deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-28 13:17:23 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'atp-tomeralpert' of https://github.com/Microsoft/win-cpub-itpro-docs into atp-tomeralpert

Browse Source
This commit is contained in:
jcaparas 2017-06-05 17:00:03 -07:00
commit 95888cf86d
40 changed files with 742 additions and 2098 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
education/windows/index.md
View File

@ -44,7 +44,7 @@ author: CelesteDG
<p><b>[Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md)</b><br />Get step-by-step guidance on how to deploy Windows 10 to PCs and devices across a school district.</p>
<p><b><a href="https://technet.microsoft.com/en-us/windows/mt574244" target="_blank">Try it out: Windows 10 deployment (for education)</a></b><br />Learn how to upgrade devices running the Windows 7 operating system to Windows 10 Anniversary Update, and how to manage devices, apps, and users in Windows 10 Anniversary Update.<br /><br />For the best experience, use this guide in tandem with the <a href="https://vlabs.holsystems.com/vlabs/technet?eng=VLabs&auth=none&src=vlabs&altadd=true&labid=20949&lod=true" target="_blank">TechNet Virtual Lab: IT Pro Try-It-Out</a>.</p>
### ![Switch to Windows 10 for Education](images/windows.png) Switch
## ![Switch to Windows 10 for Education](images/windows.png) Switch
<p><b>[Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](switch-to-pro-education.md)</b><br />If you have an education tenant and use Windows 10 Pro or Windows 10 S in your schools, find out how you can opt-in to a free switch to Windows 10 Pro Education.</p>

2
education/windows/set-up-school-pcs-technical.md
View File

@ -70,7 +70,7 @@ To make this as seamless as possible, in your Azure AD tenant:
![Set maximum number of devices per user to unlimited](images/azuread_usersandgroups_devicesettings_maxnumberofdevicesperuser.png)
- Clear your Azure AD tokens from time to time. Your tenant can only have 50 automated Azure AD tokens active at any one time.
- Clear your Azure AD tokens from time to time. Your tenant can only have 500 automated Azure AD tokens active at any one time.
In the Azure portal, select **Azure Active Directory**. Go to **Users and groups > All users** and look at the list of user names. User names that start with **package_** followed by a string of letters and numbers. These are the user accounts that are created automatically for the tokens and you can safely delete these.

4
education/windows/switch-to-pro-education.md
View File

@ -159,7 +159,7 @@ Once you enable the setting to switch to Windows 10 Pro Education, the switch wi
**To turn on the automatic switch to Windows 10 Pro Education**
1. Sign in to [Microsoft Store for Education](https://businessstore.microsoft.com/) with your work or school account.
1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com/) with your work or school account.
If this is the first time you're signing into the Microsoft Store for Education, you'll be prompted to accept the Microsoft Store for Education Terms of Use.
@ -341,7 +341,7 @@ Once the automatic switch to Windows 10 Pro Education is turned off, the change
**To roll back Windows 10 Pro Education to Windows 10 Pro**
1. Log in to [Microsoft Store for Business](https://businessstore.microsoft.com/en-us/Store/Apps) with your school or work account, or follow the link from the notification email to turn off the automatic switch.
1. Log in to [Microsoft Store for Education](https://educationstore.microsoft.com/) with your school or work account, or follow the link from the notification email to turn off the automatic switch.
2. Select **Manage > Benefits** and locate the section **Windows 10 Pro Education** and follow the link.
3. In the **Revert to Windows 10 Pro** page, click **Revert to Windows 10 Pro**.

8
store-for-business/update-windows-store-for-business-account-settings.md
View File

@ -61,13 +61,13 @@ Taxes for Microsoft Store for Business purchases are determined by your business
- Switzerland
- United Kingdom
These countries can provide their VAT number or local equivalent in **Payments & billing**. However, they can only acquire free apps.
These countries can provide their VAT number or local equivalent in **Payments & billing**.
|Market| Tax identifier |
|------|----------------|
| Brazil | CPNJ (required), CCMID (optional) |
| India | CST ID, VAT ID |
| Taiwan | Unified business number|
| Brazil | CNPJ (required) |
| India | CST ID, VAT ID (both are optional) |
| Taiwan | VAT ID (optional) |
### Tax-exempt status

226
store-for-business/windows-store-for-business-overview.md
View File

@ -157,6 +157,193 @@ For more information, see [Manage settings in the Store for Business](manage-set
Microsoft Store for Business and Education is currently available in these markets.
<!--- <table>
<tr>
<th align="center" colspan="4">Support for free and paid apps</th>
</tr>
<tr align="left">
<td>
<ul>
<li>Algeria</li>
<li>Angola</li>
<li>Argentina</li>
<li>Australia</li>
<li>Austria</li>
<li>Bahamas</li>
<li>Bahrain</li>
<li>Bangladesh</li>
<li>Barbados</li>
<li>Belgium</li>
<li>Belize</li>
<li>Bermuda</li>
<li>Bhutan</li>
<li>Bolivia</li>
<li>Botswana</li>
<li>Brunei Darussalam</li>
<li>Bulgaria</li>
<li>Cambodia</li>
<li>Cameroon</li>
<li>Canada</li>
<li>Republic of Cabo Verde</li>
<li>Cayman Islands</li>
<li>Chile</li>
<li>Colombia</li>
<li>Costa Rica</li>
<li>C&ocirc;te D'ivoire</li>
<li>Croatia</li>
<li>Cur&ccedil;ao</li>
<li>Cyprus</li>
</ul>
</td>
<td>
<ul>
<li>Czech Republic</li>
<li>Denmark</li>
<li>Dominican Republic</li>
<li>Ecuador</li>
<li>Egypt</li>
<li>El Salvador</li>
<li>Estonia</li>
<li>Faroe Islands</li>
<li>Fiji</li>
<li>Finland</li>
<li>France</li>
<li>Germany</li>
<li>Ghana</li>
<li>Greece</li>
<li>Guadeloupe</li>
<li>Guatemala</li>
<li>Honduras</li>
<li>Hong Kong SAR</li>
<li>Hungary</li>
<li>Iceland</li>
<li>Indonesia</li>
<li>Iraq</li>
<li>Ireland</li>
<li>Israel</li>
<li>Italy</li>
<li>Jamaica</li>
<li>Japan</li>
<li>Jordan</li>
<li>Kenya</li>
</ul>
</td>
<td>
<ul>
<li>Kuwait</li>
<li>Latvia</li>
<li>Lebanon</li>
<li>Libya</li>
<li>Liechtenstein</li>
<li>Lithuania</li>
<li>Luxembourg</li>
<li>Malaysia</li>
<li>Malta</li>
<li>Mauritius</li>
<li>Mexico</li>
<li>Mongolia</li>
<li>Montenegro</li>
<li>Morocco</li>
<li>Mozambique</li>
<li>Namibia</li>
<li>Netherlands</li>
<li>New Zealand</li>
<li>Nicaragua</li>
<li>Nigeria</li>
<li>Norway</li>
<li>Oman</li>
<li>Pakistan</li>
<li>Palestinian Authority</li>
<li>Panama</li>
<li>Paraguay</li>
<li>Peru</li>
<li>Philippines</li>
<li>Poland</li>
</ul>
</td>
<td>
<ul>
<li>Portugal</li>
<li>Puerto Rico</li>
<li>Qatar</li>
<li>Romania</li>
<li>Rwanda</li>
<li>Saint Kitts and Nevis</li>
<li>Saudi Arabia</li>
<li>Senegal</li>
<li>Serbia</li>
<li>Singapore</li>
<li>Slovakia</li>
<li>Slovenia</li>
<li>South Africa</li>
<li>Spain</li>
<li>Sweden</li>
<li>Switzerland</li>
<li>Tanzania</li>
<li>Thailand</li>
<li>Trinidad and Tobago</li>
<li>Tunisia</li>
<li>Turkey</li>
<li>Uganda</li>
<li>United Arab Emirates</li>
<li>United Kingdom</li>
<li>United States</li>
</ul>
</td>
<td>
<ul>
<li>Uruguay</li>
<li>Viet Nam</li>
<li>Virgin Islands, U.S.</li>
<li>Zambia</li>
<li>Zimbabwe<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</li>
</ul>
</td>
</tr>
</table>
<table>
<tr>
<th align="center">Support for free apps only</th>
</tr>
<tr align="left">
<td>
<ul>
<li>Russia</li>
</ul>
</td>
</tr>
</table>
<table>
<tr>
<th align="center">Support for free apps and Minecraft: Education Edition</th>
</tr>
<tr align="left">
<td>
<ul>
<li>Albania</li>
<li>Armenia</li>
<li>Azerbaijan</li>
<li>Belarus</li>
<li>Bosnia</li>
<li>Brazil</li>
<li>Georgia</li>
<li>India</li>
<li>Kazakhstan</li>
<li>Korea</li>
<li>Kyrgyzstan</li>
<li>Moldova</li>
<li>Taiwan</li>
<li>Tajikistan</li>
<li>Turkmenistan</li>
<li>Ukraine</li>
<li>Uzbekistan</li>
</ul>
</td>
</tr>
</table> -->
### Support for free and paid apps
<table>
<tr>
<th align="center" colspan="4">Support for free and paid apps</th>
@ -294,22 +481,29 @@ Microsoft Store for Business and Education is currently available in these marke
</tr>
</table>
<table>
<tr>
<th align="center">Support for free apps only</th>
</tr>
<tr align="left">
<td>
<ul>
<li>Brazil</li>
<li>India</li>
<li>Russia</li>
<li>Taiwan</li>
<li>Ukraine</li>
</ul>
</td>
</tr>
</table>
### Support for free apps
Customers in these markets can use Microsoft Store for Business and Education to acquire free apps:
- India
- Russia
### Support for free apps and Minecraft: Education Edition
Customers in these markets can use Microsoft Store for Business and Education to acquire free apps and Minecraft: Education Edition:
- Brazil
- Taiwan
- Ukraine
This table summarize what customers can purchase, depending on which Microsoft Store they are using.
| Store | Free apps | Minecraft: Education Edition |
| ----- | --------- | ---------------------------- |
| Microsoft Store for Business | supported | not supported |
| Microsoft Store for Education | supported | supported; invoice payment required |
> [!NOTE]
> **Microsoft Store for Education customers with support for free apps and Minecraft: Education Edition**
- Admins can acquire free apps from **Microsoft Store for Education**.
- Admins need to use an invoice to purchase **Minecraft: Education Edition**. For more information, see [Invoice payment option](https://docs.microsoft.com/education/windows/school-get-minecraft#invoices).
- Teachers, or people with the Basic Purachaser role, can acquire free apps, but not **Minecraft: Education Edition**.
## Privacy notice

