deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-29 05:37:22 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'refs/remotes/origin/master' into atp-alertsuppression

Browse Source
This commit is contained in:
Joey Caparas 2017-07-05 11:40:54 -07:00
commit 91da489e4f
77 changed files with 22553 additions and 6226 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
.openpublishing.redirection.json
View File

@ -11,6 +11,11 @@
"redirect_document_id": true
},
{
"source_path": "windows/client-management/mdm/policy-admx-backed.md",
"redirect_url": "/windows/client-management/mdm/policy-configuration-service-provider",
"redirect_document_id": true
},
{
"source_path": "windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md",
"redirect_url": "/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune",
"redirect_document_id": false

6
devices/surface-hub/whiteboard-collaboration.md
View File

@ -63,9 +63,9 @@ The OMA URI for each setting consists of `./User/Vendor/MSFT/EnterpriseModernApp
| Setting | Details | OMA URI | Supported with<br>Intune? | Supported with<br>Configuration Manager? | Supported with<br>SyncML*? |
| --- | ---- | --- |---- | --- | --- |
| Enable sign-in | Users can sign in and authenticate | EnableSignIn | Yes <br> [Use a custom policy.](#example-intune) | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
| Disable sign-in | Users are unable to sign in and access collaboration or education features | DisableSignIn | Yes <br> [Use a custom policy.](#example-intune) | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
| Disable Collaboration | Users can sign in but not create or join collaborative sessions | DisableCollaboration | Yes <br> [Use a custom policy.](#example-intune) | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
| Enable sign-in | Users can sign in and authenticate | EnableSignIn | Yes <br> [Use a custom policy.](manage-settings-with-mdm-for-surface-hub.md#example-intune) | Yes.<br> [Use a custom setting.](manage-settings-with-mdm-for-surface-hub.md#example-sccm) | Yes |
| Disable sign-in | Users are unable to sign in and access collaboration or education features | DisableSignIn | Yes <br> [Use a custom policy.](manage-settings-with-mdm-for-surface-hub.md#example-intune) | Yes.<br> [Use a custom setting.](manage-settings-with-mdm-for-surface-hub.md#example-sccm) | Yes |
| Disable Collaboration | Users can sign in but not create or join collaborative sessions | DisableCollaboration | Yes <br> [Use a custom policy.](manage-settings-with-mdm-for-surface-hub.md#example-intune) | Yes.<br> [Use a custom setting.](manage-settings-with-mdm-for-surface-hub.md#example-sccm) | Yes |
\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package.
Whiteboard also has other MDM settings that can be managed and set for defaults, exporting, and sharing. You can see these additional settings in [Manage settings with an MDM provider (Surface Hub)](manage-settings-with-mdm-for-surface-hub.md#whiteboard-collaboration-settings).

1
devices/surface/microsoft-surface-data-eraser.md
View File

@ -9,6 +9,7 @@ ms.mktglfcycl: manage
ms.pagetype: surface, devices, security
ms.sitesec: library
author: miladCA
ms.date: 06/29/2017
---
# Microsoft Surface Data Eraser

1
devices/surface/microsoft-surface-deployment-accelerator.md
View File

@ -2,6 +2,7 @@
title: Microsoft Surface Deployment Accelerator (Surface)
description: Microsoft Surface Deployment Accelerator provides a quick and simple deployment mechanism for organizations to reimage Surface devices.
ms.assetid: E7991E90-4AAE-44B6-8822-58BFDE3EADE4
ms.date: 06/29/2017
localizationpriority: high
keywords: deploy, install, tool
ms.prod: w10

1
devices/surface/surface-dock-updater.md
View File

@ -9,6 +9,7 @@ ms.mktglfcycl: manage
ms.pagetype: surface, devices
ms.sitesec: library
author: jobotto
ms.date: 06/29/2017
---
# Microsoft Surface Dock Updater

72
education/windows/get-minecraft-device-promotion.md Normal file
View File

@ -0,0 +1,72 @@
---
title: Get Minecraft Education Edition with your Windows 10 device promotion
description: Windows 10 device promotion for Minecraft Education Edition licenses
keywords: school, Minecraft, education edition
ms.prod: W10
ms.mktglfcycl: plan
ms.sitesec: library
localizationpriority: high
author: trudyha
ms.author: trudyha
ms.date: 06/29/2017
---
# Get Minecraft: Education Edition with Windows 10 device promotion
**Applies to:**
- Windows 10
For qualifying customers, receive a one-year, single-user subscription for Minecraft: Education Edition for each Windows 10 device you purchase for your K-12 school. Youll need your invoice or receipt, so be sure to keep track of that. For more information including terms of use, see [Minecraft: Education Edition promotion](https://info.microsoft.com/Minecraft-Education-Edition-Signup.html).
## Requirements
- Qualified Educational Users in K-12 education institutions
- Windows 10 devices purchased from May 2, 2017 - January 31, 2018
- Redeem Minecraft: Education Edition licenses from July 1, 2017 - March 17, 2018
- Microsoft Store for Education admin must submit request for Minecraft: Education Edition licenses
- Proof of device purchase is required (invoice required)
Full details available at [Minecraft: Education Edition promotion](https://info.microsoft.com/Minecraft-Education-Edition-Signup.html).
## Redeem Minecraft: Education Edition licenses
Redeeming your licenses takes just a few steps:
- Visit the device promotion page
- Submit a device purchase statement
- Provide proof of your device purchase
After that, well add the appropriate number of Minecraft: Education Edition licenses to your product inventory in **Microsoft Store for Education** as **Minecraft: Education Edition [subscription]**.
**To redeem Minecraft: Education Edition licenses**
1. Visit [Minecraft: Education Edition and Windows 10 device promotion](https://educationstore.microsoft.com/store/mee-device-promo?setflight=wsfb_devicepromo) in **Microsoft Store for Education**.
![Minecraft: Education Edition page in Microsoft Store for Education. ](images/get-mcee-promo.png)
2. Sign in to **Microsoft Store for Education** using a school account. If you dont have one, well help you set one up. <br>
-or-
If you're already signed in to Microsoft Store for Education, the device special offer is available on **Benefits**. </br>
Click **Manage**, **Benefits**, and then click **Minecraft: Education Edition Device Promotion**.
3. **On Minecraft Windows 10 device special offer**, click **Submit a device purchase**.
![Windows 10 device special offer page for Minecraft: Education Edition. Submit a device purchase is highlighted to show customers how to submit info about the devices you purchased. ](images/mcee-benefits.png)
4. Provide info for **Proof of Purchase**. Be sure to include a .pdf or .jpg of your invoice, and then click **Next**.
> [!NOTE]
> Your one-year subscription starts when you submit your proof-of-purchase info. Be sure to submit your request when you'll be using licenses in the classroom.
![Proof of purchase page with Invoice area highlighted.](images/proof-of-purchase.png)
5. Accept the **Promotion Terms of use**, and then click **Submit**. </br>
Success look like this!
![Proof of purchase page with Invoice area highlighted.](images/msfe-device-promo-success.png)
6. Click **Actions** and then click **Manage** to go to the management page for **Minecraft: Education Edition** and distribute licenses.
## Distribute Minecraft: Education Edition licenses
Teachers or admins can distribute the licenses:
- [Learn how teachers can distribute **Minecraft: Education Edition**](teacher-get-minecraft.md#distribute-minecraft)
- [Learn how IT administrators can distribute **Minecraft: Education Edition**](school-get-minecraft.md#distribute-minecraft)

