deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-18 00:07:23 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merged PR 9146: merging master

Browse Source
This commit is contained in:
Justin Hall 2018-06-18 19:14:56 +00:00
commit 9da138680b
63 changed files with 1889 additions and 1087 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
browsers/edge/emie-to-improve-compatibility.md
View File

@ -43,14 +43,14 @@ Microsoft Edge doesn't support ActiveX controls, Browser Helper Objects, VBScrip
### Set up Microsoft Edge to use the Enterprise Mode site list
You must turn on the **Use Enterprise Mode Site List** Group Policy setting before Microsoft Edge can use the Enterprise Mode site list. This Group Policy applies to both Microsoft Edge and IE11, letting Microsoft Edge switch to IE11 as needed, based on the Enterprise Mode site list. For more info about IE11 and Enterprise Mode, see [Enterprise Mode for Internet Explorer 11 (IE11)](https://go.microsoft.com/fwlink/p/?linkid=618377).
You must turn on the **Configure the Enterprise Mode Site List** Group Policy setting before Microsoft Edge can use the Enterprise Mode site list. This Group Policy applies to both Microsoft Edge and IE11, letting Microsoft Edge switch to IE11 as needed, based on the Enterprise Mode site list. For more info about IE11 and Enterprise Mode, see [Enterprise Mode for Internet Explorer 11 (IE11)](https://go.microsoft.com/fwlink/p/?linkid=618377).
> **Note**<br>
> If theres an .xml file in the cache container, IE waits 65 seconds and then checks the local cache for a newer version of the file from the server, based on standard caching rules. If the server file has a different version number than the version in the cache container, the server file is used and stored in the cache container.<p>If youre already using a site list, enterprise mode continues to work during the 65 second wait; it just uses your existing site list instead of your new one.
**To turn on Enterprise Mode using Group Policy**
1. Open your Group Policy editor and go to the **Administrative Templates\\Windows Components\\Microsoft Edge\\Allows you to configure the Enterprise Mode Site list** setting.<p>Turning this setting on also requires you to create and store a site list.<p>![Local Group Policy Editor for using a site list](images/edge-emie-grouppolicysitelist.png)
1. Open your Group Policy editor and go to the **Administrative Templates\\Windows Components\\Microsoft Edge\\Configure the Enterprise Mode Site List** policy.<p>Turning this setting on also requires you to create and store a site list.<p>![Local Group Policy Editor for using a site list](images/edge-emie-grouppolicysitelist.png)
2. Click **Enabled**, and then in the **Options** area, type the location to your site list.

2
browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md
View File

@ -17,7 +17,7 @@ You can use the Group Policy setting, **Set a default associations configuration
**To set the default browser as Internet Explorer 11**
1. Open your Group Policy editor and go to the **Administrative Templates\\Windows Components\\File Explorer\\Set a default associations configuration file** setting.<p>
1. Open your Group Policy editor and go to the **Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\File Explorer\\Set a default associations configuration file** setting.<p>
Turning this setting on also requires you to create and store a default associations configuration file, locally or on a network share. For more information about creating this file, see [Export or Import Default Application Associations]( https://go.microsoft.com/fwlink/p/?LinkId=618268).
![set default associations group policy setting](images/setdefaultbrowsergp.png)

8
devices/hololens/hololens-kiosk.md
View File

@ -42,7 +42,8 @@ If you use [MDM, Microsoft Intune](#intune-kiosk), or a [provisioning package](#
>[!NOTE]
>Because a single-app kiosk launches the kiosk app when a user signs in, there is no Start screen displayed.
### Start layout file for Intune
<span id="start-layout-file-for-intune" />
### Start layout file for MDM (Intune and others)
Save the following sample as an XML file. You will select this file when you configure the kiosk in Microsoft Intune (or in another MDM service that provides a kiosk profile).
@ -92,7 +93,7 @@ You will [create an XML file](#ppkg-kiosk) to define the kiosk configuration to
<span id="intune-kiosk"/>
## Set up kiosk mode using Microsoft Intune or MDM (Windows 10, version 1803)
For HoloLens devices that are managed by Microsoft Intune, you [create a device restriction profile](https://docs.microsoft.com/intune/device-profile-create) and configure the [Kiosk (Preview) settings](https://docs.microsoft.com/intune/device-restrictions-windows-holographic#kiosk-preview).
For HoloLens devices that are managed by Microsoft Intune, you [create a device profile](https://docs.microsoft.com/intune/device-profile-create) and configure the [Kiosk settings](https://docs.microsoft.com/intune/kiosk-settings).
For other MDM services, check your provider's documentation for instructions. If you need to use a custom setting and full XML configuration to set up a kiosk in your MDM service, [create an XML file that defines the kiosk configuration](#create-xml-file), and make sure to include the [Start layout](#start-layout-for-a-provisioning-package) in the XML file.
@ -212,8 +213,7 @@ Use the following snippet in your kiosk configuration XML to enable the **Guest*
## More information
Watch how to configure a kiosk in Microsoft Intune.
>[!VIDEO https://www.microsoft.com/videoplayer/embed/ce9992ab-9fea-465d-b773-ee960b990c4a?autoplay=false]
Watch how to configure a kiosk in a provisioning package.
>[!VIDEO https://www.microsoft.com/videoplayer/embed/fa125d0f-77e4-4f64-b03e-d634a4926884?autoplay=false]

