deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 13:27:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'master' of https://github.com/Microsoft/win-cpub-itpro-docs into eduaccessibility

Browse Source
This commit is contained in:
Celeste de Guzman 2017-06-15 09:40:18 -07:00
commit 9450e152ab
84 changed files with 2961 additions and 379 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
.openpublishing.redirection.json
View File

@ -1,59 +1,64 @@
{
{
"redirections": [
{
"source_path": "windows/device-security/windows-security-baselines.md",
"redirect_url": "https://www.microsoft.com/download/details.aspx?id=55319",
"redirect_document_id": false
},
{
"source_path": "education/windows/windows-10-pro-to-pro-edu-upgrade.md",
"redirect_url": "/education/windows/switch-to-pro-education",
"redirect_document_id": true
"redirect_document_id": true
},
{
"source_path": "windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md",
"redirect_url": "/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune",
"redirect_document_id": false
"redirect_document_id": false
},
{
"source_path": "windows/keep-secure/configure-windows-defender-in-windows-10.md",
"redirect_url": "/windows/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus",
"redirect_document_id": true
"redirect_document_id": true
},
{
"source_path": "windows/keep-secure/enable-pua-windows-defender-for-windows-10.md",
"redirect_url": "/windows/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus",
"redirect_document_id": true
"redirect_document_id": true
},
{
"source_path": "windows/keep-secure/get-started-with-windows-defender-for-windows-10.md",
"redirect_url": "/windows/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus",
"redirect_document_id": false
"redirect_document_id": false
},
{
"source_path": "windows/keep-secure/run-cmd-scan-windows-defender-for-windows-10.md",
"redirect_url": "/windows/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus",
"redirect_document_id": true
"redirect_document_id": true
},
{
"source_path": "windows/keep-secure/troubleshoot-windows-defender-in-windows-10.md",
"redirect_url": "/windows/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus",
"redirect_document_id": true
"redirect_document_id": true
},
{
"source_path": "windows/keep-secure/use-powershell-cmdlets-windows-defender-for-windows-10.md",
"redirect_url": "/windows/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus",
"redirect_document_id": true
"redirect_document_id": true
},
{
"source_path": "windows/keep-secure/windows-defender-block-at-first-sight.md",
"redirect_url": "/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus",
"redirect_document_id": true
"redirect_document_id": true
},
{
"source_path": "windows/keep-secure/windows-defender-in-windows-10.md",
"redirect_url": "/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10",
"redirect_document_id": true
"redirect_document_id": true
},
{
"source_path": "windows/keep-secure/windows-defender-enhanced-notifications.md",
"redirect_url": "/windows/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus",
"redirect_document_id": true
"redirect_document_id": true
},
{
"source_path": "windows/keep-secure/configure-aad-windows-defender-advanced-threat-protection.md",
@ -535,7 +540,7 @@
"redirect_url": "/windows/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection",
"redirect_document_id": true
},
{
{
"source_path": "windows/keep-secure/ad-ds-schema-extensions-to-support-tpm-backup.md",
"redirect_url": "https://technet.microsoft.com/library/jj635854.aspx",
"redirect_document_id": true

3
browsers/edge/docfx.json
View File

@ -19,7 +19,8 @@
"ROBOTS": "INDEX, FOLLOW",
"ms.technology": "microsoft-edge",
"ms.topic": "article",
"ms.author": "lizross"
"ms.author": "lizross",
"ms.date": "04/05/2017"
},
"externalReference": [
],

3
browsers/internet-explorer/docfx.json
View File

@ -20,7 +20,8 @@
"ms.author": "lizross",
"author": "eross-msft",
"ms.technology": "internet-explorer",
"ms.topic": "article"
"ms.topic": "article",
"ms.date": "04/05/2017"
},
"externalReference": [
],

3
devices/hololens/docfx.json
View File

@ -33,7 +33,8 @@
"breadcrumb_path": "/hololens/breadcrumb/toc.json",
"ms.technology": "windows",
"ms.topic": "article",
"ms.author": "jdecker"
"ms.author": "jdecker",
"ms.date": "04/05/2017"
},
"fileMetadata": {},
"template": [

3
devices/surface-hub/docfx.json
View File

@ -22,7 +22,8 @@
"ms.mktglfcycl": "manage",
"author": "jdeckerms",
"ms.sitesec": "library",
"ms.author": "jdecker"
"ms.author": "jdecker",
"ms.date": "05/23/2017"
},
"externalReference": [
],

6
devices/surface-hub/surfacehub-whats-new-1703.md
View File

@ -11,6 +11,12 @@ localizationpriority: medium
# What's new in Windows 10, version 1703 for Microsoft Surface Hub?
Watch Surface Hub engineer Jordan Marchese present updates to Microsoft Surface Hub with Windows 10, version 1703 (Creators Update).
<a href="http://www.youtube.com/watch?feature=player_embedded&v=R8tX10VIgq0
" target="_blank"><img src="http://img.youtube.com/vi/R8tX10VIgq0/0.jpg"
alt="Watch a video about Creators Update on Surface Hub" width="240" height="180" border="10" /></a>
Windows 10, version 1703 (also called the Creators Update), introduces the following changes for Microsoft Surface Hub:
## New settings

3
devices/surface/docfx.json
View File

@ -19,7 +19,8 @@
"ROBOTS": "INDEX, FOLLOW",
"ms.technology": "windows",
"ms.topic": "article",
"ms.author": "jdecker"
"ms.author": "jdecker",
"ms.date": "05/09/2017"
},
"externalReference": [
],

3
education/docfx.json
View File

@ -19,7 +19,8 @@
"ms.author": "celested",
"audience": "windows-education",
"ms.topic": "article",
"breadcrumb_path": "/education/breadcrumb/toc.json"
"breadcrumb_path": "/education/breadcrumb/toc.json",
"ms.date": "05/09/2017"
},
"externalReference": [
],

137
education/get-started/get-started-with-microsoft-education.md
View File

@ -1,7 +1,7 @@
---
title: Deploy and manage a full cloud IT solution with Microsoft Education
description: Learn how to use the new Microsoft Education system to set up a cloud infrastructure for your school, acquire devices and apps, and configure and deploy policies to your Windows 10 devices.
keywords: education, Microsoft Education, Microsoft Education system, full cloud IT solution, school, deploy, setup, manage, Windows 10, Intune for Education, Office 365 for Education, Microsoft Store for Education, Azure AD, Set up School PCs
keywords: education, Microsoft Education, full cloud IT solution, school, deploy, setup, manage, Windows 10, Intune for Education, Office 365 for Education, School Data Sync, Microsoft Teams, Microsoft Store for Education, Azure AD, Set up School PCs
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
@ -27,6 +27,7 @@ Hello, IT administrators! In this walkthrough, we'll show you how you can quickl
- **Office 365 for Education** provides online apps for work from anywhere and desktop apps for advanced functionality, built for working together and available across devices, and it's free for schools, teachers, and students
- **School Data Sync** to help automate the process for importing and integrating School Information System (SIS) data that you can use with Office 365
- **OneNote Class Notebook** to organize course content, create and deliver interactive lessons to some or all students, collaborate and provide private feedback to individual students, and connect with major LMS and SIS partners for assignment workflow
- **Microsoft Teams** to bring conversations, content, and apps together in one place and create collaborate classrooms, connect in professional learning communities, and communicate with school staff
- **Learning Tools** are moving beyond the OneNote desktop app and is now available in Office Lens, OneNote Online, Word Online, and Word desktop
- **Whiteboard** to create interactive lessons on the big screen, share and collaborate real-time by connecting to Class Notebook and Classroom
- **Windows 10, version 1703 (Creators Update)** which brings 3D for everyone and other new and updated Windows features
@ -43,6 +44,7 @@ Go to the <a href="https://www.microsoft.com/en-us/education" target="_blank">Mi
In this walkthrough, we'll show you the basics on how to:
- Acquire an Office 365 for Education tenant, if you don't already have one
- Import school, student, teacher, and class data using School Data Sync (SDS)
- Deploy Microsoft Teams to enable groups and teams in your school to communicate and collaborate
- Manage apps and settings deployment with Intune for Education
- Acquire additional apps in Microsoft Store for Education
- Use the Set up School PCs app to quickly set up and provision your Windows 10 education devices
@ -52,7 +54,7 @@ This diagram shows a high-level view of what we cover in this walkthrough. The n
**Figure 1** - Microsoft Education IT administrator workflow
![Deploy and manage a full cloud IT solution using Microsoft Education](images/microsoft-education-get-started-workflow.png)
![Deploy and manage a full cloud IT solution using Microsoft Education](images/microsoft_education_it_getstarted_workflow.png)
## Prerequisites
Complete these tasks before you start the walkthrough:
@ -116,7 +118,7 @@ Already have an Office 365 for Education verified tenant? Just sign in with your
![Intune for Education trial sign in page](images/i4e_trialsigninpage.png)
3. Enter your Office 365 global admin credentials to apply the Intune for Education trial to your tenant.
4. Skip ahead and follow the instructions in the walkthrough beginning with [3. Configure Microsoft Store for Education](#3-configure-microsoft-store-for-education).
4. Skip ahead and follow the instructions in the walkthrough beginning with [4. Configure Microsoft Store for Education](#4-configure-microsoft-store-for-education).
## 1. Set up a new Office 365 for Education tenant
@ -131,7 +133,7 @@ Don't have an Office 365 for Education verified tenant or just starting out? Fol
![Create an Office 365 account](images/o365_createaccount.png)
3. Save your sign-in info so you can use it to sign into <a href="https://portal.office.com" target="_blank">https://portal.office.com</a> (the sign-in page). Click **You're ready to go...**
3. Save your sign-in info so you can use it to sign in to <a href="https://portal.office.com" target="_blank">https://portal.office.com</a> (the sign-in page). Click **You're ready to go...**
4. In the **Verify eligibility for Microsoft Office 365 for Education** screen:
1. Add your domain name and follow the steps to confirm ownership of the domain.
2. Choose your DNS hosting provider to see step-by-step instructions on how to confirm that you own the domain.
@ -140,7 +142,7 @@ Don't have an Office 365 for Education verified tenant or just starting out? Fol
You may need to fill in other information to provide that you qualify for an education tenant. Provide and submit the info to Microsoft to continue verification for your tenant.
As part of setting up a basic cloud infrastructure, you don't need to complete the rest of the Office 365 for Education setup so we will skip the rest of setup for now and start importing school data. You can pick up where you left off with Office 365 for Education setup once you've completed the rest of the steps in the walkthrough. See [6.3 Complete Office 365 for Education setup](#63-complete-office-365-education-setup) for info.
As part of setting up a basic cloud infrastructure, you don't need to complete the rest of the Office 365 for Education setup so we will skip the rest of setup for now and start importing school data. You can pick up where you left off with Office 365 for Education setup once you've completed the rest of the steps in the walkthrough. See [7.3 Complete Office 365 for Education setup](#73-complete-office-365-education-setup) for info.
## 2. Use School Data Sync to import student data
@ -240,7 +242,7 @@ The Classroom application is retired, but you will need to assign the Classroom
3. Select the domain for the schools/sections. This domain will be used for the Section email addresses created during setup. If you have more than one domain, make sure you select the appropriate domain for the sync profile and subsequent sections being created.
4. In the **Select school and section properties** section, ensure the attributes that have been automatically selected for you align to your CSV files. If you select additional properties, or deselect any properties, make sure you have the properties and values contained within the CSV files. For the walkthrough, you don't have to change the default.
5. In the **Sync option for Section Group Display Name**, check the box if you want to allow teachers to overwrite the section names. Otherwise, SDS will always reset the display name value for sections to the value contained within the CSV files.
6. In the **License Options** section, check the box to allow users being created to receive an Office 365 license.
6. In the **License Options** section, check the box to enable the Classroom Preview license for all synced students and teachers within the sync profile.
7. Check the **Intune for Education** checkbox to allow users to receive the Intune for Education license and to create the SDS dynamic groups and security groups, which be used within Intune for Education.
8. Click **Next**.
@ -295,35 +297,68 @@ The Classroom application is retired, but you will need to assign the Classroom
That's it for importing sample school data using SDS.
## 3. Configure Microsoft Store for Education
## 3. Enable Microsoft Teams for your school
Microsoft Teams is a digital hub that brings conversations, content, and apps together in one place. Because it's built on Office 365, schools benefit from integration with their familiar Office apps and services. Your institution can use Microsoft Teams to create collaborative classrooms, connect in professional learning communities, and communicate with school staff all from a single experience in Office 365 for Education.
To get started, IT administrators need to use the Office 365 Admin Center to enable Microsoft Teams for your school.
**Enable Microsoft Teams for your school**
1. Sign in to <a href="https://portal.office.com" target="_blank">Office 365</a> with your work or school account.
2. Click **Admin** to go to the Office 365 admin center.
3. Go to **Settings > Services & add-ins**.
4. On the **Services & add-ins** page, select **Microsoft Teams**.
**Figure 14** - Select Microsoft Teams from the list of services & add-ins
![Enable Microsoft Teams for your school](images/o365_settings_services_msteams.png)
5. On the Microsoft Teams settings screen, select the license that you want to configure, **Student** or **Faculty and Staff**.
**Figure 15** - Select the license that you want to configure
![Select the Microsoft Teams license that you want to configure](images/o365_msteams_settings.png)
6. After you select the license type, set the toggle to turn on Microsoft Teams for your organization.
**Figure 16** - Turn on Microsoft Teams for your organization
![Turn on Microsoft Teams for your organization](images/o365_msteams_turnon.png)
7. Click **Save**.
You can find more info about how to control which users in your school can use Microsoft Teams, turn off group creation, configure tenant-level settings, and more by reading the *Guide for IT admins** getting started guide in the <a href="https://aka.ms/MeetTeamsEdu" target="_blank">Meet Microsoft Teams</a> page.
## 4. Configure Microsoft Store for Education
You'll need to configure Microsoft Store for Education to accept the services agreement and make sure your Microsoft Store account is associated with Intune for Education.
**Associate your Microsoft Store account with Intune for Education**
1. Sign into <a href="https://educationstore.microsoft.com" target="_blank">Microsoft Store for Education</a>.
1. Sign in to <a href="https://educationstore.microsoft.com" target="_blank">Microsoft Store for Education</a>.
2. Accept the Microsoft Store for Business and Education Services Agreement.
This will take you to the Microsoft Store for Education portal.
**Figure 14** - Microsoft Store for Education portal
**Figure 17** - Microsoft Store for Education portal
![Microsoft Store for Education portal](images/msfe_store_portal.png)
3. In the Microsoft Store portal, click **Manage** to go to the Microsoft Store **Overview** page.
4. Find the **Overview** page, find the **Store settings** tile and click **Management tools**.
**Figure 15** - Select management tools from the list of Store settings options
**Figure 18** - Select management tools from the list of Store settings options
![Select management tools from list of Store settings options](images/msfe_storesettings_select_managementtools.png)
4. In the **Management tools** page, find **Microsoft Intune** on the list and click **Activate** to get Intune for Education ready for use with Microsoft Store for Education.
**Figure 16** - Activate Intune for Education as the management tool
**Figure 19** - Activate Intune for Education as the management tool
![Activate Intune for Education as the management tool](images/msfe_managementtools_activateintune.png)
Your Microsoft Store for Education account is now linked to Intune for Education so let's set that up next.
## 4. Use Intune for Education to manage groups, apps, and settings
## 5. Use Intune for Education to manage groups, apps, and settings
Intune for Education is a streamlined device management solution for educational institutions that can be used to quickly set up and manage Windows 10 devices for your school. It provides a new streamlined UI with the enterprise readiness and resiliency of the Intune service. You can learn more about Intune for Education by reading the <a href="https://docs.microsoft.com/intune-education" target="_blank">Intune for Education documentation</a>.
### Example - Set up Intune for Education, buy apps from the Store, and install the apps
@ -351,20 +386,20 @@ Intune for Education provides an **Express configuration** option so you can get
1. Log into the <a href="https://intuneeducation.portal.azure.com/" target="_blank">Intune for Education console</a>. You will see the Intune for Education dashboard once you're logged in.
**Figure 17** - Intune for Education dashboard
**Figure 20** - Intune for Education dashboard
![Intune for Education dashboard](images/i4e_portal.png)
2. On the dashboard, click **Launch Express Configuration**, or select the **Express configuration** option on the menu on the left.
3. In the **Welcome to Intune for Education** screen, click **Get started**.
**Figure 18** - Click Get started to set up Intune for Education
**Figure 21** - Click Get started to set up Intune for Education
![Click Get Started to configure groups, apps, and settings](images/i4e_expressconfiguration_welcome.png)
4. In the **Get school information (optional)** screen, it should indicate that SDS is already configured. Click **Next**.
**Figure 19** - SDS is configured
**Figure 22** - SDS is configured
![SDS is already configured](images/i4e_expressconfiguration_sdsconfigured.png)
@ -377,7 +412,7 @@ Intune for Education provides an **Express configuration** option so you can get
> [!TIP]
> At the top of the screen, did you notice the **Choose group** button change to a green check mark? This means we are done with that step. If you change your mind or need to make changes, simply click on the button to go back to that step. Try it!
>
> **Figure 20** - Click on the buttons to go back to that step
> **Figure 23** - Click on the buttons to go back to that step
>
> ![Click on the buttons to back to that step](images/i4e_expressconfiguration_choosebuttontogoback.png)
@ -390,7 +425,7 @@ Intune for Education provides an **Express configuration** option so you can get
> [!TIP]
> Web apps are pushed as links in the Windows Start menu under **All apps**. If you want apps to appear in Microsoft Edge browser tabs, use the **Homepages** setting for Microsoft Edge through **Express configuration** or **Manage Users and Devices**.
**Figure 21** - Choose the apps that you want to install for the group
**Figure 24** - Choose the apps that you want to install for the group
![Choose apps to install for the group](images/i4e_expressconfiguration_chooseapps_selected_cropped.png)
@ -400,7 +435,7 @@ Intune for Education provides an **Express configuration** option so you can get
8. In the **Choose settings** screen, we will set the settings to apply to the group. Click the reverse caret (downward-facing arrow) to expand the settings group and get more information about each setting in that settings group.
**Figure 22** - Expand the settings group to get more details
**Figure 25** - Expand the settings group to get more details
![Expand the settings group to get more info](images/i4e_expressconfiguration_choosesettings_expandcollapse_cropped_052217.png)
@ -408,20 +443,20 @@ Intune for Education provides an **Express configuration** option so you can get
- In the **Microsoft Edge settings** group, change the **Do-Not-Track headers** setting to **Require**.
- In the **App settings** group, change the **Microsoft Store for Business apps** setting to **Block**, and then set the **Require Microsoft Store for Business apps to be installed from private store** to **Require**.
**Figure 23** - Set some additional settings
**Figure 26** - Set some additional settings
![Set some additional settings](images/i4e_expressconfiguration_choosesettings_additionalsettings_cropped.png)
10. Click **Next**. In the **Review** screen, you will see a summary of the apps and settings you selected to apply.
**Figure 24** - Review the group, apps, and settings you configured
**Figure 27** - Review the group, apps, and settings you configured
![Review the group, apps, and settings you configured](images/i4e_expressconfiguration_review.png)
11. Click **Save** to end express configuration.
12. You will see the **You're done!** screen which lets you choose one of two options.
**Figure 25** - All done with Intune for Education express configuration
**Figure 28** - All done with Intune for Education express configuration
![Done with Intune for Education express configuration](images/i4e_expressconfiguration_alldone.png)
@ -438,13 +473,13 @@ Intune for Education provides an **Express configuration** option so you can get
1. In the <a href="https://intuneeducation.portal.azure.com/" target="_blank">Intune for Education console</a>, click **Apps** from the menu on the left.
**Figure 26** - Click on **Apps** to see the list of apps for your tenant
**Figure 29** - Click on **Apps** to see the list of apps for your tenant
![Click Apps to see the list of apps for your tenant](images/i4e_dashboard_clickapps.png)
2. In the **Store apps** section, click **+ New app**. This will take you to the Microsoft Store for Education portal and you will already be signed in.
**Figure 27** - Select the option to add a new Store app
**Figure 30** - Select the option to add a new Store app
![Select the option to add a new Store app](images/i4e_apps_newstoreapp_selected.png)
@ -463,7 +498,7 @@ Intune for Education provides an **Express configuration** option so you can get
For example, if you bought Duolingo and Khan Academy, they will show up in your inventory along with the apps that Microsoft automatically provisioned for your education tenant.
**Figure 28** - Apps inventory in Microsoft Store for Education
**Figure 31** - Apps inventory in Microsoft Store for Education
![Apps inventory in Store for Business](images/msfe_manageapps_inventory_grouped.png)
@ -478,40 +513,40 @@ Now that you've bought the apps, use Intune for Education to specify the group t
1. In the <a href="https://intuneeducation.portal.azure.com/" target="_blank">Intune for Education console</a>, click the **Groups** option from the menu on the left.
**Figure 29** - Groups page in Intune for Education
**Figure 32** - Groups page in Intune for Education
![Groups page in Intune for Education](images/i4e_groupspage.png)
2. In the **Groups** page, select **All Users** from the list of groups on the left, and then click **Users** in the taskbar at the top of the **All Users** page.
**Figure 30** - List of all users in the tenant
**Figure 33** - List of all users in the tenant
![List of all users in the tenant](images/i4e_groups_allusers_users_steps.png)
3. In the taskbar at the top, select **Apps** and then click **Edit apps** to see a list of available apps.
**Figure 31** - Edit apps to assign them to users
**Figure 34** - Edit apps to assign them to users
![Edit apps to assign them to users](images/i4e_groups_allusers_appspage_editapps.png)
4. Select the apps to deploy to the group. A blue checkmark will appear next to the apps you select.
**Figure 32** - Select the apps to deploy to the group
**Figure 35** - Select the apps to deploy to the group
![Select the apps to deploy to the group](images/i4e_groups_allusers_selectappstodeploy.png)
5. Once you're done, click **Save** at the bottom of the page to deploy the selected apps to the group.
6. You'll be notified that app assignments are being updated. The updated **All Users** groups page now include the apps you selected.
**Figure 33** - Updated list of assigned apps
**Figure 36** - Updated list of assigned apps
![Updated list of assigned apps](images/i4e_groups_allusers_updatedappslist.png)
You're now done assigning apps to all users in your tenant. It's time to set up your Windows 10 device(s) and check that your cloud infrastructure is correctly set up and your apps are being pushed to your devices from the cloud.
## 5. Set up Windows 10 devices
## 6. Set up Windows 10 devices
### 5.1 Set up devices using Set up School PCs or Windows OOBE
### 6.1 Set up devices using Set up School PCs or Windows OOBE
We recommend using the latest build of Windows 10, version 1703 on your education devices. To set up new Windows 10 devices and enroll them to your education tenant, choose from one of these options:
- **Option 1: [Use the Set up School PCs app](#usesetupschoolpcs)** - You can use the app to create a setup file that you can use to quickly set up one or more Windows 10 devices.
- **Option 2: [Go through Windows OOBE and join the device to Azure AD](#usewindowsoobandjoinaad)** - You can go through a typical Windows 10 device setup or first-run experience to configure your device.
@ -551,13 +586,13 @@ Set up School PCs makes it easy to set up Windows 10 PCs with Microsoft's recomm
1. If you don't have a Wi-Fi network configured, make sure you connect the device to the Internet through a wired or Ethernet connection.
2. Go through the Windows device setup experience. On a new or reset device, this starts with the **Let's start with region. Is this right?** screen.
**Figure 34** - Let's start with region
**Figure 37** - Let's start with region
![Let's start with region](images/win10_letsstartwithregion.png)
3. Continue with setup. In the **How would you like to set up?** screen, select **Set up for an organization**.
**Figure 35** - Select setup for an organization
**Figure 38** - Select setup for an organization
![Select setup for an organization](images/win10_setupforanorg.png)
@ -566,7 +601,7 @@ Set up School PCs makes it easy to set up Windows 10 PCs with Microsoft's recomm
6. Click **Accept** to go through the rest of device setup.
### 5.2 Verify correct device setup
### 6.2 Verify correct device setup
Verify that the device is set up correctly and boots without any issues.
**Verify that the device was set up correctly**
@ -576,11 +611,11 @@ Verify that the device is set up correctly and boots without any issues.
> [!NOTE]
> It may take some time before some apps are pushed down to your device from Intune for Education. Check again later if you don't see some of the apps you provisioned for the user.
**Figure 36** - Sample list of apps for a user
**Figure 39** - Sample list of apps for a user
![Apps list contains the apps provisioned for the user](images/win10_start_checkapps.png)
### 5.3 Verify the device is Azure AD joined
### 6.3 Verify the device is Azure AD joined
Let's now verify that the device is joined to your organization's Azure AD and shows up as being managed in Microsoft Intune for Education.
**Verify if the device is joined to Azure AD**
@ -588,7 +623,7 @@ Let's now verify that the device is joined to your organization's Azure AD and s
2. Select **Groups** and select **All Devices**.
3. In the **All Devices** page, see the list of devices and verify that the device you're signed into appears on the list.
**Figure 37** - List of all managed devices
**Figure 40** - List of all managed devices
![Verify that the device is managed in Intune for Education](images/i4e_groups_alldevices_listofaadjdevices.png)
@ -596,23 +631,23 @@ Let's now verify that the device is joined to your organization's Azure AD and s
5. Select **Accounts > Access work or school**.
6. In the **Access work or school** page, confirm that the device is connected to the organization's Azure AD.
**Figure 38** - Confirm that the Windows 10 device is joined to Azure AD
**Figure 41** - Confirm that the Windows 10 device is joined to Azure AD
![Confirm that the Windows 10 device is joined to Azure AD](images/win10_confirmaadj.png)
**That's it! You're done!** You've completed basic cloud setup, deployment, and management using Microsoft Education. You can continue follow the rest of the walkthrough to finish setup and complete other tasks.
## 6. Finish setup and other tasks
## 7. Finish setup and other tasks
### 6.1 Update group settings in Intune for Education
### 7.1 Update group settings in Intune for Education
If you need to make changes or updates to any of the apps or settings for the group(s), follow these steps.
1. Log in to the <a href="https://intuneeducation.portal.azure.com/" target="_blank">Intune for Education console</a>.
2. Click **Groups** and then choose **Settings** in the taskbar at the top of the page.
3. You will see the same settings groups that you saw in express setup for Intune for Education as well as other settings categories such as **Windows Defender settings**, **Device sharing**, **Edition upgrade**, and so on.
**Figure 39** - See the list of available settings in Intune for Education
**Figure 42** - See the list of available settings in Intune for Education
![See the list of available settings in Intune for Education](images/i4e_groups_settingslist_full.png)
@ -622,7 +657,7 @@ If you need to make changes or updates to any of the apps or settings for the gr
5. Click **Save** or **Discard changes**.
### 6.2 Configure Azure settings
### 7.2 Configure Azure settings
After completing the basic setup for your cloud infrastructure and confirming that it is up and running, it's time to prepare for additional devices to be added and enable capabilities for the user to use.
#### Enable many devices to be added by a single person
@ -634,7 +669,7 @@ Follow the steps in this section to enable a single person to add many devices t
2. Configure the device settings for the school's Active Directory. To do this, go to the new Azure portal, <a href="https://portal.azure.com" target="_blank">https://portal.azure.com</a>.
3. Select **Azure Active Directory > Users and groups > Device settings**.
**Figure 40** - Device settings in the new Azure portal
**Figure 43** - Device settings in the new Azure portal
![Configure device settings in the new Azure portal](images/azure_newportal_usersandgroups_devicesettings.png)
@ -651,22 +686,22 @@ Follow the steps in this section to ensure that settings for the each user follo
3. Select **Azure Active Directory > Users and groups > Device settings**.
4. Find the setting **Users may sync settings and enterprise app data** and change the value to **All**.
**Figure 41** - Enable settings to roam with users
**Figure 44** - Enable settings to roam with users
![Enable settings to roam with users](images/azure_usersandgroups_devicesettings_ers.png)
5. Click **Save** to update device settings.
### 6.3 Complete Office 365 for Education setup
### 7.3 Complete Office 365 for Education setup
Now that your basic cloud infrastructure is up and running, it's time to complete the rest of the Office 365 for Education setup. You can find detailed information about completing Office 365 setup, services and applications, troubleshooting, and more by reading the <a href="https://support.office.com/en-US/Article/set-up-Office-365-for-business-6a3a29a0-e616-4713-99d1-15eda62d04fa#ID0EAAAABAAA=Education" target="_blank">Office 365 admin documentation</a>.
### 6.4 Add more users
### 7.4 Add more users
After your cloud infrastructure is set up and you have a device management strategy in place, you may need to add more users and you want the same policies to apply to these users. You can add new users to your tenant simply by adding them to the Office 365 groups. Adding new users to Office 365 groups automatically adds them to the corresponding groups in Intune for Education.
See <a href="https://support.office.com/en-us/article/Add-users-to-Office-365-for-business-435ccec3-09dd-4587-9ebd-2f3cad6bc2bc" target="_blank">Add users to Office 365</a> to learn more. Once you're done adding new users, go to the <a href="https://intuneeducation.portal.azure.com/" target="_blank">Intune for Education console</a> and verify that the same users were added to the Intune for Education groups as well.
### 6.5 Connect other devices to your cloud infrastructure
Adding a new device to your cloud-based tenant is easy. For new devices, you can follow the steps in [5. Set up Windows 10 devices](#5-set-up-windows-10-devices). For other devices, such as those personally-owned by teachers who need to connect to the school network to access work or school resources (BYOD), you can follow the steps in this section to get these devices connected.
### 7.5 Connect other devices to your cloud infrastructure
Adding a new device to your cloud-based tenant is easy. For new devices, you can follow the steps in [6. Set up Windows 10 devices](#6-set-up-windows-10-devices). For other devices, such as those personally-owned by teachers who need to connect to the school network to access work or school resources (BYOD), you can follow the steps in this section to get these devices connected.
> [!NOTE]
> These steps enable users to get access to the organization's resources, but it also gives the organization some control over the device.
@ -679,7 +714,7 @@ Adding a new device to your cloud-based tenant is easy. For new devices, you can
For example, if a teacher connects their personal device to the school network, they'll see the following screen after typing in their account information.
**Figure 42** - Device is now managed by Intune for Education
**Figure 45** - Device is now managed by Intune for Education
![Device is managed by Intune for Education](images/byob_aad_enrollment_intune.png)
@ -689,11 +724,11 @@ Adding a new device to your cloud-based tenant is easy. For new devices, you can
5. After the user's credentails are validated, the window will refresh and will now include an entry that shows the device is now connected to the organization's MDM. This means the device is now enrolled in Intune for Education MDM and the account should have access to the organization's resources.
**Figure 43** - Device is connected to organization's MDM
**Figure 46** - Device is connected to organization's MDM
![Device is connected to organization's MDM](images/win10_connectedtoorgmdm.png)
6. You can confirm that the new device and user are showing up as Intune for Education-managed by going to the Intune for Education management portal and following the steps in [5.3 Verify the device is Azure AD joined](#53-verify-the-device-is-azure-ad-joined).
6. You can confirm that the new device and user are showing up as Intune for Education-managed by going to the Intune for Education management portal and following the steps in [6.3 Verify the device is Azure AD joined](#63-verify-the-device-is-azure-ad-joined).
It may take several minutes before the new device shows up so check again later.