5
windows/access-protection/enterprise-certificate-pinning.md
View File

@ -189,9 +189,12 @@ Sign-in to the reference computer using domain administrator equivalent credenti
8. Right-click the **Registry** node and click **New**.
9. In the **New Registry Properties** dialog box, select **Update** from the **Action** list. Select **HKEY_LOCAL_MACHINE** from the **Hive** list.
10. For the **Key Path**, click **…** to launch the **Registry Item Browser**. Navigate to the following registry key and select the **PinRules** registry value name:
HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType0\CertDllCreateCertificateChainEngine\Config
Click **Select** to close the **Registry Item Browser**.
11. The **Key Path** should contain the selected registry key. The **Value name** configuration should contain the registry value name **_PinRules_**. **Value type** should read **_REGBINARY_** and **Value data** should contain a long series of numbers from 0-9 and letters ranging from A-F (hexadecimal). Click **OK** to save your settings and close the dialog box.
11. The **Key Path** should contain the selected registry key. The **Value name** configuration should contain the registry value name **_PinRules_**. **Value type** should read **_REG\_BINARY_** and **Value data** should contain a long series of numbers from 0-9 and letters ranging from A-F (hexadecimal). Click **OK** to save your settings and close the dialog box.
![PinRules Properties](images/enterprise-certificate-pinning-pinrules-properties.png)

2
windows/client-management/TOC.md
View File

@ -9,5 +9,5 @@
## [Reset a Windows 10 Mobile device](reset-a-windows-10-mobile-device.md)
## [Windows 10 Mobile deployment and management guide](windows-10-mobile-and-mdm.md)
## [Windows libraries](windows-libraries.md)
## [Mobile Device Management](mdm/index.md)
## [Mobile device management protocol](mdm/index.md)
## [Change history for Client management](change-history-for-client-management.md)

755
windows/client-management/mdm/enterpriseassignedaccess-csp.md
View File

@ -16,9 +16,8 @@ The EnterpriseAssignedAccess configuration service provider allows IT administra
> **Note**   The EnterpriseAssignedAccess CSP is only supported in Windows 10 Mobile.
 
For more information about how to interact with the lockdown XML at runtime, see [**DeviceLockdownProfile class**](https://msdn.microsoft.com/library/windows/hardware/mt186983).
To use an app to create a lockdown XML see [Use the Lockdown Designer app to create a Lockdown XML file](https://docs.microsoft.com/en-us/windows/configuration/mobile-devices/mobile-lockdown-designer). For more information about how to interact with the lockdown XML at runtime, see [**DeviceLockdownProfile class**](https://msdn.microsoft.com/library/windows/hardware/mt186983).
The following diagram shows the EnterpriseAssignedAccess configuration service provider in tree format as used by both the Open Mobile Alliance (OMA) Device Management (DM) and OMA Client Provisioning.
@ -44,137 +43,103 @@ When using the AssignedAccessXml in the EnterpriseAssignedAccess CSP through an
When using the AssignedAccessXml in a provisioning package using the Windows Imaging and Configuration Designer (ICD) tool, do not use escaped characters.
 