2
devices/hololens/hololens-microsoft-layout-app.md
View File

@ -25,7 +25,7 @@ Microsoft Layout works with a HoloLens, or with a Windows Mixed Reality headset
| OS requirements | Details |
|:----------------------------------|:-----------------------------------------------------------|
| Build 10.0.17134.77 or above | See [Manage updates to HoloLens](hololens-updates.md) for instructions on upgrading to this build. |
| Build 10.0.17134.77 or above | See [Update HoloLens](https://support.microsoft.com/help/12643/hololens-update-hololens) for instructions on upgrading to this build. |
#### Windows Mixed Reality headset requirements

2
devices/hololens/hololens-provisioning.md
View File

@ -22,7 +22,7 @@ Some of the HoloLens configurations that you can apply in a provisioning package
- Set up a Wi-Fi connection
- Apply certificates to the device
To create provisioning packages, you must install Windows Configuration Designer [from Microsoft Store]((https://www.microsoft.com/store/apps/9nblggh4tx22)) or [from the Windows Assessment and Deployment Kit (ADK) for Windows 10](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). If you install Windows Configurations Designer from the Windows ADK, select **Configuration Designer** from the **Select the features you want to install** dialog box.
To create provisioning packages, you must install Windows Configuration Designer [from Microsoft Store](https://www.microsoft.com/store/apps/9nblggh4tx22) or [from the Windows Assessment and Deployment Kit (ADK) for Windows 10](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). If you install Windows Configurations Designer from the Windows ADK, select **Configuration Designer** from the **Select the features you want to install** dialog box.

1
devices/hololens/hololens-setup.md
View File

@ -19,7 +19,6 @@ Before you get started setting up your HoloLens, make sure you have a Wi-Fi netw
The first time you use your HoloLens, you'll be guided through connecting to a Wi-Fi network. You need to connect HoloLens to a Wi-Fi network with Internet connectivity so that the user account can be authenticated.
- It can be an open Wi-Fi or password-protected Wi-Fi network.
- The Wi-Fi network cannot require you to navigate to a webpage to connect.
- The Wi-Fi network cannot require certificates to connect.
- The Wi-Fi network does not need to provide access to enterprise resources or intranet sites.

2
devices/hololens/hololens-updates.md
View File

@ -12,7 +12,7 @@ ms.date: 04/30/2018
# Manage updates to HoloLens
>**Looking for how to get the latest update? See [Update HoloLens](https://support.microsoft.com/help/12643/hololens-update-hololens).**
Windows 10, version 1803, is the first feature update to Windows Holographic for Business since its release in Windows 10, version 1607. As with desktop devices, administrators can manage updates to the HoloLens operating system using [Windows Update for Business](https://docs.microsoft.com/windows/deployment/update/waas-manage-updates-wufb).

2
devices/surface-hub/manage-windows-updates-for-surface-hub.md
View File

@ -44,7 +44,7 @@ Microsoft publishes two types of Surface Hub releases broadly on an ongoing basi
In order to improve release quality and simplify deployments, all new releases that Microsoft publishes for Windows 10, including Surface Hub, will be cumulative. This means new feature updates and quality updates will contain the payloads of all previous releases (in an optimized form to reduce storage and networking requirements), and installing the release on a device will bring it completely up to date. Also, unlike earlier versions of Windows, you cannot install a subset of the contents of a Windows 10 quality update. For example, if a quality update contains fixes for three security vulnerabilities and one reliability issue, deploying the update will result in the installation of all four fixes.
The Surface Hub operating system receives updates on the [Semi-Annual Channel](https://docs.microsoft.com/windows/deployment/update/waas-overview#naming-changes). Like other editions of Windows 10, the servicing lifetime ois finite. You must install new feature updates on machines running these branches in order to continue receiving quality updates.
The Surface Hub operating system receives updates on the [Semi-Annual Channel](https://docs.microsoft.com/windows/deployment/update/waas-overview#naming-changes). Like other editions of Windows 10, the servicing lifetime is finite. You must install new feature updates on machines running these branches in order to continue receiving quality updates.
For more information on Windows as a Service, see [Overview of Windows as a service](https://technet.microsoft.com/itpro/windows/manage/waas-overview).