BIN
education/windows/images/get-mcee-promo.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 240 KiB

BIN
education/windows/images/mcee-benefits.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 60 KiB

BIN
education/windows/images/msfe-device-promo-success.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 36 KiB

BIN
education/windows/images/proof-of-purchase.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 16 KiB

1
windows/access-protection/hello-for-business/hello-and-password-changes.md
View File

@ -8,6 +8,7 @@ ms.sitesec: library
ms.pagetype: security
author: DaniHalfin
localizationpriority: high
ms.author: daniha
---
# Windows Hello and password changes

1
windows/access-protection/hello-for-business/hello-biometrics-in-enterprise.md
View File

@ -9,6 +9,7 @@ ms.sitesec: library
ms.pagetype: security
author: DaniHalfin
localizationpriority: high
ms.author: daniha
---
# Windows Hello biometrics in the enterprise

1
windows/access-protection/hello-for-business/hello-errors-during-pin-creation.md
View File

@ -9,6 +9,7 @@ ms.sitesec: library
ms.pagetype: security
author: DaniHalfin
localizationpriority: high
ms.author: daniha
---
# Windows Hello errors during PIN creation

1
windows/access-protection/hello-for-business/hello-event-300.md
View File

@ -9,6 +9,7 @@ ms.sitesec: library
ms.pagetype: security
author: DaniHalfin
localizationpriority: high
ms.author: daniha
---
# Event ID 300 - Windows Hello successfully created

1
windows/access-protection/hello-for-business/hello-how-it-works.md
View File

@ -7,6 +7,7 @@ ms.sitesec: library
ms.pagetype: security
author: DaniHalfin
localizationpriority: high
ms.author: daniha
---
# How Windows Hello for Business works

1
windows/access-protection/hello-for-business/hello-identity-verification.md
View File

@ -9,6 +9,7 @@ ms.sitesec: library
ms.pagetype: security, mobile
author: DaniHalfin
localizationpriority: high
ms.author: daniha
---
# Windows Hello for Business

1
windows/access-protection/hello-for-business/hello-manage-in-organization.md
View File

@ -9,6 +9,7 @@ ms.sitesec: library
ms.pagetype: security
author: DaniHalfin
localizationpriority: high
ms.author: daniha
---
# Manage Windows Hello for Business in your organization

1
windows/access-protection/hello-for-business/hello-prepare-people-to-use.md
View File

@ -9,6 +9,7 @@ ms.sitesec: library
ms.pagetype: security
author: DaniHalfin
localizationpriority: high
ms.author: daniha
---
# Prepare people to use Windows Hello

1
windows/access-protection/hello-for-business/hello-why-pin-is-better-than-password.md
View File

@ -9,6 +9,7 @@ ms.sitesec: library
ms.pagetype: security
author: DaniHalfin
localizationpriority: high
ms.author: daniha
---
# Why a PIN is better than a password

2
windows/client-management/mdm/TOC.md
View File

@ -218,6 +218,8 @@
#### [Win32AppInventory DDF file](win32appinventory-ddf-file.md)
### [WindowsAdvancedThreatProtection CSP](windowsadvancedthreatprotection-csp.md)
#### [WindowsAdvancedThreatProtection DDF file](windowsadvancedthreatprotection-ddf.md)
### [WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md)
#### [WindowsDefenderApplicationGuard DDF file](windowsdefenderapplicationguard-ddf-file.md)
### [WindowsLicensing CSP](windowslicensing-csp.md)
#### [WindowsLicensing DDF file](windowslicensing-ddf-file.md)
### [WindowsSecurityAuditing CSP](windowssecurityauditing-csp.md)

2
windows/client-management/mdm/azure-active-directory-integration-with-mdm.md
View File

@ -52,7 +52,7 @@ Two Azure AD MDM enrollment scenarios:
- Joining a device to Azure AD for company-owned devices
- Adding a work account to a personal device (BYOD)
In both scenarios, Azure AD is responsible for authenticating the user and the device, which provides a verified unique device identifier that can be used fo MDM enrollment.
In both scenarios, Azure AD is responsible for authenticating the user and the device, which provides a verified unique device identifier that can be used for MDM enrollment.
In both scenarios, the enrollment flow provides an opportunity for the MDM service to render it's own UI, using a web view. MDM vendors should use this to render the Terms of Use (TOU), which can be different for company-owned and BYOD devices. MDM vendors can also use the web view to render additional UI elements, such as asking for a one-time PIN, if this is part of the business process of the organization.