Entry | Description
----------- | ------------
ActionCenter | You can enable or disable the Action Center (formerly known as Notification Center) on the device. Set to true to enable the Action Center, or set to false to disable the Action Center.
ActionCenter | Example: `<ActionCenter enabled="true"></ActionCenter>`
ActionCenter | In Windows 10, when the Action Center is disabled, Above Lock notifications and toasts are also disabled. When the Action Center is enabled, the following policies are also enabled; **AboveLock/AllowActionCenterNotifications** and **AboveLock/AllowToasts**. For more information about these policies, see [Policy CSP](policy-configuration-service-provider.md)
ActionCenter | You can also add the following optional attributes to the ActionCenter element to override the default behavior: **aboveLockToastEnabled** and **actionCenterNotificationEnabled**. Valid values are 0 (policy disabled), 1 (policy enabled), and -1 (not set, policy enabled). In this example, the Action Center is enabled and both policies are disabled.: `<ActionCenter enabled="true" aboveLockToastEnabled="0" actionCenterNotificationEnabled="0"/>`
ActionCenter | These optional attributes are independent of each other. In this example, Action Center is enabled, the notifications policy is disabled, and the toast policy is enabled by default because it is not set. `<ActionCenter enabled="true" actionCenterNotificationEnabled="0"/>`
StartScreenSize | Specify the size of the Start screen. In addition to 4/6 columns, you can also use 4/6/8 depending on screen resolutions. Valid values: **Small** - sets the width to 4 columns on device with short axis &lt;400epx or 6 columns on devices with short axis &gt;=400epx. **Large** - sets the width to 6 columns on devices with short axis &lt;400epx or 8 columns on devices with short axis &gt;=400epx.
StartScreenSize | If you have existing lockdown XML, you must update it if your device has &gt;=400epx on its short axis so that tiles on Start can fill all 8 columns if you want to use all 8 columns instead of 6, or use 6 columns instead of 4. Example: `<StartScreenSize>Large</StartScreenSize>`
Application | Provide the product ID for each app that will be available on the device. You can find the product ID for a locally developed app in the AppManifest.xml file of the app. For the list of product ID and AUMID see [ProductIDs in Windows 10 Mobile](#productid).
Application | To turn on the notification for a Windows app, you must include the application's AUMID in the lockdown XML. However, the user can change the setting at any time from user interface. Example: `<Application productId="{A558FEBA-85D7-4665-B5D8-A2FF9C19799B}" aumid="microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowslive.mail"/>`
Application | <img src="images/enterpriseassignedaccess-csp.png" alt="modern app notification" />
Application | Include PinToStart to display an app on the Start screen. For apps pinned to the Start screen, identify a tile size (small, medium, or large), and a location. The size of a small tile is 1 column x 1 row, a medium tile is 2 x 2, and a large tile is 4 x 2. For the tile location, the first value indicates the column and the second value indicates the row. A value of 0 (zero) indicates the first column, a value of 1 indicates the second column, and so on. Include autoRun as an attribute to configure the application to run automatically.
Application example:
``` syntax
<Application productId="{2A4E62D8-8809-4787-89F8-69D0F01654FB}" autoRun="true">
<PinToStart>
<Size>Large</Size>
<Location>
<LocationX>0</LocationX>
<LocationY>2</LocationY>
</Location>
</PinToStart>
</Application>
```
Entry | Description
----------- | ------------
Application | Multiple App Packages enable multiple apps to exist inside the same package. Since ProductIds identify packages and not applications, specifying a ProductId is not enough to distinguish between individual apps inside a multiple app package. Trying to include application from a multiple app package with just a ProductId can result in unexpected behavior. To support pinning applications in multiple app packages, use an AUMID parameter in lockdown XML. For the list of product ID and AUMID, see [ProductIDs in Windows 10 Mobile](#productid). The following example shows how to pin both Outlook mail and Outlook calendar.
Application example:
``` syntax
<Apps>
<!-- Outlook Calendar -->
<Application productId="{A558FEBA-85D7-4665-B5D8-A2FF9C19799B}"
aumid="microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowslive.calendar">
<PinToStart>
<Size>Large</Size>
<Location>
<LocationX>1</LocationX>
<LocationY>4</LocationY>
</Location>
</PinToStart>
</Application>
<!-- Outlook Mail-->
<Application productId="{A558FEBA-85D7-4665-B5D8-A2FF9C19799B}"
aumid="microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowslive.mail">
<PinToStart>
<Size>Large</Size>
<Location>
<LocationX>1</LocationX>
<LocationY>6</LocationY>
</Location>
</PinToStart>
</Application>
</Apps>
```
Entry | Description
----------- | ------------
Folder | A folder should be contained in &lt;Applications/&gt; node among with other &lt;Application/&gt; nodes, it shares most grammar with the Application Node, **folderId** is mandatory, **folderName** is optional, which is the folder name displayed on Start. **folderId** is a unique unsigned integer for each folder.
Folder example:
``` syntax
<Application folderId="4" folderName="foldername">
<PinToStart>
<Size>Large</Size>
<Location>
<LocationX>0</LocationX>
<LocationY>2</LocationY>
</Location>
</PinToStart>
</Application>
```
An application that belongs in the folder would add an optional attribute **ParentFolderId**, which maps to **folderId** of the folder. In this case, the location of this application will be located inside the folder.
``` syntax
<Application productId="{2A4E62D8-8809-4787-89F8-69D0F01654FB}">
<PinToStart>
<Size>Medium</Size>
<Location>
<LocationX>0</LocationX>
<LocationY>0</LocationY>
</Location>
<ParentFolderId>2</ParentFolderId>
</PinToStart>
</Application>
```
Entry | Description
----------- | ------------
Settings | Starting in Windows 10, version 1511, you can specify the following settings pages in the lockdown XML file.
> [!Important]
> Do not specify a group entry without a page entry because it will cause an undefined behavior.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Entry</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td style="vertical-align:top"><p>ActionCenter</p></td>
<td><p>You can enable or disable the Action Center (formerly known as Notification Center) on the device. Set to true to enable the Action Center, or set to false to disable the Action Center.</p>
<p>Example:</p>
<pre class="syntax" space="preserve"><code>&lt;ActionCenter enabled=&quot;true&quot;&gt;&lt;/ActionCenter&gt;</code></pre>
<p>In Windows 10, when the Action Center is disabled, Above Lock notifications and toasts are also disabled. When the Action Center is enabled, the following policies are also enabled:</p>
<ul>
<li>AboveLock/AllowActionCenterNotifications</li>
<li>AboveLock/AllowToasts</li>
</ul>
<p>For more information about these policies, see [Policy CSP](policy-configuration-service-provider.md)</p>
<p>You can also add the following optional attributes to the ActionCenter element to override the default behavior:</p>
<ul>
<li>aboveLockToastEnabled</li>
<li>actionCenterNotificationEnabled</li>
</ul>
<p>Valid values are 0 (policy disabled), 1 (policy enabled), and -1 (not set, policy enabled).</p>
<p>In this example, the Action Center is enabled and both policies are disabled.</p>
<pre class="syntax" space="preserve"><code>&lt;ActionCenter enabled=&quot;true&quot; aboveLockToastEnabled=&quot;0&quot; actionCenterNotificationEnabled=&quot;0&quot;/&gt;</code></pre>
<p>These optional attributes are independent of each other.</p>
<p>In this example, Action Center is enabled, the notifications policy is disabled, and the toast policy is enabled by default because it is not set.</p>
<pre class="syntax" space="preserve"><code>&lt;ActionCenter enabled=&quot;true&quot; actionCenterNotificationEnabled=&quot;0&quot;/&gt;</code></pre></td>
</tr>
<tr class="even">
<td style="vertical-align:top"><p>StartScreenSize</p></td>
<td><p>Specify the size of the Start screen. In addition to 4/6 columns, you can also use 4/6/8 depending on screen resolutions.</p>
<p>Valid values:</p>
<ul>
<li><strong>Small</strong> sets the width to 4 columns on device with short axis &lt;400epx or 6 columns on devices with short axis &gt;=400epx.</li>
<li><strong>Large</strong> sets the width to 6 columns on devices with short axis &lt;400epx or 8 columns on devices with short axis &gt;=400epx.</li>
</ul>
<p>If you have existing lockdown XML, you must update it if your device has &gt;=400epx on its short axis so that tiles on Start can fill all 8 columns if you want to use all 8 columns instead of 6, or use 6 columns instead of 4.</p>
<p>Example:</p>
<pre class="syntax" space="preserve"><code>&lt;StartScreenSize&gt;Large&lt;/StartScreenSize&gt;</code></pre></td>
</tr>
<tr class="odd">
<td style="vertical-align:top"><p>Application</p></td>
<td><p>Provide the product ID for each app that will be available on the device.</p>
<p>You can find the product ID for a locally developed app in the AppManifest.xml file of the app. For the list of product ID and AUMID see [ProductIDs in Windows 10 Mobile](#productid).</p>
<p>To turn on the notification for a Windows app, you must include the application's AUMID in the lockdown XML. However, the user can change the setting at any time from user interface.</p>
<pre class="syntax" space="preserve"><code>&lt;Application productId=&quot;{A558FEBA-85D7-4665-B5D8-A2FF9C19799B}&quot; aumid=&quot;microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowslive.mail&quot;/&gt;</code></pre>
<img src="images/enterpriseassignedaccess-csp.png" alt="modern app notification" />
<p>Include PinToStart to display an app on the Start screen. For apps pinned to the Start screen, identify a tile size (small, medium, or large), and a location. The size of a small tile is 1 column x 1 row, a medium tile is 2 x 2, and a large tile is 4 x 2.</p>
<p>For the tile location, the first value indicates the column and the second value indicates the row. A value of <strong>0</strong> indicates the first column, a value of <strong>1</strong> indicates the second column, and so on.</p>
<p>Include autoRun as an attribute to configure the application to run automatically.</p>
<p>Example:</p>
<pre class="syntax" space="preserve"><code>&lt;Application productId=&quot;{2A4E62D8-8809-4787-89F8-69D0F01654FB}&quot; autoRun=&quot;true&quot;&gt;
&lt;PinToStart&gt;
&lt;Size&gt;Large&lt;/Size&gt;
&lt;Location&gt;
&lt;LocationX&gt;0&lt;/LocationX&gt;
&lt;LocationY&gt;2&lt;/LocationY&gt;
&lt;/Location&gt;
&lt;/PinToStart&gt;
&lt;/Application&gt;</code></pre>
<p>Multiple App Packages enable multiple apps to exist inside the same package. Since ProductIds identify packages and not applications, specifying a ProductId is not enough to distinguish between individual apps inside a multiple app package. Trying to include application from a multiple app package with just a ProductId can result in unexpected behavior.</p>
<p>To support pinning applications in multiple app packages, use an AUMID parameter in lockdown XML. For the list of product ID and AUMID, see [ProductIDs in Windows 10 Mobile](#productid). The following example shows how to pin both Outlook mail and Outlook calendar.</p>
<pre class="syntax" space="preserve"><code>&lt;Apps&gt;
&lt;!-- Outlook Calendar --&gt;
&lt;Application productId=&quot;{A558FEBA-85D7-4665-B5D8-A2FF9C19799B}&quot;
aumid=&quot;microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowslive.calendar&quot;&gt;
&lt;PinToStart&gt;
&lt;Size&gt;Large&lt;/Size&gt;
&lt;Location&gt;
&lt;LocationX&gt;1&lt;/LocationX&gt;
&lt;LocationY&gt;4&lt;/LocationY&gt;
&lt;/Location&gt;
&lt;/PinToStart&gt;
&lt;/Application&gt;
&lt;!-- Outlook Mail--&gt;
&lt;Application productId=&quot;{A558FEBA-85D7-4665-B5D8-A2FF9C19799B}&quot;
aumid=&quot;microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowslive.mail&quot;&gt;
&lt;PinToStart&gt;
&lt;Size&gt;Large&lt;/Size&gt;
&lt;Location&gt;
&lt;LocationX&gt;1&lt;/LocationX&gt;
&lt;LocationY&gt;6&lt;/LocationY&gt;
&lt;/Location&gt;
&lt;/PinToStart&gt;
&lt;/Application&gt;
&lt;/Apps&gt;</code></pre></td>
</tr>
<tr class="even">
<td style="vertical-align:top"><p>Folder</p></td>
<td><p>A folder should be contained in &lt;Applications/&gt; node among with other &lt;Application/&gt; nodes, it shares most grammar with the Application Node, <strong>folderId</strong> is mandatory, <strong>folderName</strong> is optional, which is the folder name displayed on Start. <strong>folderId</strong> is a unique unsigned integer for each folder.</p>
<p>For example:</p>
<pre class="syntax" space="preserve"><code>&lt;Application folderId=&quot;4&quot; folderName=&quot;foldername&quot;&gt;
&lt;PinToStart&gt;
&lt;Size&gt;Large&lt;/Size&gt;
&lt;Location&gt;
&lt;LocationX&gt;0&lt;/LocationX&gt;
&lt;LocationY&gt;2&lt;/LocationY&gt;
&lt;/Location&gt;
&lt;/PinToStart&gt;
&lt;/Application&gt;</code></pre>
<p>An application that belongs in the folder would add an optional attribute <strong>ParentFolderId</strong>, which maps to <strong>folderId</strong> of the folder. In this case, the location of this application will be located inside the folder.</p>
<pre class="syntax" space="preserve"><code>&lt;Application productId=&quot;{2A4E62D8-8809-4787-89F8-69D0F01654FB}&quot;&gt;
&lt;PinToStart&gt;
&lt;Size&gt;Medium&lt;/Size&gt;
&lt;Location&gt;
&lt;LocationX&gt;0&lt;/LocationX&gt;
&lt;LocationY&gt;0&lt;/LocationY&gt;
&lt;/Location&gt;
&lt;ParentFolderId&gt;2&lt;/ParentFolderId&gt;
&lt;/PinToStart&gt;
&lt;/Application&gt;</code></pre></td>
</tr>
<tr class="odd">
<td style="vertical-align:top"><p>Settings</p></td>
<td><p><strong>Settings pages</strong></p>
<p>Starting in Windows 10, version 1511, you can specify the following settings pages in the lockdown XML file.</p>
<div class="alert">
<strong>Important</strong>  Do not specify a group entry without a page entry because it will cause an undefined behavior.
</div>
<div>
 