2
devices/surface-hub/surface-hub-downloads.md
View File

@ -18,7 +18,7 @@ This topic provides links to useful Surface Hub documents, such as product datas
| --- | --- |
| [Surface Hub Site Readiness Guide (PDF)](http://download.microsoft.com/download/3/8/8/3883E991-DFDB-4E70-8D28-20B26045FC5B/Surface-Hub-Site-Readiness-Guide_EN.pdf) | Make sure your site is ready for Surface Hub, including structural and power requirements, and get technical specs for Surface Hub. [Watch the video (opens in a pop-up media player)](http://compass.xbox.com/assets/27/aa/27aa7dd7-7cb7-40ea-9bd6-c7de0795f68c.mov?n=04.07.16_installation_video_01_site_readiness.mov) |
| [Surface Hub Setup Guide (English, French, Spanish) (PDF)](http://download.microsoft.com/download/0/1/6/016363A4-8602-4F01-8281-9BE5C814DC78/Setup-Guide_EN-FR-SP.pdf) | Get a quick overview of how to set up the environment for your new Surface Hub. |
| [Surface Hub Quick Reference Guide (PDF)](http://download.microsoft.com/download/9/E/E/9EE660F8-3FC6-4909-969E-89EA648F06DB/Surface Hub Quick Reference Guide_en-us.pdf) | Use this quick reference guide to get information about key features and functions of the Surface Hub. |
| [Surface Hub Quick Reference Guide (PDF)](http://download.microsoft.com/download/9/E/E/9EE660F8-3FC6-4909-969E-89EA648F06DB/Surface%20Hub%20Quick%20Reference%20Guide_en-us.pdf) | Use this quick reference guide to get information about key features and functions of the Surface Hub. |
| [Surface Hub User Guide (PDF)](http://download.microsoft.com/download/3/6/B/36B6331E-0C63-4E71-A05D-EE88D05081F8/surface-hub-user-guide-en-us.pdf) | Learn how to use Surface Hub in scheduled or ad-hoc meetings. Invite remote participants, use the built-in tools, save data from your meeting, and more. |
| [Surface Hub Replacement PC Drivers](https://www.microsoft.com/download/details.aspx?id=52210) | The Surface Hub Replacement PC driver set is available for those customers who have chosen to disable the Surface Hubs internal PC and use an external computer with their 84” or 55” Surface Hub. This download is meant to be used with the Surface Hub Admin Guide , which contains further details on configuring a Surface Hub Replacement PC. |
| [Surface Hub SSD Replacement Guide (PDF)](http://download.microsoft.com/download/1/F/2/1F202254-7156-459F-ABD2-39CF903A25DE/surface-hub-ssd-replacement-guide_en-us.pdf) | Learn how to replace the solid state drive (SSD) for the 55- and 84-inch Surface Hub. |