BIN
education/get-started/images/microsoft_education_it_getstarted_workflow.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 454 KiB

BIN
education/get-started/images/o365_msteams_settings.PNG Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 37 KiB

BIN
education/get-started/images/o365_msteams_turnon.PNG Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 54 KiB

BIN
education/get-started/images/o365_settings_services_msteams.PNG Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 120 KiB

38
education/index.md
View File

@ -207,6 +207,25 @@ author: CelesteDG
</div>
</a>
</li>
<li>
<a href="/education/windows/use-set-up-school-pcs-app">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
<div class="cardImageOuter">
<div class="cardImage bgdAccent1">
<img src="/media/hubs/education/education-pro-usb.svg" alt="Set up School PCs" />
</div>
</div>
<div class="cardText">
<h3>Set up School PCs</h3>
<p>Use the app to create a provisioning package that you can use to quickly set up one or more Windows 10 devices.</p>
</div>
</div>
</div>
</div>
</a>
</li>
</ul>
</li>
</ul>
@ -331,6 +350,25 @@ author: CelesteDG
</div>
</a>
</li>
<li>
<a href="/education/windows/use-set-up-school-pcs-app">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
<div class="cardImageOuter">
<div class="cardImage bgdAccent1">
<img src="/media/hubs/education/education-pro-usb.svg" alt="Set up School PCs" />
</div>
</div>
<div class="cardText">
<h3>Set up School PCs</h3>
<p>Use the app to create a provisioning package that you can use to quickly set up one or more Windows 10 devices.</p>
</div>
</div>
</div>
</div>
</a>
</li>
</ul>
</li>
</ul>

1
education/windows/change-history-edu.md
View File

@ -1,6 +1,7 @@
---
title: Change history for Windows 10 for Education (Windows 10)
description: New and changed topics in Windows 10 for Education
keywords: Windows 10 education documentation, change history
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library

2
education/windows/chromebook-migration-guide.md
View File

@ -2,7 +2,7 @@
title: Chromebook migration guide (Windows 10)
description: In this guide you will learn how to migrate a Google Chromebook-based learning environment to a Windows 10-based learning environment.
ms.assetid: 7A1FA48A-C44A-4F59-B895-86D4D77F8BEA
keywords: migrate, automate, device
keywords: migrate, automate, device, Chromebook migration
ms.prod: w10
ms.mktglfcycl: plan
ms.sitesec: library

6
education/windows/configure-windows-for-education.md
View File

@ -1,7 +1,7 @@
---
title: Windows 10 configuration recommendations for education customers
description: Provides guidance on ways to configure the OS diagnostic data, consumer experiences, Cortana, search, as well as some of the preinstalled apps, so that Windows is ready for your school.
keywords: ["Windows 10 deployment", "recommendations", "privacy settings", "school", "education", "configurations"]
keywords: Windows 10 deployment, recommendations, privacy settings, school, education, configurations
ms.mktglfcycl: plan
ms.sitesec: library
localizationpriority: high
@ -68,7 +68,7 @@ You can configure Windows through provisioning or management tools including ind
You can set all the education compliance areas through both provisioning and management tools. Additionally, these Microsoft education tools will ensure PCs that you set up are education ready:
- [Set up School PCs](use-set-up-school-pcs-app.md)
- Intune for Education (coming soon)
- [Intune for Education](https://docs.microsoft.com/en-us/intune-education/available-settings)
## AllowCortana
**AllowCortana** is a policy that enables or disables Cortana. It is a policy node in the Policy configuration service provider, [AllowCortana](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowcortana).
@ -149,7 +149,7 @@ Provide an ad-free experience that is a safer, more private search option for K
### Configurations
#### IP registration for entire school network using Microsoft Edge
Ad-free searching with Bing in Microsoft Edge can be configured at the network level. To configure this, email bicteam@microsoft.com with the subject "New Windows 10, version 1703 (Creators Update) Registration: [School District Name]" and the include the following information in the body of the email.
Ad-free searching with Bing in Microsoft Edge can be configured at the network level. To configure this, email bingintheclassroom@microsoft.com with the subject "New Windows 10, version 1703 (Creators Update) Registration: [School District Name]" and the include the following information in the body of the email.
**District information**
- **District or School Name:**

2
education/windows/deploy-windows-10-in-a-school-district.md
View File

@ -1,7 +1,7 @@
---
title: Deploy Windows 10 in a school district (Windows 10)
description: Learn how to deploy Windows 10 in a school district. Integrate the school environment with Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD), use System Center Configuration Manager, Intune, and Group Policy to manage devices.
keywords: configure, tools, device, school
keywords: configure, tools, device, school district, deploy Windows 10
ms.prod: w10
ms.mktglfcycl: plan
ms.pagetype: edu

2
education/windows/deploy-windows-10-in-a-school.md
View File

@ -1,7 +1,7 @@
---
title: Deploy Windows 10 in a school (Windows 10)
description: Learn how to integrate your school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD). Deploy Windows 10 and apps to new devices or upgrade existing devices to Windows 10. Manage faculty, students, and devices by using Microsoft Intune and Group Policy.
keywords: configure, tools, device, school
keywords: configure, tools, device, school, deploy Windows 10
ms.prod: w10
ms.mktglfcycl: plan
ms.pagetype: edu

2
education/windows/edu-deployment-recommendations.md
View File

@ -1,7 +1,7 @@
---
title: Deployment recommendations for school IT administrators
description: Provides guidance on ways to customize the OS privacy settings, as well as some of the apps, for Windows-based devices used in schools so that you can choose what information is shared with Microsoft.
keywords: ["Windows 10 deployment", "recommendations", "privacy settings", "school"]
keywords: Windows 10 deployment, recommendations, privacy settings, school
ms.mktglfcycl: plan
ms.sitesec: library
localizationpriority: high

2
education/windows/education-scenarios-store-for-business.md
View File

@ -1,7 +1,7 @@
---
title: Education scenarios Microsoft Store for Education
description: Learn how IT admins and teachers can use Microsoft Store for Education to acquire and manage apps in schools.
keywords: ["school", "store for business"]
keywords: school, Microsoft Store for Education, Microsoft education store
ms.prod: W10
ms.mktglfcycl: plan
ms.sitesec: library

2
education/windows/get-minecraft-for-education.md
View File

@ -1,7 +1,7 @@
---
title: Get Minecraft Education Edition
description: Learn how to get and distribute Minecraft Education Edition.
keywords: school, minecraft
keywords: school, Minecraft, education edition
ms.prod: W10
ms.mktglfcycl: plan
ms.sitesec: library

BIN
education/windows/images/suspc_createpackage_recommendedapps_office061217.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 130 KiB

2
education/windows/school-get-minecraft.md
View File

@ -1,7 +1,7 @@
---
title: For IT administrators get Minecraft Education Edition
description: Learn how IT admins can get and distribute Minecraft in their schools.
keywords: ["school"]
keywords: Minecraft, Education Edition, IT admins, acquire
ms.prod: W10
ms.mktglfcycl: plan
ms.sitesec: library

2
education/windows/set-up-students-pcs-to-join-domain.md
View File

@ -1,7 +1,7 @@
---
title: Set up student PCs to join domain
description: Learn how to use Configuration Designer to easily provision student devices to join Active Directory.
keywords: school
keywords: school, student PC setup, Windows Configuration Designer
ms.prod: W10
ms.mktglfcycl: plan
ms.sitesec: library

2
education/windows/set-up-students-pcs-with-apps.md
View File

@ -1,7 +1,7 @@
---
title: Provision student PCs with apps
description: Learn how to use Configuration Designer to easily provision student devices to join Active Directory.
keywords: ["shared cart", "shared PC", "school"]
keywords: shared cart, shared PC, school, provision PCs with apps, Windows Configuration Designer
ms.prod: W10
ms.mktglfcycl: plan
ms.sitesec: library

2
education/windows/take-a-test-app-technical.md
View File

@ -1,7 +1,7 @@
---
title: Take a Test app technical reference
description: The policies and settings applied by the Take a Test app.
keywords: take a test, test taking, school
keywords: take a test, test taking, school, policies
ms.prod: w10
ms.mktglfcycl: plan
ms.sitesec: library

2
education/windows/take-a-test-multiple-pcs.md
View File

@ -1,7 +1,7 @@
---
title: Set up Take a Test on multiple PCs
description: Learn how to set up and use the Take a Test app on multiple PCs.
keywords: ["take a test", "test taking", "school"]
keywords: take a test, test taking, school, set up on multiple PCs
ms.prod: w10
ms.mktglfcycl: plan
ms.sitesec: library

2
education/windows/take-a-test-single-pc.md
View File

@ -1,7 +1,7 @@
---
title: Set up Take a Test on a single PC
description: Learn how to set up and use the Take a Test app on a single PC.
keywords: take a test, test taking, school
keywords: take a test, test taking, school, set up on single PC
ms.prod: w10
ms.mktglfcycl: plan
ms.sitesec: library

2
education/windows/take-tests-in-windows-10.md
View File

@ -1,7 +1,7 @@
---
title: Take tests in Windows 10
description: Learn how to set up and use the Take a Test app.
keywords: take a test, test taking, school
keywords: take a test, test taking, school, how to, use Take a Test
ms.prod: w10
ms.mktglfcycl: plan
ms.sitesec: library

2
education/windows/teacher-get-minecraft.md
View File

@ -1,7 +1,7 @@
---
title: For teachers get Minecraft Education Edition
description: Learn how teachers can get and distribute Minecraft.
keywords: ["school", "minecraft"]
keywords: school, Minecraft, Education Edition, educators, teachers, acquire, distribute
ms.prod: W10
ms.mktglfcycl: plan
ms.sitesec: library

12
education/windows/use-set-up-school-pcs-app.md
View File

@ -1,7 +1,7 @@
---
title: Use Set up School PCs app
description: Learn how the Set up School PCs app works and how to use it.
keywords: shared cart, shared PC, school, set up school pcs
keywords: shared cart, shared PC, school, Set up School PCs, overview, how to use
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
@ -145,7 +145,7 @@ The **Set up School PCs** app guides you through the configuration choices for t
![Only skip Wi-Fi if you have a wired Ethernet connection](images/suspc_createpackage_skipwifi_modaldialog.png)
5. To assign a name to the student PCs, in the **Assign a name to these student PCs** page:
5. To assign a name to the student PCs, in the **Name these devices** page:
1. Add a short name that Set up School PCs will use as a prefix to identify and easily manage the group of devices, apps, and other settings through your device management client.
> [!NOTE]
@ -191,13 +191,17 @@ The **Set up School PCs** app guides you through the configuration choices for t
3. Click **Next** or **Skip** depending on whether you want to set up Take a Test.
8. In the **Add recommended apps** page, you can choose from a set of recommended Microsoft Store apps to provision. The recommended apps include Minecraft: Education Edition and several STEM and Makerspace apps.
8. In the **Add recommended apps** page, you can choose from a set of recommended Microsoft Store apps to provision. The recommended apps include the following:
* **Office 365 for Windows 10 S (Education Preview)** - Your student PCs must be running Windows 10 S to install this app. If you try to install this app on other editions of Windows, setup will fail.
* **Minecraft: Education Edition** - Free trial
* Popular **STEM and Makerspace apps**
1. Select the apps that you would like to provision and then click **Next** when you're done.
2. Click **Skip** if you don't want to provision any apps.
**Figure 6** - Select from a set of recommended Microsoft Store apps
![Select from a set of recommended Microsoft Store apps](images/suspc_createpackage_recommendedapps.png)
![Select from a set of recommended Microsoft Store apps](images/suspc_createpackage_recommendedapps_office061217.png)
The set of recommended Microsoft Store for Education apps may vary from what we show here.