</div>
<ul>
<li>System (main menu) - SettingsPageGroupPCSystem
<ul>
@ -278,9 +243,14 @@ aumid=&quot;microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowsl
<li>Extensibility - SettingsPageExtensibility</li>
</ul></li>
</ul>
<p><strong>Quick action settings</strong></p>
<p>Starting in Windows 10, version 1511, you can specify the following quick action settings in the lockdown XML file. The following list shows the quick action settings and settings page dependencies (group and page). </p>
<p>Note: Only Windows 10, versions 1511 and 1607, the dependent settings group and pages are automatically added when the quick action item is specified in the lockdown XML. This statement does not apply to Windows 10, version 1703.</p>
**Quick action settings**
Starting in Windows 10, version 1511, you can specify the following quick action settings in the lockdown XML file. The following list shows the quick action settings and settings page dependencies (group and page).
> [!Note]
> Only Windows 10, versions 1511 and 1607, the dependent settings group and pages are automatically added when the quick action item is specified in the lockdown XML. This statement does not apply to Windows 10, version 1703.
<ul>
<li><p>SystemSettings_System_Display_QuickAction_Brightness</p>
<p>Dependencies - SettingsPageSystemDisplay, SettingsPageDisplay</p></li>
@ -315,277 +285,265 @@ aumid=&quot;microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowsl
<li><p>SystemSettings_QuickAction_Camera</p>
<p>Dependencies - none</p></li>
</ul>
<p>In this example, all settings pages and quick action settings are allowed. An empty &lt;Settings&gt; node indicates that none of the settings are blocked.</p>
<pre class="syntax" space="preserve"><code>&lt;Settings&gt;
&lt;/Settings&gt;</code></pre>
<p>In this example, all System setting pages are enabled. Note that the System page group is added as well as all of the System subpage names.</p>
<pre class="syntax" space="preserve"><code>&lt;Settings&gt;
&lt;System name=&quot;SettingsPageGroupPCSystem&quot; /&gt;
&lt;System name=&quot;SettingsPageDisplay&quot; /&gt;
&lt;System name=&quot;SettingsPageAppsNotifications&quot; /&gt;
&lt;System name=&quot;SettingsPageCalls&quot; /&gt;
&lt;System name=&quot;SettingsPageMessaging&quot; /&gt;
&lt;System name=&quot;SettingsPageBatterySaver&quot; /&gt;
&lt;System name=&quot;SettingsPageStorageSenseStorageOverview&quot; /&gt;
&lt;System name=&quot;SettingsPageGroupPCSystemDeviceEncryption&quot; /&gt;
&lt;System name=&quot;SettingsPageDrivingMode&quot; /&gt;
&lt;System name=&quot;SettingsPagePCSystemInfo&quot; /&gt;
&lt;/Settings&gt;</code></pre>
<p>To remove access to all of the settings in the system, the settings application would simply not be listed in the app list for a particular role.</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top"><p>Buttons</p></td>
<td><p>The following list identifies the hardware buttons on the device that you can lock down in <strong>ButtonLockdownList</strong>. When a user taps a button that is in the lockdown list, nothing will happen.</p>
In this example, all settings pages and quick action settings are allowed. An empty \<Settings> node indicates that none of the settings are blocked.
``` syntax
<Settings>
</Settings>
```
In this example, all System setting pages are enabled. Note that the System page group is added as well as all of the System subpage names.
``` syntax
<Settings>
<System name="SettingsPageGroupPCSystem" />
<System name="SettingsPageDisplay" />
<System name="SettingsPageAppsNotifications" />
<System name="SettingsPageCalls" />
<System name="SettingsPageMessaging" />
<System name="SettingsPageBatterySaver" />
<System name="SettingsPageStorageSenseStorageOverview" />
<System name="SettingsPageGroupPCSystemDeviceEncryption" />
<System name="SettingsPageDrivingMode" />
<System name="SettingsPagePCSystemInfo" />
</Settings>
```
Entry | Description
----------- | ------------
Buttons | The following list identifies the hardware buttons on the device that you can lock down in <strong>ButtonLockdownList</strong>. When a user taps a button that is in the lockdown list, nothing will happen.
<ul>
<li><p>Start</p>
<div class="alert">
<strong>Note</strong>  
<p>Lock down of the Start button only prevents the press and hold event.</p>
</div>
<div>
 
</div></li>
<li><p>Back</p></li>
<li><p>Search</p></li>
<li><p>Camera</p></li>
<li><p>Custom1</p></li>
<li><p>Custom2</p></li>
<li><p>Custom3</p>
<div class="alert">
<strong>Note</strong>  
<p>Custom buttons are hardware buttons that can be added to devices by OEMs.</p>
</div>
<div>
 
</div></li>
<li><p>Custom3</p></li>
</ul>
<p>Example:</p>
<pre class="syntax" space="preserve"><code>&lt;Buttons&gt;
&lt;ButtonLockdownList&gt;
&lt;!-- Lockdown all buttons --&gt;
&lt;Button name=&quot;Search&quot;&gt;
&lt;/Button&gt;
&lt;Button name=&quot;Camera&quot;&gt;
&lt;/Button&gt;
&lt;Button name=&quot;Custom1&quot;&gt;
&lt;/Button&gt;
&lt;Button name=&quot;Custom2&quot;&gt;
&lt;/Button&gt;
&lt;Button name=&quot;Custom3&quot;&gt;
&lt;/Button&gt;
&lt;/ButtonLockdownList&gt;</code></pre>
<p>The Search and custom buttons can be <em>remapped</em> or configured to open a specific application. Button remapping takes effect for the device and applies to all users.</p>
<div class="alert">
<strong>Note</strong>  
<p>The lockdown settings for a button, per user role, will apply regardless of the button mapping.</p>
</div>
<div>
 
</div>
<div class="alert">
<strong>Warning</strong>  
<p>Button remapping can enable a user to open an application that is not in the Allow list. Use button lock down to prevent application access for a user role.</p>
</div>
<div>
 
</div>
<p>To remap a button in lockdown XML, you supply the button name, the button event (typically &quot;press&quot;), and the product ID for the application the button will open.</p>
<p>Example:</p>
<pre class="syntax" space="preserve"><code>&lt;ButtonRemapList&gt;
&lt;Button name=&quot;Search&quot;&gt;
&lt;ButtonEvent name=&quot;Press&quot;&gt;
&lt;!-- Alarms --&gt;
&lt;Application productId=&quot;{08179793-ED2E-45EA-BA12-BDE3EE9C3CE3}&quot; parameters=&quot;&quot; /&gt;
&lt;/ButtonEvent&gt;
&lt;/Button&gt;
&lt;/ButtonRemapList&gt;</code></pre>
<p><strong>Disabling navigation buttons</strong></p>
<p>To disable navigation buttons (such as Home or Back) in lockdown XML, you supply the name (for example, Start) and button event (typically &quot;press&quot;).</p>
<p>The following section contains a sample lockdown XML file that shows how to disable navigation buttons.</p>
<p>Example:</p>
<pre class="syntax" space="preserve"><code>&lt;?xml version=&quot;1.0&quot; encoding=&quot;utf-8&quot;?&gt;
&lt;HandheldLockdown version=&quot;1.0&quot; &gt;
&lt;Default&gt;
&lt;ActionCenter enabled=&quot;false&quot; /&gt;
&lt;Apps&gt;
&lt;!-- Settings --&gt;
&lt;Application productId=&quot;{2A4E62D8-8809-4787-89F8-69D0F01654FB}&quot;&gt;
&lt;PinToStart&gt;
&lt;Size&gt;Large&lt;/Size&gt;
&lt;Location&gt;
&lt;LocationX&gt;0&lt;/LocationX&gt;
&lt;LocationY&gt;0&lt;/LocationY&gt;
&lt;/Location&gt;
&lt;/PinToStart&gt;
&lt;/Application&gt;
&lt;!-- Phone Apps --&gt;
&lt;Application productId=&quot;{F41B5D0E-EE94-4F47-9CFE-3D3934C5A2C7}&quot;&gt;
&lt;PinToStart&gt;
&lt;Size&gt;Small&lt;/Size&gt;
&lt;Location&gt;
&lt;LocationX&gt;2&lt;/LocationX&gt;
&lt;LocationY&gt;2&lt;/LocationY&gt;
&lt;/Location&gt;
&lt;/PinToStart&gt;
&lt;/Application&gt;
&lt;/Apps&gt;
&lt;Buttons&gt;
&lt;ButtonLockdownList&gt;
&lt;Button name=&quot;Start&quot;&gt;
&lt;ButtonEvent name=&quot;Press&quot; /&gt;
&lt;/Button&gt;
&lt;Button name=&quot;Back&quot;&gt;
&lt;ButtonEvent name=&quot;Press&quot; /&gt;
&lt;ButtonEvent name=&quot;PressAndHold&quot; /&gt;
&lt;/Button&gt;
&lt;Button name=&quot;Search&quot;&gt;
&lt;ButtonEvent name=&quot;All&quot; /&gt;
&lt;/Button&gt;
&lt;Button name=&quot;Camera&quot;&gt;
&lt;ButtonEvent name=&quot;Press&quot; /&gt;
&lt;ButtonEvent name=&quot;PressAndHold&quot; /&gt;
&lt;/Button&gt;
&lt;Button name=&quot;Custom1&quot;&gt;
&lt;ButtonEvent name=&quot;Press&quot; /&gt;
&lt;ButtonEvent name=&quot;PressAndHold&quot; /&gt;
&lt;/Button&gt;
&lt;Button name=&quot;Custom2&quot;&gt;
&lt;ButtonEvent name=&quot;Press&quot; /&gt;
&lt;ButtonEvent name=&quot;PressAndHold&quot; /&gt;
&lt;/Button&gt;
&lt;Button name=&quot;Custom3&quot;&gt;
&lt;ButtonEvent name=&quot;Press&quot; /&gt;
&lt;ButtonEvent name=&quot;PressAndHold&quot; /&gt;
&lt;/Button&gt;
&lt;/ButtonLockdownList&gt;
&lt;ButtonRemapList /&gt;
&lt;/Buttons&gt;
&lt;MenuItems&gt;
&lt;DisableMenuItems/&gt;
&lt;/MenuItems&gt;
&lt;Settings&gt;
&lt;/Settings&gt;
&lt;Tiles&gt;
&lt;EnableTileManipulation/&gt;
&lt;/Tiles&gt;
&lt;StartScreenSize&gt;Small&lt;/StartScreenSize&gt;
&lt;/Default&gt;
&lt;/HandheldLockdown&gt;</code></pre></td>
</tr>
<tr class="odd">
<td style="vertical-align:top"><p>MenuItems</p></td>
<td><p>Use <strong>DisableMenuItems</strong> to prevent use of the context menu, which is displayed when a user presses and holds an application in the All Programs list. You can include this entry in the default profile and in any additional user role profiles that you create.</p>
<p>Example:</p>
<pre class="syntax" space="preserve"><code>&lt;MenuItems&gt;
&lt;DisableMenuItems/&gt;
&lt;/MenuItems&gt;</code></pre>
<div class="alert">
<strong>Important</strong>  
<p>If <strong>DisableMenuItems</strong> is not included in a profile, users of that profile can uninstall apps.</p>
</div>
<div>
 
