globalMetadata": { - "uhfHeaderId": "MSDocsHeader-WindowsIT", - "breadcrumb_path": "/windows/smb/breadcrumb/toc.json" - }, + "uhfHeaderId": "MSDocsHeader-WindowsIT", + "breadcrumb_path": "/windows/smb/breadcrumb/toc.json", + "_op_documentIdPathDepotMapping": { + "./": { + "depot_name": "TechNet.smb" + } + } + }, "fileMetadata": {}, "template": [], "dest": "smb" diff --git a/store-for-business/TOC.md b/store-for-business/TOC.md index ba2c1b8c8a..514ff6cfea 100644 --- a/store-for-business/TOC.md +++ b/store-for-business/TOC.md 
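Review bot: The `"ms.date": "04/05/2017"` added to `globalMetadata` in mdop/docfx.json becomes the default for every article in the docset that has no `ms.date` in its own front matter, so pages edited later keep reporting April 2017 unless each one overrides it. The same addition appears in the store-for-business (`"05/09/2017"`), windows/access-protection, windows/application-management and windows/client-management docfx.json hunks. It matters most for access-protection, where readers of pages such as the Credential Guard known-issues list presumably use the date to judge whether the listed fixes and KB references are current. This commit already adds a per-file `ms.date: 06/19/2017` to the MDM articles, so I would do the same for the remaining articles. Alternatively, scope the default under the existing `"fileMetadata": {}` key to the files it was actually verified for, rather than stamping the whole docset.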
@@ -27,4 +27,5 @@ ### [Update Microsoft Store for Business and Microsoft Store for Education account settings](update-windows-store-for-business-account-settings.md) ### [Manage user accounts in Microsoft Store for Business and Education](manage-users-and-groups-windows-store-for-business.md) ## [Troubleshoot Microsoft Store for Business](troubleshoot-windows-store-for-business.md) +## [Notifications in Microsoft Store for Business and Education](notifications-microsoft-store-business.md) diff --git a/store-for-business/docfx.json b/store-for-business/docfx.json index 05874cfbb2..9fe69e52a3 100644 --- a/store-for-business/docfx.json +++ b/store-for-business/docfx.json @@ -35,7 +35,13 @@ "uhfHeaderId": "MSDocsHeader-WindowsIT", "ms.author": "trudyha", "ms.technology": "windows", - "ms.topic": "article" + "ms.topic": "article", + "ms.date": "05/09/2017", + "_op_documentIdPathDepotMapping": { + "./": { + "depot_name": "MSDN.store-for-business" + } + } }, "fileMetadata": {}, "template": [], diff --git a/store-for-business/education/TOC.md b/store-for-business/education/TOC.md index 2e4ef3a73c..1c2ebc03b3 100644 --- a/store-for-business/education/TOC.md +++ b/store-for-business/education/TOC.md @@ -32,4 +32,5 @@ ### [Update Microsoft Store for Business and Microsoft Store for Education account settings](/microsoft-store/update-windows-store-for-business-account-settings?toc=/microsoft-store/education/toc.json) ### [Manage user accounts in Microsoft Store for Business and Education](/microsoft-store/manage-users-and-groups-windows-store-for-business?toc=/microsoft-store/education/toc.json) ## [Troubleshoot Microsoft Store for Business](/microsoft-store/troubleshoot-windows-store-for-business?toc=/microsoft-store/education/toc.json) +## [Notifications in Microsoft Store for Business and Education](/microsoft-store/notifications-microsoft-store-business?toc=/microsoft-store/education/toc.json) 
diff --git a/store-for-business/notifications-microsoft-store-business.md b/store-for-business/notifications-microsoft-store-business.md new file mode 100644 index 0000000000..cb657a21ef --- /dev/null +++ b/store-for-business/notifications-microsoft-store-business.md 
@@ -0,0 +1,33 @@ +--- +title: Notifications in Microsoft Store for Business and Education (Windows 10) +description: Notifications alert you to issues or outages with Micrososft Store for Business and Education. +keywords: notifications, alerts +ms.assetid: +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: store +author: TrudyHa +localizationpriority: high +--- + +# Notifications in Microsoft Store for Business and Education + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +Microsoft Store for Business and Microsoft Store for Education use a set of notifications to alert admins if there is an issue or outage with Microsoft Store. + +## Notifications for admins + +| Store area | Notification message | Customer impact | +| ---------- | -------------------- | --------------- | +| General | We’re on it. Something happened on our end with the Store. Waiting a bit might help. | You might be unable to sign in. There might be an intermittent Azure AD outage. | +| Manage | We’re on it. Something happened on our end with management for apps and software. We’re working to fix the problem. | You might be unable to manage inventory, including viewing inventory, distributing apps, assigning licenses, or viewing and managing order history. | +| Shop | We’re on it. Something happened on our end with purchasing. We’re working to fix the problem. | Shop might not be available. You might not be able to purchase new, or additional licenses. | +| Private store | We’re on it. Something happened on our end with your organization’s private store. People in your organization can’t download apps right now. We’re working to fix the problem. | People in your organization might not be able to view the private store, or get apps. | +| Acquistion and licensing | We’re on it. People in your org might not be able to install or use certain apps. We’re working to fix the problem. | People in your org might not be able to claim a license from your private store. 
| +| Partner | We’re on it. Something happened on our end with Find a Partner. We’re working to fix the problem. | You might not be able to search for a partner. | \ No newline at end of file diff --git a/store-for-business/update-windows-store-for-business-account-settings.md b/store-for-business/update-windows-store-for-business-account-settings.md index 637220cb67..f844b5251a 100644 --- a/store-for-business/update-windows-store-for-business-account-settings.md +++ b/store-for-business/update-windows-store-for-business-account-settings.md @@ -38,9 +38,12 @@ We need an email address in case we need to contact you about your Microsoft Sto Taxes for Microsoft Store for Business purchases are determined by your business address. Businesses in these countries can provide their VAT number or local equivalent: - Austria - Belgium +- Bulgaria - Croatia +- Cyprus - Czech Republic - Denmark +- Estonia - Finland - France - Germany @@ -48,6 +51,10 @@ Taxes for Microsoft Store for Business purchases are determined by your business - Hungary - Ireland - Italy +- Latvia +- Liechtenstein +- Lithuania +- Luxembourg - Malta - Netherlands - Norway @@ -65,8 +72,10 @@ These countries can provide their VAT number or local equivalent in **Payments & |Market| Tax identifier | |------|----------------| +| Australia | ABN (optional) | | Brazil | CNPJ (required) | | India | CST ID, VAT ID (both are optional) | +| New Zealand | GST Registration number (optional) | | Taiwan | VAT ID (optional) | ### Tax-exempt status diff --git a/store-for-business/windows-store-for-business-overview.md b/store-for-business/windows-store-for-business-overview.md index 0edcf1dfa2..430cd5c616 100644 --- a/store-for-business/windows-store-for-business-overview.md +++ b/store-for-business/windows-store-for-business-overview.md @@ -472,7 +472,7 @@ Microsoft Store for Business and Education is currently available in these marke
  • United Kingdom
  • United States
  • Uruguay
  • -
  • Viet Nam
  • +
  • Vietnam
  • Virgin Islands, U.S.
  • Zambia
  • Zimbabwe
          
  • @@ -488,7 +488,11 @@ Customers in these markets can use Microsoft Store for Business and Education to ### Support for free apps and Minecraft: Education Edition Customers in these markets can use Microsoft Store for Business and Education to acquire free apps and Minecraft: Education Edition: +- Albania +- Bosnia - Brazil +- Georgia +- Korea - Taiwan - Ukraine diff --git a/windows/access-protection/credential-guard/credential-guard-known-issues.md b/windows/access-protection/credential-guard/credential-guard-known-issues.md index a3780e1d3f..d3b2ea0fff 100644 --- a/windows/access-protection/credential-guard/credential-guard-known-issues.md +++ b/windows/access-protection/credential-guard/credential-guard-known-issues.md 
@@ -17,34 +17,39 @@ author: brianlic-msft Credential Guard has certain application requirements. Credential Guard blocks specific authentication capabilities. Therefore applications that require such capabilities will not function when Credential Guard is enabled. For further information, see [Application requirements](https://docs.microsoft.com/en-us/windows/access-protection/credential-guard/credential-guard-requirements#application-requirements). -The following known issues have been fixed by servicing releases made available in the Cumulative Security Updates for April 2017: +The following known issue has been fixed by servicing releases made available in the Cumulative Security Updates for April 2017: -- KB4015217: [Credential Guard generates double bad password count on Active Directory domain-joined Windows 10 machines](https://support.microsoft.com/en-us/help/4015217/windows-10-update-kb4015217) +- [KB4015217 Credential Guard generates double bad password count on Active Directory domain-joined Windows 10 machines](https://support.microsoft.com/en-us/help/4015217/windows-10-update-kb4015217) - This issue can potentially lead to unexpected account lockouts. -See also Knowledge Base articles [KB4015219](https://support.microsoft.com/en-us/help/4015219/windows-10-update-kb4015219) and + This issue can potentially lead to unexpected account lockouts. See also Microsoft® Knowledge Base articles [KB4015219](https://support.microsoft.com/en-us/help/4015219/windows-10-update-kb4015219) and [KB4015221](https://support.microsoft.com/en-us/help/4015221/windows-10-update-kb4015221) -The following issue is under investigation. For available workarounds, see the following Knowledge Base article: -- [Installing AppSense Environment Manager on Windows 10 machines causes LSAiso.exe to exhibit high CPU usage when Credential Guard is enabled](http://www.appsense.com/kb/160525073917945) * [1] - - *Registration required to access this article. 
- - [1] For further technical information on LSAiso.exe, see this MSDN article: [Isolated User Mode (IUM) Processes](https://msdn.microsoft.com/library/windows/desktop/mt809132(v=vs.85).aspx) - The following issue affects Cisco AnyConnect Secure Mobility Client: -- [Blue screen on Windows 10 computers running Device Guard and Credential Guard with Cisco Anyconnect 4.3.04027](https://quickview.cloudapps.cisco.com/quickview/bug/CSCvc66692)** +- [Blue screen on Windows 10 computers running Device Guard and Credential Guard with Cisco Anyconnect 4.3.04027](https://quickview.cloudapps.cisco.com/quickview/bug/CSCvc66692) \* -**Registration required to access this article. +*Registration required to access this article. -Products that connect to Virtualization Based Security (VBS) protected processes can cause Credential Guard-enabled Windows 10 clients to exhibit high CPU usage. For further information, see the following Knowledge Base article: +The following issue affects McAfee Application and Change Control (MACC): +- [KB88869 Windows 10 machines exhibit high CPU sage with McAfee Application and Change Control (MACC) installed when Credential Guard is enabled](https://kc.mcafee.com/corporate/index?page=content&id=KB88869) [1] + -- KB88869: [Windows 10 machines exhibit high CPU usage with McAfee Application and Change Control (MACC) installed when Credential Guard is enabled](https://kc.mcafee.com/corporate/index?page=content&id=KB88869) +The following issue affects AppSense Environment Manager. + For further information, see the following Knowledge Base article: +- [Installing AppSense Environment Manager on Windows 10 machines causes LSAISO.exe to exhibit high CPU usage when Credential Guard is enabled](http://www.appsense.com/kb/160525073917945) [1] \** -The following issue is under investigation: +The following issue affects Citrix applications: +- Windows 10 machines exhibit high CPU usage with Citrix applications installed when Credential Guard is enabled. 
[1] + +[1] Products that connect to Virtualization Based Security (VBS) protected processes can cause Credential Guard-enabled Windows 10 or Windows Server 2016 machines to exhibit high CPU usage. For technical and troubleshooting information, see the following Microsoft Knowledge Base article: + +- [KB4032786 High CPU usage in the LSAISO process on Windows 10 or Windows Server 2016](https://support.microsoft.com/en-us/help/4032786) + +For further technical information on LSAISO.exe, see the MSDN article: [Isolated User Mode (IUM) Processes](https://msdn.microsoft.com/library/windows/desktop/mt809132(v=vs.85).aspx) + + + \** Registration is required to access this article. -- Windows 10 machines exhibit high CPU usage with Citrix applications installed when Credential Guard is enabled. ## Vendor support diff --git a/windows/access-protection/docfx.json b/windows/access-protection/docfx.json index 2a01ff236f..4d805de5fe 100644 --- a/windows/access-protection/docfx.json +++ b/windows/access-protection/docfx.json @@ -35,7 +35,13 @@ "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", "ms.technology": "windows", "ms.topic": "article", - "ms.author": "justinha" + "ms.author": "justinha", + "ms.date": "04/05/2017", + "_op_documentIdPathDepotMapping": { + "./": { + "depot_name": "MSDN.win-access-protection" + } + } }, "fileMetadata": {}, "template": [], diff --git a/windows/application-management/app-v/appv-auto-batch-sequencing.md b/windows/application-management/app-v/appv-auto-batch-sequencing.md index a90e25e2eb..5de2cf686f 100644 --- a/windows/application-management/app-v/appv-auto-batch-sequencing.md +++ b/windows/application-management/app-v/appv-auto-batch-sequencing.md 
@@ -155,6 +155,7 @@ There are 3 types of log files that occur when you sequence multiple apps at the - **Log.txt file**. Located in the **Output Package** folder. This file contains all code included in the NewAppVSequencerPackage cmdlet, including the allowed parameters. ### Related topics + - [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) - [How to install the App-V Sequencer](appv-install-the-sequencer.md) diff --git a/windows/application-management/app-v/appv-auto-batch-updating.md b/windows/application-management/app-v/appv-auto-batch-updating.md index 0430b81a0b..9dd0ce0b52 100644 --- a/windows/application-management/app-v/appv-auto-batch-updating.md +++ b/windows/application-management/app-v/appv-auto-batch-updating.md @@ -158,6 +158,7 @@ There are 3 types of log files that occur when you sequence multiple apps at the - **Log.txt file**. Located in the **Output Package** folder. This file contains all code included in the NewAppVSequencerPackage cmdlet, including the allowed parameters. ### Related topics + - [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) - [How to install the App-V Sequencer](appv-install-the-sequencer.md) diff --git a/windows/application-management/docfx.json b/windows/application-management/docfx.json index 62b8aeb9de..285dcee673 100644 --- a/windows/application-management/docfx.json +++ b/windows/application-management/docfx.json @@ -35,7 +35,13 @@ "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", "ms.technology": "windows", "ms.topic": "article", - "ms.author": "elizapo" + "ms.author": "elizapo", + "ms.date": "04/05/2017", + "_op_documentIdPathDepotMapping": { + "./": { + "depot_name": "MSDN.win-app-management" + } + } }, "fileMetadata": {}, "template": [], diff --git a/windows/client-management/TOC.md b/windows/client-management/TOC.md index 57e0175c71..40c24a2981 100644 
--- a/windows/client-management/TOC.md +++ b/windows/client-management/TOC.md @@ -9,5 +9,5 @@ ## [Reset a Windows 10 Mobile device](reset-a-windows-10-mobile-device.md) ## [Windows 10 Mobile deployment and management guide](windows-10-mobile-and-mdm.md) ## [Windows libraries](windows-libraries.md) -## [Mobile device management protocol](mdm/index.md) +## [Mobile device management for solution providers](mdm/index.md) ## [Change history for Client management](change-history-for-client-management.md) diff --git a/windows/client-management/docfx.json b/windows/client-management/docfx.json index 72ba73ffff..f649a5d1af 100644 --- a/windows/client-management/docfx.json +++ b/windows/client-management/docfx.json @@ -35,7 +35,13 @@ "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", "ms.technology": "windows", "ms.topic": "article", - "ms.author": "dongill" + "ms.author": "dongill", + "ms.date": "04/05/2017", + "_op_documentIdPathDepotMapping": { + "./": { + "depot_name": "MSDN.win-client-management" + } + } }, "fileMetadata": {}, "template": [], diff --git a/windows/client-management/index.md b/windows/client-management/index.md index 7dc6c63ae6..226c9237e7 100644 --- a/windows/client-management/index.md +++ b/windows/client-management/index.md 
@@ -28,4 +28,5 @@ Learn about the administrative tools, tasks and best practices for managing Wind |[Reset a Windows 10 Mobile device](reset-a-windows-10-mobile-device.md)| Instructions for resetting a Windows 10 Mobile device using either *factory* or *'wipe and persist'* reset options| |[Deploy Windows 10 Mobile](windows-10-mobile-and-mdm.md)| Considerations and instructions for deploying Windows 10 Mobile| |[Windows libraries](windows-libraries.md)| Considerations and instructions for managing Windows 10 libraries such as My Documents, My Pictures, and My Music.| +|[Mobile device management for solution providers](mdm/index.md) | Procedural and reference documentation for solution providers providing mobile device management (MDM) for Windows 10 devices. | |[Change history for Client management](change-history-for-client-management.md) | This topic lists new and updated topics in the Client management documentation for Windows 10 and Windows 10 Mobile. | \ No newline at end of file diff --git a/windows/client-management/mdm/activesync-csp.md b/windows/client-management/mdm/activesync-csp.md index a395891a14..f63def3424 100644 --- a/windows/client-management/mdm/activesync-csp.md +++ b/windows/client-management/mdm/activesync-csp.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # ActiveSync CSP diff --git a/windows/client-management/mdm/activesync-ddf-file.md b/windows/client-management/mdm/activesync-ddf-file.md index 8aa90d6d7c..0ef6a1b1eb 100644 --- a/windows/client-management/mdm/activesync-ddf-file.md +++ b/windows/client-management/mdm/activesync-ddf-file.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # ActiveSync DDF file 
diff --git a/windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription.md b/windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription.md index e1c6986fe5..da5ae04b1b 100644 --- a/windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription.md +++ b/windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # Add an Azure AD tenant and Azure AD subscription diff --git a/windows/client-management/mdm/alljoynmanagement-csp.md b/windows/client-management/mdm/alljoynmanagement-csp.md index 0746ed4175..94d224ad36 100644 --- a/windows/client-management/mdm/alljoynmanagement-csp.md +++ b/windows/client-management/mdm/alljoynmanagement-csp.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # AllJoynManagement CSP diff --git a/windows/client-management/mdm/alljoynmanagement-ddf.md b/windows/client-management/mdm/alljoynmanagement-ddf.md index ebc2840da3..0b2febb114 100644 --- a/windows/client-management/mdm/alljoynmanagement-ddf.md +++ b/windows/client-management/mdm/alljoynmanagement-ddf.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # AllJoynManagement DDF diff --git a/windows/client-management/mdm/application-csp.md b/windows/client-management/mdm/application-csp.md index 463b2e0c07..ad21866a9d 100644 --- a/windows/client-management/mdm/application-csp.md +++ b/windows/client-management/mdm/application-csp.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # APPLICATION configuration service provider diff --git a/windows/client-management/mdm/applicationrestrictions-xsd.md b/windows/client-management/mdm/applicationrestrictions-xsd.md index 312d90524e..f2b7971e0c 100644 
--- a/windows/client-management/mdm/applicationrestrictions-xsd.md +++ b/windows/client-management/mdm/applicationrestrictions-xsd.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # ApplicationRestrictions XSD diff --git a/windows/client-management/mdm/applocker-csp.md b/windows/client-management/mdm/applocker-csp.md index a73544002c..e1097181a3 100644 --- a/windows/client-management/mdm/applocker-csp.md +++ b/windows/client-management/mdm/applocker-csp.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # AppLocker CSP diff --git a/windows/client-management/mdm/applocker-ddf-file.md b/windows/client-management/mdm/applocker-ddf-file.md index e332216b02..8212ab4928 100644 --- a/windows/client-management/mdm/applocker-ddf-file.md +++ b/windows/client-management/mdm/applocker-ddf-file.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # AppLocker DDF file diff --git a/windows/client-management/mdm/applocker-xsd.md b/windows/client-management/mdm/applocker-xsd.md index 1d578d006d..7b7aa1f830 100644 --- a/windows/client-management/mdm/applocker-xsd.md +++ b/windows/client-management/mdm/applocker-xsd.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # AppLocker XSD diff --git a/windows/client-management/mdm/appv-deploy-and-config.md b/windows/client-management/mdm/appv-deploy-and-config.md index d7f18cf787..bfbbb46f16 100644 --- a/windows/client-management/mdm/appv-deploy-and-config.md +++ b/windows/client-management/mdm/appv-deploy-and-config.md @@ -6,6 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # Deploy and configure App-V apps using MDM 
diff --git a/windows/client-management/mdm/assign-seats.md b/windows/client-management/mdm/assign-seats.md index b39d6d9cdf..510be6e748 100644 --- a/windows/client-management/mdm/assign-seats.md +++ b/windows/client-management/mdm/assign-seats.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # Assign seat diff --git a/windows/client-management/mdm/assignedaccess-csp.md b/windows/client-management/mdm/assignedaccess-csp.md index aad87ff0e5..8c6466d2d4 100644 --- a/windows/client-management/mdm/assignedaccess-csp.md +++ b/windows/client-management/mdm/assignedaccess-csp.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # AssignedAccess CSP diff --git a/windows/client-management/mdm/assignedaccess-ddf.md b/windows/client-management/mdm/assignedaccess-ddf.md index 4f2fae2306..f3cb07376f 100644 --- a/windows/client-management/mdm/assignedaccess-ddf.md +++ b/windows/client-management/mdm/assignedaccess-ddf.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # AssignedAccess DDF diff --git a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md index ebdb1d406e..d3ca116cea 100644 --- a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md +++ b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md index 308b678f24..2007e89d95 100644 --- a/windows/client-management/mdm/bitlocker-csp.md +++ b/windows/client-management/mdm/bitlocker-csp.md 
@@ -6,6 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # BitLocker CSP diff --git a/windows/client-management/mdm/bitlocker-ddf-file.md b/windows/client-management/mdm/bitlocker-ddf-file.md index 2b0491ab35..50a36cc987 100644 --- a/windows/client-management/mdm/bitlocker-ddf-file.md +++ b/windows/client-management/mdm/bitlocker-ddf-file.md @@ -6,6 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # BitLocker DDF file diff --git a/windows/client-management/mdm/bootstrap-csp.md b/windows/client-management/mdm/bootstrap-csp.md index 86259803e4..50513be9bc 100644 --- a/windows/client-management/mdm/bootstrap-csp.md +++ b/windows/client-management/mdm/bootstrap-csp.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # BOOTSTRAP CSP diff --git a/windows/client-management/mdm/browserfavorite-csp.md b/windows/client-management/mdm/browserfavorite-csp.md index e762d03a4f..5e68ea5e83 100644 --- a/windows/client-management/mdm/browserfavorite-csp.md +++ b/windows/client-management/mdm/browserfavorite-csp.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # BrowserFavorite CSP diff --git a/windows/client-management/mdm/bulk-assign-and-reclaim-seats-from-user.md b/windows/client-management/mdm/bulk-assign-and-reclaim-seats-from-user.md index 3d370d247f..33f5904925 100644 --- a/windows/client-management/mdm/bulk-assign-and-reclaim-seats-from-user.md +++ b/windows/client-management/mdm/bulk-assign-and-reclaim-seats-from-user.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # Bulk assign and reclaim seats from users 
diff --git a/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md b/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md index dca0fac617..7a31519c1d 100644 --- a/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md +++ b/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md @@ -10,6 +10,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- diff --git a/windows/client-management/mdm/cellularsettings-csp.md b/windows/client-management/mdm/cellularsettings-csp.md index 2eb3f56669..2923939d83 100644 --- a/windows/client-management/mdm/cellularsettings-csp.md +++ b/windows/client-management/mdm/cellularsettings-csp.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # CellularSettings CSP diff --git a/windows/client-management/mdm/certificate-authentication-device-enrollment.md b/windows/client-management/mdm/certificate-authentication-device-enrollment.md index 06d6f265b6..0a2bceab37 100644 --- a/windows/client-management/mdm/certificate-authentication-device-enrollment.md +++ b/windows/client-management/mdm/certificate-authentication-device-enrollment.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # Certificate authentication device enrollment diff --git a/windows/client-management/mdm/certificate-renewal-windows-mdm.md b/windows/client-management/mdm/certificate-renewal-windows-mdm.md index 03875bfea6..c281ee131a 100644 --- a/windows/client-management/mdm/certificate-renewal-windows-mdm.md +++ b/windows/client-management/mdm/certificate-renewal-windows-mdm.md @@ -10,6 +10,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # Certificate Renewal 
diff --git a/windows/client-management/mdm/certificatestore-csp.md b/windows/client-management/mdm/certificatestore-csp.md index 20bda706fb..96b14e8fb7 100644 --- a/windows/client-management/mdm/certificatestore-csp.md +++ b/windows/client-management/mdm/certificatestore-csp.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # CertificateStore CSP diff --git a/windows/client-management/mdm/certificatestore-ddf-file.md b/windows/client-management/mdm/certificatestore-ddf-file.md index dce1073030..64e0b3693f 100644 --- a/windows/client-management/mdm/certificatestore-ddf-file.md +++ b/windows/client-management/mdm/certificatestore-ddf-file.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # CertificateStore DDF file diff --git a/windows/client-management/mdm/cleanpc-csp.md b/windows/client-management/mdm/cleanpc-csp.md index 4f2d5cc211..87f6daf4e2 100644 --- a/windows/client-management/mdm/cleanpc-csp.md +++ b/windows/client-management/mdm/cleanpc-csp.md @@ -6,6 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # CleanPC CSP diff --git a/windows/client-management/mdm/cleanpc-ddf.md b/windows/client-management/mdm/cleanpc-ddf.md index cfbd44cc65..82e162729b 100644 --- a/windows/client-management/mdm/cleanpc-ddf.md +++ b/windows/client-management/mdm/cleanpc-ddf.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # CleanPC DDF diff --git a/windows/client-management/mdm/clientcertificateinstall-csp.md b/windows/client-management/mdm/clientcertificateinstall-csp.md index 6391e50c7d..587a1318fc 100644 --- a/windows/client-management/mdm/clientcertificateinstall-csp.md +++ b/windows/client-management/mdm/clientcertificateinstall-csp.md 
@@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # ClientCertificateInstall CSP diff --git a/windows/client-management/mdm/clientcertificateinstall-ddf-file.md b/windows/client-management/mdm/clientcertificateinstall-ddf-file.md index d94173af03..66c326a853 100644 --- a/windows/client-management/mdm/clientcertificateinstall-ddf-file.md +++ b/windows/client-management/mdm/clientcertificateinstall-ddf-file.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # ClientCertificateInstall DDF file diff --git a/windows/client-management/mdm/cm-cellularentries-csp.md b/windows/client-management/mdm/cm-cellularentries-csp.md index 94a6e27f51..392f0820ef 100644 --- a/windows/client-management/mdm/cm-cellularentries-csp.md +++ b/windows/client-management/mdm/cm-cellularentries-csp.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # CM\_CellularEntries CSP diff --git a/windows/client-management/mdm/cm-proxyentries-csp.md b/windows/client-management/mdm/cm-proxyentries-csp.md index 693b4feb34..3612c0995d 100644 --- a/windows/client-management/mdm/cm-proxyentries-csp.md +++ b/windows/client-management/mdm/cm-proxyentries-csp.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # CM\_ProxyEntries CSP diff --git a/windows/client-management/mdm/cmpolicy-csp.md b/windows/client-management/mdm/cmpolicy-csp.md index e83953965b..daa2d26d67 100644 --- a/windows/client-management/mdm/cmpolicy-csp.md +++ b/windows/client-management/mdm/cmpolicy-csp.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # CMPolicy CSP 
diff --git a/windows/client-management/mdm/cmpolicyenterprise-csp.md b/windows/client-management/mdm/cmpolicyenterprise-csp.md index a3c9b663bf..3decd7a9a4 100644 --- a/windows/client-management/mdm/cmpolicyenterprise-csp.md +++ b/windows/client-management/mdm/cmpolicyenterprise-csp.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # CMPolicyEnterprise CSP diff --git a/windows/client-management/mdm/cmpolicyenterprise-ddf-file.md b/windows/client-management/mdm/cmpolicyenterprise-ddf-file.md index 6305ea17c3..7f8e457270 100644 --- a/windows/client-management/mdm/cmpolicyenterprise-ddf-file.md +++ b/windows/client-management/mdm/cmpolicyenterprise-ddf-file.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # CMPolicyEnterprise DDF file diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index a6d30377d2..498d52cb2a 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # Configuration service provider reference diff --git a/windows/client-management/mdm/create-a-custom-configuration-service-provider.md b/windows/client-management/mdm/create-a-custom-configuration-service-provider.md index 1d424f8364..2e6ce78778 100644 --- a/windows/client-management/mdm/create-a-custom-configuration-service-provider.md +++ b/windows/client-management/mdm/create-a-custom-configuration-service-provider.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # Create a custom configuration service provider 
diff --git a/windows/client-management/mdm/customdeviceui-csp.md b/windows/client-management/mdm/customdeviceui-csp.md index 955159f333..5e4e2289db 100644 --- a/windows/client-management/mdm/customdeviceui-csp.md +++ b/windows/client-management/mdm/customdeviceui-csp.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # CustomDeviceUI CSP diff --git a/windows/client-management/mdm/customdeviceui-ddf.md b/windows/client-management/mdm/customdeviceui-ddf.md index d44a97a49e..1299aadd20 100644 --- a/windows/client-management/mdm/customdeviceui-ddf.md +++ b/windows/client-management/mdm/customdeviceui-ddf.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # CustomDeviceUI DDF diff --git a/windows/client-management/mdm/data-structures-windows-store-for-business.md b/windows/client-management/mdm/data-structures-windows-store-for-business.md index 18b093df38..7a1bbaa552 100644 --- a/windows/client-management/mdm/data-structures-windows-store-for-business.md +++ b/windows/client-management/mdm/data-structures-windows-store-for-business.md @@ -10,6 +10,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # Data structures for Windows Store for Business @@ -28,6 +29,7 @@ Here's the list of data structures used in the Windows Store for Business REST A - [LicenseType](#licensetype) - [LocalizedProductDetail](#localizedproductdetail) - [OfflineLicense](#offlinelicense) +- [PackageContentInfo](#packagecontentinfo) - [PackageLocation](#packagelocation) - [ProductArchitectures](#productarchitectures) - [ProductDetails](#productdetails) @@ -85,26 +87,22 @@ Specifies the properties of the alternate identifier. --+ - - - + - - +
    Name TypeDescription

    seatDetails

    Collection of [SeatDetails](#seatdetails)

    collection of [SeatDetails](#seatdetails)

    failedSeatOperations

    Collection of [FailedSeatRequest](#failedseatrequest)

    collection of [FailedSeatRequest](#failedseatrequest)

    @@ -117,31 +115,26 @@ Specifies the properties of the alternate identifier. --+ - - - -
    Name TypeDescription

    failureReason

    string

    productKey

    [ProductKey](#productkey)

    userName

    string

    @@ -173,7 +166,7 @@ Specifies the properties of the alternate identifier.

    contentId

    string

    -

    Identifies a specific application

    +

    Identifies a specific application.

    location

    @@ -207,12 +200,12 @@ Specifies the properties of the alternate identifier.

    fileSize

    -

    integer -64

    -

    +

    integer-64

    +

    Size of the file.

    packageRank

    -

    integer-3232

    +

    integer-32

    Optional

    @@ -225,26 +218,22 @@ Specifies the properties of the alternate identifier. --+ - - - @@ -277,7 +266,7 @@ Specifies the properties of the alternate identifier. - + @@ -296,12 +285,12 @@ Specifies the properties of the alternate identifier. - + - + @@ -329,11 +318,11 @@ Specifies the properties of the alternate identifier. - + - + @@ -346,27 +335,23 @@ Specifies the properties of the alternate identifier.
    NameType Description

    open

    Open distribution policy - licenses/seats can be assigned/consumed without limit

    restricted

    Restricted distribution policy - licenses/seats must be assigned/consumed according to the available count

    seatCapacity

    integer-64

    Total number of seats that have been purchased for an application

    Total number of seats that have been purchased for an application.

    availableSeats

    distributionPolicy

    InventoryDistributionPolicy

    [InventoryDistributionPolicy](#inventorydistributionpolicy)

    status

    InventoryStatus

    [InventoryStatus](#inventorystatus)

    continuationToken

    string

    continuationToken is only available if there is a next page

    Only available if there is a next page.

    inventoryEntries

    collection of

    collection of [InventoryEntryDetails](#inventoryentrydetails)

    --+ - - - + - - +
    NameType Description

    active

    Entry is available in the organization’s inventory

    Entry is available in the organization’s inventory.

    removed

    Entry has been removed from the organization’s inventory

    Entry has been removed from the organization’s inventory.

    @@ -378,8 +363,8 @@ Specifies the properties of the alternate identifier. --++ @@ -497,43 +482,13 @@ Specifies the properties of the localized product.   -## ProductArchitectures - - -
    --- - - - - - - - - - - - - - - - - - - - -
    Name

    neutral

    arm

    x86

    x64

    - -  - ## PackageContentInfo --++ @@ -582,6 +537,36 @@ Specifies the properties of the localized product.   +## ProductArchitectures + + +
    +++ + + + + + + + + + + + + + + + + + + + +
    Name

    neutral

    arm

    x86

    x64

    + +  + ## ProductDetails @@ -611,7 +596,7 @@ Specifies the properties of the localized product.

    supportedLanguages

    -

    collection of strings

    +

    collection of string

    The set of localized languages for an application.

    @@ -644,10 +629,74 @@ Specifies the properties of the localized product.   +## ProductImage + + +Specifies the properties of the product image. + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescription

    location

    URI

    Location of the download image.

    purpose

    string

    Tag for the purpose of the image, e.g. "screenshot" or "logo".

    height

    string

    Height of the image in pixels.

    width

    string

    Width of the image in pixels.

    caption

    string

    Unlimited length.

    backgroundColor

    string

    Format "#RRGGBB"

    foregroundColor

    string

    Format "#RRGGBB"

    fileSize

    integer-64

    Size of the file.

    + +  + ## ProductKey -Specifies the proerties of the product key. +Specifies the properties of the product key. @@ -678,104 +727,6 @@ Specifies the proerties of the product key.   -## ProductImage - - -Specifies the proerties of the product image. - -
    ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescription

    location

    URI

    Location of the download images.

    purpose

    string

    App screenshots and icons

    height

    string

    Height of the image in pixels.

    width

    string

    Width of the image in pixels.

    caption

    string

    Unlimited

    backgroundColor

    string

    Format #RRGGBB

    foregroundColor

    string

    Format #RRGGBB

    fileSize

    long

    Size of the file.

    - -  - -## PublisherDetails - - -Specifies the proerties of the publisher details. - - ----- - - - - - - - - - - - - - - - - - - - -
    NameTypeDescription

    publisherName

    string

    Name of the publisher.

    publisherWebsite

    string

    Website of the publisher.

    - -  - ## ProductPackageDetails @@ -799,15 +750,15 @@ Specifies the proerties of the publisher details.

    -

    contentId

    -

    string

    -

    Identifies a specific application.

    - -

    packageId

    string

    + +

    contentId

    +

    string

    +

    Identifies a specific application.

    +

    location

    [PackageLocation](#packagelocation)

    @@ -831,7 +782,7 @@ Specifies the proerties of the publisher details.

    packageFormat

    [ProductPackageFormat](#productpackageformat)

    -

    appx, appxbundle, xap

    +

    Extension of the package file.

    platforms

    @@ -839,19 +790,41 @@ Specifies the proerties of the publisher details.

    -

    packageId

    -

    string

    -

    - -

    fileSize

    integer-64

    -

    +

    Size of the file.

    - +

    packageRank

    integer-32

    -

    optional

    +

    Optional

    + + + + +  + +## ProductPackageFormat + + + +++ + + + + + + + + + + + + + +
    Name

    appx

    appxBundle

    xap

    @@ -890,40 +863,13 @@ Specifies the proerties of the publisher details.   -## ProductPackageFormat - - - --- - - - - - - - - - - - - - - - - -
    Name

    appx

    appxBundle

    xap

    - -  - ## ProductPlatform --++ @@ -949,6 +895,40 @@ Specifies the proerties of the publisher details.   +## PublisherDetails + + +Specifies the properties of the publisher details. + +
    +++++ + + + + + + + + + + + + + + + + + + + +
    NameTypeDescription

    publisherName

    string

    Name of the publisher.

    publisherWebsite

    string

    Website of the publisher.

    + +  + ## SeatAction @@ -1020,8 +1000,8 @@ Specifies the proerties of the publisher details. --++ @@ -1032,7 +1012,7 @@ Specifies the proerties of the publisher details. - + @@ -1072,8 +1052,8 @@ Specifies the proerties of the publisher details.

    seats

    Collection of [SeatDetails](#seatdetails)

    collection of [SeatDetails](#seatdetails)

    continuationToken

    --++ @@ -1096,7 +1076,7 @@ Specifies the proerties of the publisher details. - +

    architectures

    collection of ProductArchitectures

    collection of [ProductArchitecture](#productarchitecture)

    @@ -1108,8 +1088,8 @@ Specifies the proerties of the publisher details. --++ @@ -1120,29 +1100,19 @@ Specifies the proerties of the publisher details. - + - + - + - +

    major

    integer-23

    integer-32

    minor

    integer-23

    integer-32

    build

    integer-23

    integer-32

    revision

    integer-23

    integer-32

    - -  - -  - - - - - - diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md index 71e91e480e..b956f94d32 100644 --- a/windows/client-management/mdm/defender-csp.md +++ b/windows/client-management/mdm/defender-csp.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # Defender CSP @@ -14,7 +15,7 @@ author: nickbrower The Windows Defender configuration service provider is used to configure various Windows Defender actions across the enterprise. -The following image shows the Windows Defender configuration service provider in tree format +The following image shows the Windows Defender configuration service provider in tree format. ![defender csp diagram](images/provisioning-csp-defender.png) diff --git a/windows/client-management/mdm/defender-ddf.md b/windows/client-management/mdm/defender-ddf.md index f6856761c6..4806fbb7f1 100644 --- a/windows/client-management/mdm/defender-ddf.md +++ b/windows/client-management/mdm/defender-ddf.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # Defender DDF file diff --git a/windows/client-management/mdm/design-a-custom-windows-csp.md b/windows/client-management/mdm/design-a-custom-windows-csp.md index ed969ccbee..caabbc24d7 100644 --- a/windows/client-management/mdm/design-a-custom-windows-csp.md +++ b/windows/client-management/mdm/design-a-custom-windows-csp.md @@ -10,6 +10,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # Design a custom configuration service provider diff --git a/windows/client-management/mdm/devdetail-csp.md b/windows/client-management/mdm/devdetail-csp.md index 40ee770991..c1c33e5921 100644 --- a/windows/client-management/mdm/devdetail-csp.md +++ b/windows/client-management/mdm/devdetail-csp.md 
@@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # DevDetail CSP diff --git a/windows/client-management/mdm/devdetail-ddf-file.md b/windows/client-management/mdm/devdetail-ddf-file.md index e7fbbcac7a..4c8912515d 100644 --- a/windows/client-management/mdm/devdetail-ddf-file.md +++ b/windows/client-management/mdm/devdetail-ddf-file.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # DevDetail DDF file diff --git a/windows/client-management/mdm/developersetup-csp.md b/windows/client-management/mdm/developersetup-csp.md index 1a00b5f67c..ff5281e98d 100644 --- a/windows/client-management/mdm/developersetup-csp.md +++ b/windows/client-management/mdm/developersetup-csp.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # DeveloperSetup CSP diff --git a/windows/client-management/mdm/developersetup-ddf.md b/windows/client-management/mdm/developersetup-ddf.md index b9a3348cca..5270ba0cee 100644 --- a/windows/client-management/mdm/developersetup-ddf.md +++ b/windows/client-management/mdm/developersetup-ddf.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # DeveloperSetup DDF file diff --git a/windows/client-management/mdm/device-update-management.md b/windows/client-management/mdm/device-update-management.md index 724d2abe69..7b74bff2f6 100644 --- a/windows/client-management/mdm/device-update-management.md +++ b/windows/client-management/mdm/device-update-management.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- diff --git a/windows/client-management/mdm/deviceinstanceservice-csp.md b/windows/client-management/mdm/deviceinstanceservice-csp.md index 55339fb966..54d522666e 100644 --- a/windows/client-management/mdm/deviceinstanceservice-csp.md 
+++ b/windows/client-management/mdm/deviceinstanceservice-csp.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # DeviceInstanceService CSP diff --git a/windows/client-management/mdm/devicelock-csp.md b/windows/client-management/mdm/devicelock-csp.md index 47a36d95c3..e15bb207f0 100644 --- a/windows/client-management/mdm/devicelock-csp.md +++ b/windows/client-management/mdm/devicelock-csp.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # DeviceLock CSP diff --git a/windows/client-management/mdm/devicelock-ddf-file.md b/windows/client-management/mdm/devicelock-ddf-file.md index 466bcbbf38..084d372f1b 100644 --- a/windows/client-management/mdm/devicelock-ddf-file.md +++ b/windows/client-management/mdm/devicelock-ddf-file.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # DeviceLock DDF file diff --git a/windows/client-management/mdm/devicemanageability-csp.md b/windows/client-management/mdm/devicemanageability-csp.md index 8adc363d59..48dbeed8c0 100644 --- a/windows/client-management/mdm/devicemanageability-csp.md +++ b/windows/client-management/mdm/devicemanageability-csp.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # DeviceManageability CSP diff --git a/windows/client-management/mdm/devicemanageability-ddf.md b/windows/client-management/mdm/devicemanageability-ddf.md index 1adb50855e..f45881a241 100644 --- a/windows/client-management/mdm/devicemanageability-ddf.md +++ b/windows/client-management/mdm/devicemanageability-ddf.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # DeviceManageability DDF 
diff --git a/windows/client-management/mdm/devicestatus-csp.md b/windows/client-management/mdm/devicestatus-csp.md index e89043b5c1..9abf518c45 100644 --- a/windows/client-management/mdm/devicestatus-csp.md +++ b/windows/client-management/mdm/devicestatus-csp.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # DeviceStatus CSP diff --git a/windows/client-management/mdm/devicestatus-ddf.md b/windows/client-management/mdm/devicestatus-ddf.md index b0e6ad935c..9fc150cf5b 100644 --- a/windows/client-management/mdm/devicestatus-ddf.md +++ b/windows/client-management/mdm/devicestatus-ddf.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # DeviceStatus DDF diff --git a/windows/client-management/mdm/devinfo-csp.md b/windows/client-management/mdm/devinfo-csp.md index b11d4a12cf..66a7db27b4 100644 --- a/windows/client-management/mdm/devinfo-csp.md +++ b/windows/client-management/mdm/devinfo-csp.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # DevInfo CSP diff --git a/windows/client-management/mdm/devinfo-ddf-file.md b/windows/client-management/mdm/devinfo-ddf-file.md index 0ee45fd363..9099b5e6d2 100644 --- a/windows/client-management/mdm/devinfo-ddf-file.md +++ b/windows/client-management/mdm/devinfo-ddf-file.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # DevInfo DDF file diff --git a/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md b/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md index d4c94639bd..08e3d89747 100644 --- a/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md +++ b/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md 
@@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # Diagnose MDM failures in Windows 10 diff --git a/windows/client-management/mdm/diagnosticlog-csp.md b/windows/client-management/mdm/diagnosticlog-csp.md index da0d026cab..9ea3208c28 100644 --- a/windows/client-management/mdm/diagnosticlog-csp.md +++ b/windows/client-management/mdm/diagnosticlog-csp.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # DiagnosticLog CSP diff --git a/windows/client-management/mdm/diagnosticlog-ddf.md b/windows/client-management/mdm/diagnosticlog-ddf.md index 48154f0bad..6ebb56b605 100644 --- a/windows/client-management/mdm/diagnosticlog-ddf.md +++ b/windows/client-management/mdm/diagnosticlog-ddf.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # DiagnosticLog DDF diff --git a/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md b/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md index 29889b69f1..97bedffe31 100644 --- a/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md +++ b/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md @@ -10,6 +10,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- diff --git a/windows/client-management/mdm/dmacc-csp.md b/windows/client-management/mdm/dmacc-csp.md index df7701702a..b4494c27d4 100644 --- a/windows/client-management/mdm/dmacc-csp.md +++ b/windows/client-management/mdm/dmacc-csp.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # DMAcc CSP diff --git a/windows/client-management/mdm/dmacc-ddf-file.md b/windows/client-management/mdm/dmacc-ddf-file.md index dbca78b881..77de17fdeb 100644 --- a/windows/client-management/mdm/dmacc-ddf-file.md 
+++ b/windows/client-management/mdm/dmacc-ddf-file.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # DMAcc DDF file diff --git a/windows/client-management/mdm/dmclient-csp.md b/windows/client-management/mdm/dmclient-csp.md index 59c7ae444e..303c8454a4 100644 --- a/windows/client-management/mdm/dmclient-csp.md +++ b/windows/client-management/mdm/dmclient-csp.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # DMClient CSP diff --git a/windows/client-management/mdm/dmclient-ddf-file.md b/windows/client-management/mdm/dmclient-ddf-file.md index 85bc763412..f328b3861d 100644 --- a/windows/client-management/mdm/dmclient-ddf-file.md +++ b/windows/client-management/mdm/dmclient-ddf-file.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # DMClient DDF file diff --git a/windows/client-management/mdm/dmprocessconfigxmlfiltered.md b/windows/client-management/mdm/dmprocessconfigxmlfiltered.md index c78e43cc7d..8eaa063d0e 100644 --- a/windows/client-management/mdm/dmprocessconfigxmlfiltered.md +++ b/windows/client-management/mdm/dmprocessconfigxmlfiltered.md @@ -17,6 +17,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # DMProcessConfigXMLFiltered function diff --git a/windows/client-management/mdm/dmsessionactions-csp.md b/windows/client-management/mdm/dmsessionactions-csp.md index 17fa2ec201..ab299ca802 100644 --- a/windows/client-management/mdm/dmsessionactions-csp.md +++ b/windows/client-management/mdm/dmsessionactions-csp.md @@ -6,6 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # DMSessionActions CSP diff --git a/windows/client-management/mdm/dmsessionactions-ddf.md b/windows/client-management/mdm/dmsessionactions-ddf.md index 1983b804cc..045b3e71e8 100644 
--- a/windows/client-management/mdm/dmsessionactions-ddf.md +++ b/windows/client-management/mdm/dmsessionactions-ddf.md @@ -6,6 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # DMSessionActions DDF file diff --git a/windows/client-management/mdm/dynamicmanagement-csp.md b/windows/client-management/mdm/dynamicmanagement-csp.md index b0a286169f..c18f2cab9a 100644 --- a/windows/client-management/mdm/dynamicmanagement-csp.md +++ b/windows/client-management/mdm/dynamicmanagement-csp.md @@ -6,6 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # DynamicManagement CSP diff --git a/windows/client-management/mdm/dynamicmanagement-ddf.md b/windows/client-management/mdm/dynamicmanagement-ddf.md index c1b15243de..45bb2c9358 100644 --- a/windows/client-management/mdm/dynamicmanagement-ddf.md +++ b/windows/client-management/mdm/dynamicmanagement-ddf.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # DynamicManagement DDF file diff --git a/windows/client-management/mdm/eap-configuration.md b/windows/client-management/mdm/eap-configuration.md index 23d7112ba0..90b52f2748 100644 --- a/windows/client-management/mdm/eap-configuration.md +++ b/windows/client-management/mdm/eap-configuration.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # EAP configuration diff --git a/windows/client-management/mdm/email2-csp.md b/windows/client-management/mdm/email2-csp.md index 54fe0d1273..8b87837eff 100644 --- a/windows/client-management/mdm/email2-csp.md +++ b/windows/client-management/mdm/email2-csp.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # EMAIL2 CSP 
diff --git a/windows/client-management/mdm/email2-ddf-file.md b/windows/client-management/mdm/email2-ddf-file.md index 58614e459a..99c42f91e9 100644 --- a/windows/client-management/mdm/email2-ddf-file.md +++ b/windows/client-management/mdm/email2-ddf-file.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # EMAIL2 DDF file diff --git a/windows/client-management/mdm/enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md b/windows/client-management/mdm/enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md index 6fc5284a64..4849dfba3c 100644 --- a/windows/client-management/mdm/enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md +++ b/windows/client-management/mdm/enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # Enable offline upgrades to Windows 10 for Windows Embedded 8.1 Handheld devices diff --git a/windows/client-management/mdm/enterprise-app-management.md b/windows/client-management/mdm/enterprise-app-management.md index d6b71a088d..c203cabb0a 100644 --- a/windows/client-management/mdm/enterprise-app-management.md +++ b/windows/client-management/mdm/enterprise-app-management.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # Enterprise app management diff --git a/windows/client-management/mdm/enterpriseapn-csp.md b/windows/client-management/mdm/enterpriseapn-csp.md index c61db977e9..e92ab5e8bc 100644 --- a/windows/client-management/mdm/enterpriseapn-csp.md +++ b/windows/client-management/mdm/enterpriseapn-csp.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # EnterpriseAPN CSP 
diff --git a/windows/client-management/mdm/enterpriseapn-ddf.md b/windows/client-management/mdm/enterpriseapn-ddf.md index 8d656ebb72..34981b2a35 100644 --- a/windows/client-management/mdm/enterpriseapn-ddf.md +++ b/windows/client-management/mdm/enterpriseapn-ddf.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # EnterpriseAPN DDF diff --git a/windows/client-management/mdm/enterpriseappmanagement-csp.md b/windows/client-management/mdm/enterpriseappmanagement-csp.md index 4067c76438..186b36eb3d 100644 --- a/windows/client-management/mdm/enterpriseappmanagement-csp.md +++ b/windows/client-management/mdm/enterpriseappmanagement-csp.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # EnterpriseAppManagement CSP diff --git a/windows/client-management/mdm/enterpriseappvmanagement-csp.md b/windows/client-management/mdm/enterpriseappvmanagement-csp.md index 17b4288eb5..9a3c2ce516 100644 --- a/windows/client-management/mdm/enterpriseappvmanagement-csp.md +++ b/windows/client-management/mdm/enterpriseappvmanagement-csp.md @@ -6,6 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # EnterpriseAppVManagement CSP diff --git a/windows/client-management/mdm/enterpriseappvmanagement-ddf.md b/windows/client-management/mdm/enterpriseappvmanagement-ddf.md index 19c14ddfc4..9390e4d645 100644 --- a/windows/client-management/mdm/enterpriseappvmanagement-ddf.md +++ b/windows/client-management/mdm/enterpriseappvmanagement-ddf.md @@ -6,6 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # EnterpriseAppVManagement DDF file diff --git a/windows/client-management/mdm/enterpriseassignedaccess-csp.md b/windows/client-management/mdm/enterpriseassignedaccess-csp.md index ed4d8e0a6e..7d94f470b7 100644 
--- a/windows/client-management/mdm/enterpriseassignedaccess-csp.md +++ b/windows/client-management/mdm/enterpriseassignedaccess-csp.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # EnterpriseAssignedAccess CSP diff --git a/windows/client-management/mdm/enterpriseassignedaccess-ddf.md b/windows/client-management/mdm/enterpriseassignedaccess-ddf.md index f98ed740fe..a604bfab76 100644 --- a/windows/client-management/mdm/enterpriseassignedaccess-ddf.md +++ b/windows/client-management/mdm/enterpriseassignedaccess-ddf.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # EnterpriseAssignedAccess DDF diff --git a/windows/client-management/mdm/enterpriseassignedaccess-xsd.md b/windows/client-management/mdm/enterpriseassignedaccess-xsd.md index 6d19a5aedd..7a8360c610 100644 --- a/windows/client-management/mdm/enterpriseassignedaccess-xsd.md +++ b/windows/client-management/mdm/enterpriseassignedaccess-xsd.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # EnterpriseAssignedAccess XSD diff --git a/windows/client-management/mdm/enterprisedataprotection-csp.md b/windows/client-management/mdm/enterprisedataprotection-csp.md index d75ed17826..95722f7b40 100644 --- a/windows/client-management/mdm/enterprisedataprotection-csp.md +++ b/windows/client-management/mdm/enterprisedataprotection-csp.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # EnterpriseDataProtection CSP diff --git a/windows/client-management/mdm/enterprisedataprotection-ddf-file.md b/windows/client-management/mdm/enterprisedataprotection-ddf-file.md index a7914046b2..011f01334f 100644 --- a/windows/client-management/mdm/enterprisedataprotection-ddf-file.md +++ b/windows/client-management/mdm/enterprisedataprotection-ddf-file.md 
@@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # EnterpriseDataProtection DDF file diff --git a/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md b/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md index bc056caa35..f793b9b7af 100644 --- a/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md +++ b/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # EnterpriseDesktopAppManagement CSP diff --git a/windows/client-management/mdm/enterprisedesktopappmanagement-ddf-file.md b/windows/client-management/mdm/enterprisedesktopappmanagement-ddf-file.md index 5bd96246ec..75fee057b6 100644 --- a/windows/client-management/mdm/enterprisedesktopappmanagement-ddf-file.md +++ b/windows/client-management/mdm/enterprisedesktopappmanagement-ddf-file.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # EnterpriseDesktopAppManagement DDF diff --git a/windows/client-management/mdm/enterprisedesktopappmanagement2-xsd.md b/windows/client-management/mdm/enterprisedesktopappmanagement2-xsd.md index d5e415b890..3032cc32fc 100644 --- a/windows/client-management/mdm/enterprisedesktopappmanagement2-xsd.md +++ b/windows/client-management/mdm/enterprisedesktopappmanagement2-xsd.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # EnterpriseDesktopAppManagement XSD diff --git a/windows/client-management/mdm/enterpriseext-csp.md b/windows/client-management/mdm/enterpriseext-csp.md index 2bb98165d4..62d2a13fd2 100644 --- a/windows/client-management/mdm/enterpriseext-csp.md +++ b/windows/client-management/mdm/enterpriseext-csp.md 
@@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # EnterpriseExt CSP diff --git a/windows/client-management/mdm/enterpriseext-ddf.md b/windows/client-management/mdm/enterpriseext-ddf.md index 06bc4c0198..3b035e7809 100644 --- a/windows/client-management/mdm/enterpriseext-ddf.md +++ b/windows/client-management/mdm/enterpriseext-ddf.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # EnterpriseExt DDF diff --git a/windows/client-management/mdm/enterpriseextfilessystem-csp.md b/windows/client-management/mdm/enterpriseextfilessystem-csp.md index f6b332a182..6592c546af 100644 --- a/windows/client-management/mdm/enterpriseextfilessystem-csp.md +++ b/windows/client-management/mdm/enterpriseextfilessystem-csp.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # EnterpriseExtFileSystem CSP diff --git a/windows/client-management/mdm/enterpriseextfilesystem-ddf.md b/windows/client-management/mdm/enterpriseextfilesystem-ddf.md index dc371ba33a..baf816c02f 100644 --- a/windows/client-management/mdm/enterpriseextfilesystem-ddf.md +++ b/windows/client-management/mdm/enterpriseextfilesystem-ddf.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # EnterpriseExtFileSystem DDF diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md index 23fea75c17..ebe9611293 100644 --- a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md +++ b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # EnterpriseModernAppManagement CSP 
diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md b/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md index 4da9c4b384..1689908bfc 100644 --- a/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md +++ b/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # EnterpriseModernAppManagement DDF diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-xsd.md b/windows/client-management/mdm/enterprisemodernappmanagement-xsd.md index 74d0c2cb31..4a821d54b0 100644 --- a/windows/client-management/mdm/enterprisemodernappmanagement-xsd.md +++ b/windows/client-management/mdm/enterprisemodernappmanagement-xsd.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # EnterpriseModernAppManagement XSD diff --git a/windows/client-management/mdm/federated-authentication-device-enrollment.md b/windows/client-management/mdm/federated-authentication-device-enrollment.md index 4855aaefd7..a1520e20ad 100644 --- a/windows/client-management/mdm/federated-authentication-device-enrollment.md +++ b/windows/client-management/mdm/federated-authentication-device-enrollment.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # Federated authentication device enrollment diff --git a/windows/client-management/mdm/filesystem-csp.md b/windows/client-management/mdm/filesystem-csp.md index 7b22236bf3..20f6b1c8ad 100644 --- a/windows/client-management/mdm/filesystem-csp.md +++ b/windows/client-management/mdm/filesystem-csp.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # FileSystem CSP 
diff --git a/windows/client-management/mdm/firewall-csp.md b/windows/client-management/mdm/firewall-csp.md index e621f09ad8..71cc5e3867 100644 --- a/windows/client-management/mdm/firewall-csp.md +++ b/windows/client-management/mdm/firewall-csp.md @@ -6,6 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # Firewall CSP diff --git a/windows/client-management/mdm/firewall-ddf-file.md b/windows/client-management/mdm/firewall-ddf-file.md index ced7194e3a..9456acd05e 100644 --- a/windows/client-management/mdm/firewall-ddf-file.md +++ b/windows/client-management/mdm/firewall-ddf-file.md @@ -6,6 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # Firewall CSP diff --git a/windows/client-management/mdm/get-inventory.md b/windows/client-management/mdm/get-inventory.md index 405f3c7a29..3c83d22f62 100644 --- a/windows/client-management/mdm/get-inventory.md +++ b/windows/client-management/mdm/get-inventory.md @@ -10,6 +10,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # Get Inventory diff --git a/windows/client-management/mdm/get-localized-product-details.md b/windows/client-management/mdm/get-localized-product-details.md index 16f29cb848..eaa61805b9 100644 --- a/windows/client-management/mdm/get-localized-product-details.md +++ b/windows/client-management/mdm/get-localized-product-details.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # Get localized product details diff --git a/windows/client-management/mdm/get-offline-license.md b/windows/client-management/mdm/get-offline-license.md index cf3a27b38c..3bf57d69fb 100644 --- a/windows/client-management/mdm/get-offline-license.md +++ b/windows/client-management/mdm/get-offline-license.md 
@@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # Get offline license diff --git a/windows/client-management/mdm/get-product-details.md b/windows/client-management/mdm/get-product-details.md index c602332f9b..f11532b8c5 100644 --- a/windows/client-management/mdm/get-product-details.md +++ b/windows/client-management/mdm/get-product-details.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # Get product details diff --git a/windows/client-management/mdm/get-product-package.md b/windows/client-management/mdm/get-product-package.md index ef80b65d3b..30f41c7a77 100644 --- a/windows/client-management/mdm/get-product-package.md +++ b/windows/client-management/mdm/get-product-package.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # Get product package diff --git a/windows/client-management/mdm/get-product-packages.md b/windows/client-management/mdm/get-product-packages.md index 24d354e7c2..f65a5ec30c 100644 --- a/windows/client-management/mdm/get-product-packages.md +++ b/windows/client-management/mdm/get-product-packages.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # Get product packages diff --git a/windows/client-management/mdm/get-seat.md b/windows/client-management/mdm/get-seat.md index 301be7db93..5c1e6fbba9 100644 --- a/windows/client-management/mdm/get-seat.md +++ b/windows/client-management/mdm/get-seat.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # Get seat diff --git a/windows/client-management/mdm/get-seats-assigned-to-a-user.md b/windows/client-management/mdm/get-seats-assigned-to-a-user.md index 77e13c0706..d7c55310d3 100644 --- a/windows/client-management/mdm/get-seats-assigned-to-a-user.md 
+++ b/windows/client-management/mdm/get-seats-assigned-to-a-user.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # Get seats assigned to a user diff --git a/windows/client-management/mdm/get-seats.md b/windows/client-management/mdm/get-seats.md index 1e5fbe93dd..88d7e51517 100644 --- a/windows/client-management/mdm/get-seats.md +++ b/windows/client-management/mdm/get-seats.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # Get seats diff --git a/windows/client-management/mdm/healthattestation-csp.md b/windows/client-management/mdm/healthattestation-csp.md index fb44d96773..798731bd2f 100644 --- a/windows/client-management/mdm/healthattestation-csp.md +++ b/windows/client-management/mdm/healthattestation-csp.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # Device HealthAttestation CSP diff --git a/windows/client-management/mdm/healthattestation-ddf.md b/windows/client-management/mdm/healthattestation-ddf.md index f3e857ee6f..c04a1eb986 100644 --- a/windows/client-management/mdm/healthattestation-ddf.md +++ b/windows/client-management/mdm/healthattestation-ddf.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # HealthAttestation DDF diff --git a/windows/client-management/mdm/hotspot-csp.md b/windows/client-management/mdm/hotspot-csp.md index 181c625ca6..cdf6ccd04e 100644 --- a/windows/client-management/mdm/hotspot-csp.md +++ b/windows/client-management/mdm/hotspot-csp.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # HotSpot CSP diff --git a/windows/client-management/mdm/iconfigserviceprovider2.md b/windows/client-management/mdm/iconfigserviceprovider2.md index be59397ff3..e2d730927d 100644 
--- a/windows/client-management/mdm/iconfigserviceprovider2.md +++ b/windows/client-management/mdm/iconfigserviceprovider2.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # IConfigServiceProvider2 diff --git a/windows/client-management/mdm/iconfigserviceprovider2configmanagernotification.md b/windows/client-management/mdm/iconfigserviceprovider2configmanagernotification.md index 2d72418a32..80a7edbbb7 100644 --- a/windows/client-management/mdm/iconfigserviceprovider2configmanagernotification.md +++ b/windows/client-management/mdm/iconfigserviceprovider2configmanagernotification.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # IConfigServiceProvider2::ConfigManagerNotification diff --git a/windows/client-management/mdm/iconfigserviceprovider2getnode.md b/windows/client-management/mdm/iconfigserviceprovider2getnode.md index d9efa4d469..c558932897 100644 --- a/windows/client-management/mdm/iconfigserviceprovider2getnode.md +++ b/windows/client-management/mdm/iconfigserviceprovider2getnode.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # IConfigServiceProvider2::GetNode diff --git a/windows/client-management/mdm/icspnode.md b/windows/client-management/mdm/icspnode.md index 5da7ad4b29..d3cd910239 100644 --- a/windows/client-management/mdm/icspnode.md +++ b/windows/client-management/mdm/icspnode.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # ICSPNode diff --git a/windows/client-management/mdm/icspnodeadd.md b/windows/client-management/mdm/icspnodeadd.md index 20be80123e..12bd905ea1 100644 --- a/windows/client-management/mdm/icspnodeadd.md +++ b/windows/client-management/mdm/icspnodeadd.md 
@@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # ICSPNode::Add diff --git a/windows/client-management/mdm/icspnodeclear.md b/windows/client-management/mdm/icspnodeclear.md index 5c0f660fa3..e5f52fe3c7 100644 --- a/windows/client-management/mdm/icspnodeclear.md +++ b/windows/client-management/mdm/icspnodeclear.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- diff --git a/windows/client-management/mdm/icspnodecopy.md b/windows/client-management/mdm/icspnodecopy.md index cf113766b6..8533efcf91 100644 --- a/windows/client-management/mdm/icspnodecopy.md +++ b/windows/client-management/mdm/icspnodecopy.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # ICSPNode::Copy diff --git a/windows/client-management/mdm/icspnodedeletechild.md b/windows/client-management/mdm/icspnodedeletechild.md index 686df037ea..696063c3eb 100644 --- a/windows/client-management/mdm/icspnodedeletechild.md +++ b/windows/client-management/mdm/icspnodedeletechild.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # ICSPNode::DeleteChild diff --git a/windows/client-management/mdm/icspnodedeleteproperty.md b/windows/client-management/mdm/icspnodedeleteproperty.md index 74126c9679..2d167346f9 100644 --- a/windows/client-management/mdm/icspnodedeleteproperty.md +++ b/windows/client-management/mdm/icspnodedeleteproperty.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # ICSPNode::DeleteProperty diff --git a/windows/client-management/mdm/icspnodeexecute.md b/windows/client-management/mdm/icspnodeexecute.md index ef2c4dfa1a..16ceda7194 100644 --- a/windows/client-management/mdm/icspnodeexecute.md +++ b/windows/client-management/mdm/icspnodeexecute.md 
@@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # ICSPNode::Execute diff --git a/windows/client-management/mdm/icspnodegetchildnodenames.md b/windows/client-management/mdm/icspnodegetchildnodenames.md index aa63ca5b8e..027e868c61 100644 --- a/windows/client-management/mdm/icspnodegetchildnodenames.md +++ b/windows/client-management/mdm/icspnodegetchildnodenames.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # ICSPNode::GetChildNodeNames diff --git a/windows/client-management/mdm/icspnodegetproperty.md b/windows/client-management/mdm/icspnodegetproperty.md index 673d9e8e15..1e64b7cf4f 100644 --- a/windows/client-management/mdm/icspnodegetproperty.md +++ b/windows/client-management/mdm/icspnodegetproperty.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # ICSPNode::GetProperty diff --git a/windows/client-management/mdm/icspnodegetpropertyidentifiers.md b/windows/client-management/mdm/icspnodegetpropertyidentifiers.md index 55fabbe552..e74615fccb 100644 --- a/windows/client-management/mdm/icspnodegetpropertyidentifiers.md +++ b/windows/client-management/mdm/icspnodegetpropertyidentifiers.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # ICSPNode::GetPropertyIdentifiers diff --git a/windows/client-management/mdm/icspnodegetvalue.md b/windows/client-management/mdm/icspnodegetvalue.md index fe58b75211..0abad17084 100644 --- a/windows/client-management/mdm/icspnodegetvalue.md +++ b/windows/client-management/mdm/icspnodegetvalue.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # ICSPNode::GetValue diff --git a/windows/client-management/mdm/icspnodemove.md b/windows/client-management/mdm/icspnodemove.md index 53c5047934..c10e07a221 100644 
--- a/windows/client-management/mdm/icspnodemove.md +++ b/windows/client-management/mdm/icspnodemove.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # ICSPNode::Move diff --git a/windows/client-management/mdm/icspnodesetproperty.md b/windows/client-management/mdm/icspnodesetproperty.md index daae584a37..f7de6036ab 100644 --- a/windows/client-management/mdm/icspnodesetproperty.md +++ b/windows/client-management/mdm/icspnodesetproperty.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # ICSPNode::SetProperty diff --git a/windows/client-management/mdm/icspnodesetvalue.md b/windows/client-management/mdm/icspnodesetvalue.md index ccb5ff6c76..6cb4a2dbc2 100644 --- a/windows/client-management/mdm/icspnodesetvalue.md +++ b/windows/client-management/mdm/icspnodesetvalue.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # ICSPNode::SetValue diff --git a/windows/client-management/mdm/icspnodetransactioning.md b/windows/client-management/mdm/icspnodetransactioning.md index 536708cb7d..373e97aa9b 100644 --- a/windows/client-management/mdm/icspnodetransactioning.md +++ b/windows/client-management/mdm/icspnodetransactioning.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # ICSPNodeTransactioning diff --git a/windows/client-management/mdm/icspvalidate.md b/windows/client-management/mdm/icspvalidate.md index 42828da848..700ff26e85 100644 --- a/windows/client-management/mdm/icspvalidate.md +++ b/windows/client-management/mdm/icspvalidate.md @@ -7,6 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # ICSPValidate 
diff --git a/windows/client-management/mdm/images/provisioning-csp-watp.png b/windows/client-management/mdm/images/provisioning-csp-watp.png index 7a0ac759f1..7ce8a10a78 100644 Binary files a/windows/client-management/mdm/images/provisioning-csp-watp.png and b/windows/client-management/mdm/images/provisioning-csp-watp.png differ diff --git a/windows/client-management/mdm/implement-server-side-mobile-application-management.md b/windows/client-management/mdm/implement-server-side-mobile-application-management.md index 904aabcc23..05993e65e0 100644 --- a/windows/client-management/mdm/implement-server-side-mobile-application-management.md +++ b/windows/client-management/mdm/implement-server-side-mobile-application-management.md @@ -6,6 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- diff --git a/windows/client-management/mdm/index.md b/windows/client-management/mdm/index.md index 70a844c704..c845d80737 100644 --- a/windows/client-management/mdm/index.md +++ b/windows/client-management/mdm/index.md @@ -10,6 +10,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # Mobile device management diff --git a/windows/client-management/mdm/management-tool-for-windows-store-for-business.md b/windows/client-management/mdm/management-tool-for-windows-store-for-business.md index 98510df8a0..0cef4c42b9 100644 --- a/windows/client-management/mdm/management-tool-for-windows-store-for-business.md +++ b/windows/client-management/mdm/management-tool-for-windows-store-for-business.md @@ -10,6 +10,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower +ms.date: 06/19/2017 --- # Management tool for the Windows Store for Business diff --git a/windows/client-management/mdm/maps-csp.md b/windows/client-management/mdm/maps-csp.md index 7a5f26f5ef..233e5467ef 100644 --- a/windows/client-management/mdm/maps-csp.md +++ b/windows/client-management/mdm/maps-csp.md 
@@ -7,6 +7,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
+ms.date: 06/19/2017
 ---
 # Maps CSP
diff --git a/windows/client-management/mdm/maps-ddf-file.md b/windows/client-management/mdm/maps-ddf-file.md
index e91dbca47e..d88c61289e 100644
--- a/windows/client-management/mdm/maps-ddf-file.md
+++ b/windows/client-management/mdm/maps-ddf-file.md
@@ -7,6 +7,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
+ms.date: 06/19/2017
 ---
 # Maps DDF file
diff --git a/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md
index c2896dd7cd..af2ac59df8 100644
--- a/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md
+++ b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md
@@ -10,6 +10,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
+ms.date: 06/19/2017
 ---
 # MDM enrollment of Windows-based devices
diff --git a/windows/client-management/mdm/messaging-csp.md b/windows/client-management/mdm/messaging-csp.md
index 25454c6580..4b90716f6f 100644
--- a/windows/client-management/mdm/messaging-csp.md
+++ b/windows/client-management/mdm/messaging-csp.md
@@ -6,6 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
+ms.date: 06/19/2017
 ---
 # Messaging CSP
diff --git a/windows/client-management/mdm/messaging-ddf.md b/windows/client-management/mdm/messaging-ddf.md
index 8a3d8d7e7d..344fafe5bf 100644
--- a/windows/client-management/mdm/messaging-ddf.md
+++ b/windows/client-management/mdm/messaging-ddf.md
@@ -6,6 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
+ms.date: 06/19/2017
 ---
 # Messaging DDF file
diff --git a/windows/client-management/mdm/mobile-device-enrollment.md b/windows/client-management/mdm/mobile-device-enrollment.md
index e0a4d74fa3..4a733d2da7 100644
--- a/windows/client-management/mdm/mobile-device-enrollment.md
+++ b/windows/client-management/mdm/mobile-device-enrollment.md
@@ -7,6 +7,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
+ms.date: 06/19/2017
 ---
 # Mobile device enrollment
diff --git a/windows/client-management/mdm/nap-csp.md b/windows/client-management/mdm/nap-csp.md
index d62bf09a6c..a8e2ec0397 100644
--- a/windows/client-management/mdm/nap-csp.md
+++ b/windows/client-management/mdm/nap-csp.md
@@ -7,6 +7,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
+ms.date: 06/19/2017
 ---
 # NAP CSP
diff --git a/windows/client-management/mdm/napdef-csp.md b/windows/client-management/mdm/napdef-csp.md
index 0019bd057b..7446c1f730 100644
--- a/windows/client-management/mdm/napdef-csp.md
+++ b/windows/client-management/mdm/napdef-csp.md
@@ -7,6 +7,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
+ms.date: 06/19/2017
 ---
 # NAPDEF CSP
diff --git a/windows/client-management/mdm/networkproxy-csp.md b/windows/client-management/mdm/networkproxy-csp.md
index 2e9efd2de6..2ddf75faf8 100644
--- a/windows/client-management/mdm/networkproxy-csp.md
+++ b/windows/client-management/mdm/networkproxy-csp.md
@@ -6,6 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
+ms.date: 06/19/2017
 ---
 # NetworkProxy CSP
diff --git a/windows/client-management/mdm/networkproxy-ddf.md b/windows/client-management/mdm/networkproxy-ddf.md
index 6657bc67ee..4ea5c5bf3a 100644
--- a/windows/client-management/mdm/networkproxy-ddf.md
+++ b/windows/client-management/mdm/networkproxy-ddf.md
@@ -6,6 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
+ms.date: 06/19/2017
 ---
 # NetworkProxy DDF file
diff --git a/windows/client-management/mdm/networkqospolicy-csp.md b/windows/client-management/mdm/networkqospolicy-csp.md
index eb09ca2909..78953e5ea5 100644
--- a/windows/client-management/mdm/networkqospolicy-csp.md
+++ b/windows/client-management/mdm/networkqospolicy-csp.md
@@ -6,6 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
+ms.date: 06/19/2017
 ---
 # NetworkQoSPolicy CSP
diff --git a/windows/client-management/mdm/networkqospolicy-ddf.md b/windows/client-management/mdm/networkqospolicy-ddf.md
index e22f1a5ac3..a7d23f951a 100644
--- a/windows/client-management/mdm/networkqospolicy-ddf.md
+++ b/windows/client-management/mdm/networkqospolicy-ddf.md
@@ -7,6 +7,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
+ms.date: 06/19/2017
 ---
 # NetworkQoSPolicy DDF
diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
index 6c95a92a67..46d1d00429 100644
--- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
+++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
@@ -10,6 +10,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
+ms.date: 06/19/2017
 ---
 # What's new in MDM enrollment and management
@@ -1229,6 +1230,32 @@ Also Added [Firewall DDF file](firewall-ddf-file.md).
  • Start/AllowPinnedFolderVideos
  • Update/AutoRestartDeadlinePeriodInDays
  • +

    Added the following new policies for Windows 10, version 1709:

    +
      +
    • Power/DisplayOffTimeoutOnBattery
    • +
    • Power/DisplayOffTimeoutPluggedIn
    • +
    • Power/HibernateTimeoutOnBattery
    • +
    • Power/HibernateTimeoutPluggedIn
    • +
    • Power/StandbyTimeoutOnBattery
    • +
    • Power/StandbyTimeoutPluggedIn
    • +
    • Update/ScheduledInstallEveryWeek
    • +
    • Update/ScheduledInstallFirstWeek
    • +
    • Update/ScheduledInstallFourthWeek
    • +
    • Update/ScheduledInstallSecondWeek
    • +
    • Update/ScheduledInstallThirdWeek
    • +
    • DeviceGuard/EnableVirtualizationBasedSecurity
    • +
    • DeviceGuard/RequirePlatformSecurityFeatures
    • +
    • DeviceGuard/LsaCfgFlags
    • +
    +

    EnterpriseCloudPrint/DiscoveryMaxPrinterLimit is only supported in Windows 10 Mobile and Mobile Enterprise.

    + + +[WindowsAdvancedThreatProtection CSP](windowsadvancedthreatprotection-csp.md) +Updated the CSP in Windows 10, version 1709. Added the following settings: +
      +
    • DeviceTagging/Group
    • +
    • DeviceTagging/Criticality
    • +
    @@ -1305,7 +1332,7 @@ Also Added [Firewall DDF file](firewall-ddf-file.md). [Firewall CSP](firewall-csp.md) -

    Added new CSP in the next major update to Windows 10.

    +

    Added new CSP in Windows 10, version 1709.

    MDM support for Windows 10 S @@ -1819,7 +1846,7 @@ Also Added [Firewall DDF file](firewall-ddf-file.md). [CM_CellularEntries CSP](cm-cellularentries-csp.md) -

    To PurposeGroups setting, added the following values for the next major update of Windows 10:

    +

    To PurposeGroups setting, added the following values Windows 10, version 1709:

    -
  • Update Windows so that all available recommended updates are installed.
  • +
  • Update Windows so that all available recommended updates are installed, and ensure the computer is rebooted if this is necessary to complete installation of an update.
  • Uninstall non-Microsoft antivirus software.
    • Use Windows Defender for protection during the upgrade. @@ -573,7 +573,7 @@ For more information, see [How to perform a clean boot in Windows](https://suppo Code -8000405 - 0x20007 +800040005 - 0x20007 @@ -667,6 +667,39 @@ The installation failed during the second boot phase while attempting the MIGRAT Code +8007001F - 0x3000D + + + +

      +
      Cause +
      + +The installation failed in the FIRST_BOOT phase with an error during MIGRATE_DATA operation. + +
      + + + + + +
      Mitigation +
      + +[Analyze log files](#analyze-log-files) in order to determine the files that are blocking data migration. + +Note: This error can occur if Active Directory integrated user accounts exist on the computer, but these accounts are no longer present in Active Directory. To repair this error, delete the invalid accounts from the **Users** directory on the local computer and restart the upgrade process. + +
      + + + + + + +
      Code +
      + 8007001F - 0x4000D
      diff --git a/windows/deployment/upgrade/upgrade-readiness-get-started.md b/windows/deployment/upgrade/upgrade-readiness-get-started.md index bb6ce8f949..937be3b7e3 100644 --- a/windows/deployment/upgrade/upgrade-readiness-get-started.md +++ b/windows/deployment/upgrade/upgrade-readiness-get-started.md @@ -40,6 +40,9 @@ To enable system, application, and driver data to be shared with Microsoft, you Upgrade Readiness is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud based services for managing your on-premises and cloud environments. For more information about OMS, see [Operations Management Suite overview](http://azure.microsoft.com/documentation/articles/operations-management-suite-overview/). +>[!IMPORTANT] +>Upgrade Readiness is a free solution. When configured correctly, all data associated with the Upgrade Readiness solution are exempt from billing in both OMS and Azure. Upgrade Readiness data **do not** count toward OMS daily upload limits. + If you are already using OMS, you’ll find Upgrade Readiness in the Solutions Gallery. Select the **Upgrade Readiness** tile in the gallery and then click **Add** on the solution's details page. Upgrade Readiness is now visible in your workspace. If you are not using OMS: diff --git a/windows/deployment/windows-10-poc-sc-config-mgr.md b/windows/deployment/windows-10-poc-sc-config-mgr.md index 4e36256cae..7cd077d90a 100644 --- a/windows/deployment/windows-10-poc-sc-config-mgr.md +++ b/windows/deployment/windows-10-poc-sc-config-mgr.md 
@@ -1,10 +1,11 @@ --- -title: Deploy Windows 10 using System Center Configuration Manager -description: Deploy Windows 10 in a test lab using System Center Configuration Manager +title: Step by step - Deploy Windows 10 using System Center Configuration Manager +description: Deploy Windows 10 in a test lab using System Center Configuration Manager ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: deploykeywords: deployment, automate, tools, configure, sccm, configuration manager +ms.pagetype: deploy +keywords: deployment, automate, tools, configure, sccm localizationpriority: high author: greg-lindsay --- @@ -14,6 +15,7 @@ author: greg-lindsay **Applies to** - Windows 10 + **Important**: This guide leverages the proof of concept (PoC) environment, and some settings that are configured in the following guides: - [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md) - [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) diff --git a/windows/deployment/windows-10-poc.md b/windows/deployment/windows-10-poc.md index 32af71bf09..ebdbe4e613 100644 --- a/windows/deployment/windows-10-poc.md +++ b/windows/deployment/windows-10-poc.md 
@@ -54,11 +54,8 @@ Topics and procedures in this guide are summarized in the following table. An es [Convert PC to VM](#convert-pc-to-vm)Convert a physical computer on your network to a VM hosted in Hyper-V.30 minutes [Resize VHD](#resize-vhd)Increase the storage capacity for one of the Windows Server VMs.5 minutes [Configure Hyper-V](#configure-hyper-v)Create virtual switches, determine available RAM for virtual machines, and add virtual machines.15 minutes -<<<<<<< HEAD:windows/deployment/windows-10-poc.md [Configure service and user accounts](#configure-service-and-user-accounts)Start virtual machines and configure all services and settings.60 minutes -======= [Configure VMs](#configure-vms)Start virtual machines and configure all services and settings.60 minutes ->>>>>>> bb842731e73d0f219d021f0869d9b36c8aba222c:windows/deploy/windows-10-poc.md [Appendix A: Verify the configuration](#appendix-a-verify-the-configuration)Verify and troubleshoot network connectivity and services in the PoC environment.30 minutes [Appendix B: Terminology in this guide](#appendix-b-terminology-used-in-this-guide)Terms used in this guide.Informational diff --git a/windows/device-security/TOC.md b/windows/device-security/TOC.md index d4f7015047..9305ed157e 100644 --- a/windows/device-security/TOC.md +++ b/windows/device-security/TOC.md @@ -649,7 +649,6 @@ ## [Trusted Platform Module](tpm/trusted-platform-module-top-node.md) ### [Trusted Platform Module Overview](tpm/trusted-platform-module-overview.md) -### [How Windows 10 uses the TPM](tpm/how-windows-uses-the-tpm.md) ### [TPM fundamentals](tpm/tpm-fundamentals.md) ### [TPM Group Policy settings](tpm/trusted-platform-module-services-group-policy-settings.md) ### [Back up the TPM recovery information to AD DS](tpm/backup-tpm-recovery-information-to-ad-ds.md) 
diff --git a/windows/device-security/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md b/windows/device-security/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md index f1f62943e3..60483dd6e4 100644 --- a/windows/device-security/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md +++ b/windows/device-security/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md @@ -12,7 +12,7 @@ author: brianlic-msft # Protecting cluster shared volumes and storage area networks with BitLocker **Applies to** -- Windows 10 +- Windows Server 2016 This topic for IT pros describes how to protect CSVs and SANs with BitLocker. diff --git a/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md b/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md index d13224f45d..df7aacb570 100644 --- a/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md +++ b/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md 
@@ -20,7 +20,208 @@ For an overview of the process described in the following procedures, see [Deplo The process for creating a golden code integrity policy from a reference system is straightforward. This section outlines the process that is required to successfully create a code integrity policy with Windows PowerShell. First, for this example, you must initiate variables to be used during the creation process. Rather than using variables, you can simply use the full file paths in the command. Next, you create the code integrity policy by scanning the system for installed applications. When created, the policy file is converted to binary format so that Windows can consume its contents. -> **Note**  Before you begin this procedure, ensure that the reference PC is clean of viruses or malware. Each piece of installed software should be validated as trustworthy before you create this policy. Also, be sure that any software that you would like to be scanned is installed on the system before you create the code integrity policy. +> [!Note] +> Before you begin this procedure, make sure that the reference PC is virus and malware-free,and that any software you want to be scanned is installed on the system before creating the code integrity policy. + +### Scripting and applications + +Each installed software application should be validated as trustworthy before you create a policy. We recommend that you review the reference PC for software that can load arbitrary DLLs and run code or scripts that could render the PC more vulnerable. Examples include software aimed at development or scripting such as msbuild.exe (part of Visual Studio and the .NET Framework) which can be removed if you do not want it to run scripts. +You can remove or disable such software on reference PCs used to create code integrity policies. 
You can also fine-tune your control by using Device Guard in combination with AppLocker, as described in [Device Guard with AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies#device-guard-with-applocker). + +Members of the security community\* continuously collaborate with Microsoft® to help protect customers. With the help of their valuable reports, Microsoft has identified a list of valid applications that an attacker could also potentially use to bypass Device Guard code integrity policies. + +Unless your use scenarios explicitly require them, Microsoft recommends that you block the following applications. These applications or files can be used by an attacker to circumvent Application Whitelisting policies, including Device Guard: + +- bash.exe +- bginfo.exe +- cdb.exe +- csi.exe +- dnx.exe +- fsi.exe +- kd.exe +- lxssmanager.dll +- msbuild.exe[1] +- mshta.exe +- ntsd.exe +- rcsi.exe +- system.management.automation.dll +- windbg.exe + +[1]If you are using your reference system in a development context and use msbuild.exe to build managed applications, we recommend that you whitelist msbuild.exe in your code integrity policies. However, if your reference system is an end user device that is not being used in a development context, we recommend that you block msbuild.exe. + +*Microsoft recognizes the efforts of those in the security community who help us protect customers through responsible vulnerability disclosure, and extends thanks to the following people: + +
      + +|Name|Twitter| +|---|---| +|Casey Smith |@subTee| +|Matt Graeber | @mattifestation| +|Matt Nelson | @enigma0x3| +|Oddvar Moe |@Oddvarmoe| + +
      + +>[!Note] +>This application list is fluid and will be updated with the latest vendor information as application vulnerabilities are resolved and new issues are discovered. + +Certain software applications may allow additional code to run by design. These types of applications should be blocked by your Device Guard policy. In addition, when an application version is upgraded to fix a security vulnerability or potential Device Guard bypass, you should add deny rules to your code integrity policies for that application’s previous, less secure versions. + +Microsoft recommends that you install the latest security updates. The June 2017 Windows updates resolve several issues in in-box PowerShell modules that allowed an attacker to bypass Device Guard code integrity policies. These modules cannot be blocked by name or version, and therefore must be blocked by their corresponding hashes. + +Microsoft recommends that you block the following Microsoft-signed applications and PowerShell files by merging the following policy into your existing policy to add these deny rules using the Merge-CIPolicy cmdlet: + +``` + + + 10.0.0.0 + {A244370E-44C9-4C06-B551-F6016E563076} + {2E07F7E4-194C-4D20-B7C9-6F44A6C5A234} + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 0 + + +``` +
      To create a code integrity policy, copy each of the following commands into an elevated Windows PowerShell session, in order: @@ -36,7 +237,7 @@ To create a code integrity policy, copy each of the following commands into an e ` New-CIPolicy -Level PcaCertificate -FilePath $InitialCIPolicy –UserPEs 3> CIPolicyLog.txt ` - > **Notes** + > [!Notes] > - When you specify the **-UserPEs** parameter (to include user mode executables in the scan), rule option **0 Enabled:UMCI** is automatically added to the code integrity policy. In contrast, if you do not specify **-UserPEs**, the policy will be empty of user mode executables and will only have rules for kernel mode binaries like drivers, in other words, the whitelist will not include applications. If you create such a policy and later add rule option **0 Enabled:UMCI**, all attempts to start applications will cause a response from Device Guard. In audit mode, the response is logging an event, and in enforced mode, the response is blocking the application. 
@@ -52,7 +253,8 @@ To create a code integrity policy, copy each of the following commands into an e After you complete these steps, the Device Guard binary file (DeviceGuardPolicy.bin) and original .xml file (IntialScan.xml) will be available on your desktop. You can use the binary version as a code integrity policy or sign it for additional security. -> **Note**  We recommend that you keep the original .xml file of the policy for use when you need to merge the code integrity policy with another policy or update its rule options. Alternatively, you would have to create a new policy from a new scan for servicing. For more information about how to merge code integrity policies, see [Merge code integrity policies](#merge-code-integrity-policies). +> [!Note] +> We recommend that you keep the original .xml file of the policy for use when you need to merge the code integrity policy with another policy or update its rule options. Alternatively, you would have to create a new policy from a new scan for servicing. For more information about how to merge code integrity policies, see [Merge code integrity policies](#merge-code-integrity-policies). We recommend that every code integrity policy be run in audit mode before being enforced. Doing so allows administrators to discover any issues with the policy without receiving error message dialog boxes. For information about how to audit a code integrity policy, see the next section, [Audit code integrity policies](#audit-code-integrity-policies). 
@@ -60,7 +262,8 @@ We recommend that every code integrity policy be run in audit mode before being When code integrity policies are run in audit mode, it allows administrators to discover any applications that were missed during an initial policy scan and to identify any new applications that have been installed and run since the original policy was created. While a code integrity policy is running in audit mode, any binary that runs and would have been denied had the policy been enforced is logged in the **Applications and Services Logs\\Microsoft\\Windows\\CodeIntegrity\\Operational** event log. When these logged binaries have been validated, they can easily be added to a new code integrity policy. When the new exception policy is created, you can merge it with your existing code integrity policies. -> **Note**  Before you begin this process, you need to create a code integrity policy binary file. If you have not already done so, see [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer), earlier in this topic, for a step-by-step walkthrough of the process to create a code integrity policy and convert it to binary format. +> [!Note] +> Before you begin this process, you need to create a code integrity policy binary file. If you have not already done so, see [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer), earlier in this topic, for a step-by-step walkthrough of the process to create a code integrity policy and convert it to binary format. **To audit a code integrity policy with local policy:** 
@@ -68,7 +271,7 @@ When code integrity policies are run in audit mode, it allows administrators to 2. On the computer you want to run in audit mode, open the Local Group Policy Editor by running **GPEdit.msc**. - > **Notes** + > [!Note] > - The computer that you will run in audit mode must be clean of viruses or malware. Otherwise, in the process that you follow after auditing the system, you might unintentionally merge in a code integrity policy that allows viruses or malware to run. @@ -76,7 +279,7 @@ When code integrity policies are run in audit mode, it allows administrators to 3. Navigate to **Computer Configuration\\Administrative Templates\\System\\Device Guard**, and then select **Deploy Code Integrity Policy**. Enable this setting by using the appropriate file path, for example, C:\\Windows\\System32\\CodeIntegrity\\DeviceGuardPolicy.bin, as shown in Figure 1. - > **Notes** + > [!Note] > - The illustration shows the example file name *DeviceGuardPolicy.bin* because this name was used earlier in this topic, in [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer). Also, this policy file does not need to be copied to every system. You can instead copy the code integrity policies to a file share to which all computer accounts have access. 
@@ -124,7 +327,8 @@ Use the following procedure after you have been running a computer with a code i ` New-CIPolicy -Audit -Level Hash -FilePath $CIAuditPolicy –UserPEs 3> CIPolicylog.txt` - > **Note**  When you create policies from audit events, you should carefully consider the file rule level that you select to trust. The preceding example uses the **Hash** rule level, which is the most specific. Any change to the file (such as replacing the file with a newer version of the same file) will change the Hash value, and require an update to the policy. + > [!Note] + > When you create policies from audit events, you should carefully consider the file rule level that you select to trust. The preceding example uses the **Hash** rule level, which is the most specific. Any change to the file (such as replacing the file with a newer version of the same file) will change the Hash value, and require an update to the policy. 4. Find and review the Device Guard audit policy .xml file that you created. If you used the example variables as shown, the filename will be **DeviceGuardAuditPolicy.xml**, and it will be on your desktop. Look for the following: 
@@ -134,7 +338,8 @@ Use the following procedure after you have been running a computer with a code i You can now use this file to update the existing code integrity policy that you ran in audit mode by merging the two policies. For instructions on how to merge this audit policy with the existing code integrity policy, see the next section, [Merge code integrity policies](#merge-code-integrity-policies). -> **Note**  You may have noticed that you did not generate a binary version of this policy as you did in [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer). This is because code integrity policies created from an audit log are not intended to run as stand-alone policies but rather to update existing code integrity policies. +> [!Note] +> You may have noticed that you did not generate a binary version of this policy as you did in [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer). This is because code integrity policies created from an audit log are not intended to run as stand-alone policies but rather to update existing code integrity policies. ## Use a code integrity policy to control specific plug-ins, add-ins, and modules 
@@ -166,7 +371,8 @@ New-CIPolicy -Rules $rule -FilePath ".\BlockAddins.xml" -UserPEs When you develop code integrity policies, you will occasionally need to merge two policies. A common example is when a code integrity policy is initially created and audited. Another example is when you create a single master policy by using multiple code integrity policies previously created from golden computers. Because each computer running Windows 10 can have only one code integrity policy, it is important to properly maintain these policies. In this example, audit events have been saved into a secondary code integrity policy that you then merge with the initial code integrity policy. -> **Note**  The following example uses several of the code integrity policy .xml files that you created in earlier sections in this topic. You can follow this process, however, with any two code integrity policies you would like to combine. +> [!Note] +> The following example uses several of the code integrity policy .xml files that you created in earlier sections in this topic. You can follow this process, however, with any two code integrity policies you would like to combine. To merge two code integrity policies, complete the following steps in an elevated Windows PowerShell session: 
@@ -182,7 +388,8 @@ To merge two code integrity policies, complete the following steps in an elevate ` $CIPolicyBin=$CIPolicyPath+"NewDeviceGuardPolicy.bin"` - > **Note**  The variables in this section specifically expect to find an initial policy on your desktop called **InitialScan.xml** and an audit code integrity policy called **DeviceGuardAuditPolicy.xml**. If you want to merge other code integrity policies, update the variables accordingly. + > [!Note] + > The variables in this section specifically expect to find an initial policy on your desktop called **InitialScan.xml** and an audit code integrity policy called **DeviceGuardAuditPolicy.xml**. If you want to merge other code integrity policies, update the variables accordingly. 2. Use [Merge-CIPolicy](https://technet.microsoft.com/library/mt634485.aspx) to merge two policies and create a new code integrity policy: @@ -198,7 +405,8 @@ Now that you have created a new code integrity policy (for example, called **New Every code integrity policy is created with audit mode enabled. After you have successfully deployed and tested a code integrity policy in audit mode and are ready to test the policy in enforced mode, complete the following steps in an elevated Windows PowerShell session: -> **Note**  Every code integrity policy should be tested in audit mode first. For information about how to audit code integrity policies, see [Audit code integrity policies](#audit-code-integrity-policies), earlier in this topic. +> [!Note] +> Every code integrity policy should be tested in audit mode first. For information about how to audit code integrity policies, see [Audit code integrity policies](#audit-code-integrity-policies), earlier in this topic. 1. Initialize the variables that will be used: 
@@ -210,7 +418,8 @@ Every code integrity policy is created with audit mode enabled. After you have s ` $CIPolicyBin=$CIPolicyPath+"EnforcedDeviceGuardPolicy.bin"` - > **Note**  The initial code integrity policy that this section refers to was created in the [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer) section. If you are using a different code integrity policy, update the **CIPolicyPath** and **InitialCIPolicy** variables. + > [!Note] + > The initial code integrity policy that this section refers to was created in the [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer) section. If you are using a different code integrity policy, update the **CIPolicyPath** and **InitialCIPolicy** variables. 2. Ensure that rule options 9 (“Advanced Boot Options Menu”) and 10 (“Boot Audit on Failure”) are set the way that you intend for this policy. We strongly recommend that you enable these rule options before you run any enforced policy for the first time. Enabling these options provides administrators with a pre-boot command prompt, and allows Windows to start even if the code integrity policy blocks a kernel-mode driver from running. When ready for enterprise deployment, you can remove these options. 
@@ -228,7 +437,8 @@ Every code integrity policy is created with audit mode enabled. After you have s ` Set-RuleOption -FilePath $EnforcedCIPolicy -Option 3 -Delete` - > **Note**  To enforce a code integrity policy, you delete option 3, the **Audit Mode Enabled** option. There is no “enforced” option that can be placed in a code integrity policy. + > [!Note] + > To enforce a code integrity policy, you delete option 3, the **Audit Mode Enabled** option. There is no “enforced” option that can be placed in a code integrity policy. 5. Use [ConvertFrom-CIPolicy](https://technet.microsoft.com/library/mt733073.aspx) to convert the new code integrity policy to binary format: 
@@ -244,7 +454,8 @@ Signing code integrity policies by using an on-premises CA-generated certificate Before signing code integrity policies for the first time, be sure to enable rule options 9 (“Advanced Boot Options Menu”) and 10 (“Boot Audit on Failure”) to leave troubleshooting options available to administrators. To ensure that a rule option is enabled, you can run a command such as `Set-RuleOption -FilePath -Option 9` even if you're not sure whether the option is already enabled—if so, the command has no effect. When validated and ready for enterprise deployment, you can remove these options. For more information about rule options, see [Code integrity policy rules](deploy-code-integrity-policies-policy-rules-and-file-rules.md#code-integrity-policy-rules) in "Deploy code integrity policies: policy rules and file rules." -> **Note**  Signing code integrity policies is the last step in a code integrity deployment. It is much more difficult to remove a signed code integrity policy than an unsigned one. Before you deploy a signed code integrity policy to deployed client computers, be sure to test its effect on a subset of computers. +> [!Note] +> Signing code integrity policies is the last step in a code integrity deployment. It is much more difficult to remove a signed code integrity policy than an unsigned one. Before you deploy a signed code integrity policy to deployed client computers, be sure to test its effect on a subset of computers. To sign a code integrity policy with SignTool.exe, you need the following components: 
@@ -264,7 +475,8 @@ If you do not have a code signing certificate, see the [Optional: Create a code ` $CIPolicyBin=$CIPolicyPath+"DeviceGuardPolicy.bin"` - > **Note**  This example uses the code integrity policy that you created in the [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer) section. If you are signing another policy, be sure to update the **$CIPolicyPath** and **$CIPolicyBin** variables with the correct information. + > [!Note] + > This example uses the code integrity policy that you created in the [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer) section. If you are signing another policy, be sure to update the **$CIPolicyPath** and **$CIPolicyBin** variables with the correct information. 2. Import the .pfx code signing certificate. Import the code signing certificate that you will use to sign the code integrity policy into the signing user’s personal store on the computer that will be doing the signing. In this example, you use the certificate that was created in [Optional: Create a code signing certificate for code integrity policies](optional-create-a-code-signing-certificate-for-code-integrity-policies.md). 
@@ -278,9 +490,9 @@ If you do not have a code signing certificate, see the [Optional: Create a code ` Add-SignerRule -FilePath $InitialCIPolicy -CertificatePath -Kernel -User –Update` - > **Notes**  *<Path to exported .cer certificate>* should be the full path to the certificate that you exported in step 3. - - > Also, adding update signers is crucial to being able to modify or disable this policy in the future. For more information about how to disable signed code integrity policies, see the [Disable signed code integrity policies within Windows](#disable-signed-code-integrity-policies-within-windows) section. + > [!Note] + > *<Path to exported .cer certificate>* should be the full path to the certificate that you exported in step 3. + Also, adding update signers is crucial to being able to modify or disable this policy in the future. For more information about how to disable signed code integrity policies, see the [Disable signed code integrity policies within Windows](#disable-signed-code-integrity-policies-within-windows) section. 6. Use [Set-RuleOption](https://technet.microsoft.com/library/mt634483.aspx) to remove the unsigned policy rule option: 
@@ -294,7 +506,8 @@ If you do not have a code signing certificate, see the [Optional: Create a code ` sign -v /n "ContosoDGSigningCert" -p7 . -p7co 1.3.6.1.4.1.311.79.1 -fd sha256 $CIPolicyBin` - > **Note**  The *<Path to signtool.exe>* variable should be the full path to the SignTool.exe utility. **ContosoDGSigningCert** is the subject name of the certificate that will be used to sign the code integrity policy. You should import this certificate to your personal certificate store on the computer you use to sign the policy. + > [!Note] + > The *<Path to signtool.exe>* variable should be the full path to the SignTool.exe utility. **ContosoDGSigningCert** is the subject name of the certificate that will be used to sign the code integrity policy. You should import this certificate to your personal certificate store on the computer you use to sign the policy. 9. Validate the signed file. When complete, the commands should output a signed policy file called DeviceGuardPolicy.bin.p7 to your desktop. You can deploy this file the same way you deploy an enforced or non-enforced policy. For information about how to deploy code integrity policies, see [Deploy and manage code integrity policies with Group Policy](#deploy-and-manage-code-integrity-policies-with-group-policy). 
@@ -312,7 +525,8 @@ If the code integrity policy was deployed by using Group Policy, the GPO that is Signed policies protect Windows from administrative manipulation as well as malware that has gained administrative-level access to the system. For this reason, signed code integrity policies are intentionally more difficult to remove than unsigned policies. They inherently protect themselves from modification or removal and therefore are difficult even for administrators to remove successfully. If the signed code integrity policy is manually enabled and copied to the CodeIntegrity folder, to remove the policy, you must complete the following steps. -> **Note**  For reference, signed code integrity policies should be replaced and removed from the following locations: +> [!Note] +> For reference, signed code integrity policies should be replaced and removed from the following locations: - <EFI System Partition>\\Microsoft\\Boot\\ 
@@ -363,9 +577,11 @@ There may be a time when signed code integrity policies cause a boot failure. Be Code integrity policies can easily be deployed and managed with Group Policy. A Device Guard administrative template will be available in Windows Server 2016 that allows you to simplify deployment of Device Guard hardware-based security features and code integrity policies. The following procedure walks you through how to deploy a code integrity policy called **DeviceGuardPolicy.bin** to a test OU called *DG Enabled PCs* by using a GPO called **Contoso GPO Test**. -> **Note**  This walkthrough requires that you have previously created a code integrity policy and have a computer running Windows 10 on which to test a Group Policy deployment. For more information about how to create a code integrity policy, see [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer), earlier in this topic. +> [!Note] +> This walkthrough requires that you have previously created a code integrity policy and have a computer running Windows 10 on which to test a Group Policy deployment. For more information about how to create a code integrity policy, see [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer), earlier in this topic. -> **Note**  Signed code integrity policies can cause boot failures when deployed. We recommend that signed code integrity policies be thoroughly tested on each hardware platform before enterprise deployment. +> [!Note] +> Signed code integrity policies can cause boot failures when deployed. We recommend that signed code integrity policies be thoroughly tested on each hardware platform before enterprise deployment. To deploy and manage a code integrity policy with Group Policy: 
@@ -393,13 +609,15 @@ To deploy and manage a code integrity policy with Group Policy: In this policy setting, you specify either the local path in which the policy will exist on the client computer or a Universal Naming Convention (UNC) path that the client computers will look to retrieve the latest version of the policy. For example, with DeviceGuardPolicy.bin on the test computer, the example file path would be C:\\Windows\\System32\\CodeIntegrity\\DeviceGuardPolicy.bin, as shown in Figure 5. - > **Note**  The illustration shows the example file name *DeviceGuardPolicy.bin* because this name was used earlier in this topic, in [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer). Also, this policy file does not need to be copied to every computer. You can instead copy the code integrity policies to a file share to which all computer accounts have access. Any policy selected here is converted to SIPolicy.p7b when it is deployed to the individual client computers. + > [!Note] + > The illustration shows the example file name *DeviceGuardPolicy.bin* because this name was used earlier in this topic, in [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer). Also, this policy file does not need to be copied to every computer. You can instead copy the code integrity policies to a file share to which all computer accounts have access. Any policy selected here is converted to SIPolicy.p7b when it is deployed to the individual client computers. ![Group Policy called Deploy Code Integrity Policy](images/dg-fig26-enablecode.png) Figure 5. Enable the code integrity policy - > **Note**  You may have noticed that the GPO setting references a .p7b file and this example uses a .bin file for the policy. Regardless of the type of policy you deploy (.bin, .p7b, or .p7), they are all converted to SIPolicy.p7b when dropped on the client computer running Windows 10. 
Make your code integrity policies friendly and allow the system to convert the policy names for you to ensure that the policies are easily distinguishable when viewed in a share or any other central repository. + > [!Note] + > You may have noticed that the GPO setting references a .p7b file and this example uses a .bin file for the policy. Regardless of the type of policy you deploy (.bin, .p7b, or .p7), they are all converted to SIPolicy.p7b when dropped on the client computer running Windows 10. Make your code integrity policies friendly and allow the system to convert the policy names for you to ensure that the policies are easily distinguishable when viewed in a share or any other central repository. 7. Close the Group Policy Management Editor, and then restart the Windows 10 test computer. Restarting the computer updates the code integrity policy. For information about how to audit code integrity policies, see the [Audit code integrity policies](#audit-code-integrity-policies) section. diff --git a/windows/device-security/device-guard/planning-and-getting-started-on-the-device-guard-deployment-process.md b/windows/device-security/device-guard/planning-and-getting-started-on-the-device-guard-deployment-process.md index 3e922b1c6b..d3919505b8 100644 --- a/windows/device-security/device-guard/planning-and-getting-started-on-the-device-guard-deployment-process.md +++ b/windows/device-security/device-guard/planning-and-getting-started-on-the-device-guard-deployment-process.md 
@@ -25,12 +25,26 @@ This topic provides a roadmap for planning and getting started on the Device Gua 3. **Review how much variety in software and hardware is needed by roles or departments**. When several departments all use the same hardware and software, you might need to deploy only one code integrity policy for them. More variety across departments might mean you need to create and manage more code integrity policies. The following questions can help you clarify how many code integrity policies to create: - How standardized is the hardware?
      This can be relevant because of drivers. You could create a code integrity policy on hardware that uses a particular set of drivers, and if other drivers in your environment use the same signature, they would also be allowed to run. However, you might need to create several code integrity policies on different "reference" hardware, then merge the policies together, to ensure that the resulting policy recognizes all the drivers in your environment. - - Is there already a list of accepted applications?
      A list of accepted applications can be used to help create a baseline code integrity policy.
      As of Windows 10, version 1703, it might also be useful to have a list of plug-ins, add-ins, or modules that you want to allow only in a specific app (such as a line-of-business app). Similarly, it might be useful to have a list of plug-ins, add-ins, or modules that you want to block in a specific app (such as a browser). - - What software does each department or role need? Should they be able to install and run other departments’ software?
      If multiple departments are allowed to run the same list of software, you might be able to merge several code integrity policies to simplify management. - Are there departments or roles where unique, restricted software is used?
      If one department needs to run an application that no other department is allowed, it might require a separate code integrity policy. Similarly, if only one department must run an old version of an application (while other departments allow only the newer version), it might require a separate code integrity policy. + - Is there already a list of accepted applications?
      A list of accepted applications can be used to help create a baseline code integrity policy.
      As of Windows 10, version 1703, it might also be useful to have a list of plug-ins, add-ins, or modules that you want to allow only in a specific app (such as a line-of-business app). Similarly, it might be useful to have a list of plug-ins, add-ins, or modules that you want to block in a specific app (such as a browser). + + - As part of a threat review process, have you reviewed systems for software that can load arbitrary DLLs or run code or scripts? + In day-to-day operations, your organization’s security policy may allow certain applications, code, or scripts to run on your systems depending on their role and the context. However, if your security policy requires that you run only trusted applications, code, and scripts on your systems, you may decide to lock these systems down securely with Device Guard code integrity policies. You can also fine-tune your control by using Device Guard in combination with AppLocker, as described in [Device Guard with AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies#device-guard-with-applocker). + + Legitimate applications from trusted vendors provide valid functionality. However, an attacker could also potentially use that same functionality to run malicious executable code that could bypass code integrity policies. + + For operational scenarios that require elevated security, certain applications with known Code Integrity bypasses may represent a security risk if you whitelist them in your code integrity policies. Other applications where older versions of the application had vulnerabilities also represent a risk. Therefore, you may want to deny or block such applications from your code integrity policies. For applications with vulnerabilities, once the vulnerabilities are fixed you can create a rule that only allows the fixed or newer versions of that application. 
The decision to allow or block applications depends on the context and on how the reference system is being used. + + Security professionals collaborate with Microsoft continuously to help protect customers. With the help of their valuable reports, Microsoft has identified a list of known applications that an attacker could potentially use to bypass Device Guard code integrity policies. Depending on the context, you may want to block these applications. To view this list of applications and for use case examples, such as disabling msbuild.exe, see [Deploy code integrity policies: steps](https://technet.microsoft.com/itpro/windows/keep-secure/deploy-code-integrity-policies-steps). + + + + + + 4. **Identify LOB applications that are currently unsigned**. Although requiring signed code (through code integrity policies) protects against many threats, your organization might use unsigned LOB applications, for which the process of signing might be difficult. You might also have applications that are signed, but you want to add a secondary signature to them. If so, identify these applications, because you will need to create a catalog file for them. For a basic description of catalog files, see the table in [Introduction to Device Guard: virtualization-based security and code integrity policies](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md). For more background information about catalog files, see [Reviewing your applications: application signing and catalog files](requirements-and-deployment-planning-guidelines-for-device-guard.md#reviewing-your-applications-application-signing-and-catalog-files). ## Getting started on the deployment process 
@@ -59,3 +73,5 @@ This topic provides a roadmap for planning and getting started on the Device Gua > Virtualization-based protection of code integrity may be incompatible with some devices and applications. We strongly recommend testing this configuration in your lab before enabling virtualization-based protection of code integrity on production systems. Failure to do so may result in unexpected failures up to and including data loss or a blue screen error (also called a stop error). For information about enabling VBS features, see [Deploy Device Guard: enable virtualization-based security](deploy-device-guard-enable-virtualization-based-security.md). + +
      \ No newline at end of file
diff --git a/windows/device-security/docfx.json b/windows/device-security/docfx.json
index ebbbf433db..acfa4df08b 100644
--- a/windows/device-security/docfx.json
+++ b/windows/device-security/docfx.json
@@ -35,7 +35,13 @@
 "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
 "ms.technology": "windows",
 "ms.topic": "article",
- "ms.author": "justinha"
+ "ms.author": "justinha",
+ "ms.date": "04/05/2017",
+ "_op_documentIdPathDepotMapping": {
+ "./": {
+ "depot_name": "MSDN.win-device-security"
+ }
+ }
 },
 "fileMetadata": {},
 "template": [],
diff --git a/windows/device-security/tpm/how-windows-uses-the-tpm.md b/windows/device-security/tpm/how-windows-uses-the-tpm.md
deleted file mode 100644
index 9c4c75440a..0000000000
--- a/windows/device-security/tpm/how-windows-uses-the-tpm.md
+++ /dev/null
@@ -1,274 +0,0 @@ ---- -title: How Windows 10 uses the TPM (Windows 10) -description: This topic for the IT professional has an overview of the TPM, describes how it works, and discusses the benefits that TPM brings to Windows 10. -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -author: brianlic-msft ---- - -# How Windows 10 uses the TPM - -Windows 10 improves existing security features and adds new groundbreaking security features such as Device Guard and Windows Hello for Business. -It places hardware-based security deeper inside the operating system than previous Windows versions, maximizing platform security while increasing usability. -To achieve many of these security enhancements, Windows 10 makes extensive use of the Trusted Platform Module (TPM). - -This article offers a brief overview of the TPM, describes how it works, and discusses the benefits that TPM brings to Windows 10—as well as the cumulative security impact of running Windows 10 on a PC that contains a TPM. - -**See also** - -- [Windows 10 Specifications](https://www.microsoft.com/en-us/windows/windows-10-specifications) -- [TPM Fundamentals](tpm-fundamentals.md) -- [TPM Recommendations](tpm-recommendations.md) - -## TPM Overview - -The TPM is a cryptographic module that enhances computer security and privacy. -Protecting data through encryption and decryption, protecting authentication credentials, and proving which software is running on a system are basic functionalities associated with computer security. -The TPM helps with all these scenarios and more. - -Traditionally, TPMs have been discrete chips soldered to a computer’s motherboard. -Such implementations allow the computer’s original equipment manufacturer (OEM) to evaluate and certify the TPM separate from the rest of the system. -Although discrete TPM implementations are still common, they can be problematic for integrated devices that are small or have low power consumption. 
-Some newer TPM implementations integrate TPM functionality into the same chipset as other platform components while still providing logical separation similar to discrete TPM chips. - -TPMs are passive: they receive commands and return responses. -To realize the full benefit of a TPM, the OEM must carefully integrate system hardware and firmware with the TPM to send it commands and react to its responses. -TPMs were originally designed to provide security and privacy benefits to a platform’s owner and users, but newer versions can provide security and privacy benefits to the system hardware itself. -Before it can be used for advanced scenarios, however, a TPM must be provisioned. -Windows 10 automatically provisions a TPM, but if the user reinstalls the operating system, he or she may need to tell the operating system to explicitly provision the TPM again before it can use all the TPM’s features. - -The Trusted Computing Group (TCG) is the nonprofit organization that publishes and maintains the TPM specification. -The TCG exists to develop, define, and promote vendor-neutral, global industry standards that support a hardware-based root of trust for interoperable trusted computing platforms. -The TCG also publishes the TPM specification as the international standard ISO/IEC 11889, using the Publicly Available Specification Submission Process that the Joint Technical Committee 1 defines between the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). - -OEMs implement the TPM as a component in a trusted computing platform, such as a PC, tablet, or phone. -Trusted computing platforms use the TPM to support privacy and security scenarios that software alone cannot achieve. -For example, software alone cannot reliably report whether malware is present during the system startup process. 
-The close integration between TPM and platform increases the transparency of the startup process and supports evaluating device health by enabling reliable measuring and reporting of the software that starts the device. -Implementation of a TPM as part of a trusted computing platform provides a hardware root of trust—that is, it behaves in a trusted way. -For example, if a key stored in a TPM has properties that disallow exporting the key, that key *truly cannot leave the TPM*. - -The TCG designed the TPM as a low-cost, mass-market security solution that addresses the requirements of different customer segments. -There are variations in the security properties of different TPM implementations just as there are variations in customer and regulatory requirements for different sectors. -In public-sector procurement, for example, some governments have clearly defined security requirements for TPMs, whereas others do not. - -Certification programs for TPMs—and technology in general—continue to evolve as the speed of innovation increases. -Although having a TPM is clearly better than not having a TPM, Microsoft’s best advice is to determine your organization’s security needs and research any regulatory requirements associated with procurement for your industry. -The result is a balance between scenarios used, assurance level, cost, convenience, and availability. - -## TPM in Windows 10 - -The security features of Windows 10 combined with the benefits of a TPM offer practical security and privacy benefits. -The following sections start with major TPM-related security features in Windows 10 and go on to describe how key technologies use the TPM to enable or increase security. - -## Platform Crypto Provider - -Historically, Windows has included a cryptography framework called *Cryptographic API: Next Generation* (CNG), the basic approach of which is to implement cryptographic algorithms in different ways but with a common application programming interface (API). 
-Applications that use cryptography can use the common API without knowing the details of how an algorithm is implemented much less the algorithm itself. - -Although CNG sounds like a mundane starting point, it illustrates some of the advantages that a TPM provides. -Underneath the CNG interface, Windows or third parties supply a cryptographic provider (that is, an implementation of an algorithm) implemented as software libraries alone or in a combination of software and available system hardware or third party hardware. -If implemented through hardware, the cryptographic provider communicates with the hardware behind the software interface of CNG. - -The Platform Crypto Provider, introduced in the Windows 8 operating system, exposes the following special TPM properties, which software only CNG providers cannot offer or cannot offer as effectively: - -- **Key protection.** The Platform Crypto Provider can create keys in the TPM with restrictions on their use. - The operating system can load and use the keys in the TPM without copying the keys to system memory, where they are vulnerable to malware. - The Platform Crypto Provider can also configure keys that a TPM protects so that they are not removable. - If a TPM creates a key, the key is unique and resides only in that TPM. - If the TPM imports a key, the Platform Crypto Provider can use the key in that TPM, but that TPM is not a source for making additional copies of the key or enabling the use of copies elsewhere. - In sharp contrast, software solutions that protect keys from copying are subject to reverse-engineering attacks, in which someone figures out how the solution stores keys or makes copies of keys while they are in memory during use. - -- **Dictionary attack protection.** Keys that a TPM protects can require an authorization value such as a PIN. - With dictionary attack protection, the TPM can prevent attacks that attempt a large number of guesses to determine the PIN. 
- After too many guesses, the TPM simply returns an error saying no more guesses are allowed for a period of time. - Software solutions might provide similar features, but they cannot provide the same level of protection, especially if the system restarts, the system clock changes, or files on the hard disk that count failed guesses are rolled back. - In addition, with dictionary attack protection, authorization values such as PINs can be shorter and easier to remember while still providing the same level of protection as more complex values when using software solutions. - -These TPM features give Platform Crypto Provider distinct advantages over software-based solutions. -A practical way to see these benefits in action is when using certificates on a Windows 10 device. -On platforms that include a TPM, Windows can use the Platform Crypto Provider to provide certificate storage. -Certificate templates can specify that a TPM use the Platform Crypto Provider to protect the key associated with a certificate. -In mixed environments, where some computers might not have a TPM, the certificate template could simply prefer the Platform Crypto Provider over the standard Windows software provider. -If a certificate is configured as not able to be exported, the private key for the certificate is restricted and cannot be exported from the TPM. -If the certificate requires a PIN, the PIN gains the TPM’s dictionary attack protection automatically. - -## Virtual Smart Card - -Smart cards are highly secure physical devices that typically store a single certificate and the corresponding private key. -Users insert a smart card into a built-in or USB card reader and enter a PIN to unlock it. -Windows can then access the card’s certificate and use the private key for authentication or to unlock BitLocker protected data volumes. 
-Smart cards are popular because they provide two-factor authentication that requires both something the user has (that is, the smart card) and something the user knows (such as the smart card PIN). -Smart cards are difficult to use, however, because they require purchase and deployment of both smart cards and smart card readers. - -In Windows, the Virtual Smart Card feature allows the TPM to mimic a permanently inserted smart card. -The TPM becomes “something the user has” but still requires a PIN. -Although physical smart cards limit the number of PIN attempts before locking the card and requiring a reset, a virtual smart card relies on the TPM’s dictionary attack protection to prevent too many PIN guesses. - -For TPM-based virtual smart cards, the TPM protects the use and storage of the certificate private key so that it cannot be copied when it is in use or stored and used elsewhere. -Using a component that is part of the system rather than a separate physical smart card can reduce total cost of ownership because it eliminates “lost card” and “card left at home” scenarios while still delivering the benefits of smart card–based multifactor authentication. -For users, virtual smart cards are simple to use, requiring only a PIN to unlock. -Virtual smart cards support the same scenarios that physical smart cards support, including signing in to Windows or authenticating for resource access. - -## Windows Hello for Business - -Windows Hello for Business provides authentication methods intended to replace passwords, which can be difficult to remember and easily compromised. -In addition, user name- password solutions for authentication often reuse the same user name–password combinations on multiple devices and services; if those credentials are compromised, they are compromised in many places. 
-Windows Hello for Business provisions devices one by one and combines the information provisioned on each device (i.e., the cryptographic key) with additional information to authenticate users. -On a system that has a TPM, the TPM can protect the key. -If a system does not have a TPM, software-based techniques protect the key. -The additional information the user supplies can be a PIN value or, if the system has the necessary hardware, biometric information, such as fingerprint or facial recognition. -To protect privacy, the biometric information is used only on the provisioned device to access the provisioned key: it is not shared across devices. - -The adoption of new authentication technology requires that identity providers and organizations deploy and use that technology. -Windows Hello for Business lets a user authenticate with an existing Microsoft account, an Active Directory account, an Azure Active Directory account, or even non-Microsoft Identity Provider Services or Relying Party Services that support [Fast ID Online V2.0 authentication](http://go.microsoft.com/fwlink/p/?LinkId=533889). - -Identity providers have flexibility in how they provision credentials on client devices. -For example, an organization might provision only those devices that have a TPM so that the organization knows that a TPM protects the credentials. -The ability to distinguish a TPM from malware acting like a TPM requires the following TPM capabilities (see Figure 1): - -- **Endorsement key.** The TPM manufacturer can create a special key in the TPM called an endorsement key. - An endorsement key certificate, signed by the manufacturer, says that the endorsement key is present in a TPM that that manufacturer made. - Solutions can use the certificate with the TPM containing the endorsement key to confirm a scenario really involves a TPM from a specific TPM manufacturer (instead of malware acting like a TPM). 
- -- **Attestation identity key.** To protect privacy, most TPM scenarios do not directly use an actual endorsement key. - Instead, they use attestation identity keys, and an identity certificate authority (CA) uses the endorsement key and its certificate to prove that one or more attestation identity keys actually exist in a real TPM. - The identity CA issues attestation identity key certificates. - More than one identity CA will generally see the same endorsement key certificate that can uniquely identify the TPM, but any number of attestation identity key certificates can be created to limit the information shared in other scenarios. - -![TPM capabilities](..\images\tpm-capabilities.png) -*Figure 1 TPM capabilities* - -For Windows Hello for Business, Microsoft can fill the role of the identity CA. -Microsoft services can issue an attestation identity key certificate for each device, user, and identify provider to ensure that privacy is protected and to help identity providers ensure that device TPM requirements are met before Windows Hello for Business credentials are provisioned. - -## BitLocker Drive Encryption - -BitLocker provides full-volume encryption to protect data at rest. -The most common device configuration splits the hard drive into several volumes. -The operating system and user data reside on one volume that holds confidential information, and other volumes hold public information such as boot components, system information and recovery tools. -(These other volumes are used infrequently enough that they do not need to be visible to users.) -Without additional protections in place, if the volume containing the operating system and user data is not encrypted, someone can boot another operating system and easily bypass the intended operating system’s enforcement of file permissions to read any user data. 
- -In the most common configuration, BitLocker encrypts the operating system volume so that if the computer or hard disk is lost or stolen when powered off, the data on the volume remains confidential. -When the computer is turned on, starts normally, and proceeds to the Windows logon prompt, the only path forward is for the user to log on with his or her credentials, allowing the operating system to enforce its normal file permissions. -If something about the boot process changes, however—for example, a different operating system is booted from a USB device—the operating system volume and user data cannot be read and are not accessible. -The TPM and system firmware collaborate to record measurements of how the system started, including loaded software and configuration details such as whether boot occurred from the hard drive or a USB device. -BitLocker relies on the TPM to allow the use of a key only when startup occurs in an expected way. -The system firmware and TPM are carefully designed to work together to provide the following capabilities: - -- **Hardware root of trust for measurement.** A TPM allows software to send it commands that record measurements of software or configuration information. - This information can be calculated using a hash algorithm that essentially transforms a lot of data into a small, statistically unique hash value. - The system firmware has a component called the *Core Root of Trust for Measurement* (CRTM) that is implicitly trusted. - The CRTM unconditionally hashes the next software component and records the measurement value by sending a command to the TPM. Successive components, whether system firmware or operating system loaders, continue the process by measuring any software components they load before running them. Because each component’s measurement is sent to the TPM before it runs, a component cannot erase its measurement from the TPM. (However, measurements are erased when the system is restarted.) 
The result is that at each step of the system startup process, the TPM holds measurements of boot software and configuration information. Any changes in boot software or configuration yield different TPM measurements at that step and later steps. Because the system firmware unconditionally starts the measurement chain, it provides a hardware-based root of trust for the TPM measurements. At some point in the startup process, the value of recording all loaded software and configuration information diminishes and the chain of measurements stops. The TPM allows for the creation of keys that can be used only when the platform configuration registers that hold the measurements have specific values. - -- **Key used only when boot measurements are accurate.** BitLocker creates a key in the TPM that can be used only when the boot measurements match an expected value. - The expected value is calculated for the step in the startup process when Windows Boot Manager runs from the operating system volume on the system hard drive. Windows Boot Manager, which is stored unencrypted on the boot volume, needs to use the TPM key so that it can decrypt data read into memory from the operating system volume and startup can proceed using the encrypted operating system volume. If a different operating system is booted or the configuration is changed, the measurement values in the TPM will be different, the TPM will not let Windows Boot Manager use the key, and the startup process cannot proceed normally because the data on the operating system cannot be decrypted. If someone tries to boot the system with a different operating system or a different device, the software or configuration measurements in the TPM will be wrong and the TPM will not allow use of the key needed to decrypt the operating system volume. As a failsafe, if measurement values change unexpectedly, the user can always use the BitLocker recovery key to access volume data. 
Organizations can configure BitLocker to store the recovery key in Active Directory Domain Services (AD DS). - -Device hardware characteristics are important to BitLocker and its ability to protect data. -One consideration is whether the device provides attack vectors when the system is at the logon screen. -For example, if the Windows device has a port that allows direct memory access so that someone can plug in hardware and read memory, an attacker can read the operating system volume’s decryption key from memory while at the Windows logon screen. -To mitigate this risk, organizations can configure BitLocker so that the TPM key requires both the correct software measurements and an authorization value. -The system startup process stops at Windows Boot Manager, and the user is prompted to enter the authorization value for the TPM key or insert a USB device with the value. -This process stops BitLocker from automatically loading the key into memory where it might be vulnerable, but has a less desirable user experience. - -Newer hardware and Windows 10 work better together to disable direct memory access through ports and reduce attack vectors. -The result is that organizations can deploy more systems without requiring users to enter additional authorization information during the startup process. -The right hardware allows BitLocker to be used with the “TPM-only” configuration giving users a single sign-on experience without having to enter a PIN or USB key during boot. - -## Device Encryption - -Device Encryption is the consumer version of BitLocker, and it uses the same underlying technology. -How it works is if a customer signs in with a Microsoft account and the system meets InstantGo hardware requirements, BitLocker Drive Encryption is enabled automatically in Windows 10. -The recovery key is backed up in the Microsoft cloud and is accessible to the consumer through his or her Microsoft account. 
-The InstantGo hardware requirements inform Windows 10 that the hardware is appropriate for deploying Device Encryption and allows use of the “TPM-only” configuration for a simple consumer experience. -In addition, InstantGo hardware is designed to reduce the likelihood that measurement values change and prompt the customer for the recovery key. - -For software measurements, Device Encryption relies on measurements of the authority providing software components (based on code signing from manufacturers such as OEMs or Microsoft) instead of the precise hashes of the software components themselves. -This permits servicing of components without changing the resulting measurement values. -For configuration measurements, the values used are based on the boot security policy instead of the numerous other configuration settings recorded during startup. -These values also change less frequently. -The result is that Device Encryption is enabled on appropriate hardware in a user-friendly way while also protecting data. - -## Measured Boot - -Windows 8 introduced Measured Boot as a way for the operating system to record the chain of measurements of software components and configuration information in the TPM through the initialization of the Windows operating system. -In previous Windows versions, the measurement chain stopped at the Windows Boot Manager component itself, and the measurements in the TPM were not helpful for understanding the starting state of Windows. - -The Windows boot process happens in stages and often involves third-party drivers to communicate with vendor-specific hardware or implement antimalware solutions. -For software, Measured Boot records measurements of the Windows kernel, Early-Launch Anti-Malware drivers, and boot drivers in the TPM. 
-For configuration settings, Measured Boot records security-relevant information such as signature data that antimalware drivers use and configuration data about Windows security features (e.g., whether BitLocker is on or off). - -Measured Boot ensures that TPM measurements fully reflect the starting state of Windows software and configuration settings. -If security settings and other protections are set up correctly, they can be trusted to maintain the security of the running operating system thereafter. -Other scenarios can use the operating system’s starting state to determine whether the running operating system should be trusted. - -TPM measurements are designed to avoid recording any privacy-sensitive information as a measurement. -As an additional privacy protection, Measured Boot stops the measurement chain at the initial starting state of Windows. -Therefore, the set of measurements does not include details about which applications are in use or how Windows is being used. -Measurement information can be shared with external entities to show that the device is enforcing adequate security policies and did not start with malware. - -The TPM provides the following way for scenarios to use the measurements recorded in the TPM during boot: - -- **Remote attestation.** Using an attestation identity key, the TPM can generate and cryptographically sign a statement (or *quote*) of the current measurements in the TPM. - Windows 10 can create unique attestation identity keys for various scenarios to prevent separate evaluators from collaborating to track the same device. - Additional information in the quote is cryptographically scrambled to limit information sharing and better protect privacy. - By sending the quote to a remote entity, a device can attest which software and configuration settings were used to boot the device and initialize the operating system. 
- An attestation identity key certificate can provide further assurance that the quote is coming from a real TPM. - *Remote attestation* is the process of recording measurements in the TPM, generating a quote, and sending the quote information to another system that evaluates the measurements to establish trust in a device. - Figure 2 illustrates this process. - -When new security features are added to Windows, Measured Boot adds security-relevant configuration information to the measurements recorded in the TPM. -Measured Boot enables remote attestation scenarios that reflect the system firmware and the Windows initialization state. - -![Remote attestation](..\images\tpm-remote-attestation.png) -*Figure 2 Remote attestation* - -## Health attestation - -Some Windows 10 improvements help security solutions implement remote attestation scenarios. -Microsoft provides a Health Attestation service, which can create attestation identity key certificates for TPMs from different manufacturers as well as parse measured boot information to extract simple security assertions, such as whether BitLocker is on or off. -The simple security assertions can be used to evaluate device health. - -Mobile device management (MDM) solutions can receive simple security assertions from the Microsoft Health Attestation service for a client without having to deal with the complexity of the quote or the detailed TPM measurements. -MDM solutions can act on the security information by quarantining unhealthy devices or blocking access to cloud services such as Microsoft Office 365. - -## Credential Guard - -Credential Guard is a new feature in Windows 10 that helps protect Windows credentials in organizations that have deployed AD DS. -Historically, a user’s credentials (e.g., logon password) was hashed to generate an authorization token. -The user employed the token to access resources that he or she was permitted to use. 
One weakness of the token model is that malware that had access to the operating system kernel could look through the computer’s memory and harvest all the access tokens currently in use. -The attacker could then use harvested tokens to log on to other machines and collect more credentials. -This kind of attack is called a “*pass-the-hash*” attack, a malware technique that infects one machine to infect many machines across an organization. - -Similar to the way Microsoft Hyper-V keeps virtual machines (VMs) separate from one another, Credential Guard uses virtualization to isolate the process that hashes credentials in a memory area that the operating system kernel cannot access. -This isolated memory area is initialized and protected during the boot process so that components in the larger operating system environment cannot tamper with it. -Credential Guard uses the TPM to protect its keys with TPM measurements, so they are accessible only during the boot process step when the separate region is initialized; they are not available for the normal operating system kernel. -The local security authority code in the Windows kernel interacts with the isolated memory area by passing in credentials and receiving single-use authorization tokens in return. - -The resulting solution provides defense in depth, because even if malware runs in the operating system kernel, it cannot access the secrets inside the isolated memory area that actually generates authorization tokens handles. -The solution does not solve the problem of key loggers because the passwords such loggers capture actually pass through the normal Windows kernel, but when combined with other solutions, such as smart cards for authentication, Credential Guard greatly enhances the protection of credentials in Windows 10. - -## Conclusion - -The TPM adds hardware-based security benefits to Windows 10. -When installed on hardware that includes a TPM, Window 10 delivers remarkably improved security benefits. 
-The following table summarizes the key benefits of the TPM’s major features. - -| **Feature** | **Benefits when used on a system with a TPM**| -|----------------------------|----------------------------------------------| -| Platform Crypto Provider | - If the machine is compromised, the private key associated with the certificate cannot be copied off the device.
      - The TPM’s dictionary attack mechanism protects PIN values to use a certificate.
      | -| Virtual Smart Card | - Achieve security similar to that of physical smart cards without deploying physical smart cards or card readers.| -| Windos Hello for Business | - Credentials provisioned on a device cannot be copied elsewhere.
      - Confirm a device’s TPM before credentials are provisioned.
      | -| BitLocker Drive Encryption | - Multiple options are available for enterprises to protect data at rest while balancing security requirements with different device hardware. | -| Device Encryption | - With a Microsoft account and the right hardware, consumers’ devices seamlessly benefit from data-at-rest protection. | -| Measured Boot | - A hardware root of trust contains boot measurements that help detect malware during remote attestation. | -| Health Attestation | - MDM solutions can easily perform remote attestation and evaluate client health before granting access to resources or cloud services such as Office 365. | -| Credential Guard | - Defense in depth increases so that even if malware has administrative rights on one machine, it is significantly more difficult to compromise additional machines in an organization. | - -Although some of the aforementioned features have additional hardware requirements (e.g., virtualization support), the TPM is a cornerstone of Windows 10 security. -Microsoft and other industry stakeholders continue to improve the global standards associated with TPM and find more and more applications that use it to provide tangible benefits to customers. -Microsoft has included support for most TPM features in its version of Windows for the Internet of Things (IoT) called [Windows 10 IoT Core](https://developer.microsoft.com/windows/iot/iotcore). -IoT devices that might be deployed in insecure physical locations and connected to cloud services like [Azure IoT Hub](https://azure.microsoft.com/documentation/services/iot-hub/) for management can use the TPM in innovative ways to address their emerging security requirements. diff --git a/windows/docfx.json b/windows/docfx.json index 4b2035530d..f1253f1567 100644 --- a/windows/docfx.json +++ b/windows/docfx.json 
@@ -15,7 +15,12 @@
 ],
 "globalMetadata": {
 "ROBOTS": "INDEX, FOLLOW",
- "breadcrumb_path": "/itpro/windows/breadcrumb/toc.json"
+ "breadcrumb_path": "/itpro/windows/breadcrumb/toc.json",
+ "_op_documentIdPathDepotMapping": {
+ "./": {
+ "depot_name": "Win.windows"
+ }
+ }
 },
 "externalReference": [
 ],
diff --git a/windows/hub/docfx.json b/windows/hub/docfx.json
index 8c9110e8b7..e33995957d 100644
--- a/windows/hub/docfx.json
+++ b/windows/hub/docfx.json
@@ -37,7 +37,13 @@
 "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
 "ms.technology": "windows",
 "ms.topic": "article",
- "ms.author": "brianlic"
+ "ms.author": "brianlic",
+ "ms.date": "04/05/2017",
+ "_op_documentIdPathDepotMapping": {
+ "./": {
+ "depot_name": "MSDN.windows-hub"
+ }
+ }
 },
 "fileMetadata": {},
 "template": [],
diff --git a/windows/keep-secure/docfx.json b/windows/keep-secure/docfx.json
index 8d60cf1552..c69d3e3f49 100644
--- a/windows/keep-secure/docfx.json
+++ b/windows/keep-secure/docfx.json
@@ -29,7 +29,13 @@
 ],
 "overwrite": [],
 "externalReference": [],
- "globalMetadata": {},
+ "globalMetadata": {
+ "_op_documentIdPathDepotMapping": {
+ "./": {
+ "depot_name": "MSDN.keep-secure"
+ }
+ }
+ },
 "fileMetadata": {},
 "template": [],
 "dest": "keep-secure"
diff --git a/windows/manage/docfx.json b/windows/manage/docfx.json
index 628f06503d..eee8740627 100644
--- a/windows/manage/docfx.json
+++ b/windows/manage/docfx.json
@@ -29,7 +29,13 @@
 ],
 "overwrite": [],
 "externalReference": [],
- "globalMetadata": {},
+ "globalMetadata": {
+ "_op_documentIdPathDepotMapping": {
+ "./": {
+ "depot_name": "MSDN.windows-manage"
+ }
+ }
+ },
 "fileMetadata": {},
 "template": [],
 "dest": "windows-manage"
diff --git a/windows/plan/docfx.json b/windows/plan/docfx.json
index 289552ee34..4a303a21bc 100644
--- a/windows/plan/docfx.json
+++ b/windows/plan/docfx.json
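Review bot: `"depot_name": "Win.windows"` in the `windows/docfx.json` hunk is the only mapping in this commit with a `Win.` prefix; the other docfx.json hunks use `MSDN.` (`MSDN.win-device-security`, `MSDN.windows-hub`, `MSDN.keep-secure`, `MSDN.windows-manage`, `MSDN.windows-plan`). If the difference is intentional it belongs in the commit description, since strict JSON leaves no place for a comment beside the value; if it is not, the value should follow the pattern of the others. Nothing visible in these hunks validates the string, so a mistyped depot name would presumably surface only at publish time.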
@@ -29,7 +29,13 @@
 ],
 "overwrite": [],
 "externalReference": [],
- "globalMetadata": {},
+ "globalMetadata": {
+ "_op_documentIdPathDepotMapping": {
+ "./": {
+ "depot_name": "MSDN.windows-plan"
+ }
+ }
+ },
 "fileMetadata": {},
 "template": [],
 "dest": "windows-plan"
diff --git a/windows/threat-protection/TOC.md b/windows/threat-protection/TOC.md
index 681794b4f9..266a77fc24 100644
--- a/windows/threat-protection/TOC.md
+++ b/windows/threat-protection/TOC.md
@@ -127,16 +127,17 @@ #### [Use PowerShell cmdlets to configure and manage Windows Defender AV](windows-defender-antivirus\use-powershell-cmdlets-windows-defender-antivirus.md) #### [Use Windows Management Instrumentation (WMI) to configure and manage Windows Defender AV](windows-defender-antivirus\use-wmi-windows-defender-antivirus.md) #### [Use the mpcmdrun.exe commandline tool to configure and manage Windows Defender AV](windows-defender-antivirus\command-line-arguments-windows-defender-antivirus.md) - ## [Windows Defender SmartScreen](windows-defender-smartscreen\windows-defender-smartscreen-overview.md) ### [Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](windows-defender-smartscreen\windows-defender-smartscreen-available-settings.md) ### [Set up and use Windows Defender SmartScreen on individual devices](windows-defender-smartscreen\windows-defender-smartscreen-set-individual-device.md) - ## [Protect your enterprise data using Windows Information Protection (WIP)](windows-information-protection\protect-enterprise-data-using-wip.md) ### [Create a Windows Information Protection (WIP) policy](windows-information-protection\overview-create-wip-policy.md) -#### [Create a Windows Information Protection (WIP) policy using Microsoft Intune](windows-information-protection\create-wip-policy-using-intune.md) -##### [Deploy your Windows Information Protection (WIP) policy](windows-information-protection\deploy-wip-policy-using-intune.md) -##### [Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune](windows-information-protection\create-vpn-and-wip-policy-using-intune.md) +#### [Create a Windows Information Protection (WIP) using the classic console for Microsoft Intune](windows-information-protection\create-wip-policy-using-intune.md) +##### [Deploy your Windows Information Protection (WIP) policy using the classic console for Microsoft 
Intune](windows-information-protection\deploy-wip-policy-using-intune.md) +##### [Associate and deploy a VPN policy for Windows Information Protection (WIP) using the classic console for Microsoft Intune](windows-information-protection\create-vpn-and-wip-policy-using-intune.md) +#### [Create a Windows Information Protection (WIP) with enrollment policy using the Azure portal for Microsoft Intune](windows-information-protection\create-wip-policy-using-intune-azure.md) +##### [Deploy your Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune](windows-information-protection\deploy-wip-policy-using-intune-azure.md) +##### [Associate and deploy a VPN policy for Windows Information Protection (WIP) using the Azure portal for Microsoft Intune](windows-information-protection\create-vpn-and-wip-policy-using-intune-azure.md) #### [Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager](windows-information-protection\create-wip-policy-using-sccm.md) #### [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](windows-information-protection\create-and-verify-an-efs-dra-certificate.md) #### [Determine the Enterprise Context of an app running in Windows Information Protection (WIP)](windows-information-protection\wip-app-enterprise-context.md) 
@@ -149,13 +150,9 @@ #### [Unenlightened and enlightened app behavior while using Windows Information Protection (WIP)](windows-information-protection\app-behavior-with-wip.md) #### [Recommended Enterprise Cloud Resources and Neutral Resources network settings with Windows Information Protection (WIP)](windows-information-protection\recommended-network-definitions-for-wip.md) #### [Using Outlook Web Access with Windows Information Protection (WIP)](windows-information-protection\using-owa-with-wip.md) - ## [Mitigate threats by using Windows 10 security features](overview-of-threat-mitigations-in-windows-10.md) - ## [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md) - +## [Secure the windows 10 boot process](secure-the-windows-10-boot-process.md) ## [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-instrusion-detection.md) - ## [Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md) - -## [Change history for Threat Protection](change-history-for-threat-protection.md) +## [Change history for Threat Protection](change-history-for-threat-protection.md) \ No newline at end of file diff --git a/windows/threat-protection/change-history-for-threat-protection.md b/windows/threat-protection/change-history-for-threat-protection.md index 07f61a5d85..c664fa8066 100644 --- a/windows/threat-protection/change-history-for-threat-protection.md +++ b/windows/threat-protection/change-history-for-threat-protection.md 
@@ -11,10 +11,20 @@ author: brianlic-msft # Change history for threat protection This topic lists new and updated topics in the [Threat protection](index.md) documentation. +## June 2017 +|New or changed topic |Description | +|---------------------|------------| +[Create a Windows Information Protection (WIP) with enrollment policy using the Azure portal for Microsoft Intune](windows-information-protection\create-wip-policy-using-intune-azure.md)|New topic for MDM using the Azure portal.| +[Deploy your Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune](windows-information-protection\deploy-wip-policy-using-intune-azure.md)|New topic for MDM using the Azure portal.| +[Associate and deploy a VPN policy for Windows Information Protection (WIP) using the Azure portal for Microsoft Intune](windows-information-protection\create-vpn-and-wip-policy-using-intune-azure.md)|New topic for MDM using the Azure portal.| +|[List of enlightened Microsoft apps for use with Windows Information Protection (WIP)](windows-information-protection\enlightened-microsoft-apps-and-wip.md)|Updated to include newly enlightened and supported apps.| +[Secure the Windows 10 boot process](secure-the-windows-10-boot-process.md)| Updated from existing applicable and relevant Windows 8.1 content | + + ## March 2017 |New or changed topic |Description | |---------------------|------------| -|[How to collect Windows Information Protection (WIP) audit event logs](windows-information-protection\collect-wip-audit-event-logs.md) |New | +||[How to collect Windows Information Protection (WIP) audit event logs](windows-information-protection\collect-wip-audit-event-logs.md) |New | |[Mandatory tasks and settings required to turn on Windows Information Protection (WIP)](windows-information-protection\mandatory-settings-for-wip.md) |Updated based on Windows 10, version 1703. 
| |[Limitations while using Windows Information Protection (WIP)](windows-information-protection\limitations-with-wip.md) |Added additional limitations for Windows 10, version 1703.| |[Windows Defender SmartScreen overview](windows-defender-smartscreen\windows-defender-smartscreen-overview.md)|New | diff --git a/windows/threat-protection/docfx.json b/windows/threat-protection/docfx.json index d0865639cb..055e983ab5 100644 --- a/windows/threat-protection/docfx.json +++ b/windows/threat-protection/docfx.json @@ -35,7 +35,13 @@ "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", "ms.technology": "windows", "ms.topic": "article", - "ms.author": "justinha" + "ms.author": "justinha", + "ms.date": "04/05/2017", + "_op_documentIdPathDepotMapping": { + "./": { + "depot_name": "MSDN.win-threat-protection" + } + } }, "fileMetadata": {}, "template": [], diff --git a/windows/threat-protection/images/dn168167.boot_process(en-us,MSDN.10).png b/windows/threat-protection/images/dn168167.boot_process(en-us,MSDN.10).png new file mode 100644 index 0000000000..97fabb4625 Binary files /dev/null and b/windows/threat-protection/images/dn168167.boot_process(en-us,MSDN.10).png differ diff --git a/windows/threat-protection/images/dn168167.measure_boot(en-us,MSDN.10).png b/windows/threat-protection/images/dn168167.measure_boot(en-us,MSDN.10).png new file mode 100644 index 0000000000..321f23ea7e Binary files /dev/null and b/windows/threat-protection/images/dn168167.measure_boot(en-us,MSDN.10).png differ diff --git a/windows/threat-protection/secure-the-windows-10-boot-process.md b/windows/threat-protection/secure-the-windows-10-boot-process.md new file mode 100644 index 0000000000..069d8b1578 --- /dev/null +++ b/windows/threat-protection/secure-the-windows-10-boot-process.md 
@@ -0,0 +1,129 @@ +--- +title: Secure the Windows 10 boot process +description: This article describes how Windows 10 security features helps protect your PC from malware, including rootkits and other applications +keywords: trusted boot, windows 10 boot proces +ms.prod: w10 +ms.mktglfcycl: Explore +ms.pagetype: security +ms.sitesec: library +localizationpriority: medium +author: brianlic-msft +--- + +# Secure the Windows 10 boot process + +**Applies to:** +- Windows 10 +- Windows 8.1 + +The Windows operating system has many features to help protect you from malware, and it does an amazingly good job. Except for apps that businesses develop and use internally, all Windows Store apps must meet a series of requirements to be certified and included in the Windows Store. This certification process examines several criteria, including security, and is an effective means of preventing malware from entering the Windows Store. Even if a malicious app does get through, the Windows 10 operating system includes a series of security features that can mitigate the impact. For instance, Windows Store apps are sandboxed and lack the privileges necessary to access user data or change system settings. + +Windows 10 has multiple levels of protection for desktop apps and data, too. Windows Defender uses signatures to detect and quarantine apps that are known to be malicious. The SmartScreen Filter warns users before allowing them to run an untrustworthy app, even if it’s recognized as malware. Before an app can change system settings, the user would have to grant the app administrative privileges by using User Account Control. + +Those are just some of the ways that Windows 10 protects you from malware. However, those security features protect you only after Windows 10 starts. Modern malware—and bootkits specifically—are capable of starting before Windows, completely bypassing operating system security, and remaining completely hidden. 
+ +When you run Windows 10 on a PC or any PC that supports Unified Extensible Firmware Interface (UEFI), Trusted Boot protects your PC from malware from the moment you power on your PC until your anti-malware starts. In the unlikely event that malware does infect a PC, it can’t remain hidden; Trusted Boot can prove the system’s integrity to your infrastructure in a way that malware can’t disguise. Even on PCs without UEFI, Windows 10 provides even better startup security than previous versions of Windows. + +First, let’s examine what rootkits are and how they work. Then, we’ll show you how Windows 10 can protect you. + + +## The threat: rootkits + +*Rootkits* are a sophisticated and dangerous type of malware that run in kernel mode, using the same privileges as the operating system. Because rootkits have the same rights as the operating system and start before it, they can completely hide themselves and other applications. Often, rootkits are part of an entire suite of malware that can bypass local logins, record passwords and keystrokes, transfer private files, and capture cryptographic data. + +Different types of rootkits load during different phases of the startup process: + +- **Firmware rootkits.** These kits overwrite the firmware of the PC’s basic input/output system or other hardware so the rootkit can start before Windows. +- **Bootkits.** These kits replace the operating system’s bootloader (the small piece of software that starts the operating system) so that the PC loads the bootkit before the operating system. +- **Kernel rootkits.** These kits replace a portion of the operating system kernel so the rootkit can start automatically when the operating system loads. +- **Driver rootkits.** These kits pretend to be one of the trusted drivers that Windows uses to communicate with the PC hardware. 
+ +## The countermeasures +Windows 10 supports four features to help prevent rootkits and bootkits from loading during the startup process: +- **Secure Boot.** PCs with UEFI firmware and a Trusted Platform Module (TPM) can be configured to load only trusted operating system bootloaders. +- **Trusted Boot.** Windows checks the integrity of every component of the startup process before loading it. +- **Early Launch Anti-Malware (ELAM).** ELAM tests all drivers before they load and prevents unapproved drivers from loading. +- **Measured Boot.** The PC’s firmware logs the boot process, and Windows can send it to a trusted server that can objectively assess the PC’s health. + +Figure 1 shows the Windows 10 startup process. + + +![Windows 10 startup process](./images/dn168167.boot_process(en-us,MSDN.10).png) + +**Figure 1. Secure Boot, Trusted Boot, and Measured Boot block malware at every stage** + +Secure Boot and Measured Boot are only possible on PCs with UEFI 2.3.1 and a TPM chip. Fortunately, all Windows 10 PCs that meet Windows Hardware Compatibility Program requirements have these components, and many PCs designed for earlier versions of Windows have them as well. + +The sections that follow describe Secure Boot, Trusted Boot, ELAM, and Measured Boot. + +## Secure Boot +When a PC starts, it first finds the operating system bootloader. PCs without Secure Boot simply run whatever bootloader is on the PC’s hard drive. There’s no way for the PC to tell whether it’s a trusted operating system or a rootkit. + +When a PC equipped with UEFI starts, the PC first verifies that the firmware is digitally signed, reducing the risk of firmware rootkits. If Secure Boot is enabled, the firmware examines the bootloader’s digital signature to verify that it hasn’t been modified. 
If the bootloader is intact, the firmware starts the bootloader only if one of the following conditions is true: + +- **The bootloader was signed using a trusted certificate.** In the case of PCs certified for Windows 10, the Microsoft® certificate is trusted. +- **The user has manually approved the bootloader’s digital signature.** This allows the user to load non-Microsoft operating systems. + +All x86-based Certified For Windows 10 PCs must meet several requirements related to Secure Boot: + +- They must have Secure Boot enabled by default. +- They must trust Microsoft’s certificate (and thus any bootloader Microsoft has signed). +- They must allow the user to configure Secure Boot to trust other bootloaders. +- They must allow the user to completely disable Secure Boot. + +These requirements help protect you from rootkits while allowing you to run any operating system you want. You have three options for running non-Microsoft operating systems: + +- **Use an operating system with a certified bootloader.** Because all Certified For Windows 10 PCs must trust Microsoft’s certificate, Microsoft offers a service to analyze and sign any non-Microsoft bootloader so that it will be trusted by all Certified For Windows 10 PCs. In fact, an [open source bootloader](http://mjg59.dreamwidth.org/20303.html) capable of loading Linux is already available. To begin the process of obtaining a certificate, go to . +- **Configure UEFI to trust your custom bootloader.** All Certified For Windows 10 PCs allow you to trust a non-certified bootloader by adding a signature to the UEFI database, allowing you to run any operating system, including homemade operating systems. +- **Turn off Secure Boot.** All Certified For Windows 10 PCs allow you to turn off Secure Boot so that you can run any software. This does not help protect you from bootkits, however. 
+ +To prevent malware from abusing these options, the user must manually configure the UEFI firmware to trust a non-certified bootloader or to turn off Secure Boot. Software cannot change the Secure Boot settings. For more information about Secure Boot, read the blog, [Protecting the pre-OS environment with UEFI](http://blogs.msdn.com/b/b8/archive/2011/09/22/protecting-the-pre-os-environment-with-uefi.aspx). + +Like most mobile devices, ARM-based Certified For Windows RT devices, such as the Microsoft Surface RT device, are designed to run only Windows 8.1. Therefore, Secure Boot cannot be turned off, and you cannot load a different operating system. Fortunately, there is a large market of ARM devices designed to run other operating systems. + +## Trusted Boot +Trusted Boot takes over where Secure Boot leaves off. The bootloader verifies the digital signature of the Windows 10 kernel before loading it. The Windows 10 kernel, in turn, verifies every other component of the Windows startup process, including the boot drivers, startup files, and ELAM. If a file has been modified, the bootloader detects the problem and refuses to load the corrupted component. Often, Windows 10 can automatically repair the corrupted component, restoring the integrity of Windows and allowing the PC to start normally. + +## Early Launch Anti-Malware +Because Secure Boot has protected the bootloader and Trusted Boot has protected the Windows kernel, the next opportunity for malware to start is by infecting a non-Microsoft boot driver. Traditional anti-malware apps don’t start until after the boot drivers have been loaded, giving a rootkit disguised as a driver the opportunity to work. + +Early Launch Anti-Malware (ELAM) can load a Microsoft or non-Microsoft anti-malware driver before all non-Microsoft boot drivers and applications, thus continuing the chain of trust established by Secure Boot and Trusted Boot. 
Because the operating system hasn’t started yet, and because Windows needs to boot as quickly as possible, ELAM has a simple task: examine every boot driver and determine whether it is on the list of trusted drivers. If it’s not trusted, Windows won’t load it. + +An ELAM driver isn’t a full-featured anti-malware solution; that loads later in the boot process. Windows Defender (included with Windows 10) supports ELAM, as does [Microsoft System Center 2012 Endpoint Protection](https://www.microsoft.com/en-us/server-cloud/system-center/endpoint-protection-2012.aspx) and several non-Microsoft anti-malware apps. + +## Measured Boot +If a PC in your organization does become infected with a rootkit, you need to know about it. Enterprise anti-malware apps can report malware infections to the IT department, but that doesn’t work with rootkits that hide their presence. In other words, you can’t trust the client to tell you whether it’s healthy. + +As a result, PCs infected with rootkits appear to be healthy, even with anti-malware running. Infected PCs continue to connect to the enterprise network, giving the rootkit access to vast amounts of confidential data and potentially allowing the rootkit to spread across the internal network. + +Working with the TPM and non-Microsoft software, Measured Boot in Windows 10 allows a trusted server on the network to verify the integrity of the Windows startup process. Measured Boot uses the following process: + +1. The PC’s UEFI firmware stores in the TPM a hash of the firmware, bootloader, boot drivers, and everything that will be loaded before the anti-malware app. +2. At the end of the startup process, Windows starts the non-Microsoft remote attestation client. The trusted attestation server sends the client a unique key. +3. The TPM uses the unique key to digitally sign the log recorded by the UEFI. +4. The client sends the log to the server, possibly with other security information. 
+ +Depending on the implementation and configuration, the server can now determine whether the client is healthy and grant the client access to either a limited quarantine network or to the full network. + +Figure 2 illustrates the Measured Boot and remote attestation process. + + +![Measured Boot and remote attestation process](./images/dn168167.measure_boot(en-us,MSDN.10).png) + + +**Figure 2. Measured Boot proves the PC’s health to a remote server** + + +Windows 10 includes the application programming interfaces to support Measured Boot, but you’ll need non-Microsoft tools to implement a remote attestation client and trusted attestation server to take advantage of it. For an example of such a tool, download the [TPM Platform Crypto-Provider Toolkit](http://research.microsoft.com/en-us/downloads/74c45746-24ad-4cb7-ba4b-0c6df2f92d5d/) from Microsoft Research or Microsoft Enterprise Security MVP Dan Griffin’s [Measured Boot Tool](http://mbt.codeplex.com/). + +Measured Boot uses the power of UEFI, TPM, and Windows 10 to give you a way to confidently assess the trustworthiness of a client PC across the network. + +## Summary +Secure Boot, Trusted Boot, and Measured Boot create an architecture that is fundamentally resistant to bootkits and rootkits. In Windows 10, these features have the potential to eliminate kernel-level malware from your network. This is the most ground-breaking anti-malware solution that Windows has ever had; it’s leaps and bounds ahead of everything else. With Windows 10, you can truly trust the integrity of your operating system. + +For more information: + +- Watch a [video demonstration of Secure Boot](https://technet.microsoft.com/en-us/windows/jj737995.aspx) + +## Additional resources +- [Windows 10 Enterprise Evaluation](https://technet.microsoft.com/evalcenter/hh699156.aspx?ocid=wc-tn-wctc) 
diff --git a/windows/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md index 194b3e9cfb..e31e53a2bb 100644 --- a/windows/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md @@ -17,7 +17,7 @@ author: iaanw **Applies to:** -- Windows 10, version 1703 +- Windows 10 (some instructions are only applicable for Windows 10, version 1703) **Audience** @@ -130,6 +130,7 @@ Used by Windows to send client telemetry, Windows Defender Antivirus uses this f This update uses SSL (TCP Port 443) to download manifests and upload telemetry to Microsoft that uses the following DNS endpoints:

      • vortex-win.data.microsoft.com
      • settings-win.data.microsoft.com
      + @@ -147,7 +148,7 @@ Use the following argument with the Windows Defender AV command line utility (*m MpCmdRun - ValidateMapsConnection ``` > [!NOTE] -> You may need to open an administrator-level version of the command prompt. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt. +> You need to open an administrator-level version of the command prompt. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt. This command will only work on Windows 10, version 1703. See [Use the mpcmdrun.exe commandline tool to configure and manage Windows Defender Antivirus](command-line-arguments-windows-defender-antivirus.md) for more information on how to use the *mpcmdrun.exe* utility. @@ -185,6 +186,9 @@ You will also see a detection under **Quarantined threats** in the **Scan histor ![Screenshot of quarantined items in the Windows Defender Security Center app](images/defender/wdav-quarantined-history-wdsc.png) +>[!NOTE] +>Versions of Windows 10 before version 1703 have a different user interface. See the [Windows Defender Antivirus in the Windows Defender Security Center](windows-defender-security-center-antivirus.md) topic for more information about the differences between versions, and instructions on how to perform common tasks in the different interfaces. + The Windows event log will also show [Windows Defender client event ID 2050](troubleshoot-windows-defender-antivirus.md). >[!IMPORTANT] diff --git a/windows/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md b/windows/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md index d1da91abab..5ba96c2e65 100644 --- a/windows/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md 
+++ b/windows/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md @@ -48,7 +48,7 @@ Topic | Description :---|:--- [Utilize Microsoft cloud-provided protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) | Cloud-delivered protection provides an advanced level of fast, robust antivirus detection [Configure behavioral, heuristic, and real-time protection](configure-protection-features-windows-defender-antivirus.md)|Enable behavior-based, heuristic, and real-time protection in Windows Defender AV -[Configure end-user interaction with WDAM](configure-end-user-interaction-windows-defender-antivirus.md)|Configure how end-users interact with Windows Defender AV, what notifications they see, and if they can override settings +[Configure end-user interaction with Windows Defender Antivirus](configure-end-user-interaction-windows-defender-antivirus.md)|Configure how end-users interact with Windows Defender AV, what notifications they see, and if they can override settings diff --git a/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md b/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md new file mode 100644 index 0000000000..15e17ff463 --- /dev/null +++ b/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md 
@@ -0,0 +1,72 @@ +--- +title: Associate and deploy a VPN policy for Windows Information Protection (WIP) using the Azure portal for Microsoft Intune (Windows 10) +description: After you've created and deployed your Windows Information Protection (WIP) policy, you can use Microsoft Intune to associate and deploy your Virtual Private Network (VPN) policy, linking it to your WIP policy. +keywords: WIP, Enterprise Data Protection +ms.prod: w10 +ms.mktglfcycl: explore +ms.sitesec: library +ms.pagetype: security +author: eross-msft +localizationpriority: high +--- + +# Associate and deploy a VPN policy for Windows Information Protection (WIP) using the Azure portal for Microsoft Intune +**Applies to:** + +- Windows 10, version 1607 and later +- Windows 10 Mobile, version 1607 and later (except Microsoft Azure Rights Management, which is only available on the desktop) + +After you've created and deployed your Windows Information Protection (WIP) policy, you can use Microsoft Intune to associate and deploy your Virtual Private Network (VPN) policy, linking it to your WIP policy. + +## Associate your WIP policy to your VPN policy by using Microsoft Intune +Follow these steps to associate your WIP policy with your organization's existing VPN policy. + +**To associate your policies** + +1. Create your VPN profile. For info about how to do this, see [How to configure VPN settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune-azure/configure-devices/how-to-configure-vpn-settings) and [How to create custom VPN profiles in Microsoft Intune](https://docs.microsoft.com/en-us/intune-azure/configure-devices/create-custom-vpn-profiles#create-a-custom-configuration). + +2. Open the Microsoft Intune mobile application management console, click **Device configuration**, and then click **Create Profile**. + + ![Microsoft Intune, Create a new policy using the portal](images/wip-azure-vpn-device-policy.png) + +3. 
In the **Create Profile** blade, type a name for your profile, such as *Contoso_VPN_Win10*, into the **Name** box, add an optional description for your policy into the **Description** box, select **Windows 10 and later** from the **Platform** dropdown box, select **Custom** from the **Profile type** dropdown box, and then click **Configure**. + + ![Microsoft Intune, Create a new policy using the Create Profile blade](images/wip-azure-vpn-configure-policy.png) + +4. In the **Custom OMA-URI Settings** blade, click **Add**. + +5. In the **Add Row** blade, type: + + - **Name.** Type a name for your setting, such as *EDPModeID*. + + - **Description.** Type an optional description for your setting. + + - **OMA-URI.** Type _./Vendor/MSFT/VPNv2/<VPNProfileName>/EDPModeId_ into the box. + + - **Data type.** Select **String** from the dropdown box + + - **Value.** Type your fully-qualified domain that should be used by the OMA-URI setting. For example, _corp.contoso.com_. + + ![Microsoft Intune, Add your OMA-URI settings](images/wip-azure-vpn-custom-omauri.png) + +6. Click **OK** to save your setting info in the **Add Row** blade, and then click **OK** in the **Custom OMA-URI Settings** blade to save the setting with your policy. + +7. Click **Create** to create the policy, including your OMA_URI info. + +## Deploy your VPN policy using Microsoft Intune +After you’ve created your VPN policy, you'll need to deploy it to the same group you deployed your Windows Information Protection (WIP) policy. + +**To deploy your Custom VPN policy** + +1. On the **App policy** blade, click your newly-created policy, click **User groups** from the menu that appears, and then click **Add user group**. + + A list of user groups, made up of all of the security groups in your Azure Active Directory, appear in the **Add user group** blade. + +2. Choose the group you want your policy to apply to, and then click **Select** to deploy the policy. 
+ + The policy is deployed to the selected users' devices. + + ![Microsoft Intune: Pick your user groups that should get the policy when it's deployed](images/wip-azure-add-user-groups.png) + +>[!NOTE] +>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). \ No newline at end of file diff --git a/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune.md b/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune.md index 64602d97ae..043f638474 100644 --- a/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune.md +++ b/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune.md @@ -1,5 +1,5 @@ --- -title: Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune (Windows 10) +title: Associate and deploy a VPN policy for Windows Information Protection (WIP) using the classic console for Microsoft Intune (Windows 10) description: After you've created and deployed your Windows Information Protection (WIP) policy, you can use Microsoft Intune to create and deploy your Virtual Private Network (VPN) policy, linking it to your WIP policy. ms.assetid: d0eaba4f-6d7d-4ae4-8044-64680a40cf6b keywords: WIP, Enterprise Data Protection 
@@ -11,11 +11,11 @@ author: eross-msft
 localizationpriority: high
 ---
-# Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune
+# Associate and deploy a VPN policy for Windows Information Protection (WIP) using the classic console for Microsoft Intune
 **Applies to:**
-- Windows 10, version 1607
-- Windows 10 Mobile
+- Windows 10, version 1607 and later
+- Windows 10 Mobile, version 1607 and later
 After you've created and deployed your Windows Information Protection (WIP) policy, you can use Microsoft Intune to create and deploy your Virtual Private Network (VPN) policy, linking it to your WIP policy.
diff --git a/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
new file mode 100644
index 0000000000..5726426cf1
--- /dev/null
+++ b/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
@@ -0,0 +1,532 @@ +--- +title: Create a Windows Information Protection (WIP) with enrollment policy using the Azure portal for Microsoft Intune (Windows 10) +description: Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. +ms.prod: w10 +ms.mktglfcycl: explore +ms.sitesec: library +ms.pagetype: security +author: eross-msft +localizationpriority: high +--- + +# Create a Windows Information Protection (WIP) with enrollment policy using the Azure portal for Microsoft Intune + +**Applies to:** + +- Windows 10, version 1607 and later +- Windows 10 Mobile, version 1607 and later (except Microsoft Azure Rights Management, which is only available on the desktop) + +Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your allowed apps, your WIP-protection level, and how to find enterprise data on the network. + +>[!Important] +>This topic covers creating a Windows Information Protection (WIP) policy for organizations already managing devices by using Mobile Device Management (MDM) solutions. If your organization uses a mobile application management (MAM) solution to deploy your WIP policy to Intune apps without managing devices, you must follow the instructions in the [Create and deploy Windows Information Protection (WIP) app protection policy with Intune](https://docs.microsoft.com/en-us/intune/deploy-use/create-windows-information-protection-policy-with-intune) topic. + +## Add a WIP policy +After you’ve set up Intune for your organization, you must create a WIP-specific policy. + +**To add a WIP policy** +1. Open the Microsoft Intune mobile application management console, click **All settings**, and then click **App policy**. + + ![Microsoft Intune management console: App policy link](images/wip-azure-portal-start.png) + +2. 
In the **App policy** screen, click **Add a policy**, and then fill out the fields: + - **Name.** Type a name (required) for your new policy. + + - **Description.** Type an optional description. + + - **Platform.** Choose **Windows 10** as the supported platform for your policy. + + - **Enrollment state.** Choose **With enrollment** as the enrollment state for your policy. + + ![Microsoft Intune management console: Create your new policy in the Add a policy blade](images/wip-azure-portal-add-policy.png) + + >[!Important] + >Choosing **With enrollment** only applies for organizations using MDM. If you're using MAM, you must use these instructions, [Create and deploy Windows Information Protection (WIP) app protection policy with Intune](https://docs.microsoft.com/en-us/intune/deploy-use/create-windows-information-protection-policy-with-intune), instead. + +3. Click **Create**. + + The policy is created and appears in the table on the **App Policy** screen. + + >[!NOTE] + >Optionally, you can also add your apps and set your settings from the **Add a policy** blade, but for the purposes of this documentation, we recommend instead that you create the policy first, and then use the subsequent menus that become available. + +### Add apps to your Allowed apps list +During the policy-creation process in Intune, you can choose the apps you want to give access to your enterprise data through WIP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps. + +The steps to add your apps are based on the type of template being applied. You can add a recommended app, a store app (also known as a Universal Windows Platform (UWP) app), or a signed Windows desktop app. + +>[!Important] +>Enlightened apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. 
On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.

      Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **Allowed apps** list. If you don’t get this statement, it’s possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation. + +#### Add a Recommended app to your Allowed apps list +For this example, we’re going to add Microsoft Edge, a recommended app, to the **Allowed apps** list. + +**To add a recommended app** +1. From the **App policy** blade, click the name of your policy, and then click **Allowed apps** from the menu that appears. + + The **Allowed apps** blade appears, showing you any apps that are already included in the list for this policy. + + ![Microsoft Intune management console: Viewing the recommended apps that you can add to your policy](images/wip-azure-allowed-apps-pane.png) + +2. From the **Allowed apps** blade, click **Add apps**. + + The **Add apps** blade appears, showing you all **Recommended apps**. + + ![Microsoft Intune management console: Adding recommended apps to your policy](images/wip-azure-add-recommended-apps.png) + +3. Select each app you want to access your enterprise data, and then click **OK**. + + The **Allowed apps** blade updates to show you your selected apps. + + ![Microsoft Intune management console: Allowed apps blade with recommended apps](images/wip-azure-allowed-apps-with-apps.png) + +#### Add a Store app to your Allowed apps list +For this example, we’re going to add Microsoft Power BI, a store app, to the **Allowed apps** list. + +**To add a Store app** +1. From the **App policy** blade, click the name of your policy, and then click **Allowed apps** from the menu that appears. + + The **Allowed apps** blade appears, showing you any apps that are already included in the list for this policy. + +2. From the **Allowed apps** blade, click **Add apps**. + +3. 
On the **Add apps** blade, click **Store apps** from the dropdown list. + + The blade changes to show boxes for you to add a publisher and app name. + +4. Type the name of the app and the name of its publisher, and then click **OK**. For this UWP app example, the **Publisher** is `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US` and the Product **name** is `Microsoft.MicrosoftPowerBIForWindows`. + +5. After you’ve entered the info into the fields, click **OK** to add the app to your **Allowed apps** list. + + >[!NOTE] + >To add multiple Store apps at the same time, you can click the menu **(…)** at the end of the app row, and then continue to add more apps. When you’re done, click **OK**. + + ![Microsoft Intune management console: Adding Store app info](images/wip-azure-add-store-apps.png) + +If you don't know the publisher or product name, you can find them for both desktop devices and Windows 10 Mobile phones by following these steps. + +**To find the publisher and product name values for Store apps without installing them** +1. Go to the [Windows Store for Business](https://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, *Microsoft Power BI*. + +2. Copy the ID value from the app URL. For example, Microsoft Power BI ID URL is https://www.microsoft.com/en-us/store/p/microsoft-power-bi/9nblgggzlxn1, and you'd copy the ID value, `9nblgggzlxn1`. + +3. In a browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values. For example, run https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9nblgggzlxn1/applockerdata, where `9nblgggzlxn1` is replaced with your ID value. + + The API runs and opens a text editor with the app details. 
+ + ```json + { + "packageIdentityName": "Microsoft.MicrosoftPowerBIForWindows", + "publisherCertificateName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" + } + ``` + +4. Copy the `publisherCertificateName` value into the **Publisher** box and copy the `packageIdentityName` value into the **Name** box of Intune. + + >[!Important] + >The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.

      For example:
      + {
      "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
      }
      + +**To find the publisher and product name values for apps installed on Windows 10 mobile phones** +1. If you need to add mobile apps that aren't distributed through the Store for Business, you must use the **Windows Device Portal** feature. + + >**Note**
      Your PC and phone must be on the same wireless network. + +2. On the Windows Phone, go to **Settings**, choose **Update & security**, and then choose **For developers**. + +3. In the **For developers** screen, turn on **Developer mode**, turn on **Device Discovery**, and then turn on **Device Portal**. + +4. Copy the URL in the **Device Portal** area into your device's browser, and then accept the SSL certificate. + +5. In the **Device discovery** area, press **Pair**, and then enter the PIN into the website from the previous step. + +6. On the **Apps** tab of the website, you can see details for the running apps, including the publisher and product names. + +7. Start the app for which you're looking for the publisher and product name values. + +8. Copy the `publisherCertificateName` value and paste it into the **Publisher Name** box and the `packageIdentityName` value into the **Product Name** box of Intune. + + >[!Important] + >The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.

      For example:
      + {
      "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
      }
      + +#### Add a Desktop app to your Allowed apps list +For this example, we’re going to add WordPad, a desktop app, to the **Allowed apps** list. + +**To add a Desktop app** +1. From the **App policy** blade, click the name of your policy, and then click **Allowed apps** from the menu that appears. + + The **Allowed apps** blade appears, showing you any apps that are already included in the list for this policy. + +2. From the **Allowed apps** blade, click **Add apps**. + +3. On the **Add apps** blade, click **Desktop apps** from the dropdown list. + + The blade changes to show boxes for you to add the following, based on what results you want returned: + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      FieldManages
      All fields marked as “*”All files signed by any publisher. (Not recommended)
      Publisher onlyIf you only fill out this field, you’ll get all files signed by the named publisher.

      This might be useful if your company is the publisher and signer of internal line-of-business apps.
      Publisher and Name onlyIf you only fill out these fields, you’ll get all files for the specified product, signed by the named publisher.
      Publisher, Name, and File onlyIf you only fill out these fields, you’ll get any version of the named file or package for the specified product, signed by the named publisher.
      Publisher, Name, File, and Min version onlyIf you only fill out these fields, you’ll get the specified version or newer releases of the named file or package for the specified product, signed by the named publisher.

      This option is recommended for enlightened apps that weren't previously enlightened.
      Publisher, Name, File, and Max version onlyIf you only fill out these fields, you’ll get the specified version or older releases of the named file or package for the specified product, signed by the named publisher.
      All fields completedIf you fill out all fields, you’ll get the specified version of the named file or package for the specified product, signed by the named publisher.
      + +4. After you’ve entered the info into the fields, click **OK** to add the app to your **Allowed apps** list. + + >[!Note] + >To add multiple Desktop apps at the same time, you can click the menu **(…)** at the end of the app row, and then continue to add more apps. When you’re done, click **OK**. + + ![Microsoft Intune management console: Adding Desktop app info](images/wip-azure-add-desktop-apps.png) + + **To find the Publisher values for Desktop apps** + If you’re unsure about what to include for the publisher, you can run this PowerShell command: + + ```ps1 + Get-AppLockerFileInformation -Path "" + ``` + Where `""` goes to the location of the app on the device. For example, `Get-AppLockerFileInformation -Path "C:\Program Files\Windows NT\Accessories\wordpad.exe"`. + + In this example, you'd get the following info: + + ``` json + Path Publisher + ---- --------- + %PROGRAMFILES%\WINDOWS NT\ACCESSORIES\WORDPAD.EXE O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US + ``` + Where the text, `O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US` is the publisher name to enter into the **Publisher** box and `WORDPAD.EXE` is the text to enter into the **File** box. + +#### Import a list of apps to your Allowed apps list +For this example, we’re going to add an AppLocker XML file to the **Allowed apps** list. You’ll use this option if you want to add multiple apps at the same time. For more info about AppLocker, see the [AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/applocker-overview) content. + +**To create a list of Allowed apps using the AppLocker tool** +1. Open the Local Security Policy snap-in (SecPol.msc). + +2. In the left blade, expand **Application Control Policies**, expand **AppLocker**, and then click **Packaged App Rules**. + + ![Local security snap-in, showing the Packaged app Rules](images/wip-applocker-secpol-1.png) + +3. Right-click in the right-hand blade, and then click **Create New Rule**. 
+ + The **Create Packaged app Rules** wizard appears. + +4. On the **Before You Begin** page, click **Next**. + + ![Create Packaged app Rules wizard, showing the Before You Begin page](images/wip-applocker-secpol-wizard-1.png) + +5. On the **Permissions** page, make sure the **Action** is set to **Allow** and the **User or group** is set to **Everyone**, and then click **Next**. + + ![Create Packaged app Rules wizard, showing the Before You Begin page](images/wip-applocker-secpol-wizard-2.png) + +6. On the **Publisher** page, click **Select** from the **Use an installed packaged app as a reference** area. + + ![Create Packaged app Rules wizard, showing the Publisher](images/wip-applocker-secpol-wizard-3.png) + +7. In the **Select applications** box, pick the app that you want to use as the reference for your rule, and then click **OK**. For this example, we’re using Microsoft Dynamics 365. + + ![Create Packaged app Rules wizard, showing the Select applications page](images/wip-applocker-secpol-wizard-4.png) + +8. On the updated **Publisher** page, click **Create**. + + ![Create Packaged app Rules wizard, showing the Microsoft Dynamics 365 on the Publisher page](images/wip-applocker-secpol-wizard-5.png) + +9. Click **No** in the dialog box that appears, asking if you want to create the default rules. You must not create default rules for your WIP policy. + + ![Create Packaged app Rules wizard, showing the Microsoft Dynamics 365 on the Publisher page](images/wip-applocker-default-rule-warning.png) + +9. Review the Local Security Policy snap-in to make sure your rule is correct. + + ![Local security snap-in, showing the new rule](images/wip-applocker-secpol-create.png) + +10. In the left blade, right-click on **AppLocker**, and then click **Export policy**. + + The **Export policy** box opens, letting you export and save your new policy as XML. + + ![Local security snap-in, showing the Export Policy option](images/wip-applocker-secpol-export.png) + +11. 
In the **Export policy** box, browse to where the policy should be stored, give the policy a name, and then click **Save**. + + The policy is saved and you’ll see a message that says 1 rule was exported from the policy. + + **Example XML file**
      + This is the XML file that AppLocker creates for Microsoft Dynamics 365. + + ```xml + + + + + + + + + + + + + + + + + ``` + +12. After you’ve created your XML file, you need to import it by using Microsoft Intune. + +**To import your list of Allowed apps using Microsoft Intune** + +1. From the **Allowed apps** area, click **Import apps**. + + The blade changes to let you add your import file. + + ![Microsoft Intune, Importing your AppLocker policy file using Intune](images/wip-azure-import-apps.png) + +2. Browse to your exported AppLocker policy file, and then click **Open**. + + The file imports and the apps are added to your **Allowed app** list. + +#### Add exempt apps to your policy +If you're running into compatibility issues where your app is incompatible with WIP, but still needs to be used with enterprise data, you can exempt the app from the WIP restrictions. This means that your apps won't include auto-encryption or tagging and won't honor your network restrictions. It also means that your exempted apps might leak. + +**To exempt a Store app, a Desktop app, or an AppLocker policy file from the Allowed apps list** + +1. From the **App policy** blade, click the name of your policy, and then click **Exempt apps** from the menu that appears. + + The **Exempt apps** blade appears, showing you any apps that are already included in the list for this policy. + +2. From the **Exempt apps** blade, click **Add apps**. + + Be aware that when you exempt apps, they’re allowed to bypass the WIP restrictions and access your corporate data. To allow apps, see the [Add app rules to your policy](#add-apps-to_your-allowed-apps-list) section of this topic. + +3. Fill out the rest of the app info, based on the type of app you’re adding: + + - **Recommended app.** Follow the instructions in the [Add a Recommended app to your Allowed apps list](#add-a-recommended-app-to_your-allowed-apps-list) section of this topic. 
+ + - **Store app.** Follow the instructions in the [Add a Store app to your Allowed apps list](#add-a-store-app-to_your-allowed-apps-list) section of this topic. + + - **Desktop app.** Follow the instructions in the [Add a Desktop app to your Allowed apps list](#add-a-desktop-app-to_your-allowed-apps-list) section of this topic. + + - **AppLocker policy file.** Follow the instructions to create your app list in the [Import a list of apps to your Allowed apps list](#import-a-list-of-apps-to_your-allowed-apps-list) section of this topic, using a list of exempted apps. + +4. Click **OK**. + +### Manage the WIP protection mode for your enterprise data +After you've added the apps you want to protect with WIP, you'll need to apply a management and protection mode. + +We recommend that you start with **Silent** or **Allow Overrides** while verifying with a small group that you have the right apps on your allowed apps list. After you're done, you can change to your final enforcement policy, **Hide Overrides**. + +>[!NOTE] +>For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md). + +**To add your protection mode** + +1. From the **App policy** blade, click the name of your policy, and then click **Required settings** from the menu that appears. + + The **Required settings** blade appears. + + ![Microsoft Intune, Required settings blade showing Windows Information Protection mode](images/wip-azure-required-settings-protection-mode.png) + + |Mode |Description | + |-----|------------| + |Hide Overrides |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. 
This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.| + |Allow Overrides |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).| + |Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that would’ve been prompted for employee interaction while in Allow Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still stopped.| + |Off (not recommended) |WIP is turned off and doesn't help to protect or audit your data.

      After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn WIP protection back on.| + +2. Click **Save**. + +### Define your enterprise-managed corporate identity +Corporate identity, usually expressed as your primary Internet domain (for example, contoso.com), helps to identify and tag your corporate data from apps you’ve marked as protected by WIP. For example, emails using contoso.com are identified as being corporate and are restricted by your Windows Information Protection policies. + +Starting with Windows 10, version 1703, Intune automatically determines your corporate identity and adds it to the Corporate identity field. You can specify multiple domains owned by your enterprise by separating them with the "|" character. For example, (`contoso.com|newcontoso.com`). With multiple domains, the first one is designated as your corporate identity and all of the additional ones as being owned by the first one. We strongly recommend that you include all of your email address domains in this list. + +**To change your corporate identity** + +1. From the **App policy** blade, click the name of your policy, and then click **Required settings** from the menu that appears. + + The **Required settings** blade appears. + +2. If the identity isn’t correct, or if you need to add additional domains, type info into the **Corporate identity** field. For example, `contoso.com|newcontoso.com`. + + ![Microsoft Intune, Set your corporate identity for your organization](images/wip-azure-required-settings-corp-identity.png) + +### Choose where apps can access enterprise data +After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network. + +There are no default locations included with WIP, you must add each of your network locations. 
This area applies to any network endpoint device that gets an IP address in your enterprise’s range and is also bound to one of your enterprise domains, including SMB shares. Local file system locations should just maintain encryption (for example, on local NTFS, FAT, ExFAT). + +>[!Important] +>Every WIP policy should include policy that defines your enterprise network locations.
      Classless Inter-Domain Routing (CIDR) notation isn’t supported for WIP configurations. + +**To define where your allowed apps can find and send enterprise data on you network** + +1. From the **App policy** blade, click the name of your policy, and then click **Advanced settings** from the menu that appears. + + The **Advanced settings** blade appears. + +2. Click **Add network boundary** from the Network perimeter area. + + The **Add network boundary** blade appears. + + ![Microsoft Intune, Set where your apps can access enterprise data on your network](images/wip-azure-advanced-settings-network.png) + +3. Select the type of network boundary to add from the **Boundary type** box. + +4. Type a name for your boundary into the **Name** box, add your values to the **Value** box, based on the following options, and then click **OK**. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Boundary typeValue formatDescription
      Cloud ResourcesWith proxy: contoso.sharepoint.com,contoso.internalproxy1.com|
      contoso.visualstudio.com,contoso.internalproxy2.com

      Without proxy: contoso.sharepoint.com|contoso.visualstudio.com
      Specify the cloud resources to be treated as corporate and protected by WIP.

      For each cloud resource, you may also optionally specify a proxy server from your Internal proxy servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Internal proxy servers is considered enterprise.

      If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.

      Important
      In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can’t tell whether it’s attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/ string to the setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/.

      When using this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access), using the Domain joined or marked as compliant option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access.
      Network domain namescorp.contoso.com,region.contoso.comStarting with Windows 10, version 1703, this field is optional.

      Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected.

      If you have multiple resources, you must separate them using the "," delimiter.
      Proxy serversproxy.contoso.com:80;proxy2.contoso.com:443Specify the proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you’re connecting to are enterprise resources.

      This list shouldn’t include any servers listed in your Internal proxy servers list. Internal proxy servers must be used only for WIP-protected (enterprise) traffic.

      If you have multiple resources, you must separate them using the ";" delimiter.
      Internal proxy serverscontoso.internalproxy1.com;contoso.internalproxy2.comSpecify the internal proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you’re connecting to are enterprise resources.

      This list shouldn’t include any servers listed in your Proxy servers list. Proxy servers must be used only for non-WIP-protected (non-enterprise) traffic.

      If you have multiple resources, you must separate them using the ";" delimiter.
      IPv4 ranges**Starting IPv4 Address:** 3.4.0.1
      **Ending IPv4 Address:** 3.4.255.254
      **Custom URI:** 3.4.0.1-3.4.255.254,
      10.0.0.1-10.255.255.254
      Starting with Windows 10, version 1703, this field is optional.

      Specify the addresses for a valid IPv4 value range within your intranet. These addresses, used with your Network domain names, define your corporate network boundaries.

      If you have multiple ranges, you must separate them using the "," delimiter.
      IPv6 ranges**Starting IPv6 Address:** 2a01:110::
      **Ending IPv6 Address:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff
      **Custom URI:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,
      fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
      Starting with Windows 10, version 1703, this field is optional.

      Specify the addresses for a valid IPv6 value range within your intranet. These addresses, used with your Network domain names, define your corporate network boundaries.

      If you have multiple ranges, you must separate them using the "," delimiter.
      Neutral resourcessts.contoso.com,sts.contoso2.comSpecify your authentication redirection endpoints for your company.

      These locations are considered enterprise or personal, based on the context of the connection before the redirection.

      If you have multiple resources, you must separate them using the "," delimiter.
      + +5. Repeat steps 1-4 to add any additional network boundaries. + +6. Decide if you want to Windows to look for additional network settings: + + ![Microsoft Intune, Choose if you want Windows to search for additional proxy servers or IP ranges in your enterprise](images/wip-azure-advanced-settings-network-autodetect.png) + + - **Enterprise Proxy Servers list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the proxy servers you specified in the network boundary definition as the complete list of proxy servers available on your network. If you clear this box, Windows will search for additional proxy servers in your immediate network. + + - **Enterprise IP Ranges list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the IP ranges you specified in the network boundary definition as the complete list of IP ranges available on your network. If you clear this box, Windows will search for additional IP ranges on any domain-joined devices connected to your network. + +### Upload your Data Recovery Agent (DRA) certificate +After you create and deploy your WIP policy to your employees, Windows begins to encrypt your corporate data on the employees’ local device drive. If somehow the employees’ local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the Data Recovery Agent (DRA) certificate lets Windows use an included public key to encrypt the local data while you maintain the private key that can unencrypt the data. + +>[!Important] +>Using a DRA certificate isn’t mandatory. However, we strongly recommend it. For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](https://go.microsoft.com/fwlink/p/?LinkId=761462) topic. 
For more info about creating and verifying your EFS DRA certificate, see the [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](https://tnstage.redmond.corp.microsoft.com/en-us/itpro/windows/keep-secure/create-and-verify-an-efs-dra-certificate) topic. + +**To upload your DRA certificate** +1. From the **App policy** blade, click the name of your policy, and then click **Advanced settings** from the menu that appears. + + The **Advanced settings** blade appears. + +2. In the **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, click **Browse** to add a data recovery certificate for your policy. + + ![Microsoft Intune, Upload your Data Recovery Agent (DRA) certificate](images/wip-azure-advanced-settings-efsdra.png) + +### Choose your optional WIP-related settings +After you've decided where your protected apps can access enterprise data on your network, you’ll be asked to decide if you want to add any optional WIP settings. + +**To set your optional settings** + +1. Choose to set any or all optional settings: + + ![Microsoft Intune, Choose if you want to include any of the optional settings](images/wip-azure-advanced-settings-optional.png) + + - **Prevent corporate data from being accessed by apps when the device is locked. Applies only to Windows 10 Mobile.** Determines whether to encrypt enterprise data using a key that's protected by an employee's PIN code on a locked device. Apps won't be able to read corporate data when the device is locked. The options are: + + - **On (recommended).** Turns on the feature and provides the additional protection. + + - **Off, or not configured.** Doesn't enable this feature. + + - **Revoke encryption keys on unenroll.** Determines whether to revoke a user’s local encryption keys from a device when it’s unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. 
The options are: + + - **On, or not configured (recommended).** Revokes local encryption keys from a device during unenrollment. + + - **Off.** Stop local encryption keys from being revoked from a device during unenrollment. For example if you’re migrating between Mobile Device Management (MDM) solutions. + + - **Show the Windows Information Protection icon overlay.** Determines whether the Windows Information Protection icon overlay appears on corporate files in the Save As and File Explorer views. The options are: + + - **On.** Allows the Windows Information Protection icon overlay to appear on corporate files in the Save As and File Explorer views. Additionally, for unenlightened but allowed apps, the icon overlay also appears on the app tile and with Managed text on the app name in the **Start** menu. + + - **Off, or not configured (recommended).** Stops the Windows Information Protection icon overlay from appearing on corporate files or unenlightened, but allowed apps. Not configured is the default option. + + - **Use Azure RMS for WIP.** Determines whether to use Azure Rights Management encryption with Windows Information Protection. + + - **On.** Starts using Azure Rights Management encryption with WIP. By turning this option on, you can also add a TemplateID GUID to specify who can access the Azure Rights Management protected files, and for how long. For more info about setting up Azure Rights management and using a template ID with WIP, see the [Choose to set up Azure Rights Management with WIP](#choose-to-set-up-azure-rights-management-with-wip) section of this topic. + + - **Off, or not configured.** Stops using Azure Rights Management encryption with WIP. + +### Choose to set up Azure Rights Management with WIP +WIP can integrate with Microsoft Azure Rights Management to enable secure sharing of files by using removable drives such as USB drives. 
For more info about Azure Rights Management, see [Microsoft Azure Rights Management](https://products.office.com/en-us/business/microsoft-azure-rights-management). To integrate Azure Rights Management with WIP, you must already have Azure Rights Management set up. + +To configure WIP to use Azure Rights Management, you must set the **AllowAzureRMSForEDP** MDM setting to **1** in Microsoft Intune. This setting tells WIP to encrypt files copied to removable drives with Azure Rights Management, so they can be shared amongst your employees on computers running at least Windows 10, version 1703. + +Optionally, if you don’t want everyone in your organization to be able to share your enterprise data, you can set the **RMSTemplateIDForEDP** MDM setting to the **TemplateID** of the Azure Rights Management template used to encrypt the data. You must make sure to mark the template with the **EditRightsData** option. + +>[!NOTE] +>For more info about setting the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings, see the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp) topic. For more info about setting up and using a custom template, see [Configuring custom templates for the Azure Rights Management service](https://docs.microsoft.com/en-us/information-protection/deploy-use/configure-custom-templates) topic. 
+ +## Related topics +- [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md) + +- [Deploy your Windows Information Protection (WIP) policy](deploy-wip-policy-using-intune.md) + +- [Associate and deploy your Windows Information Protection (WIP) and VPN policies by using Microsoft Intune](create-vpn-and-wip-policy-using-intune.md) + +- [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md) + +- [What is Azure Rights Management?]( https://docs.microsoft.com/en-us/information-protection/understand-explore/what-is-azure-rms) + +- [Create and deploy Windows Information Protection (WIP) app protection policy with Intune and MAM](https://docs.microsoft.com/en-us/intune/deploy-use/create-windows-information-protection-policy-with-intune) + +- [Intune MAM Without Enrollment](https://blogs.technet.microsoft.com/configmgrdogs/2016/02/04/intune-mam-without-enrollment/) + +- [Azure RMS Documentation Update for May 2016](https://blogs.technet.microsoft.com/enterprisemobility/2016/05/31/azure-rms-documentation-update-for-may-2016/) + +>[!NOTE] +>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). \ No newline at end of file diff --git a/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune.md b/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune.md index 2b277e056a..cbdd0a70de 100644 --- a/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune.md +++ b/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune.md 
@@ -1,5 +1,5 @@ --- -title: Create a Windows Information Protection (WIP) policy using Microsoft Intune (Windows 10) +title: Create a Windows Information Protection (WIP) with enrollment policy using the classic console for Microsoft Intune (Windows 10) description: Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. ms.assetid: 4b307c99-3016-4d6a-9ae7-3bbebd26e721 ms.prod: w10 @@ -10,12 +10,12 @@ author: eross-msft localizationpriority: high --- -# Create a Windows Information Protection (WIP) policy using Microsoft Intune +# Create a Windows Information Protection (WIP) using the classic console for Microsoft Intune **Applies to:** -- Windows 10, version 1703 -- Windows 10 Mobile (except Microsoft Azure Rights Management, which is only available on the desktop) +- Windows 10, version 1607 and later +- Windows 10 Mobile, version 1607 and later Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your allowed apps, your WIP-protection level, and how to find enterprise data on the network. @@ -39,7 +39,7 @@ During the policy-creation process in Intune, you can choose the apps you want t The steps to add your app rules are based on the type of rule template being applied. You can add a store app (also known as a Universal Windows Platform (UWP) app), a signed Windows desktop app, or an AppLocker policy file. >[!Important] ->WIP-aware apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.

      Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **App Rules** list. If you don’t get this statement, it’s possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation. +>Enlightened apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.

      Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **App Rules** list. If you don’t get this statement, it’s possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation. #### Add a store app rule to your policy For this example, we’re going to add Microsoft OneNote, a store app, to the **App Rules** list. 
@@ -309,13 +309,13 @@ If you're running into compatibility issues where your app is incompatible with ### Manage the WIP protection mode for your enterprise data After you've added the apps you want to protect with WIP, you'll need to apply a management and protection mode. -We recommend that you start with **Silent** or **Override** while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, either **Override** or **Block**. +We recommend that you start with **Silent** or **Allow Overrides** while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, either **Allow Overrides** or **Hide Overrides**. |Mode |Description | |-----|------------| -|Block |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.| -|Override |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log, accessible through the [Reporting CSP](https://go.microsoft.com/fwlink/p/?LinkID=746459). | -|Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that would’ve been prompted for employee interaction while in Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still blocked.| +|Hide Overrides|WIP looks for inappropriate data sharing practices and stops the employee from completing the action. 
This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.| +|Allow Overrides|WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log, accessible through the [Reporting CSP](https://go.microsoft.com/fwlink/p/?LinkID=746459). | +|Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that would’ve been prompted for employee interaction while in Allow Overrides mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still blocked.| |Off (not recommended) |WIP is turned off and doesn't help to protect or audit your data.

      After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn WIP protection back on.| ![Microsoft Intune, Set the protection mode for your data](images/intune-protection-mode.png) diff --git a/windows/threat-protection/windows-information-protection/create-wip-policy-using-sccm.md b/windows/threat-protection/windows-information-protection/create-wip-policy-using-sccm.md index 4dbf46f1e8..d8a879c4d2 100644 --- a/windows/threat-protection/windows-information-protection/create-wip-policy-using-sccm.md +++ b/windows/threat-protection/windows-information-protection/create-wip-policy-using-sccm.md @@ -63,7 +63,7 @@ During the policy-creation process in System Center Configuration Manager, you c The steps to add your app rules are based on the type of rule template being applied. You can add a store app (also known as a Universal Windows Platform (UWP) app), a signed Windows desktop app, or an AppLocker policy file. >[!IMPORTANT] ->WIP-aware apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.

      Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **App rules** list. If you don’t get this statement, it’s possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation. +>Enlightened apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.

      Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **App rules** list. If you don’t get this statement, it’s possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation. #### Add a store app rule to your policy For this example, we’re going to add Microsoft OneNote, a store app, to the **App Rules** list. @@ -94,7 +94,9 @@ If you don't know the publisher or product name, you can find them for both desk 1. Go to the [Windows Store for Business](https://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, Microsoft OneNote. - >**Note**
      If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the protected apps list. For info about how to do this, see the steps in the [Add an AppLocker policy file](#add-an-applocker-policy-file) section. + >[!NOTE] + + >If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the protected apps list. For info about how to do this, see the steps in the [Add an AppLocker policy file](#add-an-applocker-policy-file) section. 2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, `9wzdncrfhvjl`. @@ -111,7 +113,8 @@ If you don't know the publisher or product name, you can find them for both desk 4. Copy the `publisherCertificateName` value and paste them into the **Publisher Name** box, copy the `packageIdentityName` value into the **Product Name** box of Intune. - >**Important**
      The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`.

      For example:

      + >[!IMPORTANT] + >The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`.

      For example:

      ```json { "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d", @@ -121,7 +124,8 @@ If you don't know the publisher or product name, you can find them for both desk **To find the Publisher and Product Name values for apps installed on Windows 10 mobile phones** 1. If you need to add mobile apps that aren't distributed through the Store for Business, you must use the **Windows Device Portal** feature. - >**Note**
      Your PC and phone must be on the same wireless network. + >[!NOTE] + >Your PC and phone must be on the same wireless network. 2. On the Windows Phone, go to **Settings**, choose **Update & security**, and then choose **For developers**. @@ -137,7 +141,8 @@ If you don't know the publisher or product name, you can find them for both desk 8. Copy the `publisherCertificateName` value and paste it into the **Publisher Name** box and the `packageIdentityName` value into the **Product Name** box of Intune. - >**Important**
      The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`. + >[!IMPORTANT] + >The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`. >For example:

      ```json { @@ -460,6 +465,9 @@ After you've decided where your protected apps can access enterprise data on you - **No.** Hides the **Personal** option from employees. Be aware that if you pick this option, apps that use the **Save As** dialog box might encrypt new files as corporate data unless a different file path is given during the original file creation. After this happens, decryption of work files becomes more difficult. + >[!IMPORTANT] + >The **Show the Personal option in the File ownership menus of File Explorer and the Save As dialog box** option is only available for Configuration Manager versions 1610 and below. + - **Prevent corporate data from being accessed by apps when the device is locked. Applies only to Windows 10 Mobile**. Determines whether to encrypt enterprise data using a key that's protected by an employee's PIN code on a locked device. Apps won't be able to read corporate data when the device is locked. The options are: - **Yes (recommended).** Turns on the feature and provides the additional protection. diff --git a/windows/threat-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md b/windows/threat-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md new file mode 100644 index 0000000000..60eb44c676 --- /dev/null +++ b/windows/threat-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md 
@@ -0,0 +1,43 @@
+---
+title: Deploy your Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune (Windows 10)
+description: After you’ve created your Windows Information Protection (WIP) policy, you'll need to deploy it to your organization's enrolled devices.
+keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, Intune
+ms.prod: w10
+ms.mktglfcycl: explore
+ms.sitesec: library
+ms.pagetype: security
+author: eross-msft
+localizationpriority: high
+---
+
+# Deploy your Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune
+
+**Applies to:**
+
+- Windows 10, version 1607 and later
+- Windows 10 Mobile, version 1607 and later (except Microsoft Azure Rights Management, which is only available on the desktop)
+
+After you’ve created your Windows Information Protection (WIP) policy, you'll need to deploy it to your organization's enrolled devices. Enrollment can be done for business or personal devices, allowing the devices to use your managed apps and to sync with your managed content and information.
+
+**To deploy your WIP policy**
+
+1. On the **App policy** pane, click your newly-created policy, click **User groups** from the menu that appears, and then click **Add user group**.
+
+ A list of user groups, made up of all of the security groups in your Azure Active Directory, appear in the **Add user group** pane.
+
+2. Choose the group you want your policy to apply to, and then click **Select** to deploy the policy.
+
+ The policy is deployed to the selected users' devices.
+
+ ![Microsoft Intune: Pick your user groups that should get the policy when it's deployed](images/wip-azure-add-user-groups.png)
+
+
+>[!NOTE]
+>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
+
+## Related topics
+- [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md)
+
+- [Associate and deploy your Windows Information Protection (WIP) and VPN policies by using Microsoft Intune](create-vpn-and-wip-policy-using-intune.md)
+
+- [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md)
diff --git a/windows/threat-protection/windows-information-protection/deploy-wip-policy-using-intune.md b/windows/threat-protection/windows-information-protection/deploy-wip-policy-using-intune.md
index c7dcdf364b..a3b19da3c4 100644
--- a/windows/threat-protection/windows-information-protection/deploy-wip-policy-using-intune.md
+++ b/windows/threat-protection/windows-information-protection/deploy-wip-policy-using-intune.md
@@ -1,5 +1,5 @@
 ---
-title: Deploy your Windows Information Protection (WIP) policy using Microsoft Intune (Windows 10)
+title: Deploy your Windows Information Protection (WIP) policy using the classic console for Microsoft Intune (Windows 10)
 description: After you’ve created your Windows Information Protection (WIP) policy, you'll need to deploy it to your organization's enrolled devices.
 ms.assetid: 9c4a01e7-0b1c-4f15-95d0-0389f0686211
 keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, Intune
@@ -11,11 +11,11 @@ author: eross-msft localizationpriority: high --- -# Deploy your Windows Information Protection (WIP) policy using Microsoft Intune +# Deploy your Windows Information Protection (WIP) policy using the classic console for Microsoft Intune **Applies to:** -- Windows 10, version 1607 -- Windows 10 Mobile +- Windows 10, version 1607 and later +- Windows 10 Mobile, version 1607 and later After you’ve created your Windows Information Protection (WIP) policy, you'll need to deploy it to your organization's enrolled devices. Enrollment can be done for business or personal devices, allowing the devices to use your managed apps and to sync with your managed content and information. diff --git a/windows/threat-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md b/windows/threat-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md index 77df2d4e51..159440b9aa 100644 --- a/windows/threat-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md +++ b/windows/threat-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md @@ -1,6 +1,6 @@ --- title: List of enlightened Microsoft apps for use with Windows Information Protection (WIP) (Windows 10) -description: Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your Protected Apps list. +description: Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your allowed apps list. ms.assetid: 17c85ea3-9b66-4b80-b511-8f277cb4345f keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection ms.prod: w10 
@@ -21,7 +21,7 @@ localizationpriority: high Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your allowed apps list. ## Enlightened versus unenlightened apps -Apps can be enlightened (also referred to as WIP-aware) or unenlightened (also referred to as WIP-unaware). +Apps can be enlightened or unenlightened: - **Enlightened apps** can differentiate between corporate and personal data, correctly determining which to protect, based on your policies. @@ -31,6 +31,8 @@ Apps can be enlightened (also referred to as WIP-aware) or unenlightened (also r - Windows **Save As** experiences only allow you to save your files as enterprise. +- **WIP-work only apps** are unenlightened line-of-business apps that have been tested and deemed safe for use in an enterprise with WIP and Mobile App Management (MAM) solutions. + ## List of enlightened Microsoft apps Microsoft has made a concerted effort to enlighten several of our more popular apps, including the following: @@ -42,9 +44,13 @@ Microsoft has made a concerted effort to enlighten several of our more popular a - Mobile Office apps, including Word, Excel, PowerPoint, OneNote, and Outlook Mail and Calendar -- Microsoft Photos +- Office 365 ProPlus apps, including Word, Excel, PowerPoint, OneNote, and Outlook - +- OneDrive app + +- OneDrive sync client (OneDrive.exe, the next generation sync client) + +- Microsoft Photos - Groove Music 
@@ -58,6 +64,11 @@ Microsoft has made a concerted effort to enlighten several of our more popular a - Microsoft Remote Desktop +## List of WIP-work only apps from Microsoft +Microsoft still has apps that are unenlightened, but which have been tested and deemed safe for use in an enterprise with WIP and MAM solutions. + +- Skype for Business + ## Adding enlightened Microsoft apps to the allowed apps list You can add any or all of the enlightened Microsoft apps to your allowed apps list. Included here is the **Publisher name**, **Product or File name**, and **App Type** info for both Microsoft Intune and System Center Configuration Manager. @@ -70,12 +81,14 @@ You can add any or all of the enlightened Microsoft apps to your allowed apps li |PowerPoint Mobile |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
      **Product Name:** Microsoft.Office.PowerPoint
      **App Type:** Universal app | |OneNote |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
      **Product Name:** Microsoft.Office.OneNote
      **App Type:** Universal app | |Outlook Mail and Calendar |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
      **Product Name:** microsoft.windowscommunicationsapps
      **App Type:** Universal app | +|Office 365 ProPlus|Office 365 ProPlus apps are set up as a suite. You must use the [O365 ProPlus - Allow and Exempt AppLocker policy files (.zip files)](http://download.microsoft.com/download/7/0/D/70D72459-D72D-4673-B309-F480E3BEBCC9/O365%20ProPlus%20-%20WIP%20Enterprise%20AppLocker%20Policy%20Files.zip) to turn the suite on for WIP.
      We don't recommend setting up Office by using individual paths or publisher rules.| |Microsoft Photos |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
      **Product Name:** Microsoft.Windows.Photos
      **App Type:** Universal app | |Groove Music |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
      **Product Name:** Microsoft.ZuneMusic
      **App Type:** Universal app | |Microsoft Movies & TV |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
      **Product Name:** Microsoft.ZuneVideo
      **App Type:** Universal app | |Microsoft Messaging |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
      **Product Name:** Microsoft.Messaging
      **App Type:** Universal app | |IE11 |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
      **Binary Name:** iexplore.exe
      **App Type:** Desktop app | -|Microsoft OneDrive |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
      **Binary Name:** onedrive.exe
      **App Type:** Desktop app| +|OneDrive Sync Client|**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
      **Binary Name:** onedrive.exe
      **App Type:** Desktop app| +|OneDrive app|**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
      **Product Name:** Microsoft.Microsoftskydrive
      **Product Version:**Product version: 17.21.0.0 (and later)
      **App Type:** Universal app | |Notepad |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
      **Binary Name:** notepad.exe
      **App Type:** Desktop app | |Microsoft Paint |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
      **Binary Name:** mspaint.exe
      **App Type:** Desktop app | |Microsoft Remote Desktop |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
      **Binary Name:** mstsc.exe
      **App Type:** Desktop app | diff --git a/windows/threat-protection/windows-information-protection/mandatory-settings-for-wip.md b/windows/threat-protection/windows-information-protection/mandatory-settings-for-wip.md index d8d0fb1910..dfd5630dc2 100644 --- a/windows/threat-protection/windows-information-protection/mandatory-settings-for-wip.md +++ b/windows/threat-protection/windows-information-protection/mandatory-settings-for-wip.md 
@@ -24,7 +24,7 @@ This list provides all of the tasks and settings that are required for the opera |Task|Description| |----|-----------| |Add at least one app to the **Allowed apps** list in your WIP policy.|You must have at least one app added to your **Allowed apps** list. For more info about where this area is and how to add apps, see the **Add apps to your Allowed apps list** section of the policy creation topics.| -|Choose your WIP protection level.|You must choose the level of protection you want to apply to your WIP-protected content, including **Override**, **Silent**, or **Block**. For more info about where this area is and how to decide on your protection level, see the **Manage the WIP protection mode for your enterprise data** section of the policy creation topics. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).| +|Choose your WIP protection level.|You must choose the level of protection you want to apply to your WIP-protected content, including **Allow Overrides**, **Silent**, or **Hide Overrides**. For more info about where this area is and how to decide on your protection level, see the **Manage the WIP protection mode for your enterprise data** section of the policy creation topics. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).| |Specify your corporate identity.|This field is automatically filled out for you by Microsoft Intune. However, you must manually correct it if it’s incorrect or if you need to add additional domains. For more info about where this area is and what it means, see the **Define your enterprise-managed corporate identity** section of the policy creation topics. |Specify your network domain names.|Starting with Windows 10, version 1703, this field is optional.

      Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected. For more info about where this area is and how to add your suffixes, see the table that appears in the **Choose where apps can access enterprise data** section of the policy creation topics.| |Specify your enterprise IPv4 or IPv6 ranges.|Starting with Windows 10, version 1703, this field is optional.

      Specify the addresses for a valid IPv4 or IPv6 value range within your intranet. These addresses, used with your Network domain names, define your corporate network boundaries. For more info about where this area is and what it means, see the table that appears in the **Define your enterprise-managed corporate identity** section of the policy creation topics.| diff --git a/windows/threat-protection/windows-information-protection/overview-create-wip-policy.md b/windows/threat-protection/windows-information-protection/overview-create-wip-policy.md index eb659e55c3..caf17860ce 100644 --- a/windows/threat-protection/windows-information-protection/overview-create-wip-policy.md +++ b/windows/threat-protection/windows-information-protection/overview-create-wip-policy.md 
@@ -21,7 +21,8 @@ Microsoft Intune and System Center Configuration Manager helps you create and de
 ## In this section
 |Topic |Description |
 |------|------------|
-|[Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) |Intune helps you create and deploy your WIP policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. |
+|[Create a Windows Information Protection (WIP) policy using the classic console for Microsoft Intune](create-wip-policy-using-intune.md) |Details about how to use the classic console for Microsoft Intune to create and deploy your WIP policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. |
+|[Create a Windows Information Protection (WIP) with enrollment policy using the Azure portal for Microsoft Intune](create-wip-policy-using-intune-azure.md)|Details about how to use the Azure portal for Microsoft Intune to create and deploy your WIP policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. |
 |[Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) |System Center Configuration Manager helps you create and deploy your WIP policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. |
 |[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md) |Steps to create, verify, and perform a quick recovery using a Encrypting File System (EFS) Data Recovery Agent (DRA) certificate. 
|
 |[Determine the Enterprise Context of an app running in Windows Information Protection (WIP)](wip-app-enterprise-context.md) |Use the Task Manager to determine whether an app is considered work, personal or exempt by Windows Information Protection (WIP). |
diff --git a/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip.md b/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip.md
index fe8a354526..19071542aa 100644
--- a/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip.md
+++ b/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip.md
@@ -76,13 +76,13 @@ WIP gives you a new way to manage data policy enforcement for apps and documents - **Copying or downloading enterprise data.** When an employee or an app downloads content from a location like SharePoint, a network share, or an enterprise web location, while using a WIP-protected device, WIP encrypts the data on the device. - - **Using allowed apps.** Managed apps (apps that you've included on the **Allowed apps** list in your WIP policy) are allowed to access your enterprise data and will interact differently when used with unallowed, non-enterprise aware, or personal-only apps. For example, if WIP management is set to **Block**, your employees can copy and paste from one protected app to another allowed app, but not to personal apps. Imagine an HR person wants to copy a job description from an allowed app to the internal career website, an enterprise-protected location, but goofs and tries to paste into a personal app instead. The paste action fails and a notification pops up, saying that the app couldn’t paste because of a policy restriction. The HR person then correctly pastes to the career website without a problem. + - **Using allowed apps.** Managed apps (apps that you've included on the **Allowed apps** list in your WIP policy) are allowed to access your enterprise data and will interact differently when used with unallowed, non-enterprise aware, or personal-only apps. For example, if WIP management is set to **Hide overrides**, your employees can copy and paste from one protected app to another allowed app, but not to personal apps. Imagine an HR person wants to copy a job description from an allowed app to the internal career website, an enterprise-protected location, but goofs and tries to paste into a personal app instead. The paste action fails and a notification pops up, saying that the app couldn’t paste because of a policy restriction. The HR person then correctly pastes to the career website without a problem. 
- **Managed apps and restrictions.** With WIP you can control which apps can access and use your enterprise data. After adding an app to your allowed apps list, the app is trusted with enterprise data. All apps not on this list are stopped from accessing your enterprise data, depending on your WIP management-mode. You don’t have to modify line-of-business apps that never touch personal data to list them as allowed apps; just include them in the allowed apps list. - - **Deciding your level of data access.** WIP lets you block overrides, allow overrides, or audit employees' data sharing actions. Blocking overrides stops the action immediately. Allowing overrides lets the employee know there's a risk, but lets him or her continue to share the data while recording and auditing the action. Silent just logs the action without stopping anything that the employee could've overridden while using that setting; collecting info that can help you to see patterns of inappropriate sharing so you can take educative action or find apps that should be added to your allowed apps list. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md). + - **Deciding your level of data access.** WIP lets you hide overrides, allow overrides, or audit employees' data sharing actions. Hiding overrides stops the action immediately. Allowing overrides lets the employee know there's a risk, but lets him or her continue to share the data while recording and auditing the action. Silent just logs the action without stopping anything that the employee could've overridden while using that setting; collecting info that can help you to see patterns of inappropriate sharing so you can take educative action or find apps that should be added to your allowed apps list. 
For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md). - **Data encryption at rest.** WIP helps protect enterprise data on local files and on removable media. @@ -131,8 +131,8 @@ You can set your WIP policy to use 1 of 4 protection and management modes: |Mode|Description| |----|-----------| -|Block |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing enterprise data to non-enterprise-protected apps in addition to sharing enterprise data between apps or attempting to share outside of your organization’s network.| -|Override |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log.| +|Hide overrides |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing enterprise data to non-enterprise-protected apps in addition to sharing enterprise data between apps or attempting to share outside of your organization’s network.| +|Allow overrides |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log.| |Silent |WIP runs silently, logging inappropriate data sharing, without stopping anything that would’ve been prompted for employee interaction while in Allow overrides mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still stopped.| |Off |WIP is turned off and doesn't help to protect or audit your data.

      After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn WIP protection back on.

      **Note**
      For more info about setting your WIP-protection modes, see either [Create a Windows Information Protection (WIP) policy using Intune](create-wip-policy-using-intune.md) or [Create and deploy a Windows Information Protection (WIP) policy using Configuration Manager](create-wip-policy-using-sccm.md), depending on your management solution. | diff --git a/windows/threat-protection/windows-information-protection/recommended-network-definitions-for-wip.md b/windows/threat-protection/windows-information-protection/recommended-network-definitions-for-wip.md index 0d5eb4ca6f..f07d6ab555 100644 --- a/windows/threat-protection/windows-information-protection/recommended-network-definitions-for-wip.md +++ b/windows/threat-protection/windows-information-protection/recommended-network-definitions-for-wip.md @@ -24,7 +24,7 @@ We recommend that you add the following URLs to the Enterprise Cloud Resources a ## Recommended Enterprise Cloud Resources This table includes the recommended URLs to add to your Enterprise Cloud Resources network setting, based on the apps you use in your organization. -|If your organization uses... |Add these entries to your Enterprise Cloud Resources network setting
      (Replace "contoso" with your domain name(s) | +|If your organization uses... |Add these entries to your Enterprise Cloud Resources network setting
      (Replace "contoso" with your domain name(s)| |-----------------------------|---------------------------------------------------------------------| |Office 365 for Business |

      • contoso.sharepoint.com
      • contoso-my.sharepoint.com
      • contoso-files.sharepoint.com
      • tasks.office.com
      • protection.office.com
      • meet.lync.com
      • teams.microsoft.com
      | |Yammer |
      • www.yammer.com
      • yammer.com
      • persona.yammer.com
      | diff --git a/windows/update/docfx.json b/windows/update/docfx.json index 21e6f12fb6..e95b5a9ccc 100644 --- a/windows/update/docfx.json +++ b/windows/update/docfx.json @@ -29,7 +29,13 @@ ], "overwrite": [], "externalReference": [], - "globalMetadata": {}, + "globalMetadata": { + "_op_documentIdPathDepotMapping": { + "./": { + "depot_name": "MSDN.windows-update" + } + } + }, "fileMetadata": {}, "template": [], "dest": "windows-update" diff --git a/windows/whats-new/contribute-to-a-topic.md b/windows/whats-new/contribute-to-a-topic.md index 6b8301ccab..c963eb975e 100644 --- a/windows/whats-new/contribute-to-a-topic.md +++ b/windows/whats-new/contribute-to-a-topic.md @@ -1,6 +1,6 @@ --- title: Edit an existing topic using the Edit link -description: Instructions about how to edit an existing topic by using the Contribute link on TechNet. +description: Instructions about how to edit an existing topic by using the Edit link on TechNet. keywords: contribute, edit a topic ms.prod: w10 ms.mktglfcycl: explore @@ -10,13 +10,13 @@ ms.sitesec: library # Editing existing Windows IT professional documentation You can now make suggestions and update existing, public content with a GitHub account and a simple click of a link. ->**Note**
      +>[!NOTE] >At this time, only the English (en-us) content is available for editing. **To edit a topic** -1. All contributors who are ***not*** a Microsoft employee must [sign a Microsoft Contribution Licensing Agreement (CLA)](https://cla.microsoft.com/) before contributing to any Microsoft repositories. -If you've already contributed to Microsoft repositories in the past, congratulations! You've already completed this step. +1. All contributors who are ***not*** a Microsoft employee must [sign a Microsoft Contribution Licensing Agreement (CLA)](https://cla.microsoft.com/) before updating or adding to any Microsoft repositories. +If you've previously contributed to topics in the Microsoft repositories, congratulations! You've already completed this step. 2. Go to the page on TechNet that you want to update, and then click **Edit**. diff --git a/windows/whats-new/docfx.json b/windows/whats-new/docfx.json index bdecd75985..1bbc64ff9e 100644 --- a/windows/whats-new/docfx.json +++ b/windows/whats-new/docfx.json @@ -35,7 +35,13 @@ "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", "ms.technology": "windows", "ms.topic": "article", - "ms.author": "trudyha" + "ms.author": "trudyha", + "ms.date": "04/05/2017", + "_op_documentIdPathDepotMapping": { + "./": { + "depot_name": "MSDN.win-whats-new" + } + } }, "fileMetadata": {}, "template": [], diff --git a/windows/whats-new/index.md b/windows/whats-new/index.md index b64a85a590..e0bd472d86 100644 --- a/windows/whats-new/index.md +++ b/windows/whats-new/index.md 
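Review bot: The `"ms.date": "04/05/2017"` entry added to the metadata block in windows/whats-new/docfx.json is a fixed date set at docset level, so (assuming this block is `globalMetadata`, whose opening line is outside the hunk) every topic that does not declare its own `ms.date` would be published as if it had been reviewed on that day. For documentation that readers use to judge whether guidance is current, that can make stale pages look fresh. I would drop the key from this block and keep `ms.date` in each topic's own YAML header, or scope it with a `fileMetadata` pattern to the files that were actually reviewed. The value is also ambiguous between 5 April and 4 May; the format the build expects should be confirmed.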
@@ -1,6 +1,6 @@ --- title: What's new in Windows 10 (Windows 10) -description: Learn about new features in Windows 10 for IT professionals, such as Enterprise Data Protection, Windows Hello, Device Guard, and more. +description: Learn about new features in Windows 10 for IT professionals, such as Windows Information Protection, Windows Hello, Device Guard, and more. ms.assetid: F1867017-76A1-4761-A200-7450B96AEF44 keywords: ["What's new in Windows 10", "Windows 10", "anniversary update", "contribute", "edit topic"] ms.prod: w10 @@ -20,7 +20,7 @@ Windows 10 provides IT professionals with advanced protection against modern sec - [What's new in Windows 10, versions 1507 and 1511](whats-new-windows-10-version-1507-and-1511.md) -- [Edit an existing topic using the Contribute link](contribute-to-a-topic.md) +- [Edit an existing topic using the Edit link](contribute-to-a-topic.md) ## Learn more