3
mdop/docfx.json
View File

@ -20,7 +20,8 @@
"ms.technology": "mdop",
"ms.sitesec": "library",
"ms.topic": "article",
"ms.author": "jamiet"
"ms.author": "jamiet",
"ms.date": "04/05/2017"
},
"externalReference": [
],

1
store-for-business/TOC.md
View File

@ -27,4 +27,5 @@
### [Update Microsoft Store for Business and Microsoft Store for Education account settings](update-windows-store-for-business-account-settings.md)
### [Manage user accounts in Microsoft Store for Business and Education](manage-users-and-groups-windows-store-for-business.md)
## [Troubleshoot Microsoft Store for Business](troubleshoot-windows-store-for-business.md)
## [Notifications in Microsoft Store for Business and Education](notifications-microsoft-store-business.md)

3
store-for-business/docfx.json
View File

@ -35,7 +35,8 @@
"uhfHeaderId": "MSDocsHeader-WindowsIT",
"ms.author": "trudyha",
"ms.technology": "windows",
"ms.topic": "article"
"ms.topic": "article",
"ms.date": "05/09/2017"
},
"fileMetadata": {},
"template": [],

1
store-for-business/education/TOC.md
View File

@ -32,4 +32,5 @@
### [Update Microsoft Store for Business and Microsoft Store for Education account settings](/microsoft-store/update-windows-store-for-business-account-settings?toc=/microsoft-store/education/toc.json)
### [Manage user accounts in Microsoft Store for Business and Education](/microsoft-store/manage-users-and-groups-windows-store-for-business?toc=/microsoft-store/education/toc.json)
## [Troubleshoot Microsoft Store for Business](/microsoft-store/troubleshoot-windows-store-for-business?toc=/microsoft-store/education/toc.json)
## [Notifications in Microsoft Store for Business and Education](/microsoft-store/notifications-microsoft-store-business?toc=/microsoft-store/education/toc.json)

33
store-for-business/notifications-microsoft-store-business.md Normal file
View File

@ -0,0 +1,33 @@
---
title: Notifications in Microsoft Store for Business and Education (Windows 10)
description: Notifications alert you to issues or outages with Micrososft Store for Business and Education.
keywords: notifications, alerts
ms.assetid:
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
author: TrudyHa
localizationpriority: high
---
# Notifications in Microsoft Store for Business and Education
**Applies to**
- Windows 10
- Windows 10 Mobile
Microsoft Store for Business and Microsoft Store for Education use a set of notifications to alert admins if there is an issue or outage with Microsoft Store.
## Notifications for admins
| Store area | Notification message | Customer impact |
| ---------- | -------------------- | --------------- |
| General | Were on it. Something happened on our end with the Store. Waiting a bit might help. | You might be unable to sign in. There might be an intermittent Azure AD outage. |
| Manage | Were on it. Something happened on our end with management for apps and software. Were working to fix the problem. | You might be unable to manage inventory, including viewing inventory, distributing apps, assigning licenses, or viewing and managing order history. |
| Shop | Were on it. Something happened on our end with purchasing. Were working to fix the problem. | Shop might not be available. You might not be able to purchase new, or additional licenses. |
| Private store | Were on it. Something happened on our end with your organizations private store. People in your organization cant download apps right now. Were working to fix the problem. | People in your organization might not be able to view the private store, or get apps. |
| Acquistion and licensing | Were on it. People in your org might not be able to install or use certain apps. Were working to fix the problem. | People in your org might not be able to claim a license from your private store. |
| Partner | Were on it. Something happened on our end with Find a Partner. Were working to fix the problem. | You might not be able to search for a partner. |

6
store-for-business/windows-store-for-business-overview.md
View File

@ -472,7 +472,7 @@ Microsoft Store for Business and Education is currently available in these marke
<li>United Kingdom</li>
<li>United States</li>
<li>Uruguay</li>
<li>Viet Nam</li>
<li>Vietnam</li>
<li>Virgin Islands, U.S.</li>
<li>Zambia</li>
<li>Zimbabwe<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</li>
@ -488,7 +488,11 @@ Customers in these markets can use Microsoft Store for Business and Education to
### Support for free apps and Minecraft: Education Edition
Customers in these markets can use Microsoft Store for Business and Education to acquire free apps and Minecraft: Education Edition:
- Albania
- Bosnia
- Brazil
- Georgia
- Korea
- Taiwan
- Ukraine

5
windows/access-protection/docfx.json
View File

@ -33,7 +33,10 @@
"globalMetadata": {
"uhfHeaderId": "MSDocsHeader-WindowsIT",
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"ms.technology": "windows"
"ms.technology": "windows",
"ms.topic": "article",
"ms.author": "justinha",
"ms.date": "04/05/2017"
},
"fileMetadata": {},
"template": [],

5
windows/application-management/docfx.json
View File

@ -33,7 +33,10 @@
"globalMetadata": {
"uhfHeaderId": "MSDocsHeader-WindowsIT",
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"ms.technology": "windows"
"ms.technology": "windows",
"ms.topic": "article",
"ms.author": "elizapo",
"ms.date": "04/05/2017"
},
"fileMetadata": {},
"template": [],

2
windows/client-management/TOC.md
View File

@ -9,5 +9,5 @@
## [Reset a Windows 10 Mobile device](reset-a-windows-10-mobile-device.md)
## [Windows 10 Mobile deployment and management guide](windows-10-mobile-and-mdm.md)
## [Windows libraries](windows-libraries.md)
## [Mobile device management protocol](mdm/index.md)
## [Mobile device management for solution providers](mdm/index.md)
## [Change history for Client management](change-history-for-client-management.md)

8
windows/client-management/change-history-for-client-management.md
View File

@ -8,12 +8,20 @@ ms.sitesec: library
ms.pagetype: security
localizationpriority: high
author: jdeckerMS
ms.author: jdecker
ms.date: 06/13/2017
---
# Change history for Client management
This topic lists new and updated topics in the [Client management](index.md) documentation for Windows 10 and Windows 10 Mobile.
## June 2017
| New or changed topic | Description |
| --- | --- |
| [Create mandatory user profiles](mandatory-user-profile.md) | Added Windows 10, version 1703, to profile extension table |
## April 2017
| New or changed topic | Description |
|----------------------|-------------|

5
windows/client-management/docfx.json
View File

@ -33,7 +33,10 @@
"globalMetadata": {
"uhfHeaderId": "MSDocsHeader-WindowsIT",
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"ms.technology": "windows"
"ms.technology": "windows",
"ms.topic": "article",
"ms.author": "dongill",
"ms.date": "04/05/2017"
},
"fileMetadata": {},
"template": [],

1
windows/client-management/index.md
View File

@ -28,4 +28,5 @@ Learn about the administrative tools, tasks and best practices for managing Wind
|[Reset a Windows 10 Mobile device](reset-a-windows-10-mobile-device.md)| Instructions for resetting a Windows 10 Mobile device using either *factory* or *'wipe and persist'* reset options|
|[Deploy Windows 10 Mobile](windows-10-mobile-and-mdm.md)| Considerations and instructions for deploying Windows 10 Mobile|
|[Windows libraries](windows-libraries.md)| Considerations and instructions for managing Windows 10 libraries such as My Documents, My Pictures, and My Music.|
|[Mobile device management for solution providers](mdm/index.md) | Procedural and reference documentation for solution providers providing mobile device management (MDM) for Windows 10 devices. |
|[Change history for Client management](change-history-for-client-management.md) | This topic lists new and updated topics in the Client management documentation for Windows 10 and Windows 10 Mobile. |

4
windows/client-management/mandatory-user-profile.md
View File

@ -6,6 +6,8 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerms
ms.author: jdecker
ms.date: 06/13/2017
---
# Create mandatory user profiles
@ -38,7 +40,7 @@ The name of the folder in which you store the mandatory profile must use the cor
| Windows 8 | Windows Server 2012 | v3 |
| Windows 8.1 | Windows Server 2012 R2 | v4 |
| Windows 10, versions 1507 and 1511 | N/A | v5 |
| Windows 10, version 1607 (also known as the Anniversary Update) | Windows Server 2016 | v6 |
| Windows 10, version 1607 (Anniversary Update) and version 1703 (Creators Update) | Windows Server 2016 | v6 |
For more information, see [Deploy Roaming User Profiles, Appendix B](https://technet.microsoft.com/library/jj649079.aspx) and [Roaming user profiles versioning in Windows 10 and Windows Server Technical Preview](https://support.microsoft.com/kb/3056198).

2
windows/client-management/mdm/TOC.md
View File

@ -198,6 +198,8 @@
#### [SUPL DDF file](supl-ddf-file.md)
### [SurfaceHub CSP](surfacehub-csp.md)
#### [SurfaceHub DDF file](surfacehub-ddf-file.md)
### [TPMPolicy CSP](tpmpolicy-csp.md)
#### [TPMPolicy DDF file](tpmpolicy-ddf-file.md)
### [UnifiedWriteFilter CSP](unifiedwritefilter-csp.md)
#### [UnifiedWriteFilter DDF file](unifiedwritefilter-ddf.md)
### [Update CSP](update-csp.md)

42
windows/client-management/mdm/configuration-service-provider-reference.md
View File

@ -11,6 +11,9 @@ author: nickbrower
# Configuration service provider reference
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
A configuration service provider (CSP) is an interface to read, set, modify, or delete configuration settings on the device. These settings map to registry keys or files. Some configuration service providers support the WAP format, some support SyncML, and some support both. SyncML is only used overtheair for Open Mobile Alliance Device Management (OMA DM), whereas WAP can be used overtheair for OMA Client Provisioning, or it can be included in the phone image as a .provxml file that is installed during boot.
For information about the bridge WMI provider classes that map to these CSPs, see [MDM Bridge WMI Provider](https://msdn.microsoft.com/library/windows/hardware/dn905224).
@ -1164,10 +1167,10 @@ The following tables show the configuration service providers support in Windows
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
@ -2044,6 +2047,34 @@ The following tables show the configuration service providers support in Windows
<!--EndSKU-->
<!--EndCSP-->
<!--StartCSP-->
[TPMPolicy CSP](tpmpolicy-csp.md)
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--EndCSP-->
<!--StartCSP-->
[UnifiedWriteFilter CSP](unifiedwritefilter-csp.md)
@ -2358,7 +2389,8 @@ The following tables show the configuration service providers support in Windows
 Footnotes:
- 1 - Added in Windows 10, version 1607
- 2 - Added in Windows 10, version 1703
- 2 - Added in Windows 10, version 1703
- 3 - Added in the next major update to Windows 10
> [!Note]
> You can download the Windows 10 version 1607 DDF files from [here](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip).

4
windows/client-management/mdm/firewall-csp.md
View File

@ -13,10 +13,12 @@ author: nickbrower
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
The Firewall configuration service provider (CSP) allows the mobile device management (MDM) server to configure the Windows Defender Firewall global settings, per profile settings, as well as the desired set of custom rules to be enforced on the device. Using the Firewall CSP the IT admin can now manage both domain joined and non-domain devices, and reduce the risk of network security threats across all systems connecting to the corporate network. This CSP is new in the next major update to Windows 10.
The Firewall configuration service provider (CSP) allows the mobile device management (MDM) server to configure the Windows Defender Firewall global settings, per profile settings, as well as the desired set of custom rules to be enforced on the device. Using the Firewall CSP the IT admin can now manage non-domain devices, and reduce the risk of network security threats across all systems connecting to the corporate network. This CSP is new in the next major update to Windows 10.
Firewall configuration commands must be wrapped in an Atomic block in SyncML.
For detailed information on some of the fields below see [[MS-FASP]: Firewall and Advanced Security Protocol documentation](https://msdn.microsoft.com/en-us/library/mt620101.aspx).
The following diagram shows the Firewall configuration service provider in tree format.
![firewall csp](images/provisioning-csp-firewall.png)

BIN
windows/client-management/mdm/images/provisioning-csp-tpmpolicy.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 3.2 KiB

56
windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
View File

@ -14,6 +14,8 @@ author: nickbrower
# What's new in MDM enrollment and management
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
This topic provides information about what's new and breaking changes in Windows 10 mobile device management (MDM) enrollment and management experience across all Windows 10 devices.
@ -640,6 +642,16 @@ For details about Microsoft mobile device management protocols for Windows 10 s
<li>SmartScreen/EnableAppInstallControl</li>
<li>SmartScreen/EnableSmartScreenInShell</li>
<li>SmartScreen/PreventOverrideForFilesInShell</li>
<li>Start/AllowPinnedFolderDocuments</li>
<li>Start/AllowPinnedFolderDownloads</li>
<li>Start/AllowPinnedFolderFileExplorer</li>
<li>Start/AllowPinnedFolderHomeGroup</li>
<li>Start/AllowPinnedFolderMusic</li>
<li>Start/AllowPinnedFolderNetwork</li>
<li>Start/AllowPinnedFolderPersonalFolder </li>
<li>Start/AllowPinnedFolderPictures</li>
<li>Start/AllowPinnedFolderSettings</li>
<li>Start/AllowPinnedFolderVideos</li>
<li>Start/HideAppList</li>
<li>Start/HideChangeAccountSettings</li>
<li>Start/HideFrequentlyUsedApps</li>
@ -661,6 +673,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
<li>TextInput/AllowKeyboardTextSuggestions</li>
<li>TimeLanguageSettings/AllowSet24HourClock</li>
<li>Update/ActiveHoursMaxRange</li>
<li>Update/AutoRestartDeadlinePeriodInDays</li>
<li>Update/AutoRestartNotificationSchedule</li>
<li>Update/AutoRestartNotificationStyle</li>
<li>Update/AutoRestartRequiredNotificationDismissal</li>
@ -892,6 +905,10 @@ For details about Microsoft mobile device management protocols for Windows 10 s
<li>[Policy CSP](policy-configuration-service-provider.md)</li>
</ul>
</td></tr>
<tr class="even">
<td style="vertical-align:top">[TPMPolicy CSP](tpmpolicy-csp.md)</td>
<td style="vertical-align:top">New CSP added in Windows 10, version 1703.</td>
</tr>
</tbody>
</table> 
@ -1180,7 +1197,7 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
<td style="vertical-align:top">[Win32 and Desktop Bridge app policy configuration](win32-and-centennial-app-policy-configuration.md)</td>
<td style="vertical-align:top">Added a list of registry locations that ingested policies are allowed to write to.</td>
</tr>
<tr class="odd">
<tr class="even">
<td style="vertical-align:top">[Firewall CSP](firewall-csp.md)</td>
<td style="vertical-align:top">Added the following nodes:
<ul>
@ -1191,6 +1208,37 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
<li>Status</li>
</ul>
Also Added [Firewall DDF file](firewall-ddf-file.md).</td></tr>
<tr class="odd">
<td style="vertical-align:top">[TPMPolicy CSP](tpmpolicy-csp.md)</td>
<td style="vertical-align:top">New CSP added in Windows 10, version 1703.</td>
</tr>
<tr class="even">
<td style="vertical-align:top">[Policy CSP](policy-configuration-service-provider.md)</td>
<td style="vertical-align:top">
<p>Added the following new policies for Windows 10, version 1703:</p>
<ul>
<li>Start/AllowPinnedFolderDocuments</li>
<li>Start/AllowPinnedFolderDownloads</li>
<li>Start/AllowPinnedFolderFileExplorer</li>
<li>Start/AllowPinnedFolderHomeGroup</li>
<li>Start/AllowPinnedFolderMusic</li>
<li>Start/AllowPinnedFolderNetwork</li>
<li>Start/AllowPinnedFolderPersonalFolder </li>
<li>Start/AllowPinnedFolderPictures</li>
<li>Start/AllowPinnedFolderSettings</li>
<li>Start/AllowPinnedFolderVideos</li>
<li>Update/AutoRestartDeadlinePeriodInDays</li>
</ul>
<p>Added the following new policies for Windows 10, version 1709:</p>
<ul>
<li>Power/DisplayOffTimeoutOnBattery</li>
<li>Power/DisplayOffTimeoutPluggedIn</li>
<li>Power/HibernateTimeoutOnBattery</li>
<li>Power/HibernateTimeoutPluggedIn</li>
<li>Power/StandbyTimeoutOnBattery</li>
<li>Power/StandbyTimeoutPluggedIn</li>
</ul>
</td></tr>
</tbody>
</table>
@ -1266,7 +1314,7 @@ Also Added [Firewall DDF file](firewall-ddf-file.md).</td></tr>
</td></tr>
<tr class="even">
<td style="vertical-align:top">[Firewall CSP](firewall-csp.md)</td>
<td style="vertical-align:top"><p>Added new CSP in the next major update to Windows 10.</p>
<td style="vertical-align:top"><p>Added new CSP in Windows 10, version 1709.</p>
</td></tr>
<tr class="odd">
<td style="vertical-align:top">MDM support for Windows 10 S</td>
@ -1780,7 +1828,7 @@ Also Added [Firewall DDF file](firewall-ddf-file.md).</td></tr>
</td></tr>
<tr class="even">
<td style="vertical-align:top">[CM_CellularEntries CSP](cm-cellularentries-csp.md)</td>
<td style="vertical-align:top"><p>To PurposeGroups setting, added the following values for the next major update of Windows 10:</p>
<td style="vertical-align:top"><p>To PurposeGroups setting, added the following values Windows 10, version 1709:</p>
<ul>
<li>Purchase - 95522B2B-A6D1-4E40-960B-05E6D3F962AB </li>
<li>Administrative - 2FFD9261-C23C-4D27-8DCF-CDE4E14A3364</li>
@ -1788,7 +1836,7 @@ Also Added [Firewall DDF file](firewall-ddf-file.md).</td></tr>
</td></tr>
<tr class="odd">
<td style="vertical-align:top">[CellularSettings CSP](cellularsettings-csp.md)<p>[CM_CellularEntries CSP](cm-cellularentries-csp.md)</p><p>[EnterpriseAPN CSP](enterpriseapn-csp.md)</p></td>
<td style="vertical-align:top"><p>In the next major update of Windows 10, support was added for Windows 10 Home, Pro, Enterprise, and Education editions.</p>
<td style="vertical-align:top"><p>In the Windows 10, version 1709, support was added for Windows 10 Home, Pro, Enterprise, and Education editions.</p>
</td></tr>
<tr class="even">
<td style="vertical-align:top">Updated the DDF topics.</td>

4
windows/client-management/mdm/passportforwork-csp.md
View File

@ -201,9 +201,9 @@ This cloud service encrypts a recovery secret, which is stored locally on the cl
<a href="" id="biometrics-facialfeaturesuseenhancedantispoofing--only-for---device-vendor-msft-"></a>**Biometrics/FacialFeaturesUseEnhancedAntiSpoofing** (only for ./Device/Vendor/MSFT)
<p style="margin-left: 20px">Boolean value used to enable or disable enhanced anti-spoofing for facial feature recognition on Windows Hello face authentication. This node was added in Windows 10, version 1511.
<p style="margin-left: 20px">Default value is false. If you set this policy to true or don't configure this setting, Windows requires all users on managed devices to use enhanced anti-spoofing for Windows Hello face authentication. Windows Hello face authentication is disabled on devices that do not support enhanced anti-spoofing.
<p style="margin-left: 20px">Default value is false. If you set this policy to false or don't configure this setting, Windows doesn't require enhanced anti-spoofing for Windows Hello face authentication.
<p style="margin-left: 20px">If you set this policy to false, Windows doesn't require enhanced anti-spoofing for Windows Hello face authentication.
<p style="margin-left: 20px">If you set this policy to true, Windows requires all users on managed devices to use enhanced anti-spoofing for Windows Hello face authentication. Windows Hello face authentication is disabled on devices that do not support enhanced anti-spoofing.
<p style="margin-left: 20px">Note that enhanced anti-spoofing for Windows Hello face authentication is not required on unmanaged devices.