</div></td>
</tr>
<tr class="even">
<td style="vertical-align:top"><p>Tiles</p></td>
<td><p><strong>Turning-on tile manipulation</strong></p>
<p>By default, under Assigned Access, tile manipulation is turned off (blocked) and only available if enabled in the users profile.</p>
<p>If tile manipulation is enabled in the users profile, they can pin/unpin, move, and resize tiles based on their preferences. When multiple people use one device and you want to enable tile manipulation for multiple users, you must enable it for each user in their user profile.</p>
<div class="alert">
<strong>Important</strong>  
<p>If a device is turned off then back on, the tiles reset to their predefined layout. If a device has only one profile, the only way to reset the tiles is to turn off then turn on the device. If a device has multiple profiles, the device resets the tiles to the predefined layout based on the logged-in users profile.</p>
</div>
<div>
 
</div>
<p>The following sample file contains configuration for enabling tile manipulation.</p>
<div class="alert">
<strong>Note</strong>  
<p>Tile manipulation is disabled when you dont have a <code>&lt;Tiles&gt;</code> node in lockdown XML, or if you have a <code>&lt;Tiles&gt;</code> node but dont have the <code>&lt;EnableTileManipulation/&gt;</code> node.</p>
</div>
<div>
 
</div>
<p>Example:</p>
<pre class="syntax" space="preserve"><code>&lt;?xml version=&quot;1.0&quot; encoding=&quot;utf-8&quot;?&gt;
&lt;HandheldLockdown version=&quot;1.0&quot; &gt;
&lt;Default&gt;
&lt;ActionCenter enabled=&quot;false&quot; /&gt;
&lt;Apps&gt;
&lt;!-- Settings --&gt;
&lt;Application productId=&quot;{2A4E62D8-8809-4787-89F8-69D0F01654FB}&quot;&gt;
&lt;PinToStart&gt;
&lt;Size&gt;Large&lt;/Size&gt;
&lt;Location&gt;
&lt;LocationX&gt;0&lt;/LocationX&gt;
&lt;LocationY&gt;0&lt;/LocationY&gt;
&lt;/Location&gt;
&lt;/PinToStart&gt;
&lt;/Application&gt;
> [!Note]
> Lock down of the Start button only prevents the press and hold event.
>
> Custom buttons are hardware buttons that can be added to devices by OEMs.
&lt;!-- Phone Apps --&gt;
&lt;Application productId=&quot;{F41B5D0E-EE94-4F47-9CFE-3D3934C5A2C7}&quot;&gt;
&lt;PinToStart&gt;
&lt;Size&gt;Small&lt;/Size&gt;
&lt;Location&gt;
&lt;LocationX&gt;2&lt;/LocationX&gt;
&lt;LocationY&gt;2&lt;/LocationY&gt;
&lt;/Location&gt;
&lt;/PinToStart&gt;
&lt;/Application&gt;
&lt;/Apps&gt;
&lt;Buttons&gt;
&lt;ButtonLockdownList&gt;
&lt;Button name=&quot;Start&quot;&gt;
&lt;ButtonEvent name=&quot;Press&quot; /&gt;
&lt;/Button&gt;
&lt;Button name=&quot;Back&quot;&gt;
&lt;ButtonEvent name=&quot;Press&quot; /&gt;
&lt;ButtonEvent name=&quot;PressAndHold&quot; /&gt;
&lt;/Button&gt;
&lt;Button name=&quot;Search&quot;&gt;
&lt;ButtonEvent name=&quot;All&quot; /&gt;
&lt;/Button&gt;
&lt;Button name=&quot;Camera&quot;&gt;
&lt;ButtonEvent name=&quot;Press&quot; /&gt;
&lt;ButtonEvent name=&quot;PressAndHold&quot; /&gt;
&lt;/Button&gt;
&lt;Button name=&quot;Custom1&quot;&gt;
&lt;ButtonEvent name=&quot;Press&quot; /&gt;
&lt;ButtonEvent name=&quot;PressAndHold&quot; /&gt;
&lt;/Button&gt;
&lt;Button name=&quot;Custom2&quot;&gt;
&lt;ButtonEvent name=&quot;Press&quot; /&gt;
&lt;ButtonEvent name=&quot;PressAndHold&quot; /&gt;
&lt;/Button&gt;
&lt;Button name=&quot;Custom3&quot;&gt;
&lt;ButtonEvent name=&quot;Press&quot; /&gt;
&lt;ButtonEvent name=&quot;PressAndHold&quot; /&gt;
&lt;/Button&gt;
&lt;/ButtonLockdownList&gt;
&lt;ButtonRemapList /&gt;
&lt;/Buttons&gt;
&lt;MenuItems&gt;
&lt;DisableMenuItems/&gt;
&lt;/MenuItems&gt;
&lt;Settings&gt;
&lt;/Settings&gt;
&lt;Tiles&gt;
&lt;EnableTileManipulation/&gt;
&lt;/Tiles&gt;
&lt;StartScreenSize&gt;Small&lt;/StartScreenSize&gt;
&lt;/Default&gt;
&lt;/HandheldLockdown&gt;</code></pre></td>
</tr>
<tr class="odd">
<td style="vertical-align:top"><p>CSP Runner</p></td>
<td><p>Allows CSPs to be executed on the device per user role. You can use this to implement role specific policies, such as changing the color scheme when an admin logs on the device, or to set configurations per role.</p></td>
</tr>
</tbody>
</table>
Buttons example:
``` syntax
<Buttons>
<ButtonLockdownList>
<!-- Lockdown all buttons -->
<Button name="Search">
</Button>
<Button name="Camera">
</Button>
<Button name="Custom1">
</Button>
<Button name="Custom2">
</Button>
<Button name="Custom3">
</Button>
</ButtonLockdownList>
```
The Search and custom buttons can be <em>remapped</em> or configured to open a specific application. Button remapping takes effect for the device and applies to all users.
> [!Note]
> The lockdown settings for a button, per user role, will apply regardless of the button mapping.
>
> Button remapping can enable a user to open an application that is not in the Allow list. Use button lock down to prevent application access for a user role.
To remap a button in lockdown XML, you supply the button name, the button event (typically &quot;press&quot;), and the product ID for the application the button will open.
``` syntax
<ButtonRemapList>
<Button name="Search">
<ButtonEvent name="Press">
<!-- Alarms -->
<Application productId="{08179793-ED2E-45EA-BA12-BDE3EE9C3CE3}" parameters="" />
</ButtonEvent>
</Button>
</ButtonRemapList>
```
**Disabling navigation buttons**
To disable navigation buttons (such as Home or Back) in lockdown XML, you supply the name (for example, Start) and button event (typically "press").
The following section contains a sample lockdown XML file that shows how to disable navigation buttons.
``` syntax
<?xml version="1.0" encoding="utf-8"?>
<HandheldLockdown version="1.0" >
<Default>
<ActionCenter enabled="false" />
<Apps>
<!-- Settings -->
<Application productId="{2A4E62D8-8809-4787-89F8-69D0F01654FB}">
<PinToStart>
<Size>Large</Size>
<Location>
<LocationX>0</LocationX>
<LocationY>0</LocationY>
</Location>
</PinToStart>
</Application>
<!-- Phone Apps -->
<Application productId="{F41B5D0E-EE94-4F47-9CFE-3D3934C5A2C7}">
<PinToStart>
<Size>Small</Size>
<Location>
<LocationX>2</LocationX>
<LocationY>2</LocationY>
</Location>
</PinToStart>
</Application>
</Apps>
<Buttons>
<ButtonLockdownList>
<Button name="Start">
<ButtonEvent name="Press" />
</Button>
<Button name="Back">
<ButtonEvent name="Press" />
<ButtonEvent name="PressAndHold" />
</Button>
<Button name="Search">
<ButtonEvent name="All" />
</Button>
<Button name="Camera">
<ButtonEvent name="Press" />
<ButtonEvent name="PressAndHold" />
</Button>
<Button name="Custom1">
<ButtonEvent name="Press" />
<ButtonEvent name="PressAndHold" />
</Button>
<Button name="Custom2">
<ButtonEvent name="Press" />
<ButtonEvent name="PressAndHold" />
</Button>
<Button name="Custom3">
<ButtonEvent name="Press" />
<ButtonEvent name="PressAndHold" />
</Button>
</ButtonLockdownList>
<ButtonRemapList />
</Buttons>
<MenuItems>
<DisableMenuItems/>
</MenuItems>
<Settings>
</Settings>
<Tiles>
<EnableTileManipulation/>
</Tiles>
<StartScreenSize>Small</StartScreenSize>
</Default>
</HandheldLockdown>
```
Entry | Description
----------- | ------------
MenuItems | Use **DisableMenuItems** to prevent use of the context menu, which is displayed when a user presses and holds an application in the All Programs list. You can include this entry in the default profile and in any additional user role profiles that you create.
> [!Important]
> If **DisableMenuItems** is not included in a profile, users of that profile can uninstall apps.
MenuItems example:
``` syntax
<MenuItems>
<DisableMenuItems/>
</MenuItems>
```
Entry | Description
----------- | ------------
Tiles | **Turning-on tile manipulation** - By default, under Assigned Access, tile manipulation is turned off (blocked) and only available if enabled in the users profile. If tile manipulation is enabled in the users profile, they can pin/unpin, move, and resize tiles based on their preferences. When multiple people use one device and you want to enable tile manipulation for multiple users, you must enable it for each user in their user profile.
> [!Important]
> If a device is turned off then back on, the tiles reset to their predefined layout. If a device has only one profile, the only way to reset the tiles is to turn off then turn on the device. If a device has multiple profiles, the device resets the tiles to the predefined layout based on the logged-in users profile.
The following sample file contains configuration for enabling tile manipulation.
> [!Note]
> Tile manipulation is disabled when you dont have a `<Tiles>` node in lockdown XML, or if you have a `<Tiles>` node but dont have the `<EnableTileManipulation>` node.
``` syntax
<?xml version="1.0" encoding="utf-8"?>
<HandheldLockdown version="1.0" >
<Default>
<ActionCenter enabled="false" />
<Apps>
<!-- Settings -->
<Application productId="{2A4E62D8-8809-4787-89F8-69D0F01654FB}">
<PinToStart>
<Size>Large</Size>
<Location>
<LocationX>0</LocationX>
<LocationY>0</LocationY>
</Location>
</PinToStart>
</Application>
<!-- Phone Apps -->
<Application productId="{F41B5D0E-EE94-4F47-9CFE-3D3934C5A2C7}">
<PinToStart>
<Size>Small</Size>
<Location>
<LocationX>2</LocationX>
<LocationY>2</LocationY>
</Location>
</PinToStart>
</Application>
</Apps>
<Buttons>
<ButtonLockdownList>
<Button name="Start">
<ButtonEvent name="Press" />
</Button>
<Button name="Back">
<ButtonEvent name="Press" />
<ButtonEvent name="PressAndHold" />
</Button>
<Button name="Search">
<ButtonEvent name="All" />
</Button>
<Button name="Camera">
<ButtonEvent name="Press" />
<ButtonEvent name="PressAndHold" />
</Button>
<Button name="Custom1">
<ButtonEvent name="Press" />
<ButtonEvent name="PressAndHold" />
</Button>
<Button name="Custom2">
<ButtonEvent name="Press" />
<ButtonEvent name="PressAndHold" />
</Button>
<Button name="Custom3">
<ButtonEvent name="Press" />
<ButtonEvent name="PressAndHold" />
</Button>
</ButtonLockdownList>
<ButtonRemapList />
</Buttons>
<MenuItems>
<DisableMenuItems/>
</MenuItems>
<Settings>
</Settings>
<Tiles>
<EnableTileManipulation/>
</Tiles>
<StartScreenSize>Small</StartScreenSize>
</Default>
</HandheldLockdown>
```
Entry | Description
----------- | ------------
CSP Runner | Allows CSPs to be executed on the device per user role. You can use this to implement role specific policies, such as changing the color scheme when an admin logs on the device, or to set configurations per role.
 