47
windows/client-management/mdm/configuration-service-provider-reference.md
View File

@ -275,11 +275,11 @@ Footnotes:
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
@ -359,11 +359,11 @@ Footnotes:
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
@ -2305,6 +2305,37 @@ Footnotes:
<!--EndCSP-->
<!--StartCSP-->
<!--StartCSP-->
[WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md)
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--EndCSP-->
<!--StartCSP-->
[WindowsLicensing CSP](windowslicensing-csp.md)
<!--StartSKU-->

BIN
windows/client-management/mdm/images/provisioning-csp-windowsdefenderapplicationguard.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 17 KiB

8
windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
View File

@ -1258,9 +1258,17 @@ Also Added [Firewall DDF file](firewall-ddf-file.md).</td></tr>
</ul>
</td></tr>
<tr class="even">
<td style="vertical-align:top">[WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md)</td>
<td style="vertical-align:top">New CSP added in Windows 10, version 1709. Also added the DDF topic [WindowsDefenderApplicationGuard DDF file](windowsdefenderapplicationguard-ddf-file.md).</td>
</tr>
<tr class="odd">
<td style="vertical-align:top">[DynamicManagement CSP](dynamicmanagement-csp.md)</td>
<td style="vertical-align:top">The DynamicManagement CSP is not supported in Windows 10 Mobile and Mobile Enterprise. The table of SKU information in the [Configuration service provider reference](configuration-service-provider-reference.md) was updated.</td>
</tr>
<tr class="even">
<td style="vertical-align:top">[CM_ProxyEntries CSP](cm-proxyentries-csp.md) and [CMPolicy CSP](cmpolicy-csp.md)</td>
<td style="vertical-align:top">In Windows 10, version 1709, support for desktop SKUs were added to these CSPs. The table of SKU information in the [Configuration service provider reference](configuration-service-provider-reference.md) was updated.</td>
</tr>
</tbody>
</table>

28034
windows/client-management/mdm/policy-ddf-file.md
View File

File diff suppressed because it is too large Load Diff

8
windows/client-management/mdm/vpnv2-csp.md
View File

@ -1215,7 +1215,7 @@ Servers
<Target>
<LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/NativeProfile/Authentication/CryptographySuite/EncryptionMethod</LocURI>
</Target>
<Data>PFS2048</Data>
<Data>AES128</Data>
</Item>
</Add>
<Add>
@ -1224,7 +1224,7 @@ Servers
<Target>
<LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/NativeProfile/Authentication/CryptographySuite/IntegrityCheckMethod</LocURI>
</Target>
<Data>Eap</Data>
<Data>SHA256</Data>
</Item>
</Add>
<Add>
@ -1233,7 +1233,7 @@ Servers
<Target>
<LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/NativeProfile/Authentication/CryptographySuite/DHGroup</LocURI>
</Target>
<Data>SHA256</Data>
<Data>Group2</Data>
</Item>
</Add>
<Add>
@ -1242,7 +1242,7 @@ Servers
<Target>
<LocURI>./Vendor/MSFT/VPNv2/VPNProfileName/NativeProfile/Authentication/CryptographySuite/PfsGroup</LocURI>
</Target>
<Data>AES128</Data>
<Data>PFS2048</Data>
</Item>
</Add>

95
windows/client-management/mdm/windowsdefenderapplicationguard-csp.md Normal file
View File