1782
windows/client-management/mdm/policy-configuration-service-provider.md
View File

File diff suppressed because it is too large Load Diff

55
windows/client-management/mdm/tpmpolicy-csp.md Normal file
View File

@ -0,0 +1,55 @@
---
title: TPMPolicy CSP
description: TPMPolicy CSP
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
---
# TPMPolicy CSP
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
The TPMPolicy configuration service provider (CSP) provides a mechanism to enable zero exhaust configuration on a Windows device for TPM software components. Zero exhaust is defined as no network traffic (telemetry or otherwise, such as downloading background images, Windows Updates, etc.) from Windows and inbox applications to public IP addresses unless directly intended by the user. This allows the enterprise admin to configure devices where no network communication is initiated by the system without explicit approval.
The TPMPolicy CSP was added in Windows 10, version 1703.
The following diagram shows the TPMPolicy configuration service provider in tree format.
![tpmpolicy csp](images/provisioning-csp-tpmpolicy.png)
<a href="" id="--device-vendor-msft-tpmpolicy"></a>**./Device/Vendor/MSFT/TPMPolicy**
<p style="margin-left: 20px">Defines the root node.</p>
<a href="" id="isactivezeroexhaust"></a>**IsActiveZeroExhaust**
<p style="margin-left: 20px">Boolean value that indicates whether network traffic from the device to public IP addresses are not allowed unless directly intended by the user (zero exhaust). Default value is false. Some examples when zero exhaust is configured:</p>
<ul>
<li>There should be no traffic when machine is on idle. When the user is not interacting with the system/device, no traffic is expected. </li>
<li>There should be no traffic during installation of Windows and first logon when local ID is used.</li>
<li>Launching and using a local app (Notepad, Paint, etc.) should not send any traffic. Similarly, performing common tasks (clicking on start menu, browsing folders, etc.) should not send any traffic.</li>
<li>Launching and using Internet enabled apps should not send any unexpected traffic (for maintenance, diagnostic, telemetry, etc.) to Microsoft.</li>
</ul>
Here is an example:
``` syntax
                <Replace>
                    <CmdID>101</CmdID>
                    <Item>
                        <Target>
                            <LocURI>
                                ./Vendor/MSFT/TpmPolicy/IsActiveZeroExhaust
                            </LocURI>
                        </Target>
                        <Meta>
<Format>bool</Format>
               <Type>text/plain</Type>
        </Meta>
        <Data>true</Data>
                    </Item>
                </Replace>
```

71
windows/client-management/mdm/tpmpolicy-ddf-file.md Normal file
View File

@ -0,0 +1,71 @@
---
title: TPMPolicy DDF file
description: TPMPolicy DDF file
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
---
# TPMPolicy DDF file
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
This topic shows the OMA DM device description framework (DDF) for the **TPMPolicy** configuration service provider. The TPMPolicy CSP was added in Windows 10, version 1703.
The XML below is the current version for this CSP.
``` syntax
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
"http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
[<?oma-dm-ddf-ver supported-versions="1.2"?>]>
<MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
<VerDTD>1.2</VerDTD>
<Node>
<NodeName>TPMPolicy</NodeName>
<Path>./Vendor/MSFT</Path>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>com.microsoft/1.0/MDM/TPMPolicy</MIME>
</DFType>
</DFProperties>
<Node>
<NodeName>IsActiveZeroExhaust</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DefaultValue>False</DefaultValue>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</MgmtTree>
```

8
windows/client-management/mdm/understanding-admx-backed-policies.md
View File

@ -240,17 +240,13 @@ This section describes sample SyncML for the various ADMX elements like Text, Mu
### <a href="" id="how-a-group-policy-policy-category-path-and-name-are-mapped-to-a-mdm-area-and-policy-name"></a>How a Group Policy policy category path and name are mapped to a MDM area and policy name
Below is the internal OS mapping of a Group Policy to a MDM area and name. This is part of a set of Windows manifests (extension **wm.xml**) that when compiled parses out the associated ADMX file, finds the specified Group Policy policy and stores that definition (metadata) in the MDM Policy CSP client store.  ADMX backed policies are organized hierarchically. Their scope can be **machine**, **user**, or have a scope of **both**. When the MDM policy is referred to through a SyncML command and the Policy CSP URI, as shown below, this metadata is referenced and determines what registry keys are set or removed. Machine-scope policies are referenced via .\Device and the user scope policies via .\User.
Below is the internal OS mapping of a Group Policy to a MDM area and name. This is part of a set of Windows manifest that when compiled parses out the associated ADMX file, finds the specified Group Policy policy and stores that definition (metadata) in the MDM Policy CSP client store.  ADMX backed policies are organized hierarchically. Their scope can be **machine**, **user**, or have a scope of **both**. When the MDM policy is referred to through a SyncML command and the Policy CSP URI, as shown below, this metadata is referenced and determines what registry keys are set or removed. Machine-scope policies are referenced via .\Device and the user scope policies via .\User.
`./[Device|User]/Vendor/MSFT/Policy/Config/[config|result]/<area>/<policy>`
The **wm.xml** for each mapped area can be found in its own directory under:
`\\SDXROOT\onecoreuap\admin\enterprisemgmt\policymanager\policydefinition\`
Note that the data payload of the SyncML needs to be encoded so that it does not conflict with the boilerplate SyncML XML tags. Use this online tool for encoding and encoding the policy data [Coder's Toolbox](http://coderstoolbox.net/string/#!encoding=xml&action=encode&charset=us_ascii)
**Snippet of wm.xml for AppVirtualization area:**
**Snippet of manifest for AppVirtualization area:**
```XML
<identity xmlns="urn:Microsoft.CompPlat/ManifestSchema.v1.00" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" owner="Microsoft" namespace="Windows-DeviceManagement-PolicyDefinition" name="AppVirtualization">

5
windows/configuration/docfx.json
View File

@ -33,7 +33,10 @@
"globalMetadata": {
"uhfHeaderId": "MSDocsHeader-WindowsIT",
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"ms.technology": "windows"
"ms.technology": "windows",
"ms.topic": "article",
"ms.author": "jdecker",
"ms.date": "04/05/2017"
},
"fileMetadata": {},
"template": [],

6
windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
View File

@ -8,6 +8,8 @@ ms.mktglfcycl: manage
ms.sitesec: library
localizationpriority: high
author: brianlic-msft
ms.author: brianlic-msft
ms.date: 06/13/2017
---
# Manage connections from Windows operating system components to Microsoft services
@ -1692,6 +1694,10 @@ If you're running Windows 10, version 1607 or later, you only need to enable the
- Create a new REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent!DisableWindowsSpotlightFeatures**, with a value of 1 (one).
-and-
- Create a new REG\_DWORD registry setting in **HKEY\_CURRENT\_USER\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent!DisableWindowsSpotlightFeatures**, with a value of 1 (one).
If you're not running Windows 10, version 1607 or later, you can use the other options in this section.
- Configure the following in **Settings**:

2
windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions.md
View File

@ -21,7 +21,7 @@ localizationpriority: high
A single-use or *kiosk* device is easy to set up in Windows 10 for desktop editions.
- Use the [Provision kiosk devices wizard](#wizard) in Windows Configuration Designer to create a provisioning package that configures a kiosk device running either a Universal Windows app or a Classic Windows application (Windows 10 Enterprise or Education only).
- Use the [Provision kiosk devices wizard](#wizard) in Windows Configuration Designer (Windows 10, version 1607 or later) to create a provisioning package that configures a kiosk device running either a Universal Windows app or a Classic Windows application (Windows 10 Enterprise or Education only).
or

12
windows/configuration/start-layout-xml-desktop.md
View File

@ -6,6 +6,8 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerms
ms.author: jdecker
ms.date: 06/13/2017
localizationpriority: high
---
@ -52,9 +54,9 @@ The following table lists the supported elements and attributes for the LayoutMo
| RequiredStartGroupsCollection</br></br>Parent:</br>LayoutModificationTemplate | n/a | Use to contain collection of RequiredStartGroups |
| [RequiredStartGroups](#requiredstartgroups)</br></br>Parent:</br>RequiredStartGroupsCollection | Region | Use to contain the AppendGroup tags, which represent groups that can be appended to the default Start layout |
| [AppendGroup](#appendgroup)</br></br>Parent:</br>RequiredStartGroups | Name | Use to specify the tiles that need to be appended to the default Start layout |
| [start:Tile](#specify-start-tiles)</br></br>Parent:</br>AppendGroup | AppUserModelID</br>Size</br>Row</br>Column | Use to specify any of the following:</br>- A Universal Windows app</br>- A Windows 8 or Windows 8.1 app |
| [start:Tile](#specify-start-tiles)</br></br>Parent:</br>AppendGroup | AppUserModelID</br>Size</br>Row</br>Column | Use to specify any of the following:</br>- A Universal Windows app</br>- A Windows 8 or Windows 8.1 app</br></br>Note that AppUserModelID is case-sensitive. |
| start:DesktopApplicationTile</br></br>Parent:</br>AppendGroup | DesktopApplicationID</br>DesktopApplicationLinkPath</br>Size</br>Row</br>Column | Use to specify any of the following:</br>- A Windows desktop application with a known AppUserModelID</br>- An application in a known folder with a link in a legacy Start Menu folder</br>- A Windows desktop application link in a legacy Start Menu folder</br>- A Web link tile with an associated .url file that is in a legacy Start Menu folder |
| start:SecondaryTile</br></br>Parent:</br>AppendGroup | AppUserModelID</br>TileID</br>Arguments</br>DisplayName</br>Square150x150LogoUri</br>ShowNameOnSquare150x150Logo</br>ShowNameOnWide310x150Logo</br>Wide310x150LogoUri</br>BackgroundColor</br>ForegroundText</br>IsSuggestedApp</br>Size</br>Row</br>Column | Use to pin a Web link through a Microsoft Edge secondary tile |
| start:SecondaryTile</br></br>Parent:</br>AppendGroup | AppUserModelID</br>TileID</br>Arguments</br>DisplayName</br>Square150x150LogoUri</br>ShowNameOnSquare150x150Logo</br>ShowNameOnWide310x150Logo</br>Wide310x150LogoUri</br>BackgroundColor</br>ForegroundText</br>IsSuggestedApp</br>Size</br>Row</br>Column | Use to pin a Web link through a Microsoft Edge secondary tile. Note that AppUserModelID is case-sensitive. |
| TopMFUApps</br></br>Parent:</br>LayoutModificationTemplate | n/a | Use to add up to 3 default apps to the frequently used apps section in the system area |
| Tile</br></br>Parent:</br>TopMFUApps | AppUserModelID | Use with the TopMFUApps tags to specify an app with a known AppUserModelID |
| DesktopApplicationTile</br></br>Parent:</br>TopMFUApps | LinkFilePath | Use with the TopMFUApps tags to specify an app without a known AppUserModelID |
@ -144,6 +146,9 @@ You can use the **start:Tile** tag to pin any of the following apps to Start:
To specify any one of these apps, you must set the **AppUserModelID** attribute to the application user model ID that's associated with the corresponding app.
>[!IMPORTANT]
>**AppUserModelID** (AUMID) is case-sensitive.
The following example shows how to pin the Microsoft Edge Universal Windows app:
```XML
@ -181,6 +186,7 @@ You can use the **start:DesktopApplicationTile** tag to pin a Windows desktop ap
- By using the application's application user model ID, if this is known. If the Windows desktop application doesn't have one, use the shortcut link option.
You can use the [Get-StartApps cmdlet](https://technet.microsoft.com/library/dn283402.aspx) on a PC that has the application pinned to Start to obtain the app ID.
To pin a Windows desktop application through this method, you must set the **DesktopApplicationID** attribute to the application user model ID that's associated with the corresponding app.
@ -239,7 +245,7 @@ The following table describes the other attributes that you can use with the **s
| Attribute | Required/optional | Description |
| --- | --- | --- |
| AppUserModelID | Required | Must point to Microsoft Edge. |
| AppUserModelID | Required | Must point to Microsoft Edge. Note that AppUserModelID is case-sensitive. |
| TileID | Required | Must uniquely identify your Web site tile. |
| Arguments | Required | Must contain the URL of your Web site. |
| DisplayName | Required | Must specify the text that you want users to see. |

5
windows/deployment/docfx.json
View File

@ -33,7 +33,10 @@
"globalMetadata": {
"uhfHeaderId": "MSDocsHeader-WindowsIT",
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"ms.technology": "windows"
"ms.technology": "windows",
"ms.topic": "article",
"ms.author": "greglin",
"ms.date": "04/05/2017"
},
"fileMetadata": {},
"template": [],

BIN
windows/deployment/update/images/uc-01-wdav.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 56 KiB

100
windows/deployment/update/update-compliance-get-started.md
View File

@ -1,6 +1,7 @@
---
title: Get started with Update Compliance (Windows 10)
description: Explains how to configure Update Compliance.
description: Configure Update Compliance in OMS to see the status of updates and antimalware protection on devices in your network.
keywords: update compliance, oms, operations management suite, prerequisites, requirements, updates, upgrades, antivirus, antimalware, signature, log analytics, wdav
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
@ -10,100 +11,99 @@ author: greg-lindsay
# Get started with Update Compliance
This topic explains the steps necessary to configure your environment for Windows Analytics: Update Compliance.
This topic explains the steps necessary to configure your environment for Windows Analytics: Update Compliance.
Steps are provided in sections that follow the recommended setup process:
1. Ensure that [prerequisites](#update-compliance-prerequisites) are met.
2. [Add Update Compliance](#add-update-compliance-to-microsoft-operations-management-suite) to Microsoft Operations Management Suite
3. [Deploy your Commercial ID](#deploy-your-commercial-id-to-your-windows-10-devices) to your organizations devices
2. [Add Update Compliance](#add-update-compliance-to-microsoft-operations-management-suite) to Microsoft Operations Management Suite.
3. [Deploy your Commercial ID](#deploy-your-commercial-id-to-your-windows-10-devices) to your organizations devices.
## Update Compliance Prerequisites
## Update Compliance prerequisites
Update Compliance has the following requirements:
1. Update Compliance is currently only compatible with Windows 10 devices. The solution is intended to be used with desktop devices (Windows 10 workstations and laptops).
2. The solution requires that Windows 10 telemetry is enabled on all devices that are intended to be displayed in the solution. These devices must have at least the [basic level of telemetry](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization#basic-level) enabled. To learn more about Windows telemetry, see [Configure Windows telemetry in your organization](/windows/configuration/configure-windows-telemetry-in-your-organization).
3. The telemetry of your organizations Windows devices must be successfully transmitted to Microsoft. Microsoft has specified [endpoints for different aspects of telemetry](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization#endpoints), which must be whitelisted by your organization so the data can be transmitted. The following table is taken from the article on telemetry endpoints and summarizes the use of each endpoint:
Update Compliance has the following requirements:
1. Update Compliance is currently only compatible with Windows 10 devices. The solution is intended to be used with desktop devices (Windows 10 workstations and laptops).
2. The solution requires that Windows 10 telemetry is enabled on all devices that are intended to be displayed in the solution. These devices must have at least the [basic level of telemetry](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization#basic-level) enabled. To learn more about Windows telemetry, see [Configure Windows telemetry in your organization](/windows/configuration/configure-windows-telemetry-in-your-organization).
3. The telemetry of your organizations Windows devices must be successfully transmitted to Microsoft. Microsoft has specified [endpoints for each of the telemetry services](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization#endpoints), which must be whitelisted by your organization so the data can be transmitted. The following table is taken from the article on telemetry endpoints and summarizes the use of each endpoint:
<TABLE BORDER=1>
<TR><TD BGCOLOR="#cceeff">Service<TD BGCOLOR="#cceeff">Endpoint
<TR><TD>Connected User Experience and Telemetry component<TD>v10.vortex-win.data.microsoft.com
<BR>settings-win.data.microsoft.com
<TR><TD>Windows Error Reporting <TD>watson.telemetry.microsoft.com
<TR><TD>Online Crash Analysis <TD>oca.telemetry.microsoft.com
</TABLE>
Service | Endpoint
--- | ---
Connected User Experience and Telemetry component | v10.vortex-win.data.microsoft.com<BR>settings-win.data.microsoft.com
Windows Error Reporting | watson.telemetry.microsoft.com
Online Crash Analysis | oca.telemetry.microsoft.com
4. To use Windows Defender Antivirus Assessment, devices must be protected by Windows Defender AV (and not a 3rd party AV program), and must have enabled [cloud-delivered protection](/windows/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus). See the [Windows Defender Antivirus in Windows 10](/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) content library for more information on enabling, configuring, and validating Windows Defender AV.
4. To use Windows Defender Antivirus Assessment, devices must be protected by Windows Defender AV (and not a 3rd party AV program), and must have enabled [cloud-delivered protection](/windows/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus). See the [Windows Defender Antivirus in Windows 10](/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) content library for more information on enabling, configuring, and validating Windows Defender AV.
## Add Update Compliance to Microsoft Operations Management Suite
Update Compliance is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud-based servicing for monitoring and automating your on-premises and cloud environments. For more information about OMS, see [Operations Management Suite overview](https://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/).
Update Compliance is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud-based servicing for monitoring and automating your on-premise and cloud environments. For more information about OMS, see [Operations Management Suite overview](https://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/).
If you are already using OMS, youll find Update Compliance in the Solutions Gallery. Select the **Update Compliance** tile in the gallery and then click **Add** on the solution's details page. Update Compliance is now visible in your workspace.
If you are not yet using OMS, use the following steps to subscribe to OMS Update Compliance:
1. Go to [Operations Management Suites page](https://www.microsoft.com/en-us/cloud-platform/operations-management-suite) on Microsoft.com and click **Sign in**.
1. Go to [Operations Management Suite](https://www.microsoft.com/en-us/cloud-platform/operations-management-suite) on Microsoft.com and click **Sign in**.
[![](images/uc-02a.png)](images/uc-02.png)
<P><TABLE BORDER=1><TR><TD>
<A HREF="images/uc-02.png"><img src="images/uc-02a.png"></A>
<TABLE>
2. Sign in to Operations Management Suite (OMS). You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory (Azure AD), use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS.
<P><TABLE BORDER=1><TR><TD>
<A HREF="images/uc-03.png"><img src="images/uc-03a.png"></A>
<TABLE>
3. Create a new OMS workspace.
[![](images/uc-03a.png)](images/uc-03.png)
<P><TABLE BORDER=1><TR><TD>
<A HREF="images/uc-04.png"><img src="images/uc-04a.png"></A>
<TABLE>
3. Create a new OMS workspace.
[![](images/uc-04a.png)](images/uc-04.png)
4. Enter a name for the workspace, select the workspace region, and provide the email address that you want associated with this workspace. Click **Create**.
<P><TABLE BORDER=1><TR><TD>
<A HREF="images/uc-05.png"><img src="images/uc-05a.png"></A>
<TABLE>
[![](images/uc-05a.png)](images/uc-05.png)
5. If your organization already has an Azure subscription, you can link it to your workspace. Note that you may need to request access from your organizations Azure administrator. If your organization does not have an Azure subscription, create a new one or select the default OMS Azure subscription from the list. If you do not yet have an Azure subscription, follow [this guide](https://blogs.technet.microsoft.com/upgradeanalytics/2016/11/08/linking-operations-management-suite-workspaces-to-microsoft-azure/) to create and link an Azure subscription to an OMS workspace.
<P><TABLE BORDER=1><TR><TD>
<A HREF="images/uc-06.png"><img src="images/uc-06a.png"></A>
<TABLE>
[![](images/uc-06a.png)](images/uc-06.png)
6. To add the Update Compliance solution to your workspace, go to the Solutions Gallery.
<P><TABLE BORDER=1><TR><TD>
<A HREF="images/uc-07.png"><img src="images/uc-07a.png"></A>
<TABLE>
7. Select the **Update Compliance** tile in the gallery and then select **Add** on the solutions details page. You might need to scroll to find **Update Compliance**. The solution is now visible on your workspace.
[![](images/uc-07a.png)](images/uc-07.png)
7. Select the **Update Compliance** tile in the gallery and then select **Add** on the solutions details page. You might need to scroll to find **Update Compliance**. The solution is now visible in your workspace.
[![](images/uc-08a.png)](images/uc-08.png)
<P><TABLE BORDER=1><TR><TD>
<A HREF="images/uc-08.png"><img src="images/uc-08a.png"></A>
<TABLE>
8. Click the **Update Compliance** tile to configure the solution. The **Settings Dashboard** opens.
<P><TABLE BORDER=1><TR><TD>
<A HREF="images/uc-09.png"><img src="images/uc-09a.png"></A>
<TABLE>
[![](images/uc-09a.png)](images/uc-09.png)
9. Click **Subscribe** to subscribe to OMS Update Compliance. You will then need to distribute your Commercial ID across all your organizations devices. More information on the Commercial ID is provided below.
<P><TABLE BORDER=1><TR><TD>
<A HREF="images/uc-10.png"><img src="images/uc-10a.png"></A>
<TABLE>
[![](images/uc-10a.png)](images/uc-10.png)
After you are subscribed to OMS Update Compliance and your devices have a Commercial ID, you will begin receiving data. It will typically take 24 hours for the first data to begin appearing. The following section explains how to deploy your Commercial ID to your Windows 10 devices.
>[!NOTE]
>You can unsubscribe from the Update Compliance solution if you no longer want to monitor your organizations devices. User device data will continue to be shared with Microsoft while the opt-in keys are set on user devices and the proxy allows traffic.
## Deploy your Commercial ID to your Windows 10 devices
In order for your devices to show up in Windows Analytics: Update Compliance, they must be configured with your organizations Commercial ID. This is so that Microsoft knows that a given device is a member of your organization and to feed that devices data back to you. There are two primary methods for widespread deployment of your Commercial ID: Group Policy and Mobile Device Management (MDM).
In order for your devices to show up in Windows Analytics: Update Compliance, they must be configured with your organizations Commercial ID. This is so that Microsoft knows that a given device is a member of your organization and to feed that devices data back to you. There are two primary methods for widespread deployment of your Commercial ID: Group Policy and Mobile Device Management (MDM).
- Using Group Policy<BR><BR>
Deploying your Commercial ID using Group Policy can be accomplished by configuring domain Group Policy Objects with the Group Policy Management Editor, or by configuring local Group Policy using the Local Group Policy Editor.
@ -117,4 +117,4 @@ In order for your devices to show up in Windows Analytics: Update Compliance, th
## Related topics
[Use Update Compliance to monitor Windows Updates](update-compliance-using.md)
[Use Update Compliance to monitor Windows Updates](update-compliance-using.md)