93
education/get-started/inclusive-classroom-it-admin.md
View File

@ -1,7 +1,7 @@
---
title: Inclusive Classroom IT Admin Guide
description: Learning which Inclusive Classroom features are available in which apps and in which versions of Microsoft Office.
keywords: Test
keywords: Inclusive Classroom, Admin, Administrator, Microsoft Intune, Intune, Ease of Access, Office 365, account
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
@ -11,43 +11,72 @@ ms.pagetype: edu
ROBOTS: noindex,nofollow
author: alhughes
ms.author: alhughes
ms.date: 03/18/2018
ms.date: 06/12/2018
---
|Reading features|Available in which apps|Office 2016 MSI|Office 2019| Office 365 ProPlus Monthly (C2R) | Office 365 ProPlus Semi Annual (C2R) | Office 365 ProPlus Annual (C2R) | Office 365 Web | Office Mac | Office iPad |
|---|---|---|---|---|---|---|---|---|---|
| Read aloud with simultaneous highlighting | <ul><li>OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac</li><li>Word 2016, Word Online, Word Mac, Word for iOS</li><li>Outlook 2016, Outlook Web Access</li><li>Office Lens on iOS</li></ul> | | <p style="text-align: center;">X</p> | <p style="text-align: center;">X</p> | <p style="text-align: center;">X</p> | | <p style="text-align: center;">X</p> | | |
| Adjustable text spacing and font size | <ul><li>OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac</li><li>Word 2016, Word Online, Word Mac, Word for iPad</li><li>Outlook Web Access</li><li>Office Lens on iOS</li></ul> | | <p style="text-align: center;">X</p> |<p style="text-align: center;">X</p> | <p style="text-align: center;">X</p> | | <p style="text-align: center;">X</p> | | |
| Syllabification | <ul><li>OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac</li><li>Word Online</li><li>Outlook Web Access</li></ul> | | <p style="text-align: center;">X</p> | <p style="text-align: center;">X</p> | <p style="text-align: center;">X</p> | | <p style="text-align: center;">X</p> | | |
| Parts of speech identification | <ul><li>OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac</li><li>Word 2016, Word Online, Word Mac, Word for iOS</li><li>Outlook 2016, Outlook Web Access</li><li>Office Lens on iOS</li></ul> | | <p style="text-align: center;">X</p> | | | | <p style="text-align: center;">X</p> | | <p style="text-align: center;">X</p> |
| Line focus mode | <ul><li>OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac</li><li>Word 2016, Word Online, Word Mac, Word for iOS</li><li>Outlook 2016, Outlook Web Access</li><li>Office Lens on iOS</li></ul> | | | | | | <p style="text-align: center;">X</p> | | |
| Picture Dictionary | <ul><li>OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac</li><li>Word 2016, Word Online, Word Mac, Word for iOS</li><li>Outlook 2016, Outlook Web Access</li><li>Office Lens on iOS</li></ul> | | | | | | <p style="text-align: center;">X</p> | | <p style="text-align: center;">X</p> |
# Inclusive Classroom IT Admin Guide
The following guide will show you what Inclusive Classroom features are available in which apps and which versions of Microsoft Office.
You will also learn how to deploy apps using Microsoft Intune, turn on or off Ease of access settings for users, and change how you pay for your Office 365 subscription.
1. [Inclusive Classroom features](#features)
2. [Deploying apps with Microsoft Intune](#intune)
3. [How to show/hide the Ease of Accesss settings for text in Windows 10](#ease)
4. [How to change your Office 365 account from monthly, semi-annual, or yearly](#account)
## <a name="features"></a>Inclusive Classroom features
|Reading features|Available in which apps|Office 2016 MSI|Office 2019| Office 365 ProPlus Monthly (C2R) | Office 365 ProPlus Semi Annual (C2R) | Office 365 ProPlus Annual (C2R) |
|---|---|---|---|---|---|---|
| Read aloud with simultaneous highlighting | <ul><li>OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac</li><li>Word 2016, Word Online, Word Mac, Word for iOS</li><li>Outlook 2016, Outlook Web Access</li><li>Office Lens on iOS, Android</li></ul> | | <p style="text-align: center;">X</p> <p style="text-align: center;">(N/A for Word for iOS, Word Online, Outlook Web Access, or Office Lens)</p> | <p style="text-align: center;">X</p> | <p style="text-align: center;">X</p> <p style="text-align: center;">(N/A for Outlook PC)</p> | <p style="text-align: center;">X</p> <p style="text-align: center;">(N/A for any OneNote apps or Outlook PC)</p> |
| Adjustable text spacing and font size | <ul><li>OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac</li><li>Word 2016, Word Online, Word Mac, Word for iPad</li><li>Outlook Web Access</li><li>Office Lens on iOS, Android</li></ul> | | <p style="text-align: center;">X</p> <p style="text-align: center;">(N/A for Word for iOS, Word Online, Outlook Web Access, or Office Lens)</p> |<p style="text-align: center;">X</p> | <p style="text-align: center;">X</p> | <p style="text-align: center;">X</p> <p style="text-align: center;">(N/A for any OneNote apps)</p> |