@ -0,0 +1,95 @@
---
title: WindowsDefenderApplicationGuard CSP
description: WindowsDefenderApplicationGuard CSP
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 06/27/2017
---
# WindowsDefenderApplicationGuard CSP
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
The WindowsDefenderApplicationGuard configuration service provider (CSP) is used by the enterprise to configure the settings in the Application Guard. This CSP was added in Windows 10, version 1709.
The following diagram shows the WindowsDefenderApplicationGuard configuration service provider in tree format.
![windowsdefenderapplicationguard csp](images/provisioning-csp-windowsdefenderapplicationguard.png)
<a href="" id="windowsdefenderapplicationguard"></a>**./Device/Vendor/MSFT/WindowsDefenderApplicationGuard**
<p style="margin-left: 20px">Root node. Supported operation is Get.</p>
<p style="margin-left: 20px"></p>
<a href="" id="settings"></a>**Settings**
<p style="margin-left: 20px">Interior node. Supported operation is Get.</p>
<a href="" id="allowwindowsdefenderapplicationguard"></a>**Settings/AllowWindowsDefenderApplicationGuard**
<p style="margin-left: 20px">Turn on Windows Defender Application Guard in Enterprise Mode. Value type is integer. Supported operations are Add, Get, Replace, and Delete.</p>
- 0 - Stops Application Guard in Enterprise Mode. Trying to access non-enterprise domains on the host will not automatically get transferred into the insolated environment.
- 1 - Enables Application Guard in Enterprise Mode. Trying to access non-enterprise websites on the host will automatically get transferred into the container.
<a href="" id="clipboardfiletype"></a>**Settings/ClipboardFileType**
<p style="margin-left: 20px">Determines the type of content that can be copied from the host to Application Guard environment and vice versa. Value type is integer. Supported operations are Add, Get, Replace, and Delete.</p>
- 0 - Allow text copying.
- 1 - Allow text and image copying.
<a href="" id="clipboardsettings"></a>**Settings/ClipboardSettings**
<p style="margin-left: 20px">This policy setting allows you to decide how the clipboard behaves while in Application Guard. Value type is integer. Supported operations are Add, Get, Replace, and Delete</p>
- 0 (default) - Completely turns Off the clipboard functionality for the Application Guard.
- 1 - Turns On the clipboard functionality and lets you choose whether to additionally enable copying of certain content from Application Guard into Microsoft Edge and enable copying of certain content from Microsoft Edge into Application Guard.
> [!Important]
> Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.
<a href="" id="printingsettings"></a>**Settings/PrintingSettings**
<p style="margin-left: 20px">This policy setting allows you to decide how the print functionality behaves while in Application Guard. Value type is integer. Supported operations are Add, Get, Replace, and Delete.</p>
- 0 - Disables all print functionality (default)
- 1 - Enables only XPS printing
- 2 - Enables only PDF printing
- 3 - Enables both PDF and XPS printing
- 4 - Enables only local printing
- 5 - Enables both local and XPS printing - 6 - Enables both local and PDF printing
- 7 - Enables local, PDF, and XPS printing
- 8 - Enables only network printing
- 9 - Enables both network and XPS printing
- 10 - Enables both network and PDF printing
- 11 - Enables network, PDF, and XPS printing
- 12 - Enables both network and local printing
- 13 - Enables network, local, and XPS printing
- 14 - Enables network, local, and PDF printing
- 15 - Enables all printing
<a href="" id="blocknonenterprisecontent"></a>**Settings/BlockNonEnterpriseContent**
<p style="margin-left: 20px">This policy setting allows you to decide whether websites can load non-enterprise content in Microsoft Edge and Internet Explorer. Value type is integer. Supported operations are Add, Get, Replace, and Delete.</p>
- 0 - Non-enterprise content embedded on enterprise sites are stopped from opening in Internet Explorer or Microsoft Edge outside of Windows Defender Application Guard.
- 1 (default) - Non-enterprise sites can open outside of the Windows Defender Application Guard container, directly in Internet Explorer and Microsoft Edge.
<a href="" id="allowpersistence"></a>**Settings/AllowPersistence**
<p style="margin-left: 20px">This policy setting allows you to decide whether data should persist across different sessions in Application Guard. Value type is integer. Supported operations are Add, Get, Replace, and Delete.</p>
- 0 - Application Guard discards user-downloaded files and other items (such as, cookies, Favorites, and so on) during machine restart or user log-off.
- 1 - Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.
<a href="" id="status"></a>**Status**
<p style="margin-left: 20px">Returns status on Application Guard installation and pre-requisites. Value type is integer. Supported operation is Get.</p>
<a href="" id="installwindowsdefenderapplicationguard"></a>**InstallWindowsDefenderApplicationGuard**
<p style="margin-left: 20px">Initiates remote installation of Application Guard feature. Supported operations are Get and Execute.</p>
<a href="" id="audit"></a>**Audit**
<p style="margin-left: 20px">Interior node. Supported operation is Get</p>
<a href="" id="auditapplicationguard"></a>**Audit/AuditApplicationGuard**
<p style="margin-left: 20px">This policy setting allows you to decide whether auditing events can be collected from Application Guard. Value type in integer. Supported operations are Add, Get, Replace, and Delete.</p>
- 0 (default) - - Audit event logs aren't collected for Application Guard.
- 1 - Application Guard inherits its auditing policies from Microsoft Edge and starts to audit system events specifically for Application Guard.

290
windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md Normal file
View File

@ -0,0 +1,290 @@
---
title: WindowsDefenderApplicationGuard DDF file
description: WindowsDefenderApplicationGuard DDF file
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 06/27/2017
---
# WindowsDefenderApplicationGuard DDF file
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
This topic shows the OMA DM device description framework (DDF) for the **WindowsDefenderApplicationGuard** configuration service provider.
``` syntax
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
"http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
[<?oma-dm-ddf-ver supported-versions="1.2"?>]>
<MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
<VerDTD>1.2</VerDTD>
<Node>
<NodeName>WindowsDefenderApplicationGuard</NodeName>
<Path>./Vendor/MSFT</Path>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>com.microsoft/1.1/MDM/WindowsDefenderApplicationGuard</MIME>
</DFType>
</DFProperties>
<Node>
<NodeName>Settings</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>AllowWindowsDefenderApplicationGuard</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>ClipboardFileType</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>ClipboardSettings</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>PrintingSettings</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>BlockNonEnterpriseContent</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>AllowPersistence</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Delete />
<Replace />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>Status</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>InstallWindowsDefenderApplicationGuard</NodeName>
<DFProperties>
<AccessType>
<Get />
<Exec />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Audit</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>AuditApplicationGuard</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Delete />
<Replace />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</MgmtTree>
```

1
windows/configuration/change-history-for-configure-windows-10.md
View File

@ -18,6 +18,7 @@ This topic lists new and updated topics in the [Configure Windows 10](index.md)
| New or changed topic | Description |
| --- | --- |
| [Guidelines for choosing an app for assigned access](guidelines-for-assigned-access-app.md) | Added guidelines for using Remote Desktop app as the kiosk app and added a general guideline that apps generated using the Desktop App Converter cannot be used for kiosk apps |
| [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) | Added warning about using Shell Launcher to set a custom shell with an application that launches a different process and then exits |
| [Windows Configuration Designer command-line interface (reference)](provisioning-packages/provisioning-command-line.md) | Removed references to imaging |

10
windows/configuration/guidelines-for-assigned-access-app.md
View File

@ -7,6 +7,8 @@ ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerms
localizationpriority: high
ms.author: jdecker
ms.date: 06/29/2017
---
# Guidelines for choosing an app for assigned access (kiosk mode)
@ -27,6 +29,14 @@ The following guidelines may help you choose an appropriate Windows app for your
- Updating a Windows app can sometimes change the Application User Model ID (AUMID) of the app. If this happens, you must update the assigned access settings to launch the updated app, because assigned access uses the AUMID to determine which app to launch.
- Apps that are generated using the [Desktop App Converter (Desktop Bridge)](https://docs.microsoft.com/windows/uwp/porting/desktop-to-uwp-run-desktop-app-converter) cannot be used as kiosk apps.
## Guidelines for using Remote Desktop app
Kiosk apps open in full screen. When you assign [Remote Desktop](https://www.microsoft.com/store/apps/9wzdncrfj3ps) as the kiosk app, make sure the **Start connections in full screen** setting in the Remote Desktop app is set to **Off**.
![Toggle Start connections in full screen to off](images/rdc.png)
## Guidelines for Windows apps that launch other apps