34
windows/deployment/update/update-compliance-monitor.md
View File

@ -1,6 +1,7 @@
---
title: Monitor Windows Updates with Update Compliance (Windows 10)
description: Introduction to Update Compliance.
title: Monitor Windows Updates and Windows Defender AV with Update Compliance (Windows 10)
description: You can use Update Compliance in OMS to monitor the progress of updates and key antimalware protection features on devices in your network.
keywords: oms, operations management suite, wdav, updates, upgrades, antivirus, antimalware, signature, log analytics
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
@ -8,26 +9,26 @@ ms.pagetype: deploy
author: greg-lindsay
---
# Monitor Windows Updates with Update Compliance
# Monitor Windows Updates and Windows Defender Antivirus with Update Compliance
## Introduction
With Windows 10, organizations need to change the way they approach monitoring and deploying updates. Update Compliance is a powerful set of tools that enable organizations to monitor and track all important aspects of Microsofts new servicing strategy: [Windows as a Service](waas-overview.md).
With Windows 10, organizations need to change the way they approach monitoring and deploying updates. Update Compliance is a powerful set of tools that enable organizations to monitor and track all important aspects of the new servicing strategy from Microsoft: [Windows as a Service](waas-overview.md).
Update Compliance is a solution built within Operations Management Suite (OMS), a cloud-based monitoring and automation service which has a flexible servicing subscription based off data usage/retention. For more information about OMS, see [Operations Management Suite overview](http://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/).
Update Compliance uses the Windows telemetry that is part of all Windows 10 devices. It collects system data including update installation progress, Windows Update for Business (WUfB) configuration data, and other update-specific information, and then sends this data privately to a secure cloud to be stored for analysis and usage within the solution.
Update Compliance uses the Windows telemetry that is part of all Windows 10 devices. It collects system data including update installation progress, Windows Update for Business (WUfB) configuration data, Windows Defender Antivirus data, and other update-specific information, and then sends this data privately to a secure cloud to be stored for analysis and usage within the solution.
Update Compliance provides the following:
- An overview of your organizations devices that just works.
- Dedicated drill-downs for devices that might need attention.
- An inventory of devices, including the version of Windows they are running and their update status.
- An overview of WUfB deferral configurations (Windows 10 Anniversary Update [1607] and later).
- Powerful built-in [log analytics](https://www.microsoft.com/en-us/cloud-platform/insight-and-analytics?WT.srch=1&WT.mc_id=AID529558_SEM_%5B_uniqid%5D&utm_source=Bing&utm_medium=CPC&utm_term=log%20analytics&utm_campaign=Hybrid_Cloud_Management) to create useful custom queries.
- Cloud-connected access utilizing Windows 10 telemetry means no need for new complex, customized infrastructure.
- Dedicated drill-downs for devices that might need attention
- An inventory of devices, including the version of Windows they are running and their update status
- The ability to track protection and threat status for Windows Defender Antivirus-enabled devices
- An overview of WUfB deferral configurations (Windows 10 Anniversary Update [1607] and later)
- Powerful built-in [log analytics](https://www.microsoft.com/en-us/cloud-platform/insight-and-analytics?WT.srch=1&WT.mc_id=AID529558_SEM_%5B_uniqid%5D&utm_source=Bing&utm_medium=CPC&utm_term=log%20analytics&utm_campaign=Hybrid_Cloud_Management) to create useful custom queries
- Cloud-connected access utilizing Windows 10 telemetry means no need for new complex, customized infrastructure
See the following topics in this guide for detailed information about configuring and use the Update Compliance solution:
See the following topics in this guide for detailed information about configuring and using the Update Compliance solution:
- [Get started with Update Compliance](update-compliance-get-started.md): How to add Update Compliance to your environment.
- [Using Update Compliance](update-compliance-using.md): How to begin using Update Compliance.
@ -36,19 +37,20 @@ An overview of the processes used by the Update Compliance solution is provided
## Update Compliance architecture
The Update Compliance architecture and data flow is summarized by the following five step process:
The Update Compliance architecture and data flow is summarized by the following five-step process:
**(1)** User computers send telemetry data to a secure Microsoft data center using the Microsoft Data Management Service.<BR>
**(2)** Telemetry data is analyzed by the Update Compliance Data Service.<BR>
**(3)** Telemetry data is pushed from the Update Compliance Data Service to your OMS workspace.<BR>
**(4)** Telemetry data is available in the Update Compliance solution.<BR>
**(5)** You are able to monitor and troubleshoot Windows updates on your network.<BR>
**(5)** You are able to monitor and troubleshoot Windows updates and Windows Defender AV in your environment.<BR>
These steps are illustrated in following diagram:
![Update Compliance architecture](images/uc-01.png)
![Update Compliance architecture](images/uc-01-wdav.png)
>This process assumes that Windows telemetry is enabled and devices are assigned your Commercial ID.
>[!NOTE]
>This process assumes that Windows telemetry is enabled and you [have assigned your Commercial ID to devices](update-compliance-get-started#deploy-your-commercial-id-to-your-windows-10-devices.

1
windows/deployment/update/update-compliance-using.md
View File

@ -19,6 +19,7 @@ Update Compliance:
- Provides a workflow that can be used to quickly identify which devices require attention.
- Enables you to track deployment compliance targets for updates.
>[!NOTE]
>Information is refreshed daily so that update progress can be monitored. Changes will be displayed about 24 hours after their occurrence, so you always have a recent snapshot of your devices.
In OMS, the aspects of a solution's dashboard are usually divided into <I>blades</I>. Blades are a slice of information, typically with a summarization tile and an enumeration of the items that makes up that data. All data is presented through <I>queries</I>. <I>Perspectives</I> are also possible, wherein a given query has a unique view designed to display custom data. The terminology of blades, tiles, and perspectives will be used in the sections that follow.

531
windows/device-security/device-guard/deploy-code-integrity-policies-steps.md
View File