<a href="" id="lockscreenwallpaper-"></a>**LockscreenWallpaper/**
@ -734,6 +692,8 @@ Not supported in Windows 10. Use doWipePersistProvisionedData in [RemoteWipe CS
<a href="" id="clock-timezone-"></a>**Clock/TimeZone/**
An integer that specifies the time zone of the device. The following table shows the possible values.
Supported operations are Get and Replace.
<table>
<colgroup>
<col width="20%" />
@ -1161,9 +1121,6 @@ An integer that specifies the time zone of the device. The following table shows
</tbody>
</table>
 
Supported operations are Get and Replace.
<a href="" id="locale-language-"></a>**Locale/Language/**
The culture code that identifies the language to display on a device, and specifies the formatting of numbers, currencies, time, and dates. For language values, see [Locale IDs Assigned by Microsoft](http://go.microsoft.com/fwlink/p/?LinkID=189567).
@ -1172,8 +1129,6 @@ The language setting is configured in the Default User profile only.
> **Note**  Apply the Locale ID only after the corresponding language packs are built into and supported for the OS image running on the device. The specified language will be applied as the phone language and a restart may be required.
 
Supported operations are Get and Replace.
## OMA client provisioning examples

1645
windows/client-management/mdm/policy-configuration-service-provider.md
View File

File diff suppressed because it is too large Load Diff

2
windows/configuration/mobile-devices/mobile-lockdown-designer.md
View File

@ -15,7 +15,7 @@ author: jdeckerms
Windows 10 Mobile allows enterprises to lock down a device, define multiple user roles, and configure custom layouts on a device. For example, the enterprise can lock down a device so that only applications and settings in an allow list are available. This is accomplished using Lockdown XML, an XML file that contains settings for Windows 10 Mobile.
When you deploy the lockdown XML file to a device, it is saved on the device as **wehlockdown.xml**. When the device boots, it looks for wehlockdown.xml and applies any settings configured in the file.
When you deploy the lockdown XML file to a device, it is saved on the device as **wehlockdown.xml**. When the device boots, it looks for wehlockdown.xml and applies any settings configured in the file. You can deploy the lockdown XML file by [adding it to a provisioning package](lockdown-xml.md#add-lockdown-xml-to-a-provisioning-package) or [by using mobile device management (MDM)](lockdown-xml.md#push-lockdown-xml-using-mdm).
The Lockdown Designer app helps you configure and create a lockdown XML file that you can apply to devices running Windows 10 Mobile, version 1703, and includes a remote simulation to help you determine the layout for tiles on the Start screen. Lockdown Designer also validates the XML. Using Lockdown Designer is easier than [manually creating a lockdown XML file](lockdown-xml.md).

BIN
windows/deployment/update/images/update-compliance-wdav-assessment.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 82 KiB

BIN
windows/deployment/update/images/update-compliance-wdav-overview.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 33 KiB

BIN
windows/deployment/update/images/update-compliance-wdav-prot-status.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 20 KiB

BIN
windows/deployment/update/images/update-compliance-wdav-query-not-assessed.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 40 KiB

BIN
windows/deployment/update/images/update-compliance-wdav-status-add-filter.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 68 KiB

BIN
windows/deployment/update/images/update-compliance-wdav-status-filter-apply.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 19 KiB

BIN
windows/deployment/update/images/update-compliance-wdav-status-filter.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 19 KiB

BIN
windows/deployment/update/images/update-compliance-wdav-status-log.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 52 KiB

BIN
windows/deployment/update/images/update-compliance-wdav-status-query.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 8.7 KiB

BIN
windows/deployment/update/images/update-compliance-wdav-threat-status.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 19 KiB