BIN
windows/configuration/images/rdc.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 15 KiB

2
windows/deployment/TOC.md
View File

@ -41,6 +41,8 @@
##### [Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista](planning/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md)
#### [Change history for Plan for Windows 10 deployment](planning/change-history-for-plan-for-windows-10-deployment.md)
### [Overview of Windows AutoPilot](windows-10-auto-pilot.md)
### [Windows 10 deployment scenarios](windows-10-deployment-scenarios.md)
### [Windows 10 deployment tools reference](windows-10-deployment-tools-reference.md)

6
windows/deployment/change-history-for-deploy-windows-10.md
View File

@ -6,11 +6,17 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: greg-lindsay
ms.date: 06/28/2017
---
# Change history for Deploy Windows 10
This topic lists new and updated topics in the [Deploy Windows 10](index.md) documentation for [Windows 10 and Windows 10 Mobile](/windows/windows-10).
## June 2017
| New or changed topic | Description |
|----------------------|-------------|
| [Overview of Windows AutoPilot](windows-10-auto-pilot.md) | New |
## April 2017
| New or changed topic | Description |
|----------------------|-------------|

6
windows/deployment/deploy-windows-sccm/add-a-windows-10-operating-system-image-using-configuration-manager.md
View File

@ -15,7 +15,11 @@ author: mtniehaus
**Applies to**
- Windows 10
- Windows 10 versions 1507, 1511
>[!IMPORTANT]
>For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems).
>Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for System Center Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10).
Operating system images are typically the production image used for deployment throughout the organization. This topic shows you how to add a Windows 10 operating system image created with Microsoft System Center 2012 R2 Configuration Manager, and how to distribute the image to a distribution point.

6
windows/deployment/deploy-windows-sccm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md
View File

@ -15,7 +15,11 @@ author: mtniehaus
**Applies to**
- Windows 10
- Windows 10 versions 1507, 1511
>[!IMPORTANT]
>For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems).
>Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for System Center Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10).
In this topic, you will learn how to configure the Windows Preinstallation Environment (Windows PE) to include the network drivers required to connect to the deployment share and the storage drivers required to see the local storage on machines. Even though the Windows PE boot image and the Windows 10 operating system contain many out-of-the-box drivers, it is likely you will have to add new or updated drivers to support all your hardware. In this section, you import drivers for both Windows PE and the full Windows 10 operating system.

6
windows/deployment/deploy-windows-sccm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md
View File

@ -15,7 +15,11 @@ author: mtniehaus
**Applies to**
- Windows 10
- Windows 10 versions 1507, 1511
>[!IMPORTANT]
>For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems).
>Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for System Center Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10).
In Microsoft System Center 2012 R2 Configuration Manager, you can create custom Windows Preinstallation Environment (Windows PE) boot images that include extra components and features. This topic shows you how to create a custom Windows PE 5.0 boot image with the Microsoft Deployment Toolkit (MDT) wizard. You can also add the Microsoft Diagnostics and Recovery Toolset (DaRT) 10 to the boot image as part of the boot image creation process.

6
windows/deployment/deploy-windows-sccm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md
View File

@ -15,7 +15,11 @@ author: mtniehaus
**Applies to**
- Windows 10
- Windows 10 versions 1507, 1511
>[!IMPORTANT]
>For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems).
>Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for System Center Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10).
Microsoft System Center 2012 R2 Configuration Manager supports deploying applications as part of the Windows 10 deployment process. In this section, you create an application in System Center 2012 R2 Configuration Manager that you later configure the task sequence to use.

6
windows/deployment/deploy-windows-sccm/deploy-windows-10-using-pxe-and-configuration-manager.md
View File

@ -15,7 +15,11 @@ author: mtniehaus
**Applies to**
- Windows 10
- Windows 10 versions 1507, 1511
>[!IMPORTANT]
>For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems).
>Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for System Center Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10).
In this topic, you will learn how to deploy Windows 10 using Microsoft System Center 2012 R2 Configuration Manager deployment packages and task sequences. This topic will walk you through the process of deploying the Windows 10 Enterprise image to a Unified Extensible Firmware Interface (UEFI) machine named PC0001.

8
windows/deployment/deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md
View File

@ -15,9 +15,13 @@ author: mtniehaus
**Applies to**
- Windows 10
- Windows 10 versions 1507, 1511
If you have Microsoft System Center 2012 R2 Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT).
>[!IMPORTANT]
>For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems).
>Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for System Center Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10).
If you have Microsoft System Center 2012 R2 Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT).
For the purposes of this topic, we will use four machines: DC01, CM01, PC0003, and PC0004. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 standard. PC0003 and PC0004 are machines with Windows 7 SP1, on which Windows 10 will be deployed via both refresh and replace scenarios. In addition to these four ready-made machines, you could also include a few blank virtual machines to be used for bare-metal deployments. DC01, CM01, PC003, and PC0004 are all members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md).

6
windows/deployment/deploy-windows-sccm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md
View File

@ -15,7 +15,11 @@ author: mtniehaus
**Applies to**
- Windows 10
- Windows 10 versions 1507, 1511
>[!IMPORTANT]
>For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems).
>Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for System Center Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10).
This topic walks you through the steps to finalize the configuration of your Windows 10 operating deployment, which includes enablement of the optional Microsoft Deployment Toolkit (MDT) monitoring for Microsoft System Center 2012 R2 Configuration Manager, logs folder creation, rules configuration, content distribution, and deployment of the previously created task sequence.