@ -20,7 +20,473 @@ For an overview of the process described in the following procedures, see [Deplo
The process for creating a golden code integrity policy from a reference system is straightforward. This section outlines the process that is required to successfully create a code integrity policy with Windows PowerShell. First, for this example, you must initiate variables to be used during the creation process. Rather than using variables, you can simply use the full file paths in the command. Next, you create the code integrity policy by scanning the system for installed applications. When created, the policy file is converted to binary format so that Windows can consume its contents.
> **Note**&nbsp;&nbsp;Before you begin this procedure, ensure that the reference PC is clean of viruses or malware. Each piece of installed software should be validated as trustworthy before you create this policy. Also, be sure that any software that you would like to be scanned is installed on the system before you create the code integrity policy.
> [!Note]
> Before you begin this procedure, make sure that the reference PC is virus and malware-free,and that any software you want to be scanned is installed on the system before creating the code integrity policy.
### Scripting and applications
Each installed software application should be validated as trustworthy before you create a policy. We recommend that you review the reference PC for software that can load arbitrary DLLs and run code or scripts that could render the PC more vulnerable. Examples include software aimed at development or scripting such as msbuild.exe (part of Visual Studio and the .NET Framework) which can be removed, and Windows Script Host (WSH), which can be manually disabled if you do not want it to run scripts.
You can remove or disable such software on reference PCs used to create code integrity policies. You can also fine-tune your control by using Device Guard in combination with AppLocker, as described in [Device Guard with AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies#device-guard-with-applocker).
Members of the security community<sup>*</sup> continuously collaborate with Microsoft to help protect customers. With the help of their valuable reports, Microsoft has identified a list of valid applications that an attacker could also potentially use to bypass Device Guard code integrity policies.
In certain circumstances, if the use case is appropriate, for example if your operational scenario requires elevated security, you may want to block these applications. For example, if you have a code integrity policy that trusts all Microsoft-signed applications, we recommend that you block the following applications (optional in the case of cscript.exe and wscript.exe) from running on your systems:
- bash.exe
- bginfo.exe
- cdb.exe
- cscript.exe<sup>1</sup>
- csi.exe
- dnx.exe
- fsi.exe
- kd.exe
- lxssmanager.dll
- msbuild.exe<sup>2</sup>
- mshta.exe
- ntsd.exe
- rcsi.exe
- windbg.exe
- wscript.exe<sup>1</sup>
<sup>1</sup> Microsoft Windows Script Host (WSH) is an automation technology for Microsoft Windows operating systems that allows scripts to load and run. It comprises two files, wscript.exe and cscript.exe. When WSH is enabled, scripts are allowed. However, when Device Guard is enabled, the functionality of WSH scripts is restricted by default.
<sup>2</sup> If you are using your reference system in a development context and use msbuild.exe to build managed applications, we recommend that you whitelist msbuild.exe in your code integrity policies. However, if your reference system is an end user device that is not being used in a development context, we recommend that you block msbuild.exe.
<sup>*</sup> Microsoft recognizes the efforts of those in the security community who help us protect customers through responsible vulnerability disclosure, and extends thanks to the following people:
<br />
|Name|Twitter|
|---|---|
|Casey Smith |@subTee|
|Matt Graeber | @mattifestation|
|Matt Nelson | @enigma0x3|
|Oddvar Moe |@Oddvarmoe|
<br />
>[!Note]
>This application list is fluid and will be updated with the latest vendor information as application vulnerabilities are resolved and new issues are discovered.
When an application version is upgraded, you may want to add deny rules to your code integrity policies for that applications previous, less secure versions, especially to fix a vulnerability or potential Device Guard bypass. Certain vendors may or may not intend to update their software to work with Device Guard.
To block the listed applications, you can merge this policy into your existing policy by adding the following deny rules using the PowerShell Merge-CIPolicy cmdlet:
```
<?xml version="1.0" encoding="utf-8"?>
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
<VersionEx>10.0.0.0</VersionEx>
<PolicyTypeID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyTypeID>
<PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
<Rules>
<Rule>
<Option>Enabled:Unsigned System Integrity Policy</Option>
</Rule>
<Rule>
<Option>Enabled:Audit Mode</Option>
</Rule>
<Rule>
<Option>Enabled:Advanced Boot Options Menu</Option>
</Rule>
<Rule>
<Option>Required:Enforce Store Applications</Option>
</Rule>
<Rule>
<Option>Enabled:UMCI</Option>
</Rule>
</Rules>
<!--EKUS-->
<EKUs />
<!--File Rules-->
<FileRules>
<Deny ID="ID_DENY_BGINFO" FriendlyName="bginfo.exe" FileName="BGINFO.Exe" MinimumFileVersion = "4.21.0.0" />
<Deny ID="ID_DENY_CBD" FriendlyName="cdb.exe" FileName="CDB.Exe" MinimumFileVersion = "65535.65535.65535.65535" />
<Deny ID="ID_DENY_KD" FriendlyName="kd.exe" FileName="kd.Exe" MinimumFileVersion = "65535.65535.65535.65535" />
<Deny ID="ID_DENY_WINDBG" FriendlyName="windbg.exe" FileName="windbg.Exe" MinimumFileVersion = "65535.65535.65535.65535" />
<Deny ID="ID_DENY_MSBUILD" FriendlyName="MSBuild.exe" FileName="MSBuild.Exe" MinimumFileVersion = "65535.65535.65535.65535" />
<Deny ID="ID_DENY_CSI" FriendlyName="csi.exe" FileName="csi.Exe" MinimumFileVersion = "65535.65535.65535.65535" />
<Deny ID="ID_DENY_DNX" FriendlyName="dnx.exe" FileName="dnx.Exe" MinimumFileVersion = "65535.65535.65535.65535" />
<Deny ID="ID_DENY_RCSI" FriendlyName="rcsi.exe" FileName="rcsi.Exe" MinimumFileVersion = "65535.65535.65535.65535" />
<Deny ID="ID_DENY_NTSD" FriendlyName="ntsd.exe" FileName="ntsd.Exe" MinimumFileVersion = "65535.65535.65535.65535" />
<Deny ID="ID_DENY_LXSS" FriendlyName="LxssManager.dll" FileName="LxssManager.dll" MinimumFileVersion = "65535.65535.65535.65535" />
<Deny ID="ID_DENY_BASH" FriendlyName="bash.exe" FileName="bash.exe" MinimumFileVersion = "65535.65535.65535.65535" />
<Deny ID="ID_DENY_FSI" FriendlyName="fsi.exe" FileName="fsi.exe" MinimumFileVersion = "65535.65535.65535.65535" />
<Deny ID="ID_DENY_MSHTA" FriendlyName="mshta.exe" FileName="mshta.exe" MinimumFileVersion = "65535.65535.65535.65535" />
</FileRules>
<!--Signers-->
<Signers />
<!--Driver Signing Scenarios-->
<SigningScenarios>
<SigningScenario Value="131" ID="ID_SIGNINGSCENARIO_DRIVERS_1" FriendlyName="Driver Signing Scenarios">
<ProductSigners>
<FileRulesRef>
<FileRuleRef RuleID="ID_DENY_KD" />
</FileRulesRef>
</ProductSigners>
</SigningScenario>
<SigningScenario Value="12" ID="ID_SIGNINGSCENARIO_WINDOWS" FriendlyName="User Mode Signing Scenarios">
<ProductSigners>
<FileRulesRef>
<FileRuleRef RuleID="ID_DENY_BGINFO"/>
<FileRuleRef RuleID="ID_DENY_CBD"/>
<FileRuleRef RuleID="ID_DENY_KD"/>
<FileRuleRef RuleID="ID_DENY_WINDBG"/>
<FileRuleRef RuleID="ID_DENY_MSBUILD"/>
<FileRuleRef RuleID="ID_DENY_CSI"/>
<FileRuleRef RuleID="ID_DENY_DNX"/>
<FileRuleRef RuleID="ID_DENY_RCSI"/>
<FileRuleRef RuleID="ID_DENY_NTSD"/>
<FileRuleRef RuleID="ID_DENY_LXSS"/>
<FileRuleRef RuleID="ID_DENY_BASH"/>
<FileRuleRef RuleID="ID_DENY_FSI"/>
<FileRuleRef RuleID="ID_DENY_MSHTA"/>
</FileRulesRef>
</ProductSigners>
</SigningScenario>
</SigningScenarios>
<UpdatePolicySigners />
<CiSigners />
<HvciOptions>0</HvciOptions>
</SiPolicy>
```
### Disable Windows Script Host
If you are using Device Guard code integrity policies, the policies place constraints on PowerShell and WSH scripts. When Device Guard is enabled, by default, PowerShell scripts execute in “ConstrainedLanguage” language mode, in which neither wscript.exe and cscript.exe can invoke untrusted Active X controls or COM objects. However, signed PowerShell scripts are permitted to execute in “FullLanguage” language mode, and trusted or signed wscript or cscript scripts can invoke Active X controls or COM objects. For further information on PowerShell language modes, see [Language Modes](https://msdn.microsoft.com/en-us/powershell/reference/4.0/microsoft.powershell.core/about/about_language_modes).
Alternatively, though script hosts are safer with Device Guard enabled, if your reference PC does not require any scripting, you may want to completely disable WSH. Disabling WSH prevents all users from running any scripts, including VBScript and JScript scripts. Note that some applications may require WSH to be enabled. You can disable WSH by configuring Device Guard code integrity policies.
### Disable Windows Script Host using code integrity policies
To disable Windows Script Hosting, you can simply create further deny rules to add the script hosts (wscript.exe and cscript.exe) to the list of blocked applications in your code integrity policy as follows:
```
<?xml version="1.0" encoding="utf-8"?>
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy" FriendlyName="Windows Recommended Deny List Policy">
<VersionEx>1.0.0.0</VersionEx>
<PolicyTypeID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyTypeID>
<PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
<Rules>
<Rule>
<Option>Enabled:Unsigned System Integrity Policy</Option>
</Rule>
<Rule>
<Option>Enabled:Advanced Boot Options Menu</Option>
</Rule>
<Rule>
<Option>Required:Enforce Store Applications</Option>
</Rule>
<Rule>
<Option>Enabled:UMCI</Option>
</Rule>
</Rules>
<!--EKUS-->
<EKUs />
<!--File Rules-->
<FileRules>
<Deny ID="ID_DENY_BGINFO" FriendlyName="bginfo.exe" FileName="BGINFO.Exe" MinimumFileVersion = "4.21.0.0” />
<Deny ID="ID_DENY_CBD" FriendlyName="cdb.exe" FileName="CDB.Exe" MinimumFileVersion = "65535.65535.65535.65535" />
<Deny ID="ID_DENY_KD" FriendlyName="kd.exe" FileName="kd.Exe" MinimumFileVersion = "65535.65535.65535.65535" />
<Deny ID="ID_DENY_WINDBG" FriendlyName="windbg.exe" FileName="windbg.Exe" MinimumFileVersion = "65535.65535.65535.65535" />
<Deny ID="ID_DENY_MSBUILD" FriendlyName="MSBuild.exe" FileName="MSBuild.Exe" MinimumFileVersion = "65535.65535.65535.65535" />
<Deny ID="ID_DENY_WSCRIPT" FriendlyName="wscript.exe" FileName="wscript.exe" MinimumFileVersion = "65535.65535.65535.65535" />
<Deny ID="ID_DENY_CSCRIPT" FriendlyName="cscript.exe" FileName="cscript.exe" MinimumFileVersion = "65535.65535.65535.65535" />
<Deny ID="ID_DENY_CSI" FriendlyName="csi.exe" FileName="csi.Exe" MinimumFileVersion = "65535.65535.65535.65535" />
<Deny ID="ID_DENY_DNX" FriendlyName="dnx.exe" FileName="dnx.Exe" MinimumFileVersion = "65535.65535.65535.65535" />
<Deny ID="ID_DENY_RCSI" FriendlyName="rcsi.exe" FileName="rcsi.Exe" MinimumFileVersion = "65535.65535.65535.65535" />
<Deny ID="ID_DENY_NTSD" FriendlyName="ntsd.exe" FileName="ntsd.Exe" MinimumFileVersion = "65535.65535.65535.65535" />
<Deny ID="ID_DENY_LXSS" FriendlyName="LxssManager.dll" FileName="LxssManager.dll" MinimumFileVersion = "65535.65535.65535.65535" />
<Deny ID="ID_DENY_BASH" FriendlyName="bash.exe" FileName="bash.exe" MinimumFileVersion = "65535.65535.65535.65535" />
<Deny ID="ID_DENY_FSI" FriendlyName="fsi.exe" FileName="fsi.exe" MinimumFileVersion = "65535.65535.65535.65535" />
<Deny ID="ID_DENY_MSHTA" FriendlyName="mshta.exe" FileName="mshta.exe" MinimumFileVersion = "65535.65535.65535.65535" />
</FileRules>
<!--Signers-->
<Signers>
</Signers>
<SigningScenarios>
<!--Kernel Mode Signing Scenario-->
<SigningScenario Value="131" ID="ID_SIGNINGSCENARIO_KMCI" FriendlyName="Kernel Mode Signing Scenario">
<ProductSigners />
</SigningScenario>
<!--User Mode Signing Scenario-->
<SigningScenario Value="12" ID="ID_SIGNINGSCENARIO_UMCI" FriendlyName="User Mode Signing Scenario">
<ProductSigners>
<FileRulesRef>
<FileRuleRef RuleID="ID_DENY_BGINFO"/>
<FileRuleRef RuleID="ID_DENY_CBD"/>
<FileRuleRef RuleID="ID_DENY_KD"/>
<FileRuleRef RuleID="ID_DENY_WINDBG"/>
<FileRuleRef RuleID="ID_DENY_MSBUILD"/>
<FileRuleRef RuleID="ID_DENY_WSCRIPT"/>
<FileRuleRef RuleID="ID_DENY_CSCRIPT"/>
<FileRuleRef RuleID="ID_DENY_CSI"/>
<FileRuleRef RuleID="ID_DENY_DNX"/>
<FileRuleRef RuleID="ID_DENY_RCSI"/>
<FileRuleRef RuleID="ID_DENY_NTSD"/>
<FileRuleRef RuleID="ID_DENY_LXSS"/>
<FileRuleRef RuleID="ID_DENY_BASH"/>
<FileRuleRef RuleID="ID_DENY_FSI"/>
<FileRuleRef RuleID="ID_DENY_MSHTA"/>
</FileRulesRef>
</ProductSigners>
</SigningScenario>
</SigningScenarios>
<UpdatePolicySigners />
<CiSigners />
</SiPolicy>
```
<br />
The June 2017 Windows updates resolve a vulnerability in PowerShell that allowed an attacker to bypass Device Guard code integrity policies. Powershell cmdlets cannot be blocked by name or version, and therefore must be blocked by their corresponding hashes. We recommend that you block the following PowerShell cmdlets and merge this policy into your existing policy by adding the following deny rules using the Merge-CIPolicy cmdlet:
```
<?xml version="1.0" encoding="utf-8"?>
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
<VersionEx>10.0.0.0</VersionEx>
<PolicyTypeID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyTypeID>
<PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
<Rules>
<Rule>
<Option>Enabled:Unsigned System Integrity Policy</Option>
</Rule>
<Rule>
<Option>Enabled:Audit Mode</Option>
</Rule>
<Rule>
<Option>Enabled:Advanced Boot Options Menu</Option>
</Rule>
<Rule>
<Option>Required:Enforce Store Applications</Option>
</Rule>
<Rule>
<Option>Enabled:UMCI</Option>
</Rule>
</Rules>
<!--EKUS-->
<EKUs />
<!--File Rules-->
<FileRules>
<Deny ID="ID_DENY_D_0" FriendlyName="Powershell 0" Hash="1AC4D8D8B672A2D74AB1815E8A3FEF6952892D1E" />
<Deny ID="ID_DENY_D_1" FriendlyName="Powershell 1" Hash="25C57E0305E7FFB4C259D741B87F90D66BDA9801AE68A0F589D9F15D95C15821" />
<Deny ID="ID_DENY_D_2" FriendlyName="Powershell 2" Hash="AA085BE6498D2E3F527F3D72A5D1C604508133F0CDC05AD404BB49E8E3FB1A1B" />
<Deny ID="ID_DENY_D_3" FriendlyName="Powershell 3" Hash="573129BCCA3C8492498C35E45676B3D348438464" />
<Deny ID="ID_DENY_D_4" FriendlyName="Powershell 4" Hash="FBA274406B503B464B349805149E6AA722909CC9" />
<Deny ID="ID_DENY_D_5" FriendlyName="Powershell 5" Hash="91459EF46223540305C42FD50DF0B3C62148A0DB70F6B588AB29D11C5750F784" />
<Deny ID="ID_DENY_D_6" FriendlyName="Powershell 6" Hash="BACA825D0852E2D8F3D92381D112B99B5DD56D9F" />
<Deny ID="ID_DENY_D_7" FriendlyName="Powershell 7" Hash="3AF2587E8B62F88DC363D7F5308EE4C1A6147338" />
<Deny ID="ID_DENY_D_8" FriendlyName="Powershell 8" Hash="A9E655A96A124BC361D9CC5C7663FC033AA6F6609916EFAA76B6A6E9713A0D32" />
<Deny ID="ID_DENY_D_9" FriendlyName="Powershell 9" Hash="8BC6761CDB3A2114DC04B3167C27CD9A8D3F8F08" />
<Deny ID="ID_DENY_D_10" FriendlyName="Powershell 10" Hash="11F936112832738AD9B3A1C67537D5542DE8E86856CF2A5893C4D26CF3A2C558" />
<Deny ID="ID_DENY_D_11" FriendlyName="Powershell 11" Hash="7DBB41B87FAA887DE456C8E6A72E09D2839FA1E7" />
<Deny ID="ID_DENY_D_12" FriendlyName="Powershell 12" Hash="632CC37793AC704329C943765A684F9D22DBE50A1D951CAA576E72613F4BFC82" />
<Deny ID="ID_DENY_D_13" FriendlyName="Powershell 13" Hash="FA2F82EAAE3E9F04E7ABCBF3BEA5403F3D7D67CE" />
<Deny ID="ID_DENY_D_14" FriendlyName="Powershell 14" Hash="55A114886D75A8CAD1B8B8A867D42384CF6E337E" />
<Deny ID="ID_DENY_D_15" FriendlyName="Powershell 15" Hash="DED853481A176999723413685A79B36DD0F120F9" />
<Deny ID="ID_DENY_D_16" FriendlyName="Powershell 16" Hash="D027E09D9D9828A87701288EFC91D240C0DEC2C3" />
<Deny ID="ID_DENY_D_17" FriendlyName="Powershell 17" Hash="46936F4F0AFE4C87D2E55595F74DDDFFC9AD94EE" />
<Deny ID="ID_DENY_D_18" FriendlyName="Powershell 18" Hash="5090F22BB9C0B168C7F5E9E800784A05AFCCBC4F" />
<Deny ID="ID_DENY_D_19" FriendlyName="Powershell 19" Hash="A920D0706FCEA648D28638E9198BCC368996B8FD" />
<Deny ID="ID_DENY_D_20" FriendlyName="Powershell 20" Hash="93E22F2BA6C8B1C09F100F9C0E3B06FAF2D1DDB6" />
<Deny ID="ID_DENY_D_21" FriendlyName="Powershell 21" Hash="943E307BE7B0B381715CA5CC0FAB7B558025BA80" />
<Deny ID="ID_DENY_D_22" FriendlyName="Powershell 22" Hash="DDE4D9A08514347CDE706C42920F43523FC74DEA" />
<Deny ID="ID_DENY_D_23" FriendlyName="Powershell 23" Hash="48092864C96C4BF9B68B5006EAEDAB8B57B3738C" />
<Deny ID="ID_DENY_D_24" FriendlyName="Powershell 24" Hash="7F6725BA8CCD2DAEEFD0C9590A5DF9D98642CCEA" />
<Deny ID="ID_DENY_D_25" FriendlyName="Powershell 25" Hash="AEBFE7497F4A1947B5CB32650843CA0F85BD56D0" />
<Deny ID="ID_DENY_D_26" FriendlyName="Powershell 26" Hash="8FB604CD72701B83BC265D87F52B36C6F14E5DBE" />
<Deny ID="ID_DENY_D_27" FriendlyName="Powershell 27" Hash="CE70309DB83C9202F45028EBEC252747F4936E6F" />
<Deny ID="ID_DENY_D_28" FriendlyName="Powershell 28" Hash="DE6A02520E1D7325025F2761A97D36E407E8490C" />
<Deny ID="ID_DENY_D_29" FriendlyName="Powershell 29" Hash="B663138BF1D91C74EB25C68378B3E68E3F9E936A" />
<Deny ID="ID_DENY_D_30" FriendlyName="Powershell 30" Hash="79D5991CF1ED52C7E6AE7F5FDE3F0D9240BE62F3" />
<Deny ID="ID_DENY_D_31" FriendlyName="Powershell 31" Hash="9D71AD914DBB2FDF793742AA63AEEF4E4A430790" />
<Deny ID="ID_DENY_D_32" FriendlyName="Powershell 32" Hash="7484FD78A9298DBA24AC5C882D16DB6146E53712" />
<Deny ID="ID_DENY_D_33" FriendlyName="Powershell 33" Hash="CE2DAA6B3E9F5DF9216F2060AFB48B7558033B66" />
<Deny ID="ID_DENY_D_34" FriendlyName="Powershell 34" Hash="4C4847F430305B8BF755EB09F02F3DD229F6BC2D" />
<Deny ID="ID_DENY_D_35" FriendlyName="Powershell 35" Hash="CC968868EDC6718DA14DDDB11228A04D5D5BD9A5" />
<Deny ID="ID_DENY_D_36" FriendlyName="Powershell 36" Hash="78C3C6AEF52A6A5392C55F1EC98AF18053B3087D" />
<Deny ID="ID_DENY_D_37" FriendlyName="Powershell 37" Hash="783FFB771F08BCF55C2EA474B5460EB65EA9444C" />
<Deny ID="ID_DENY_D_38" FriendlyName="Powershell 38" Hash="7386F0FFAEED9F14CB087719A82633CE341AF18C" />
<Deny ID="ID_DENY_D_39" FriendlyName="Powershell 39" Hash="D60BC43CAD0E2CD119F0F29BA3E85EDA6B6409B0" />
<Deny ID="ID_DENY_D_40" FriendlyName="Powershell 40" Hash="B303D1689ED99613E4F52CE6E5F96AAEBC3A45C3" />
<Deny ID="ID_DENY_D_41" FriendlyName="Powershell 41" Hash="DB5C6CB23C23BA6A3CD4FD4EC0A4DAEE3FC66500" />
<Deny ID="ID_DENY_D_42" FriendlyName="Powershell 42" Hash="24F46E8804F5411A1EBE7CE8454AF87C7E93A310" />
<Deny ID="ID_DENY_D_43" FriendlyName="Powershell 43" Hash="1194192ECDA6751D8261F17A491618E707152DA6" />
<Deny ID="ID_DENY_D_44" FriendlyName="Powershell 44" Hash="789D0657689DB6F0900A787BEF52A449585A92B5" />
<Deny ID="ID_DENY_D_45" FriendlyName="Powershell 45" Hash="C1E08AD32F680100C51F138C6C095139E7230C3B" />
<Deny ID="ID_DENY_D_46" FriendlyName="Powershell 46" Hash="E89C29D38F554F6CB73B5FD3D0A783CC12FFEBC3" />
<Deny ID="ID_DENY_D_47" FriendlyName="Powershell 47" Hash="AF37DB4C03EFB0AADB9A670FF9A656AEF8D92A2F" />
<Deny ID="ID_DENY_D_48" FriendlyName="Powershell 48" Hash="7749D36155F967D01ED610C777F1B3AF9F6C225B" />
<Deny ID="ID_DENY_D_49" FriendlyName="Powershell 49" Hash="5B5E7942233D7C8A325A429FC4F4AE281325E8F9" />
<Deny ID="ID_DENY_D_50" FriendlyName="Powershell 50" Hash="926DCACC6983F85A8ABBCB5EE13F3C756705A1D5" />
<Deny ID="ID_DENY_D_51" FriendlyName="Powershell 51" Hash="395ACEC4E5123A3EF2C5E88620F827E929CF6D32" />
<Deny ID="ID_DENY_D_52" FriendlyName="Powershell 52" Hash="55A9B372FF02D16127AD7D5A9C32FC666D6397ED" />
<Deny ID="ID_DENY_D_53" FriendlyName="Powershell 53" Hash="6FE6723A355DEB4BC6B8637A634D1B43AFA64112" />
<Deny ID="ID_DENY_D_54" FriendlyName="Powershell 54" Hash="8D5599B34BED4A660DACC0922F6C2F112F264758" />
<Deny ID="ID_DENY_D_55" FriendlyName="Powershell 55" Hash="F139A9B69295C115BDDA030ABD50354ACF90B4A6" />
<Deny ID="ID_DENY_D_56" FriendlyName="Powershell 56" Hash="C10A9A496BAE83272BC7257BB11E15487A51F1B6" />
<Deny ID="ID_DENY_D_57" FriendlyName="Powershell 57" Hash="CCFB247A3BCA9C64D82F647F3D30A3172E645F13" />
<Deny ID="ID_DENY_D_58" FriendlyName="Powershell 58" Hash="E8EB859531F426CC45A3CB9118F399C92054563E" />
<Deny ID="ID_DENY_D_59" FriendlyName="Powershell 59" Hash="3AE6766D1877340EA7F6DB1A4900501C794C3FC5" />
<Deny ID="ID_DENY_D_60" FriendlyName="Powershell 60" Hash="7E9AE4038C626FC16C52F95F15A86B3A4183F172" />
<Deny ID="ID_DENY_D_61" FriendlyName="Powershell 61" Hash="C92D4EAC917EE4842A437C54F96D87F003199DE8" />
<Deny ID="ID_DENY_D_62" FriendlyName="Powershell 62" Hash="66681D9171981216B31996429695931DA2A638B9" />
<Deny ID="ID_DENY_D_63" FriendlyName="Powershell 63" Hash="98A3F280667CE1F36AAF68B4336F2C2031002791" />
<Deny ID="ID_DENY_D_64" FriendlyName="Powershell 64" Hash="054BBA5AB35A3F704D62F3119CD8B8C3CBD7AEEB" />
<Deny ID="ID_DENY_D_65" FriendlyName="Powershell 65" Hash="9DCA54C85E4C645CB296FE3055E90255B6506A95" />
<Deny ID="ID_DENY_D_66" FriendlyName="Powershell 66" Hash="D3D453EBC368DF7CC2200474035E5898B58D93F1" />
<Deny ID="ID_DENY_D_67" FriendlyName="Powershell 67" Hash="F29A958287788A6EEDE6035D49EF5CB85EEC40D214FDDE5A0C6CAA65AFC00EEC" />
<Deny ID="ID_DENY_D_68" FriendlyName="Powershell 68" Hash="84BB081141DA50B3839CD275FF34854F53AECB96CA9AEB8BCD24355C33C1E73E" />
<Deny ID="ID_DENY_D_69" FriendlyName="Powershell 69" Hash="8D396FEAEED1F0CA709B62B1F27EDC9CCEFF95E3473C923624362A042E91D787" />
<Deny ID="ID_DENY_D_70" FriendlyName="Powershell 70" Hash="7BF44433D3A606104778F64B11B92C52FC99C4BA570C50B70438275D0B587B8E" />
<Deny ID="ID_DENY_D_71" FriendlyName="Powershell 71" Hash="6B3CB996EC5129D345830C3D6D5C7C009372FFD9F08837E8B2572AB31E9648A5" />
<Deny ID="ID_DENY_D_72" FriendlyName="Powershell 72" Hash="C3A5DAB20947CA8FD092E75C25177E7BAE7884CA58710F14827144C09EA1F94B" />
<Deny ID="ID_DENY_D_73" FriendlyName="Powershell 73" Hash="BE3FFE10CDE8B62C3E8FD4D8198F272B6BD15364A33362BB07A0AFF6731DABA1" />
<Deny ID="ID_DENY_D_74" FriendlyName="Powershell 74" Hash="75288A0CF0806A68D8DA721538E64038D755BBE74B52F4B63FEE5049AE868AC0" />
<Deny ID="ID_DENY_D_75" FriendlyName="Powershell 75" Hash="F875E43E12685ECE0BA2D42D55A13798CE9F1FFDE3CAE253D2529F4304811A52" />
<Deny ID="ID_DENY_D_76" FriendlyName="Powershell 76" Hash="6D89FDD29D50C07801FB01F031CDB96E2E14288F066BD895356AE0517ABB09CE" />
<Deny ID="ID_DENY_D_77" FriendlyName="Powershell 77" Hash="326669C4A31E2049E3750BCF4287241BB8B555B3670D31A1ACA74C3AC598DF81" />
<Deny ID="ID_DENY_D_78" FriendlyName="Powershell 78" Hash="38DC1956313B160696A172074C6F5DA9852BF508F55AFB7FA079B98F2849AFB5" />
<Deny ID="ID_DENY_D_79" FriendlyName="Powershell 79" Hash="C6C073A80A8E76DC13E724B5E66FE4035A19CCA0C1AF3FABBC18E5185D1B66CB" />
<Deny ID="ID_DENY_D_80" FriendlyName="Powershell 80" Hash="9EA4BD3D8FB8F490E8099E0412F091E545AF028E3C4CAF179324B679124D1742" />
<Deny ID="ID_DENY_D_81" FriendlyName="Powershell 81" Hash="CD83C3C293EC4D24D3328C74881FA04AAF9CCF73E099631A9EB100BD0F384F58" />
<Deny ID="ID_DENY_D_82" FriendlyName="Powershell 82" Hash="74E207F539C4EAC648A5507EB158AEE9F6EA401E51808E83E73709CFA0820FDD" />
<Deny ID="ID_DENY_D_83" FriendlyName="Powershell 83" Hash="148972F670E18790D62D753E01ED8D22B351A57E45544D88ACE380FEDAF24A40" />
<Deny ID="ID_DENY_D_84" FriendlyName="Powershell 84" Hash="72E4EC687CFE357F3E681A7500B6FF009717A2E9538956908D3B52B9C865C189" />
<Deny ID="ID_DENY_D_85" FriendlyName="Powershell 85" Hash="F16E605B55774CDFFDB0EB99FAFF43A40622ED2AB1C011D1195878F4B20030BC" />
<Deny ID="ID_DENY_D_86" FriendlyName="Powershell 86" Hash="BD3139CE7553AC7003C96304F08EAEC2CDB2CC6A869D36D6F1E478DA02D3AA16" />
<Deny ID="ID_DENY_D_87" FriendlyName="Powershell 87" Hash="71FC552E66327EDAA72D72C362846BD80CB65EECFAE95C4D790C9A2330D95EE6" />
<Deny ID="ID_DENY_D_88" FriendlyName="Powershell 88" Hash="A1D1AF7675C2596D0DF977F57B54372298A56EE0F3E1FF2D974D387D7F69DD4E" />
<Deny ID="ID_DENY_D_89" FriendlyName="Powershell 89" Hash="0D905709AB1174F8E12A063F259A52DABE85CAEB8018985F5411F1CE9C6C99C3" />
<Deny ID="ID_DENY_D_90" FriendlyName="Powershell 90" Hash="939C291D4A2592209EC7664EC832670FA0AC1009F974F47489D866751F4B862F" />
</FileRules>
<!--Signers-->
<Signers />
<!--Driver Signing Scenarios-->
<SigningScenarios>
<SigningScenario Value="131" ID="ID_SIGNINGSCENARIO_DRIVERS_1" FriendlyName="Auto generated policy on 06-12-2017">
<ProductSigners>
<FileRulesRef>
<FileRuleRef RuleID="ID_DENY_D_11" />
</FileRulesRef>
</ProductSigners>
</SigningScenario>
<SigningScenario Value="12" ID="ID_SIGNINGSCENARIO_WINDOWS" FriendlyName="Auto generated policy on 06-12-2017">
<ProductSigners>
<FileRulesRef>
<FileRuleRef RuleID="ID_DENY_D_0" />
<FileRuleRef RuleID="ID_DENY_D_1" />
<FileRuleRef RuleID="ID_DENY_D_2" />
<FileRuleRef RuleID="ID_DENY_D_3" />
<FileRuleRef RuleID="ID_DENY_D_4" />
<FileRuleRef RuleID="ID_DENY_D_5" />
<FileRuleRef RuleID="ID_DENY_D_6" />
<FileRuleRef RuleID="ID_DENY_D_7" />
<FileRuleRef RuleID="ID_DENY_D_8" />
<FileRuleRef RuleID="ID_DENY_D_9" />
<FileRuleRef RuleID="ID_DENY_D_10" />
<FileRuleRef RuleID="ID_DENY_D_11" />
<FileRuleRef RuleID="ID_DENY_D_12" />
<FileRuleRef RuleID="ID_DENY_D_13" />
<FileRuleRef RuleID="ID_DENY_D_14" />
<FileRuleRef RuleID="ID_DENY_D_15" />
<FileRuleRef RuleID="ID_DENY_D_16" />
<FileRuleRef RuleID="ID_DENY_D_17" />
<FileRuleRef RuleID="ID_DENY_D_18" />
<FileRuleRef RuleID="ID_DENY_D_19" />
<FileRuleRef RuleID="ID_DENY_D_20" />
<FileRuleRef RuleID="ID_DENY_D_21" />
<FileRuleRef RuleID="ID_DENY_D_22" />
<FileRuleRef RuleID="ID_DENY_D_23" />
<FileRuleRef RuleID="ID_DENY_D_24" />
<FileRuleRef RuleID="ID_DENY_D_25" />
<FileRuleRef RuleID="ID_DENY_D_26" />
<FileRuleRef RuleID="ID_DENY_D_27" />
<FileRuleRef RuleID="ID_DENY_D_28" />
<FileRuleRef RuleID="ID_DENY_D_29" />
<FileRuleRef RuleID="ID_DENY_D_30" />
<FileRuleRef RuleID="ID_DENY_D_31" />
<FileRuleRef RuleID="ID_DENY_D_32" />