35
windows/deployment/update/update-compliance-get-started.md
View File

@ -10,7 +10,7 @@ author: greg-lindsay
# Get started with Update Compliance
This topic explains the steps necessary to configure your environment for Windows Analytics: Update Compliance.
This topic explains the steps necessary to configure your environment for Windows Analytics: Update Compliance.
Steps are provided in sections that follow the recommended setup process:
1. Ensure that [prerequisites](#update-compliance-prerequisites) are met.
@ -19,22 +19,25 @@ Steps are provided in sections that follow the recommended setup process:
## Update Compliance Prerequisites
Update Compliance has the following requirements:
1. Update Compliance is currently only compatible with Windows 10 devices. The solution is intended to be used with desktop devices (Windows 10 workstations and laptops).
2. The solution requires that Windows 10 telemetry is enabled on all devices that are intended to be displayed in the solution. These devices must have at least the [basic level of telemetry](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization#basic-level) enabled. To learn more about Windows telemetry, see [Configure Windows telemetry in your organization](/windows/configuration/configure-windows-telemetry-in-your-organization).
Update Compliance has the following requirements:
1. Update Compliance is currently only compatible with Windows 10 devices. The solution is intended to be used with desktop devices (Windows 10 workstations and laptops).
2. The solution requires that Windows 10 telemetry is enabled on all devices that are intended to be displayed in the solution. These devices must have at least the [basic level of telemetry](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization#basic-level) enabled. To learn more about Windows telemetry, see [Configure Windows telemetry in your organization](/windows/configuration/configure-windows-telemetry-in-your-organization).
3. The telemetry of your organizations Windows devices must be successfully transmitted to Microsoft. Microsoft has specified [endpoints for different aspects of telemetry](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization#endpoints), which must be whitelisted by your organization so the data can be transmitted. The following table is taken from the article on telemetry endpoints and summarizes the use of each endpoint:
<TABLE BORDER=1>
<TR><TD BGCOLOR="#cceeff">Service<TD BGCOLOR="#cceeff">Endpoint
<TR><TD>Connected User Experience and Telemetry component<TD>v10.vortex-win.data.microsoft.com
<BR>settings-win.data.microsoft.com
<TR><TD>Windows Error Reporting <TD>watson.telemetry.microsoft.com
<TR><TD>Online Crash Analysis <TD>oca.telemetry.microsoft.com
</TABLE>
<TABLE BORDER=1>
<TR><TD BGCOLOR="#cceeff">Service<TD BGCOLOR="#cceeff">Endpoint
<TR><TD>Connected User Experience and Telemetry component<TD>v10.vortex-win.data.microsoft.com
<BR>settings-win.data.microsoft.com
<TR><TD>Windows Error Reporting <TD>watson.telemetry.microsoft.com
<TR><TD>Online Crash Analysis <TD>oca.telemetry.microsoft.com
</TABLE>
4. To use Windows Defender Antivirus Assessment, devices must be protected by Windows Defender AV (and not a 3rd party AV program), and must have enabled [cloud-delivered protection](/windows/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus). See the [Windows Defender Antivirus in Windows 10](/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) content library for more information on enabling, configuring, and validating Windows Defender AV.
## Add Update Compliance to Microsoft Operations Management Suite
Update Compliance is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud-based servicing for monitoring and automating your on-premises and cloud environments. For more information about OMS, see [Operations Management Suite overview](https://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/).
Update Compliance is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud-based servicing for monitoring and automating your on-premises and cloud environments. For more information about OMS, see [Operations Management Suite overview](https://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/).
If you are already using OMS, youll find Update Compliance in the Solutions Gallery. Select the **Update Compliance** tile in the gallery and then click **Add** on the solution's details page. Update Compliance is now visible in your workspace.
@ -52,7 +55,7 @@ If you are not yet using OMS, use the following steps to subscribe to OMS Update
<A HREF="images/uc-03.png"><img src="images/uc-03a.png"></A>
<TABLE>
3. Create a new OMS workspace.
3. Create a new OMS workspace.
<P><TABLE BORDER=1><TR><TD>
<A HREF="images/uc-04.png"><img src="images/uc-04a.png"></A>
@ -76,7 +79,7 @@ If you are not yet using OMS, use the following steps to subscribe to OMS Update
<A HREF="images/uc-07.png"><img src="images/uc-07a.png"></A>
<TABLE>
7. Select the **Update Compliance** tile in the gallery and then select **Add** on the solutions details page. You might need to scroll to find **Update Compliance**. The solution is now visible on your workspace.
7. Select the **Update Compliance** tile in the gallery and then select **Add** on the solutions details page. You might need to scroll to find **Update Compliance**. The solution is now visible on your workspace.
<P><TABLE BORDER=1><TR><TD>
<A HREF="images/uc-08.png"><img src="images/uc-08a.png"></A>
@ -100,7 +103,7 @@ After you are subscribed to OMS Update Compliance and your devices have a Commer
## Deploy your Commercial ID to your Windows 10 devices
In order for your devices to show up in Windows Analytics: Update Compliance, they must be configured with your organizations Commercial ID. This is so that Microsoft knows that a given device is a member of your organization and to feed that devices data back to you. There are two primary methods for widespread deployment of your Commercial ID: Group Policy and Mobile Device Management (MDM).
In order for your devices to show up in Windows Analytics: Update Compliance, they must be configured with your organizations Commercial ID. This is so that Microsoft knows that a given device is a member of your organization and to feed that devices data back to you. There are two primary methods for widespread deployment of your Commercial ID: Group Policy and Mobile Device Management (MDM).
- Using Group Policy<BR><BR>
Deploying your Commercial ID using Group Policy can be accomplished by configuring domain Group Policy Objects with the Group Policy Management Editor, or by configuring local Group Policy using the Local Group Policy Editor.
@ -114,4 +117,4 @@ In order for your devices to show up in Windows Analytics: Update Compliance, th
## Related topics
[Use Update Compliance to monitor Windows Updates](update-compliance-using.md)
[Use Update Compliance to monitor Windows Updates](update-compliance-using.md)

131
windows/deployment/update/update-compliance-using.md
View File

@ -31,7 +31,8 @@ Update Compliance has the following primary blades:
3. [Latest and Previous Security Update Status](#latest-and-previous-security-update-status)
4. [Overall Feature Update Status](#overall-feature-update-status)
5. [CB, CBB, LTSB Deployment Status](#cb-cbb-ltsb-deployment-status)
6. [List of Queries](#list-of-queries)
6. [Windows Defender Antivirus Assessment](#wdav-assessment)
7. [List of Queries](#list-of-queries)
## OS Update Overview
@ -41,6 +42,7 @@ The first blade of OMS Update Compliance is the General **OS Update Overview** b
![OS Update Overview](images/uc-11.png)
This blade is divided into three sections:
- Device Summary:
- Needs Attention Summary
@ -139,6 +141,133 @@ The Overall Feature Update Status blade focuses around whether or not your devic
Devices are evaluated by OS Version (e.g., 1607) and the count of how many are Current, Not Current, and have Update Failures is displayed. Clicking on any of these counts will allow you to view all those devices, as well as select the **Update Deployment Status** perspective, described below.
<a id="wdav-assessment"></a>
## Windows Defender Antivirus Assessment
You'll notice some new tiles in the Overview blade which provide a summary of Windows Defender AV-related issues, highlighted in the following screenshot.
![verview blade showing a summary of key Windows Defender Antivirus issues](images/update-compliance-wdav-overview.png)
The **AV Signature** chart shows the number of devices that either have up-to-date [protection updates (also known as signatures or definitions)](/windows/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus), while the **Windows Defender AV Status** tile indicates the percentage of all assessed devices that are not updated and do not have real-time protection enabled. The Windows Defender Antivirus Assessment section provides more information that lets you investigate potential issues.
If you're using [Windows Defender Antivirus in Windows 10](/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) to protect devices in your organization and have enabled [cloud-delivered protection](/windows/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus), you can use this section to review the overall status of key protection features, including the number of devices that have [always-on real-time protection](/windows/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus) and up-to-date definitions.
There are two blades in the Windows Defender AV Assessment section:
- Protection status
- Threats status
![Windows Defender Antivirus Assessment blade in Update Compliance](images/update-compliance-wdav-assessment.png)
The **Protection Status** blade shows three key measurements:
1. How many devices have old or current signatures (also known as protection updates or definitions)
2. How many devices have the core Windows Defender AV always-on scanning feature enabled, called real-time protection
![Windows Defender Antivirus protection status in Update Compliance](images/update-compliance-wdav-prot-status.png)
See the [Manage Windows Defender AV updates and apply baselines](/windows/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus) topic for an overview on how updates work, and further information on applying updates.
The **Threats Status** blade shows the following measurements:
1. How many devices that have threats that have been remediated (removed or quarantined on the device)
2. How many devices that have threats where remediation was not successful (this may indicate a manual reboot or clean is required)
![Windows Defender Antivirus threat status in Update Compliance](images/update-compliance-wdav-threat-status.png)
Devices can be in multiple states at once, as one device may have multiple threats, some of which may or may not be remediated.
> [!IMPORTANT]
> The data reported in Update Compliance can be delayed by up to 24 hours.
See the [Customize, initiate, and review the results of Windows Defender AV scans and remediation](/windows/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus) topic for more information on how to perform scans and other manual remediation tasks.
As with other blades in Update Compliance, clicking on a specific measurement or item will open the associated query that you can use to investigate individual devices and issues, as described below.
### Investigate individual devices and threats
Click on any of the status measurements to be taken to a pre-built log query that shows the impacted devices for that status.
![Sample Windows Defender AV query in Update Compliance](images/update-compliance-wdav-status-log.png)
You can also find a pre-built query on the main Update Compliance screen, under the **Queries** blade, that lists devices that have not been assessed for Windows Defender AV.
![Overview blade showing a summary of key Windows Defender Antivirus issues](images/update-compliance-wdav-query-not-assessed.png)
You can further filter queries by clicking any of the measurement labels for each incident, changing the values in the query filter pane, and then clicking **Apply**.
![Click the Apply button on the left pane](images/update-compliance-wdav-status-filter-apply.png)
Click **+Add** at the bottom of the filter pane to open a list of filters you can apply.
![Click Add to add more filters](images/update-compliance-wdav-status-add-filter.png)
You can also click the **. . .** button next to each label to instantly filter by that label or value.
![Click the elipsis icon to instantly filter by the selected label](images/update-compliance-wdav-status-filter.png)
You can create your own queries by using a query string in the following format:
```
Type:<Group type> <Label>="<Value>"
```
You can use the following `<Group type>` options to scope your query:
- `Type:WDAVStatus` to query information related to signature and real-time protection status
- `Type:WDAVThreat` to query information about threat remediation and specific threats
The `<Label>`, and `<Value>` fields are listed in the following table. All labels and values are case sensitive and must be entered as written below (including spaces).
For queries that use `Type:WDAVStatus`, you can use the following labels and values.
Label | Value
---|---
`Computer`|\<computer name>
`ComputerID`|\<computer ID>
`OSName`|\<Operating system name>
`UpdateStatus`|`Not assessed` <br />`Signature up-to-date` <br />`Signature out-of-date`
`DetailedStatus`|`Unknown` <br />`Non-Microsoft AV` <br />`No AV` <br />`AV expired` <br />`Disabled by GP` <br />`Disabled by LP` <br />`Recently disappeared`
`ProtectionState`|`Real-time protection is off `<br />`Real-time protection is on`
`MoreInformation`| \<free text string>
`LastScan`| \<date and time of the last scan>
For queries that use `Type:WDAVThreat`, you can use the following labels and values.
Label | Value
---|---
`Computer`|\<computer name>
`ComputerID`|\<computer ID>
`ThreatName`|\<detected threat name>
`ThreatStatus`|`Remediation failed`<br/>`Remediated`
`ThreatAction`|`Remediation pending reboot`
`ThreatError`|`Disk full`<br/>`Network issue`<br/>`Operation aborted`
`MoreInformation`|\<free text string>
`LastScan`|\<date and time of the last scan>
You can add multiple label-value pairs in the same query to refine and filter the results.
![Add multiple value and name pairs in your query, separated by spaces](images/update-compliance-wdav-status-query.png)
## CB, CBB, LTSB Deployment Status