6
windows/deployment/deploy-windows-sccm/monitor-windows-10-deployment-with-configuration-manager.md
View File

@ -15,7 +15,11 @@ author: mtniehaus
**Applies to**
- Windows 10
- Windows 10 versions 1507, 1511
>[!IMPORTANT]
>For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems).
>Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for System Center Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10).
In this topic, you will learn how to monitor a Windows 10 deployment that was started previously using Microsoft System Center 2012 R2 Configuration Manager and the Microsoft Deployment Toolkit (MDT) Deployment Workbench. You will also use the Deployment Workbench to access the computer remotely via the Microsoft Diagnostics and Recovery Toolkit (DaRT) Remote Connection feature.

6
windows/deployment/deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
View File

@ -15,7 +15,11 @@ author: mtniehaus
**Applies to**
- Windows 10
- Windows 10 versions 1507, 1511
>[!IMPORTANT]
>For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems).
>Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for System Center Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10).
This topic will walk you through the process of integrating Microsoft System Center 2012 R2 Configuration Manager SP1 with Microsoft Deployment Toolkit (MDT) 2013 Update 2, as well as the other preparations needed to deploying Windows 10 via Zero Touch Installation. Additional preparations include the installation of hotfixes as well as activities that speed up the Pre-Boot Execution Environment (PXE).

6
windows/deployment/deploy-windows-sccm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md
View File

@ -15,7 +15,11 @@ author: mtniehaus
**Applies to**
- Windows 10
- Windows 10 versions 1507, 1511
>[!IMPORTANT]
>For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems).
>Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for System Center Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10).
This topic will show you how to use a previously created task sequence to refresh a Windows 7 SP1 client with Windows 10 using Microsoft System Center 2012 R2 Configuration Manager and Microsoft Deployment Toolkit (MDT) 2013 Update 2. When refreshing a machine to a later version, it appears as an upgrade to the end user, but technically it is not an in-place upgrade. A computer refresh also involves taking care of user data and settings from the old installation and making sure to restore those at the end of the installation. For more information, see [Refresh a Windows 7 computer with Windows 10](../deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md).

6
windows/deployment/deploy-windows-sccm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md
View File

@ -15,7 +15,11 @@ author: mtniehaus
**Applies to**
- Windows 10
- Windows 10 versions 1507, 1511
>[!IMPORTANT]
>For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems).
>Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for System Center Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10).
In this topic, you will learn how to replacing a Windows 7 SP1 computer using Microsoft System Center 2012 R2 Configuration Manager. This process is similar to refreshing a computer, but since you are replacing the machine, you have to run the backup job separately from the deployment of Windows 10.

8
windows/deployment/update/change-history-for-update-windows-10.md
View File

@ -5,6 +5,8 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: DaniHalfin
ms.author: daniha
ms.date: 05/16/2017
---
# Change history for Update Windows 10
@ -13,6 +15,12 @@ This topic lists new and updated topics in the [Update Windows 10](index.md) doc
>If you're looking for **update history** for Windows 10, see [Windows 10 and Windows Server 2016 update history](https://support.microsoft.com/help/12387/windows-10-update-history).
## May 2017
| New or changed topic | Description |
| --- | --- |
| [Manage additional Windows Update settings](waas-wu-settings.md) | New |
## RELEASE: Windows 10, version 1703
The topics in this library have been updated for Windows 10, version 1703 (also known as the Creators Update). The following new topics have been added:

1
windows/deployment/update/index.md
View File

@ -6,6 +6,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
author: DaniHalfin
localizationpriority: high
ms.author: daniha
---
# Update Windows 10 in the enterprise

1
windows/deployment/update/waas-branchcache.md
View File

@ -6,6 +6,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
author: DaniHalfin
localizationpriority: high
ms.author: daniha
---
# Configure BranchCache for Windows 10 updates

1
windows/deployment/update/waas-configure-wufb.md
View File

@ -6,6 +6,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
author: DaniHalfin
localizationpriority: high
ms.author: daniha
---
# Configure Windows Update for Business

1
windows/deployment/update/waas-delivery-optimization.md
View File

@ -6,6 +6,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
author: DaniHalfin
localizationpriority: high
ms.author: daniha
---
# Configure Delivery Optimization for Windows 10 updates

1
windows/deployment/update/waas-deployment-rings-windows-10-updates.md
View File

@ -6,6 +6,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
author: DaniHalfin
localizationpriority: high
ms.author: daniha
---
# Build deployment rings for Windows 10 updates

1
windows/deployment/update/waas-integrate-wufb.md
View File

@ -6,6 +6,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
author: DaniHalfin
localizationpriority: high
ms.author: daniha
---
# Integrate Windows Update for Business with management solutions

1
windows/deployment/update/waas-manage-updates-configuration-manager.md
View File

@ -6,6 +6,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
author: DaniHalfin
localizationpriority: high
ms.author: daniha
---
# Deploy Windows 10 updates using System Center Configuration Manager

1
windows/deployment/update/waas-manage-updates-wsus.md
View File

@ -6,6 +6,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
author: DaniHalfin
localizationpriority: high
ms.author: daniha
---
# Deploy Windows 10 updates using Windows Server Update Services (WSUS)

1
windows/deployment/update/waas-manage-updates-wufb.md
View File

@ -6,6 +6,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
author: DaniHalfin
localizationpriority: high
ms.author: daniha
---
# Deploy updates using Windows Update for Business

1
windows/deployment/update/waas-mobile-updates.md
View File

@ -6,6 +6,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
author: DaniHalfin
localizationpriority: high
ms.author: daniha
---
# Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile

1
windows/deployment/update/waas-optimize-windows-10-updates.md
View File

@ -6,6 +6,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
author: DaniHalfin
localizationpriority: high
ms.author: daniha
---
# Optimize Windows 10 update delivery

1
windows/deployment/update/waas-overview.md
View File

@ -6,6 +6,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
author: DaniHalfin
localizationpriority: high
ms.author: daniha
---
# Overview of Windows as a service