<FileRuleRef RuleID="ID_DENY_D_33" />
<FileRuleRef RuleID="ID_DENY_D_34" />
<FileRuleRef RuleID="ID_DENY_D_35" />
<FileRuleRef RuleID="ID_DENY_D_36" />
<FileRuleRef RuleID="ID_DENY_D_37" />
<FileRuleRef RuleID="ID_DENY_D_38" />
<FileRuleRef RuleID="ID_DENY_D_39" />
<FileRuleRef RuleID="ID_DENY_D_40" />
<FileRuleRef RuleID="ID_DENY_D_41" />
<FileRuleRef RuleID="ID_DENY_D_42" />
<FileRuleRef RuleID="ID_DENY_D_43" />
<FileRuleRef RuleID="ID_DENY_D_44" />
<FileRuleRef RuleID="ID_DENY_D_45" />
<FileRuleRef RuleID="ID_DENY_D_46" />
<FileRuleRef RuleID="ID_DENY_D_47" />
<FileRuleRef RuleID="ID_DENY_D_48" />
<FileRuleRef RuleID="ID_DENY_D_49" />
<FileRuleRef RuleID="ID_DENY_D_50" />
<FileRuleRef RuleID="ID_DENY_D_51" />
<FileRuleRef RuleID="ID_DENY_D_52" />
<FileRuleRef RuleID="ID_DENY_D_53" />
<FileRuleRef RuleID="ID_DENY_D_54" />
<FileRuleRef RuleID="ID_DENY_D_55" />
<FileRuleRef RuleID="ID_DENY_D_56" />
<FileRuleRef RuleID="ID_DENY_D_57" />
<FileRuleRef RuleID="ID_DENY_D_58" />
<FileRuleRef RuleID="ID_DENY_D_59" />
<FileRuleRef RuleID="ID_DENY_D_60" />
<FileRuleRef RuleID="ID_DENY_D_61" />
<FileRuleRef RuleID="ID_DENY_D_62" />
<FileRuleRef RuleID="ID_DENY_D_63" />
<FileRuleRef RuleID="ID_DENY_D_64" />
<FileRuleRef RuleID="ID_DENY_D_65" />
<FileRuleRef RuleID="ID_DENY_D_66" />
<FileRuleRef RuleID="ID_DENY_D_67" />
<FileRuleRef RuleID="ID_DENY_D_68" />
<FileRuleRef RuleID="ID_DENY_D_69" />
<FileRuleRef RuleID="ID_DENY_D_70" />
<FileRuleRef RuleID="ID_DENY_D_71" />
<FileRuleRef RuleID="ID_DENY_D_72" />
<FileRuleRef RuleID="ID_DENY_D_73" />
<FileRuleRef RuleID="ID_DENY_D_74" />
<FileRuleRef RuleID="ID_DENY_D_75" />
<FileRuleRef RuleID="ID_DENY_D_76" />
<FileRuleRef RuleID="ID_DENY_D_77" />
<FileRuleRef RuleID="ID_DENY_D_78" />
<FileRuleRef RuleID="ID_DENY_D_79" />
<FileRuleRef RuleID="ID_DENY_D_80" />
<FileRuleRef RuleID="ID_DENY_D_81" />
<FileRuleRef RuleID="ID_DENY_D_82" />
<FileRuleRef RuleID="ID_DENY_D_83" />
<FileRuleRef RuleID="ID_DENY_D_84" />
<FileRuleRef RuleID="ID_DENY_D_85" />
<FileRuleRef RuleID="ID_DENY_D_86" />
<FileRuleRef RuleID="ID_DENY_D_87" />
<FileRuleRef RuleID="ID_DENY_D_88" />
<FileRuleRef RuleID="ID_DENY_D_89" />
<FileRuleRef RuleID="ID_DENY_D_90" />
</FileRulesRef>
</ProductSigners>
</SigningScenario>
</SigningScenarios>
<UpdatePolicySigners />
<CiSigners />
<HvciOptions>0</HvciOptions>
</SiPolicy>
```
<br />
To create a code integrity policy, copy each of the following commands into an elevated Windows PowerShell session, in order:
@ -36,7 +502,7 @@ To create a code integrity policy, copy each of the following commands into an e
` New-CIPolicy -Level PcaCertificate -FilePath $InitialCIPolicy UserPEs 3> CIPolicyLog.txt `
> **Notes**
> [!Notes]
> - When you specify the **-UserPEs** parameter (to include user mode executables in the scan), rule option **0 Enabled:UMCI** is automatically added to the code integrity policy. In contrast, if you do not specify **-UserPEs**, the policy will be empty of user mode executables and will only have rules for kernel mode binaries like drivers, in other words, the whitelist will not include applications. If you create such a policy and later add rule option **0 Enabled:UMCI**, all attempts to start applications will cause a response from Device Guard. In audit mode, the response is logging an event, and in enforced mode, the response is blocking the application.
@ -52,7 +518,8 @@ To create a code integrity policy, copy each of the following commands into an e
After you complete these steps, the Device Guard binary file (DeviceGuardPolicy.bin) and original .xml file (IntialScan.xml) will be available on your desktop. You can use the binary version as a code integrity policy or sign it for additional security.
> **Note**&nbsp;&nbsp;We recommend that you keep the original .xml file of the policy for use when you need to merge the code integrity policy with another policy or update its rule options. Alternatively, you would have to create a new policy from a new scan for servicing. For more information about how to merge code integrity policies, see [Merge code integrity policies](#merge-code-integrity-policies).
> [!Note]
> We recommend that you keep the original .xml file of the policy for use when you need to merge the code integrity policy with another policy or update its rule options. Alternatively, you would have to create a new policy from a new scan for servicing. For more information about how to merge code integrity policies, see [Merge code integrity policies](#merge-code-integrity-policies).
We recommend that every code integrity policy be run in audit mode before being enforced. Doing so allows administrators to discover any issues with the policy without receiving error message dialog boxes. For information about how to audit a code integrity policy, see the next section, [Audit code integrity policies](#audit-code-integrity-policies).
@ -60,7 +527,8 @@ We recommend that every code integrity policy be run in audit mode before being
When code integrity policies are run in audit mode, it allows administrators to discover any applications that were missed during an initial policy scan and to identify any new applications that have been installed and run since the original policy was created. While a code integrity policy is running in audit mode, any binary that runs and would have been denied had the policy been enforced is logged in the **Applications and Services Logs\\Microsoft\\Windows\\CodeIntegrity\\Operational** event log. When these logged binaries have been validated, they can easily be added to a new code integrity policy. When the new exception policy is created, you can merge it with your existing code integrity policies.
> **Note**&nbsp;&nbsp;Before you begin this process, you need to create a code integrity policy binary file. If you have not already done so, see [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer), earlier in this topic, for a step-by-step walkthrough of the process to create a code integrity policy and convert it to binary format.
> [!Note]
> Before you begin this process, you need to create a code integrity policy binary file. If you have not already done so, see [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer), earlier in this topic, for a step-by-step walkthrough of the process to create a code integrity policy and convert it to binary format.
**To audit a code integrity policy with local policy:**
@ -68,7 +536,7 @@ When code integrity policies are run in audit mode, it allows administrators to
2. On the computer you want to run in audit mode, open the Local Group Policy Editor by running **GPEdit.msc**.
> **Notes**
> [!Note]
> - The computer that you will run in audit mode must be clean of viruses or malware. Otherwise, in the process that you follow after auditing the system, you might unintentionally merge in a code integrity policy that allows viruses or malware to run.
@ -76,7 +544,7 @@ When code integrity policies are run in audit mode, it allows administrators to
3. Navigate to **Computer Configuration\\Administrative Templates\\System\\Device Guard**, and then select **Deploy Code Integrity Policy**. Enable this setting by using the appropriate file path, for example, C:\\Windows\\System32\\CodeIntegrity\\DeviceGuardPolicy.bin, as shown in Figure 1.
> **Notes**
> [!Note]
> - The illustration shows the example file name *DeviceGuardPolicy.bin* because this name was used earlier in this topic, in [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer). Also, this policy file does not need to be copied to every system. You can instead copy the code integrity policies to a file share to which all computer accounts have access.
@ -124,7 +592,8 @@ Use the following procedure after you have been running a computer with a code i
` New-CIPolicy -Audit -Level Hash -FilePath $CIAuditPolicy UserPEs 3> CIPolicylog.txt`
> **Note**&nbsp;&nbsp;When you create policies from audit events, you should carefully consider the file rule level that you select to trust. The preceding example uses the **Hash** rule level, which is the most specific. Any change to the file (such as replacing the file with a newer version of the same file) will change the Hash value, and require an update to the policy.
> [!Note]
> When you create policies from audit events, you should carefully consider the file rule level that you select to trust. The preceding example uses the **Hash** rule level, which is the most specific. Any change to the file (such as replacing the file with a newer version of the same file) will change the Hash value, and require an update to the policy.
4. Find and review the Device Guard audit policy .xml file that you created. If you used the example variables as shown, the filename will be **DeviceGuardAuditPolicy.xml**, and it will be on your desktop. Look for the following:
@ -134,7 +603,8 @@ Use the following procedure after you have been running a computer with a code i
You can now use this file to update the existing code integrity policy that you ran in audit mode by merging the two policies. For instructions on how to merge this audit policy with the existing code integrity policy, see the next section, [Merge code integrity policies](#merge-code-integrity-policies).
> **Note**&nbsp;&nbsp;You may have noticed that you did not generate a binary version of this policy as you did in [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer). This is because code integrity policies created from an audit log are not intended to run as stand-alone policies but rather to update existing code integrity policies.
> [!Note]
> You may have noticed that you did not generate a binary version of this policy as you did in [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer). This is because code integrity policies created from an audit log are not intended to run as stand-alone policies but rather to update existing code integrity policies.
## <a href="" id="plug-ins"></a>Use a code integrity policy to control specific plug-ins, add-ins, and modules
@ -166,7 +636,8 @@ New-CIPolicy -Rules $rule -FilePath ".\BlockAddins.xml" -UserPEs
When you develop code integrity policies, you will occasionally need to merge two policies. A common example is when a code integrity policy is initially created and audited. Another example is when you create a single master policy by using multiple code integrity policies previously created from golden computers. Because each computer running Windows 10 can have only one code integrity policy, it is important to properly maintain these policies. In this example, audit events have been saved into a secondary code integrity policy that you then merge with the initial code integrity policy.
> **Note**&nbsp;&nbsp;The following example uses several of the code integrity policy .xml files that you created in earlier sections in this topic. You can follow this process, however, with any two code integrity policies you would like to combine.
> [!Note]
> The following example uses several of the code integrity policy .xml files that you created in earlier sections in this topic. You can follow this process, however, with any two code integrity policies you would like to combine.
To merge two code integrity policies, complete the following steps in an elevated Windows PowerShell session:
@ -182,7 +653,8 @@ To merge two code integrity policies, complete the following steps in an elevate
` $CIPolicyBin=$CIPolicyPath+"NewDeviceGuardPolicy.bin"`
> **Note**&nbsp;&nbsp;The variables in this section specifically expect to find an initial policy on your desktop called **InitialScan.xml** and an audit code integrity policy called **DeviceGuardAuditPolicy.xml**. If you want to merge other code integrity policies, update the variables accordingly.
> [!Note]
> The variables in this section specifically expect to find an initial policy on your desktop called **InitialScan.xml** and an audit code integrity policy called **DeviceGuardAuditPolicy.xml**. If you want to merge other code integrity policies, update the variables accordingly.
2. Use [Merge-CIPolicy](https://technet.microsoft.com/library/mt634485.aspx) to merge two policies and create a new code integrity policy:
@ -198,7 +670,8 @@ Now that you have created a new code integrity policy (for example, called **New
Every code integrity policy is created with audit mode enabled. After you have successfully deployed and tested a code integrity policy in audit mode and are ready to test the policy in enforced mode, complete the following steps in an elevated Windows PowerShell session:
> **Note**&nbsp;&nbsp;Every code integrity policy should be tested in audit mode first. For information about how to audit code integrity policies, see [Audit code integrity policies](#audit-code-integrity-policies), earlier in this topic.
> [!Note]
> Every code integrity policy should be tested in audit mode first. For information about how to audit code integrity policies, see [Audit code integrity policies](#audit-code-integrity-policies), earlier in this topic.
1. Initialize the variables that will be used:
@ -210,7 +683,8 @@ Every code integrity policy is created with audit mode enabled. After you have s
` $CIPolicyBin=$CIPolicyPath+"EnforcedDeviceGuardPolicy.bin"`
> **Note**&nbsp;&nbsp;The initial code integrity policy that this section refers to was created in the [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer) section. If you are using a different code integrity policy, update the **CIPolicyPath** and **InitialCIPolicy** variables.
> [!Note]
> The initial code integrity policy that this section refers to was created in the [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer) section. If you are using a different code integrity policy, update the **CIPolicyPath** and **InitialCIPolicy** variables.
2. Ensure that rule options 9 (“Advanced Boot Options Menu”) and 10 (“Boot Audit on Failure”) are set the way that you intend for this policy. We strongly recommend that you enable these rule options before you run any enforced policy for the first time. Enabling these options provides administrators with a pre-boot command prompt, and allows Windows to start even if the code integrity policy blocks a kernel-mode driver from running. When ready for enterprise deployment, you can remove these options.
@ -228,7 +702,8 @@ Every code integrity policy is created with audit mode enabled. After you have s
` Set-RuleOption -FilePath $EnforcedCIPolicy -Option 3 -Delete`
> **Note**&nbsp;&nbsp;To enforce a code integrity policy, you delete option 3, the **Audit Mode Enabled** option. There is no “enforced” option that can be placed in a code integrity policy.
> [!Note]
> To enforce a code integrity policy, you delete option 3, the **Audit Mode Enabled** option. There is no “enforced” option that can be placed in a code integrity policy.
5. Use [ConvertFrom-CIPolicy](https://technet.microsoft.com/library/mt733073.aspx) to convert the new code integrity policy to binary format:
@ -244,7 +719,8 @@ Signing code integrity policies by using an on-premises CA-generated certificate
Before signing code integrity policies for the first time, be sure to enable rule options 9 (“Advanced Boot Options Menu”) and 10 (“Boot Audit on Failure”) to leave troubleshooting options available to administrators. To ensure that a rule option is enabled, you can run a command such as `Set-RuleOption -FilePath <PathAndFilename> -Option 9` even if you're not sure whether the option is already enabled—if so, the command has no effect. When validated and ready for enterprise deployment, you can remove these options. For more information about rule options, see [Code integrity policy rules](deploy-code-integrity-policies-policy-rules-and-file-rules.md#code-integrity-policy-rules) in "Deploy code integrity policies: policy rules and file rules."
> **Note**&nbsp;&nbsp;Signing code integrity policies is the last step in a code integrity deployment. It is much more difficult to remove a signed code integrity policy than an unsigned one. Before you deploy a signed code integrity policy to deployed client computers, be sure to test its effect on a subset of computers.
> [!Note]
> Signing code integrity policies is the last step in a code integrity deployment. It is much more difficult to remove a signed code integrity policy than an unsigned one. Before you deploy a signed code integrity policy to deployed client computers, be sure to test its effect on a subset of computers.
To sign a code integrity policy with SignTool.exe, you need the following components:
@ -264,7 +740,8 @@ If you do not have a code signing certificate, see the [Optional: Create a code
` $CIPolicyBin=$CIPolicyPath+"DeviceGuardPolicy.bin"`
> **Note**&nbsp;&nbsp;This example uses the code integrity policy that you created in the [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer) section. If you are signing another policy, be sure to update the **$CIPolicyPath** and **$CIPolicyBin** variables with the correct information.
> [!Note]
> This example uses the code integrity policy that you created in the [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer) section. If you are signing another policy, be sure to update the **$CIPolicyPath** and **$CIPolicyBin** variables with the correct information.
2. Import the .pfx code signing certificate. Import the code signing certificate that you will use to sign the code integrity policy into the signing users personal store on the computer that will be doing the signing. In this example, you use the certificate that was created in [Optional: Create a code signing certificate for code integrity policies](optional-create-a-code-signing-certificate-for-code-integrity-policies.md).
@ -278,9 +755,9 @@ If you do not have a code signing certificate, see the [Optional: Create a code
` Add-SignerRule -FilePath $InitialCIPolicy -CertificatePath <Path to exported .cer certificate> -Kernel -User Update`
> **Notes**&nbsp;&nbsp;*&lt;Path to exported .cer certificate&gt;* should be the full path to the certificate that you exported in step 3.
> Also, adding update signers is crucial to being able to modify or disable this policy in the future. For more information about how to disable signed code integrity policies, see the [Disable signed code integrity policies within Windows](#disable-signed-code-integrity-policies-within-windows) section.
> [!Note]
> *&lt;Path to exported .cer certificate&gt;* should be the full path to the certificate that you exported in step 3.
Also, adding update signers is crucial to being able to modify or disable this policy in the future. For more information about how to disable signed code integrity policies, see the [Disable signed code integrity policies within Windows](#disable-signed-code-integrity-policies-within-windows) section.
6. Use [Set-RuleOption](https://technet.microsoft.com/library/mt634483.aspx) to remove the unsigned policy rule option:
@ -294,7 +771,8 @@ If you do not have a code signing certificate, see the [Optional: Create a code
` <Path to signtool.exe> sign -v /n "ContosoDGSigningCert" -p7 . -p7co 1.3.6.1.4.1.311.79.1 -fd sha256 $CIPolicyBin`
> **Note**&nbsp;&nbsp;The *&lt;Path to signtool.exe&gt;* variable should be the full path to the SignTool.exe utility. **ContosoDGSigningCert** is the subject name of the certificate that will be used to sign the code integrity policy. You should import this certificate to your personal certificate store on the computer you use to sign the policy.
> [!Note]
> The *&lt;Path to signtool.exe&gt;* variable should be the full path to the SignTool.exe utility. **ContosoDGSigningCert** is the subject name of the certificate that will be used to sign the code integrity policy. You should import this certificate to your personal certificate store on the computer you use to sign the policy.
9. Validate the signed file. When complete, the commands should output a signed policy file called DeviceGuardPolicy.bin.p7 to your desktop. You can deploy this file the same way you deploy an enforced or non-enforced policy. For information about how to deploy code integrity policies, see [Deploy and manage code integrity policies with Group Policy](#deploy-and-manage-code-integrity-policies-with-group-policy).
@ -312,7 +790,8 @@ If the code integrity policy was deployed by using Group Policy, the GPO that is
Signed policies protect Windows from administrative manipulation as well as malware that has gained administrative-level access to the system. For this reason, signed code integrity policies are intentionally more difficult to remove than unsigned policies. They inherently protect themselves from modification or removal and therefore are difficult even for administrators to remove successfully. If the signed code integrity policy is manually enabled and copied to the CodeIntegrity folder, to remove the policy, you must complete the following steps.
> **Note**&nbsp;&nbsp;For reference, signed code integrity policies should be replaced and removed from the following locations:
> [!Note]
> For reference, signed code integrity policies should be replaced and removed from the following locations:
- &lt;EFI System Partition&gt;\\Microsoft\\Boot\\
@ -363,9 +842,11 @@ There may be a time when signed code integrity policies cause a boot failure. Be
Code integrity policies can easily be deployed and managed with Group Policy. A Device Guard administrative template will be available in Windows Server 2016 that allows you to simplify deployment of Device Guard hardware-based security features and code integrity policies. The following procedure walks you through how to deploy a code integrity policy called **DeviceGuardPolicy.bin** to a test OU called *DG Enabled PCs* by using a GPO called **Contoso GPO Test**.
> **Note**&nbsp;&nbsp;This walkthrough requires that you have previously created a code integrity policy and have a computer running Windows 10 on which to test a Group Policy deployment. For more information about how to create a code integrity policy, see [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer), earlier in this topic.
> [!Note]
> This walkthrough requires that you have previously created a code integrity policy and have a computer running Windows 10 on which to test a Group Policy deployment. For more information about how to create a code integrity policy, see [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer), earlier in this topic.
> **Note**&nbsp;&nbsp;Signed code integrity policies can cause boot failures when deployed. We recommend that signed code integrity policies be thoroughly tested on each hardware platform before enterprise deployment.
> [!Note]
> Signed code integrity policies can cause boot failures when deployed. We recommend that signed code integrity policies be thoroughly tested on each hardware platform before enterprise deployment.
To deploy and manage a code integrity policy with Group Policy:
@ -393,13 +874,15 @@ To deploy and manage a code integrity policy with Group Policy:
In this policy setting, you specify either the local path in which the policy will exist on the client computer or a Universal Naming Convention (UNC) path that the client computers will look to retrieve the latest version of the policy. For example, with DeviceGuardPolicy.bin on the test computer, the example file path would be C:\\Windows\\System32\\CodeIntegrity\\DeviceGuardPolicy.bin, as shown in Figure 5.
> **Note**&nbsp;&nbsp;The illustration shows the example file name *DeviceGuardPolicy.bin* because this name was used earlier in this topic, in [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer). Also, this policy file does not need to be copied to every computer. You can instead copy the code integrity policies to a file share to which all computer accounts have access. Any policy selected here is converted to SIPolicy.p7b when it is deployed to the individual client computers.
> [!Note]
> The illustration shows the example file name *DeviceGuardPolicy.bin* because this name was used earlier in this topic, in [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer). Also, this policy file does not need to be copied to every computer. You can instead copy the code integrity policies to a file share to which all computer accounts have access. Any policy selected here is converted to SIPolicy.p7b when it is deployed to the individual client computers.
![Group Policy called Deploy Code Integrity Policy](images/dg-fig26-enablecode.png)
Figure 5. Enable the code integrity policy
> **Note**&nbsp;&nbsp;You may have noticed that the GPO setting references a .p7b file and this example uses a .bin file for the policy. Regardless of the type of policy you deploy (.bin, .p7b, or .p7), they are all converted to SIPolicy.p7b when dropped on the client computer running Windows 10. Make your code integrity policies friendly and allow the system to convert the policy names for you to ensure that the policies are easily distinguishable when viewed in a share or any other central repository.
> [!Note]
> You may have noticed that the GPO setting references a .p7b file and this example uses a .bin file for the policy. Regardless of the type of policy you deploy (.bin, .p7b, or .p7), they are all converted to SIPolicy.p7b when dropped on the client computer running Windows 10. Make your code integrity policies friendly and allow the system to convert the policy names for you to ensure that the policies are easily distinguishable when viewed in a share or any other central repository.
7. Close the Group Policy Management Editor, and then restart the Windows 10 test computer. Restarting the computer updates the code integrity policy. For information about how to audit code integrity policies, see the [Audit code integrity policies](#audit-code-integrity-policies) section.