12
windows/deployment/upgrade/upgrade-readiness-additional-insights.md
View File

@ -16,17 +16,19 @@ This topic provides information on additional features that are available in Upg
The site discovery feature in Upgrade Readiness provides an inventory of web sites that are accessed by client computers using Internet Explorer on Windows 8.1 and Windows 7. Site discovery does not include sites that are accessed using other Web browsers, such as Microsoft Edge. Site inventory information is provided as optional data related to upgrading to Windows 10 and Internet Explorer 11, and is meant to help prioritize compatibility testing for web applications. You can make more informed decisions about testing based on usage data.
> Note: Site discovery data is disabled by default; you can find documentation on what is collected in the [Windows 7, Windows 8, and Windows 8.1 appraiser telemetry events and fields](https://go.microsoft.com/fwlink/?LinkID=822965). After you turn on this feature, data is collected on all sites visited by Internet Explorer, except during InPrivate sessions. In addition, the data collection process is silent, without notification to the employee. You are responsible for ensuring that your use of this feature complies with all applicable local laws and regulatory requirements, including any requirements to provide notice to employees.
> [!NOTE]
> Site discovery data is disabled by default; you can find documentation on what is collected in the [Windows 7, Windows 8, and Windows 8.1 appraiser telemetry events and fields](https://go.microsoft.com/fwlink/?LinkID=822965). After you turn on this feature, data is collected on all sites visited by Internet Explorer, except during InPrivate sessions. In addition, the data collection process is silent, without notification to the employee. You are responsible for ensuring that your use of this feature complies with all applicable local laws and regulatory requirements, including any requirements to provide notice to employees.
### Install prerequisite security update for Internet Explorer
Ensure the following prerequisites are met before using site discovery:
1. Install the latest [Windows Monthly Rollup](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=security%20monthly%20quality%20rollup). This functionality has been included in Internet Explorer 11 starting with the July 2016 Cumulative Update.
2. Install the update for customer experience and diagnostic telemetery ([KB3080149](https://support.microsoft.com/kb/3080149)).
3. Enable Internet Explorer data collection, which is disabled by default. The best way to enable it is to modify the [Upgrade Readiness deployment script](upgrade-readiness-deployment-script.md) to allow Internet Explorer data collection before you run it.
1. Install the prerequisite KBs to add Site Discovery support and the latest fixes from the [Microsoft Update Catalog](http://www.catalog.update.microsoft.com/home.aspx). Install the following:
- For Windows 7 and Windows 8.1 - March, 2017 (or later) Security Monthly Rollup
- For Windows 10 - Cumulative Update for Windows 10 Version 1607 (KB4015217) (or later)
2. Enable Internet Explorer data collection, which is disabled by default. The best way to enable it is to modify the [Upgrade Readiness deployment script](upgrade-readiness-deployment-script.md) to allow Internet Explorer data collection before you run it. In addition, to enable Site Discovery on Windows 10 set **Enhanced Telemetry Level** for the Feedback and Diagnostics setting (Privacy > Feedback & Diagnostics settings), and enable **Page Prediction within Internet Explorer 11**.
If necessary, you can also enable it by creating the following registry entry.
If necessary, you can also enable data collection by creating the following registry entry.
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection

2
windows/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md
View File

@ -84,6 +84,6 @@ Topic | Description
---|---
[Deploy and enable Windows Defender Antivirus protection](deploy-windows-defender-antivirus.md) | While the client is installed as a core part of Windows 10, and traditional deployment does not apply, you will still need to enable the client on your endpoints with System Center Configuration Manager, Microsoft Intune, or Group Policy Objects.
[Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md) | There are two parts to updating Windows Defender Antivirus: updating the client on endpoints (product updates), and updating definitions (protection updates). You can update definitions in a number of ways, using System Center Configuration Manager, Group Policy, PowerShell, and WMI.
[Monitor and report on Windows Defender Antivirus protection](report-monitor-windows-defender-antivirus.md) | You can use System Center Configuration Manager, a third-party SIEM product (by consuming Windows event logs), or Microsoft Intune to monitor protection status and create reports about endpoint protection
[Monitor and report on Windows Defender Antivirus protection](report-monitor-windows-defender-antivirus.md) | You can use System Center Configuration Manager, the Update Compliance add-in for Microsoft Operations Management Suite, a third-party SIEM product (by consuming Windows event logs), or Microsoft Intune to monitor protection status and create reports about endpoint protection

2
windows/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md
View File

@ -33,7 +33,7 @@ You can also apply [Windows security baselines](https://technet.microsoft.com/en
Windows Defender AV uses both [cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) (also called the Microsoft Advanced Protection Service or MAPS) and periodically downloaded protection updates to provide protection. These protection updates are also known as "definitions" or "signature updates".
The cloud-delivered protection is “always-on” and requires an active connection to the Internet to function, while the protection updates generally occur once a day (although this can be configured). See the [Utilize Microsoft cloud-provided protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) topic for more details about enabling and configuring cloud-provided protection.
The cloud-delivered protection is always on and requires an active connection to the Internet to function, while the protection updates generally occur once a day (although this can be configured). See the [Utilize Microsoft cloud-provided protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) topic for more details about enabling and configuring cloud-provided protection.
## Product updates

3
windows/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md
View File

@ -28,6 +28,9 @@ There are a number of ways you can review protection status and alerts, dependin
You can use System Center Configuration Manager to [monitor Windows Defender AV protection](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/monitor-endpoint-protection) or [create email alerts](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-configure-alerts), or you can also monitor protection using the [Microsoft Intune console](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#monitor-endpoint-protection).
Microsoft Operations Management Suite has an [Update Compliance add-in](/windows/deployment/update/update-compliance-get-started) that reports on key Windows Defender AV issues, including protection updates and real-time protection settings.
If you have a third-party security information and event management (SIEM) tool, you can also consume [Windows Defender client events](https://msdn.microsoft.com/en-us/library/windows/desktop/aa964766(v=vs.85).aspx).
Windows events comprise several security event sources, including Security Account Manager (SAM) events ([enhanced for Windows 10](https://technet.microsoft.com/library/mt431757.aspx), also see the [Security audting](/windows/device-security/auditing/security-auditing-overview) topic) and [Windows Defender events](troubleshoot-windows-defender-antivirus.md).

4
windows/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md
View File

@ -24,14 +24,14 @@ localizationpriority: high
<span id="sccm1606"/>
## Configure endpoints using System Center Configuration Manager (current branch) version 1606
System Center Configuration Manager (current branch) version 1606, has UI integrated support for configuring and managing Windows Defender ATP on endpoints. For more information, see [Support for Windows Defender Advanced Threat Protection service](https://go.microsoft.com/fwlink/p/?linkid=823682).
System Center Configuration Manager (SCCM) (current branch) version 1606, has UI integrated support for configuring and managing Windows Defender ATP on endpoints. For more information, see [Support for Windows Defender Advanced Threat Protection service](https://go.microsoft.com/fwlink/p/?linkid=823682).
>[!NOTE]
> If youre using SCCM client version 1606 with server version 1610 or above, you must upgrade the client version to match the server version.
<span id="sccm1602"/>
## Configure endpoints using System Center Configuration Manager earlier versions
You can use System Center Configuration Managers existing functionality to create a policy to configure your endpoints. This is supported in the following System Center Configuration Manager versions:
You can use existing System Center Configuration Manager functionality to create a policy to configure your endpoints. This is supported in the following System Center Configuration Manager versions:
- System Center 2012 Configuration Manager
- System Center 2012 R2 Configuration Manager

BIN
windows/threat-protection/windows-defender-atp/images/atp-actor-alert.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 435 KiB

After

Width:  |  Height:  |  Size: 432 KiB

BIN
windows/threat-protection/windows-defender-atp/images/atp-alert-details.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 101 KiB

After

Width:  |  Height:  |  Size: 120 KiB

BIN
windows/threat-protection/windows-defender-atp/images/atp-alert-mgt-pane.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 40 KiB

After

Width:  |  Height:  |  Size: 58 KiB

BIN
windows/threat-protection/windows-defender-atp/images/atp-alert-process-tree.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 92 KiB

After

Width:  |  Height:  |  Size: 66 KiB

BIN
windows/threat-protection/windows-defender-atp/images/atp-alert-timeline.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 187 KiB

After

Width:  |  Height:  |  Size: 79 KiB

BIN
windows/threat-protection/windows-defender-atp/images/atp-alerts-related-to-machine.PNG Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 133 KiB

BIN
windows/threat-protection/windows-defender-atp/images/atp-detailed-actor.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 600 KiB

After

Width:  |  Height:  |  Size: 599 KiB

BIN
windows/threat-protection/windows-defender-atp/images/atp-incident-graph.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 132 KiB

After

Width:  |  Height:  |  Size: 26 KiB

BIN
windows/threat-protection/windows-defender-atp/images/atp-machine-details-view.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 212 KiB

After

Width:  |  Height:  |  Size: 572 KiB

BIN
windows/threat-protection/windows-defender-atp/images/atp-machine-timeline-details-panel.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 114 KiB

After

Width:  |  Height:  |  Size: 180 KiB

BIN
windows/threat-protection/windows-defender-atp/images/atp-machine-timeline-export.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 66 KiB

After

Width:  |  Height:  |  Size: 79 KiB

BIN
windows/threat-protection/windows-defender-atp/images/atp-machines-timeline.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 51 KiB

After

Width:  |  Height:  |  Size: 48 KiB

BIN
windows/threat-protection/windows-defender-atp/images/atp-user-details-pane.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 205 KiB

After

Width:  |  Height:  |  Size: 143 KiB