1
windows/deployment/update/waas-quick-start.md
View File

@ -6,6 +6,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
author: DaniHalfin
localizationpriority: high
ms.author: daniha
---
# Quick guide to Windows as a service

1
windows/deployment/update/waas-restart.md
View File

@ -6,6 +6,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
author: DaniHalfin
localizationpriority: high
ms.author: daniha
---
# Manage device restarts after updates

1
windows/deployment/update/waas-servicing-branches-windows-10-updates.md
View File

@ -6,6 +6,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
author: DaniHalfin
localizationpriority: high
ms.author: daniha
---
# Assign devices to servicing branches for Windows 10 updates

1
windows/deployment/update/waas-servicing-strategy-windows-10-updates.md
View File

@ -6,6 +6,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
author: DaniHalfin
localizationpriority: high
ms.author: daniha
---
# Prepare servicing strategy for Windows 10 updates

1
windows/deployment/update/waas-windows-insider-for-business-aad.md
View File

@ -6,6 +6,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
author: DaniHalfin
localizationpriority: high
ms.author: daniha
---
# Windows Insider Program for Business using Azure Active Directory

1
windows/deployment/update/waas-windows-insider-for-business-faq.md
View File

@ -6,6 +6,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
author: DaniHalfin
localizationpriority: high
ms.author: daniha
---
# Windows Insider Program for Business Frequently Asked Questions

1
windows/deployment/update/waas-windows-insider-for-business.md
View File

@ -6,6 +6,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
author: DaniHalfin
localizationpriority: high
ms.author: daniha
---
# Windows Insider Program for Business

2
windows/deployment/update/waas-wu-settings.md
View File

@ -6,6 +6,8 @@ ms.mktglfcycl: deploy
ms.sitesec: library
author: DaniHalfin
localizationpriority: high
ms.author: daniha
ms.date: 05/16/2017
---
# Manage additional Windows Update settings

1
windows/deployment/update/waas-wufb-group-policy.md
View File

@ -6,6 +6,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
author: DaniHalfin
localizationpriority: high
ms.author: daniha
---
# Walkthrough: use Group Policy to configure Windows Update for Business

1
windows/deployment/update/waas-wufb-intune.md
View File

@ -6,6 +6,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
author: DaniHalfin
localizationpriority: high
ms.author: daniha
---
# Walkthrough: use Microsoft Intune to configure Windows Update for Business