13
windows/device-security/device-guard/planning-and-getting-started-on-the-device-guard-deployment-process.md
View File

@ -25,12 +25,21 @@ This topic provides a roadmap for planning and getting started on the Device Gua
3. **Review how much variety in software and hardware is needed by roles or departments**. When several departments all use the same hardware and software, you might need to deploy only one code integrity policy for them. More variety across departments might mean you need to create and manage more code integrity policies. The following questions can help you clarify how many code integrity policies to create:
- How standardized is the hardware?<br>This can be relevant because of drivers. You could create a code integrity policy on hardware that uses a particular set of drivers, and if other drivers in your environment use the same signature, they would also be allowed to run. However, you might need to create several code integrity policies on different "reference" hardware, then merge the policies together, to ensure that the resulting policy recognizes all the drivers in your environment.
- Is there already a list of accepted applications?<br>A list of accepted applications can be used to help create a baseline code integrity policy.<br>As of Windows 10, version 1703, it might also be useful to have a list of plug-ins, add-ins, or modules that you want to allow only in a specific app (such as a line-of-business app). Similarly, it might be useful to have a list of plug-ins, add-ins, or modules that you want to block in a specific app (such as a browser).
- What software does each department or role need? Should they be able to install and run other departments software?<br>If multiple departments are allowed to run the same list of software, you might be able to merge several code integrity policies to simplify management.
- Are there departments or roles where unique, restricted software is used?<br>If one department needs to run an application that no other department is allowed, it might require a separate code integrity policy. Similarly, if only one department must run an old version of an application (while other departments allow only the newer version), it might require a separate code integrity policy.
- Is there already a list of accepted applications?<br>A list of accepted applications can be used to help create a baseline code integrity policy.<br>As of Windows 10, version 1703, it might also be useful to have a list of plug-ins, add-ins, or modules that you want to allow only in a specific app (such as a line-of-business app). Similarly, it might be useful to have a list of plug-ins, add-ins, or modules that you want to block in a specific app (such as a browser).
- As part of a threat review process, have you reviewed systems for software that can load arbitrary DLLs or run code or scripts?
In day-to-day operations, your organizations security policy may allow certain applications, code, or scripts to run on your systems depending on their role and the context. However, if your security policy requires that you run only trusted applications, code, and scripts on your systems, you may decide to lock these systems down securely with Device Guard code integrity policies.
You can also fine-tune your control by using Device Guard in combination with AppLocker, as described in [Device Guard with AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies#device-guard-with-applocker).
Legitimate applications from trusted vendors provide valid functionality. However, an attacker could also potentially use that same functionality to run malicious executable code that could bypass code integrity policies. For operational scenarios that require elevated security, certain applications with known Code Integrity bypass vulnerabilities may represent a security risk if you whitelist them in your code integrity policies. Other applications whose older versions have vulnerabilities also represent a risk. Therefore, you may want to deny or block such applications from your code integrity policies. Once applications with vulnerabilities are fixed, you can create a rule that only allows the fixed version or newer versions of that application. The decision to allow or block applications depends on the context and on how the reference system is being used.
Security professionals collaborate with Microsoft® continuously to help protect customers. With the help of their valuable reports, Microsoft has identified a list of known applications that an attacker could potentially use to bypass Device Guard code integrity policies.
Depending on the context, you may want to block these applications. To see the list of applications, and for use case examples such as disabling Windows Script Host (WSH) or disabling msbuild.exe, (See [Deploy code integrity policies: steps](https://technet.microsoft.com/itpro/windows/keep-secure/deploy-code-integrity-policies-steps)).
4. **Identify LOB applications that are currently unsigned**. Although requiring signed code (through code integrity policies) protects against many threats, your organization might use unsigned LOB applications, for which the process of signing might be difficult. You might also have applications that are signed, but you want to add a secondary signature to them. If so, identify these applications, because you will need to create a catalog file for them. For a basic description of catalog files, see the table in [Introduction to Device Guard: virtualization-based security and code integrity policies](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md). For more background information about catalog files, see [Reviewing your applications: application signing and catalog files](requirements-and-deployment-planning-guidelines-for-device-guard.md#reviewing-your-applications-application-signing-and-catalog-files).
## Getting started on the deployment process

5
windows/device-security/docfx.json
View File

@ -33,7 +33,10 @@
"globalMetadata": {
"uhfHeaderId": "MSDocsHeader-WindowsIT",
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"ms.technology": "windows"
"ms.technology": "windows",
"ms.topic": "article",
"ms.author": "justinha",
"ms.date": "04/05/2017"
},
"fileMetadata": {},
"template": [],

BIN
windows/device-security/images/tpm-capabilities.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 91 KiB

BIN
windows/device-security/images/tpm-remote-attestation.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 110 KiB

6
windows/device-security/tpm/tpm-recommendations.md
View File

@ -100,8 +100,8 @@ The following table defines which Windows features require TPM support.
| Windows Features | Windows 10 TPM 1.2 | Windows 10 TPM 2.0 | Details |
|-------------------------|----------------------|----------------------|----------|
| Measured Boot | Required | Required | Measured boot requires TPM 1.2 or 2.0 and UEFI Secure boot. |
| Bitlocker | Required | Required | TPM 1.2 or later required or a removable USB memory device such as a flash drive. |
| Measured Boot | Required | Required | Measured boot requires TPM 1.2 or 2.0 and UEFI Secure Boot. |
| Bitlocker | Required | Required | TPM 1.2 or later required or a removable USB memory device such as a flash drive. Please note that TPM 2.0 requires UEFI Secure Boot in order for BitLocker to work properly. |
| Passport: Domain AADJ Join | Required | Required | Supports both versions of TPM, but requires TPM with HMAC and EK certificate for key attestation support. |
| Passport: MSA or Local Account | Required | Required | TPM 2.0 is required with HMAC and EK certificate for key attestation support. |
| Device Encryption | Not Applicable | Required | TPM 2.0 is required for all InstantGo devices. |
@ -120,4 +120,4 @@ Government customers and enterprise customers in regulated industries may have a
## Related topics
- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics)
- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics)

74
windows/device-security/windows-security-baselines.md
View File

@ -1,74 +0,0 @@
---
title: Windows security baselines (Windows 10)
description: Use this topic to learn what security baselines are and how you can use them in your organization to help keep your devices secure.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
localizationpriority: high
author: brianlic-msft
---
# Windows security baselines
**Applies to**
- Windows 10
- Windows Server 2016
- Windows Server 2012 R2
Microsoft is dedicated to provide our customers with a secure operating system, such as Windows 10 and Windows Server, as well as secure apps, such as Microsoft Edge. In addition to the security assurance of its products, Microsoft also enables you to have fine control of your environments by providing various configuration capabilities. Even though Windows and Windows Server are designed to be secure out-of-the-box, a large number of organizations still want more granular control of their security configurations. To navigate these large number of controls, organizations need guidance for configuring various security features. Microsoft provides this guidance in the form of security baselines.
We recommend implementing an industry-standard configuration that is broadly known and well-tested, such as a Microsoft security baseline, as opposed to creating one yourself. This helps increase flexibility and reduce costs.
> [!NOTE]
> Microsoft Security Compliance Manager 4.0 is available from the [Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=53353).
## What are security baselines?
Every organization faces security threats. However, the types of security threats that are of most concern to one organization can be completely different from another organization. For example, an e-commerce company may focus on protecting their Internet-facing web apps, while a hospital may focus on protecting confidential patient information. The one thing that all organizations have in common is a need to keep their apps and devices secure. These devices must be compliant with the security standards (or security baselines) defined by the organization.
A security baseline is a collection of settings that have a security impact and include Microsofts recommended value for configuring those settings along with guidance on the security impact of those settings. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and
customers.
## Why are security baselines needed?
Security baselines are an essential benefit to customers because they bring together expert knowlege from Microsoft, partners, and customers.
For example, there are over 3,000 Group Policy settings for Windows 10, which does not include over 1,800 Internet Explorer 11 settings. Of those 4,800 settings, only some of them are security-related. While Microsoft provides extensive guidance on different security features, going through each of them can take a long time. You would have to determine the security impact of each setting on your own. After you've done that, you still need to determine what values each of these settings should be.
In modern organizations, the security threat landscape is constantly evolving. IT pros and policy makers must keep current with security threats and changes to Windows security settings to help mitigate these threats.
To help faster deployments and increase the ease of managing Windows, Microsoft provides customers with security baselines that are available in formats that can be consumed, such as Group Policy Objects backups.
## How can you use security baselines?
You can use security baselines to:
- Ensure that user and device configuration settings are compliant with the baseline.
- Set configuration settings. For example, you can use Group Policy, System Center Configuration Manager, or Microsoft Intune to configure a device with the setting values specified in the baseline.
## Where can I get the security baselines?
Here's a list of security baselines that are currently available.
> [!NOTE]
> If you want to know what has changed with each security baseline, or if you want to stay up-to-date on whats happening with them, check out the [Microsoft Security Guidance](http://blogs.technet.microsoft.com/secguide) blog.
### Windows 10 security baselines
- [Windows 10, version 1607 and Windows Server 2016 security baseline](https://go.microsoft.com/fwlink/?linkid=831663)
- [Windows 10, Version 1511 security baseline](https://go.microsoft.com/fwlink/p/?LinkID=799381)
- [Windows 10, Version 1507 security baseline](https://go.microsoft.com/fwlink/p/?LinkID=799380)
### Windows Server security baselines
- [Windows 10, version 1607 and Windows Server 2016 security baseline](https://go.microsoft.com/fwlink/?linkid=831663)
- [Windows Server 2012 R2 security baseline](https://go.microsoft.com/fwlink/p/?LinkID=799382)
## How can I monitor security baseline deployments?
Microsofts Operation Management Services (OMS) helps you monitor security baseline deployments across your servers. To find out more, check out [Operations Management Suite](https://aka.ms/omssecscm).
You can use [System Center Configuration Manager](https://www.microsoft.com/cloud-platform/system-center-configuration-manager) to monitor security baseline deployments on client devices within your organization.

5
windows/hub/docfx.json
View File

@ -35,7 +35,10 @@
"globalMetadata": {
"uhfHeaderId": "MSDocsHeader-WindowsIT",
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"ms.technology": "windows"
"ms.technology": "windows",
"ms.topic": "article",
"ms.author": "brianlic",
"ms.date": "04/05/2017"
},
"fileMetadata": {},
"template": [],

2
windows/threat-protection/TOC.md
View File

@ -1,5 +1,5 @@
# [Threat protection](index.md)
## [Windows Defender Security Center](windows-defender-security-center\windows-defender-security-center.md)
## [Windows Defender Advanced Threat Protection](windows-defender-atp\windows-defender-advanced-threat-protection.md)
### [Minimum requirements](windows-defender-atp\minimum-requirements-windows-defender-advanced-threat-protection.md)
### [Preview features](windows-defender-atp\preview-windows-defender-advanced-threat-protection.md)

5
windows/threat-protection/docfx.json
View File

@ -33,7 +33,10 @@
"globalMetadata": {
"uhfHeaderId": "MSDocsHeader-WindowsIT",
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"ms.technology": "windows"
"ms.technology": "windows",
"ms.topic": "article",
"ms.author": "justinha",
"ms.date": "04/05/2017"
},
"fileMetadata": {},
"template": [],

6
windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
View File

@ -31,11 +31,11 @@ See the [Windows Defender Advanced Threat Protection](../windows-defender-atp/wi
If you are enrolled in Windows Defender ATP, and you are not using Windows Defender AV as your real-time protection service on your endpoints, Windows Defender will automatically enter into a passive mode. On Windows Server 2016 SKUs, Windows Defender AV will not enter into the passive mode and will run alongside your other antivirus product.
In passive mode, Windows Defender will continue to run (using the *msmpeng.exe* process), and will continue to be updated, however there will be no Windows Defender user interface, scheduled scans won't run, and Windows Defender will not provide real-time protection from malware.
In passive mode, Windows Defender AV will continue to run (using the *msmpeng.exe* process), and will continue to be updated, however there will be no Windows Defender user interface, scheduled scans won't run, and Windows Defender AV will not provide real-time protection from malware.
You can still [manage updates for Windows Defender](manage-updates-baselines-windows-defender-antivirus.md), however you can't move Windows Defender into the normal active mode if your endpoints have an up-to-date third-party product providing real-time protection from malware.
You can still [manage updates for Windows Defender](manage-updates-baselines-windows-defender-antivirus.md), however you can't move Windows Defender AV into the normal active mode if your endpoints have an up-to-date third-party product providing real-time protection from malware.
If you uninstall the other product, and choose to use Windows Defender to provide protection to your endpoints, Windows Defender will automatically return to its normal active mode.
If you uninstall the other product, and choose to use Windows Defender AV to provide protection to your endpoints, Windows Defender AV will automatically return to its normal active mode.
## Related topics

14
windows/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md
View File

@ -35,12 +35,16 @@ In Windows 10, version 1703 (also known as the Creators Update), the Windows Def
Settings that were previously part of the Windows Defender client and main Windows Settings have been combined and moved to the new app, which is installed by default as part of Windows 10, version 1703.
The app also includes the settings and status of:
> [!IMPORTANT]
> Disabling the Windows Security Center service will not disable Windows Defender AV or [Windows Firewall](https://docs.microsoft.com/en-us/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security). These will be disabled automatically when a 3rd party antivirus or firewall product is installed and kept up to date.
- The PC (as "device health")
- Windows Firewall
- Windows Defender SmartScreen Filter
- Parental and Family Controls
> [!WARNING]
> If you do disable the Windows Security Center service, or configure its associated Group Policy settings to prevent it from starting or running, the Windows Defender Security Center may display stale or inaccurate information about any antivirus or firewall products you have installed on the device.
>It may also prevent Windows Defender AV from enabling itself if you have an old or outdated 3rd party antivirus, or if you uninstall any 3rd party antivirus products you may have previously installed.
>This will significantly lower the protection of your device and could lead to malware infection.
See the [Windows Defender Security Center topic](/windows/threat-protection/windows-defender-security-center) for more information on other Windows security features that can be monitored in the app.
>[!NOTE]
>The Windows Defender Security Center app is a client interface on Windows 10, version 1703. It is not the Windows Defender Security Center web portal that is used to review and manage [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md).

BIN
windows/threat-protection/windows-defender-security-center/images/security-center-home.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 39 KiB

BIN
windows/threat-protection/windows-defender-security-center/images/security-center-start-menu.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 49 KiB

BIN
windows/threat-protection/windows-defender-security-center/images/security-center-taskbar.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 2.2 KiB

BIN
windows/threat-protection/windows-defender-security-center/images/security-center-turned-off.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 40 KiB

119
windows/threat-protection/windows-defender-security-center/windows-defender-security-center.md Normal file
View File

@ -0,0 +1,119 @@
---
title: Windows Defender Security Center
description: The Windows Defender Security Center brings together common Windows security features into one place
keywords: wdav, smartscreen, antivirus, wdsc, firewall, device health, performance, Edge, browser, family, parental options, security, windows
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: iaanw
---
# The Windows Defender Security Center
**Applies to**
- Windows 10, version 1703
In Windows 10, version 1703 we introduced the new Windows Defender Security Center, which brings together common Windows security features into one, easy-to-use app.
![Screen shot of the Windows Defender Security Center showing that the device is protected and five icons for each of the features](images/security-center-home.png)
Many settings that were previously part of the individual features and main Windows Settings have been combined and moved to the new app, which is installed out-of-the-box as part of Windows 10, version 1703.
The app includes the settings and status for the following security features:
- Virus & threat protection, including settings for Windows Defender Antivirus
- Device performance & health, which includes information about drivers, storage space, and general Windows Update issues
- Firewall & network protection, including Windows Firewall
- App & browser control, covering Windows Defender SmartScreen settings
- Family options, which include a number of parental controls along with tips and information for keeping kids safe online
The Windows Defender Security Center uses the [Windows Security Center service](https://technet.microsoft.com/en-us/library/bb457154.aspx#EDAA) to provide the status and information on 3rd party antivirus and firewall products that are installed on the device.
> [!IMPORTANT]
> Disabling the Windows Security Center service will not disable Windows Defender AV or [Windows Firewall](https://docs.microsoft.com/en-us/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security). These will be disabled automatically when a 3rd party antivirus or firewall product is installed and kept up to date.
> [!WARNING]
> If you do disable the Windows Security Center service, or configure its associated Group Policy settings to prevent it from starting or running, the Windows Defender Security Center may display stale or inaccurate information about any antivirus or firewall products you have installed on the device.
>It may also prevent Windows Defender AV from enabling itself if you have an old or outdated 3rd party antivirus, or if you uninstall any 3rd party antivirus products you may have previously installed.
>This will significantly lower the protection of your device and could lead to malware infection.
## Open the Windows Defender Security Center
- Right-click the icon in the notification area on the taskbar and click **Open**.
![Screen shot of the Shield icon for the Windows Defender Security Center in the bottom Windows task bar](images/security-center-taskbar.png)
- Search the Start menu for **Windows Defender Security Center**.
![Screen shot of the Start menu showing the results of a search for Windows Defender Security Center, the first option with a large shield symbol is selected](images/security-center-start-menu.png)
> [!NOTE]
> Settings configured with management tools, such as Group Policy, Microsoft Intune, or System Center Configuration Manager, will generally take precedence over the settings in the Windows Defender Security Center. Review the settings for each feature in its appropriate library. Links for both home user and enterprise or commercial audiences are listed below.
## How the Windows Defender Security Center works with Windows security features
The Windows Defender Security Center operates as a separate app or process from each of the individual features, and will display notifications through the Action Center.
It acts as a collector or single place to see the status and perform some configuration for each of the features.
Disabling any of the individual features (through Group Policy or other management tools, such as System Center Configuration Manager) will prevent that feature from reporting its status in the Windows Defender Security Center. The Windows Defender Security Center itself will still run and show status for the other security features.
> [!IMPORTANT]
> Individually disabling any of the services will not disable the other services or the Windows Defender Security Center itself.
For example, [using a 3rd party antivirus will disable Windows Defender Antivirus](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus). However, the Windows Defender Security Center will still run, show its icon in the taskbar, and display information about the other features, such as Windows Defender SmartScreen and Windows Firewall.
The presence of the 3rd party antivirus will be indicated under the **Virus & threat protection** section in the Windows Defender Security Center.
## More information
See the following links for more information on the features in the Windows Defender Security Center:
- Windows Defender Antivirus
- IT administrators and IT pros can get configuration guidance from the [Windows Defender Antivirus in the Windows Defender Security Center topic](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus) and the [Windows Defender Antivirus documentation library](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10)
- Home users can learn more at the [Virus & threat protection in Windows Defender Security Center topic at support.microsoft.com](https://support.microsoft.com/en-us/help/4012987/windows-10-virus-threat-protection-windows-defender-security-center)
- Device performance & health
- It administrators and IT pros can [configure the Load and unload device drivers security policy setting](https://docs.microsoft.com/en-us/windows/device-security/security-policy-settings/load-and-unload-device-drivers), and learn how to [deploy drivers during Windows 10 deployment using System Center Configuration Manager](https://docs.microsoft.com/en-us/windows/deployment/deploy-windows-sccm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager)
- Home users can learn more at the [Track your device and performance health in Windows Defender Security Center topic at support.microsoft.com](https://support.microsoft.com/en-us/help/4012986/windows-defender-track-your-device-performance-health)
- Windows Firewall
- IT administrators and IT pros can get configuration guidance from the [Windows Firewall with Advanced Security documentation library](https://docs.microsoft.com/en-us/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security)
- Home users can learn more at the [Firewall & network protection in Windows Defender Security Center topic at support.microsoft.com](https://support.microsoft.com/en-us/help/4012988/windows-10-firewall-network-protection-windows-defender-security-center)
- Windows Defender SmartScreen
- IT administrators and IT pros can get configuration guidance from the [Windows Defender SmartScreen documentation library](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview)
- Home users can learn more at the [App & browser control in Windows Defender Security Center topic at support.microsoft.com](https://support.microsoft.com/en-us/help/4013218/windows-10-app-browser-control-in-windows-defender)
- Family options, which include a number of parental controls along with tips and information for keeping kids safe online
- Home users can learn more at the [Help protection your family online in Windows Defender Security Center topic at support.microsoft.com](https://support.microsoft.com/en-us/help/4013209/windows-10-protect-your-family-online-in-windows-defender)
>[!NOTE]
>The Windows Defender Security Center app is a client interface on Windows 10, version 1703. It is not the Windows Defender Security Center web portal that is used to review and manage [Windows Defender Advanced Threat Protection](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection).

8
windows/whats-new/contribute-to-a-topic.md
View File

@ -1,6 +1,6 @@
---
title: Edit an existing topic using the Edit link
description: Instructions about how to edit an existing topic by using the Contribute link on TechNet.
description: Instructions about how to edit an existing topic by using the Edit link on TechNet.
keywords: contribute, edit a topic
ms.prod: w10
ms.mktglfcycl: explore
@ -10,13 +10,13 @@ ms.sitesec: library
# Editing existing Windows IT professional documentation
You can now make suggestions and update existing, public content with a GitHub account and a simple click of a link.
>**Note**<br>
>[!NOTE]
>At this time, only the English (en-us) content is available for editing.
**To edit a topic**
1. All contributors who are ***not*** a Microsoft employee must [sign a Microsoft Contribution Licensing Agreement (CLA)](https://cla.microsoft.com/) before contributing to any Microsoft repositories.
If you've already contributed to Microsoft repositories in the past, congratulations! You've already completed this step.
1. All contributors who are ***not*** a Microsoft employee must [sign a Microsoft Contribution Licensing Agreement (CLA)](https://cla.microsoft.com/) before updating or adding to any Microsoft repositories.
If you've previously contributed to topics in the Microsoft repositories, congratulations! You've already completed this step.
2. Go to the page on TechNet that you want to update, and then click **Edit**.

5
windows/whats-new/docfx.json
View File

@ -33,7 +33,10 @@
"globalMetadata": {
"uhfHeaderId": "MSDocsHeader-WindowsIT",
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"ms.technology": "windows"
"ms.technology": "windows",
"ms.topic": "article",
"ms.author": "trudyha",
"ms.date": "04/05/2017"
},
"fileMetadata": {},
"template": [],

4
windows/whats-new/index.md
View File

@ -1,6 +1,6 @@
---
title: What's new in Windows 10 (Windows 10)
description: Learn about new features in Windows 10 for IT professionals, such as Enterprise Data Protection, Windows Hello, Device Guard, and more.
description: Learn about new features in Windows 10 for IT professionals, such as Windows Information Protection, Windows Hello, Device Guard, and more.
ms.assetid: F1867017-76A1-4761-A200-7450B96AEF44
keywords: ["What's new in Windows 10", "Windows 10", "anniversary update", "contribute", "edit topic"]
ms.prod: w10
@ -20,7 +20,7 @@ Windows 10 provides IT professionals with advanced protection against modern sec
- [What's new in Windows 10, versions 1507 and 1511](whats-new-windows-10-version-1507-and-1511.md)
- [Edit an existing topic using the Contribute link](contribute-to-a-topic.md)
- [Edit an existing topic using the Edit link](contribute-to-a-topic.md)
## Learn more