11
windows/deployment/windows-10-auto-pilot.md
View File

@ -8,6 +8,8 @@ localizationpriority: high
ms.sitesec: library
ms.pagetype: deploy
author: DaniHalfin
ms.author: daniha
ms.date: 06/30/2017
---
# Overview of Windows AutoPilot
@ -73,7 +75,7 @@ $wmi = Get-WMIObject -Namespace root/cimv2/mdm/dmmap -Class MDM_DevDetail_Ext01
$wmi.DeviceHardwareData | Out-File "$($env:COMPUTERNAME).txt"
```
>[!NOTE]
>This PowerShell script requires elevated permissions. The output format might not fit the upload method. Check out the [Microsoft Store for Business](/microsoft-store/add-profile-to-devices) or [Partner Center](https://msdn.microsoft.com/partner-center/autopilot) for additional guidance.
>This PowerShell script requires elevated permissions. The output format might not fit the upload method. Check out the Microsoft Store for Business or [Partner Center](https://msdn.microsoft.com/partner-center/autopilot) for additional guidance.
By uploading this information to the Microsoft Store for Business or Partner Center admin portal, you'll be able to assign devices to your organization.
Additional options and customization is available through these portals to pre-configure the devices.
@ -84,12 +86,9 @@ Options available for Windows 10, Version 1703:
* Skipping privacy settings
* Preventing the account used to set-up the device from getting local administrator permissions
Additional options we are working on for the next Windows 10 release:
* Skipping EULA
* Personalizing the setup experience
* MDM Support
We are working to add additional options to further personalize and streamline the setup experience in future releases.
To see additional details on how to customize the OOBE experience and how to follow this process, see guidance for [Microsoft Store for Business](/microsoft-store/add-profile-to-devices) or [Partner Center](https://msdn.microsoft.com/partner-center/autopilot).
To see additional details on how to customize the OOBE experience and how to follow this process, see guidance for Microsoft Store for Business or [Partner Center](https://msdn.microsoft.com/partner-center/autopilot).
### IT-Driven

2
windows/device-security/applocker/tools-to-use-with-applocker.md
View File

@ -46,7 +46,7 @@ The following tools can help you administer the application control policies cre
- **AppLocker PowerShell cmdlets**
The AppLocker Windows PowerShell cmdlets are designed to streamline the administration of AppLocker policy. They can be used to help create, test, maintain, and troubleshoot an AppLocker policy. The cmdlets are intended to be used in conjunction with the AppLocker user interface that is accessed through the Local Security Policy snap-in and the GPMC. For information about the cmdlets, see the [AppLocker PowerShell Command Reference](http://technet.microsoft.com/library/hh847210.aspx).
The AppLocker Windows PowerShell cmdlets are designed to streamline the administration of AppLocker policy. They can be used to help create, test, maintain, and troubleshoot an AppLocker policy. The cmdlets are intended to be used in conjunction with the AppLocker user interface that is accessed through the Local Security Policy snap-in and the GPMC. For information about the cmdlets, see the [AppLocker PowerShell Command Reference](https://technet.microsoft.com/itpro/powershell/windows/applocker/applocker).
## Related topics

1
windows/threat-protection/TOC.md
View File

@ -152,6 +152,7 @@
#### [Using Outlook Web Access with Windows Information Protection (WIP)](windows-information-protection\using-owa-with-wip.md)
## [Mitigate threats by using Windows 10 security features](overview-of-threat-mitigations-in-windows-10.md)
## [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md)
## [How hardware-based containers help protect Windows 10](how-hardware-based-containers-help-protect-windows.md)
## [Secure the windows 10 boot process](secure-the-windows-10-boot-process.md)
## [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-instrusion-detection.md)
## [Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md)

3
windows/threat-protection/change-history-for-threat-protection.md
View File

@ -14,7 +14,8 @@ This topic lists new and updated topics in the [Threat protection](index.md) doc
## June 2017
|New or changed topic |Description |
|---------------------|------------|
[Create a Windows Information Protection (WIP) with enrollment policy using the Azure portal for Microsoft Intune](windows-information-protection\create-wip-policy-using-intune-azure.md)|New topic for MDM using the Azure portal.|
| [How hardware-based containers help protect Windows 10](how-hardware-based-containers-help-protect-windows.md) | New |
|[Create a Windows Information Protection (WIP) with enrollment policy using the Azure portal for Microsoft Intune](windows-information-protection\create-wip-policy-using-intune-azure.md)|New topic for MDM using the Azure portal.|
[Deploy your Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune](windows-information-protection\deploy-wip-policy-using-intune-azure.md)|New topic for MDM using the Azure portal.|
[Associate and deploy a VPN policy for Windows Information Protection (WIP) using the Azure portal for Microsoft Intune](windows-information-protection\create-vpn-and-wip-policy-using-intune-azure.md)|New topic for MDM using the Azure portal.|
|[List of enlightened Microsoft apps for use with Windows Information Protection (WIP)](windows-information-protection\enlightened-microsoft-apps-and-wip.md)|Updated to include newly enlightened and supported apps.|

60
windows/threat-protection/how-hardware-based-containers-help-protect-windows.md Normal file
View File

@ -0,0 +1,60 @@
---
title: How hardware-based containers help protect Windows 10 (Windows 10)
description: Windows 10 uses containers to isolate sensitive system services and data, enabling them to remain secure even when the operating system has been compromised.
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: justinha
ms.date: 06/29/2017
---
# How hardware-based containers help protect Windows 10
Windows 10 uses containers to isolate sensitive system services and data, enabling them to remain secure even when the operating system has been compromised.
Windows 10 protects critical resources, such as the Windows authentication stack, single sign-on tokens, Windows Hello biometric stack, and Virtual Trusted Platform Module, by using a container type called Windows Defender System Guard.
Protecting system services and data with Windows Defender System Guard is an important first step, but is just the beginning of what we need to do as it doesnt protect the rest of the operating system, information on the device, other apps, or the network.
Since systems are generally compromised through the application layer, and often though browsers, Windows 10 includes Windows Defender Application Guard to isolate Microsoft Edge from the operating system, information on the device, and the network.
With this, Windows can start to protect the broader range of resources.
The following diagram shows Windows Defender System Guard and Windows Defender Application Guard in relation to the Windows 10 operating system.
![Application Guard and System Guard](images/application-guard-and-system-guard.png)
## What security threats do containers protect against
Exploiting zero days and vulnerabilities are an increasing threat that attackers are attempting to take advantage of.
The following diagram shows the traditional Windows software stack: a kernel with an app platform, and an app running on top of it.
Lets look at how an attacker might elevate privileges and move down the stack.
![Traditional Windows software stack](images/traditional-windows-software-stack.png)
In desktop operating systems, those apps typically run under the context of the users privileges.
If the app was malicious, it would have access to all the files in the file system, all the settings that you as a user Standard user have access to, and so on.
A different type of app may run under the context of an Administrator.
If attackers exploit a vulnerability in that app, they could gain Administrator privileges.
Then they can start turning off defenses.
They can poke down a little bit lower in the stack and maybe elevate to System, which is greater than Administrator.
Or if they can exploit the kernel mode, they can turn on and turn off all defenses, while at the same time making the computer look healthy.
SecOps tools could report the computer as healthy when in fact its completely under the control of someone else.
One way to address this threat is to use a sandbox, as smartphones do.
That puts a layer between the app layer and the Windows platform services.
Universal Windows Platform (UWP) applications work this way.
But what if a vulnerability in the sandbox exists?
The attacker can escape and take control of the system.
## How containers help protect Windows 10
Windows 10 addresses this by using virtualization based security to isolate more and more components out of Windows (left side) over time and moving those components into a separate, isolated hardware container.
The container helps prevent zero days and vulnerabilities from allowing an attacker to take control of a device.
Anything that's running in that container on the right side will be safe, even from Windows, even if the kernel's compromised.
Anything that's running in that container will also be secure against a compromised app.
Initially, Windows Defender System Guard will protect things like authentication and other system services and data that needs to resist malware, and more things will be protected over time.
![Windows Defender System Guard](images/windows-defender-system-guard.png)

BIN
windows/threat-protection/images/application-guard-and-system-guard.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 40 KiB

BIN
windows/threat-protection/images/traditional-windows-software-stack.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 33 KiB

BIN
windows/threat-protection/images/windows-defender-system-guard.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 69 KiB

1
windows/threat-protection/secure-the-windows-10-boot-process.md
View File

@ -8,6 +8,7 @@ ms.pagetype: security
ms.sitesec: library
localizationpriority: medium
author: brianlic-msft
ms.date: 06/23/2017
---
# Secure the Windows 10 boot process

2
windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md
View File

@ -21,7 +21,7 @@ Windows Defender Antivirus is a built-in antimalware solution that provides secu
This library of documentation is aimed for enterprise security administrators who are either considering deployment, or have already deployed and are wanting to manage and configure Windows Defender AV on PC endpoints in their network.
For more important information about running Windows Defender on a server platform, see [Windows Defender Overview for Windows Server](https://technet.microsoft.com/library/dn765478.aspx).
For more important information about running Windows Defender AV on a server platform, see [Windows Defender Overview for Windows Server](https://technet.microsoft.com/library/dn765478.aspx).
Windows Defender AV can be managed with:
- System Center Configuration Manager (as System Center Endpoint Protection, or SCEP)