| Syllabification | <ul><li>OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac</li><li>Word Online</li><li>Outlook Web Access</li></ul> | | <p style="text-align: center;">X</p> <p style="text-align: center;">(N/A for Word for iOS, Word Online, Outlook Web Access)</p> | <p style="text-align: center;">X</p> <p style="text-align: center;">(N/A for Word iOS)</p> | <p style="text-align: center;">X</p> <p style="text-align: center;">(N/A for Word iOS)</p> | <p style="text-align: center;">X</p> <p style="text-align: center;">(N/A for any OneNote apps or Word iOS)</p> |
| Parts of speech identification | <ul><li>OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac</li><li>Word 2016, Word Online, Word Mac, Word for iOS</li><li>Outlook 2016, Outlook Web Access</li><li>Office Lens on iOS, Android</li></ul> | | <p style="text-align: center;">X</p> <p style="text-align: center;">(N/A for Word Online, Outlook Web Access)</p> | <p style="text-align: center;">X</p> <p style="text-align: center;">(N/A for any OneNote apps)</p> | <p style="text-align: center;">X</p> <p style="text-align: center;">(N/A for any OneNote apps)</p> | <p style="text-align: center;">X</p> <p style="text-align: center;">(N/A for any OneNote apps)</p> |
| Line focus mode | <ul><li>Word 2016, Word Online, Word Mac, Word for iOS</li><li>Outlook 2016, Outlook Web Access</li><li>Office Lens on iOS, Android</li></ul> | | <p style="text-align: center;">X</p> <p style="text-align: center;">(N/A for Word Online, Outlook Web Access)</p> | <p style="text-align: center;">X</p> <p style="text-align: center;">(N/A for any OneNote apps)</p> | <p style="text-align: center;">X</p> <p style="text-align: center;">(N/A for any OneNote apps)</p> | <p style="text-align: center;">X</p> <p style="text-align: center;">(N/A for any OneNote apps)</p> |
| Picture Dictionary | <ul><li>Word 2016, Word Online, Word Mac, Word for iOS</li><li>Outlook 2016, Outlook Web Access</li><li>Office Lens on iOS, Android</li></ul> | | <p style="text-align: center;">X</p> <p style="text-align: center;">(N/A for Word Online, Outlook Web Access)</p> | <p style="text-align: center;">X</p> <p style="text-align: center;">(N/A for any OneNote apps)</p> | <p style="text-align: center;">X</p> <p style="text-align: center;">(N/A for any OneNote apps)</p> | <p style="text-align: center;">X</p> <p style="text-align: center;">(N/A for any OneNote apps)</p> |
</br>
| Writing and proofing features | Available in which apps|Office 2016 MSI|Office 2019| Office 365 ProPlus Monthly (C2R) | Office 365 ProPlus Semi Annual (C2R) | Office 365 ProPlus Annual (C2R) | Office 365 Web | Office Mac | Office iPad |
|---|---|---|---|---|---|---|---|---|---|
| Dictation | <ul><li>OneNote 2016, OneNote for Windows 10</li><li>Word 2016</li><li>Outlook 2016</li><li>PowerPoint 2016</li></ul> | | <p style="text-align: center;">X</p> | <p style="text-align: center;">X</p> | | | | | |
| Spelling suggestions for phonetic misspellings | <ul><li>Word 2016, Word Online, Word for Mac</li><li>Outlook 2016</li></ul> | | <p style="text-align: center;">X</p> | <p style="text-align: center;">X</p> | <p style="text-align: center;">X</p> | | | | |
| Synonyms alongside spelling suggestions that can be read aloud | <ul><li>Word 2016</li><li>Outlook 2016</li></ul> | | <p style="text-align: center;">X</p> | <p style="text-align: center;">X</p> | <p style="text-align: center;">X</p> | | | | |
| Grammar checks | <ul><li>Word 2016, Word Online, Word for Mac</li><li>Outlook 2016</li></ul> | | <p style="text-align: center;">X</p> | <p style="text-align: center;">X</p> | | | | | |
| Customizable writing critiques | <ul><li>Word 2016, Word for Mac</li><li>Outlook 2016</li></ul> | | <p style="text-align: center;">X</p> | <p style="text-align: center;">X</p> | | | | | |
| Tell me what you want to do | <ul><li>Office 2016</li><li>Office Online</li><li>Office on iOS, Android, Windows 10</li></ul> | | <p style="text-align: center;">X</p> | <p style="text-align: center;">X</p> | <p style="text-align: center;">X</p> | | <p style="text-align: center;">X</p> | | |
| Editor | <ul><li>Word 2016</li></ul> | | <p style="text-align: center;">X</p> | <p style="text-align: center;">X</p> | | | | | |
| Writing and proofing features | Available in which apps|Office 2016 MSI|Office 2019| Office 365 ProPlus Monthly (C2R) | Office 365 ProPlus Semi Annual (C2R) | Office 365 ProPlus Annual (C2R) |
|---|---|---|---|---|---|---|
| Dictation | <ul><li>OneNote 2016, OneNote for Windows 10</li><li>Word 2016</li><li>Outlook 2016</li><li>PowerPoint 2016</li></ul> | | <p style="text-align: center;">X</p> | <p style="text-align: center;">X</p> | | |
| Spelling suggestions for phonetic misspellings | <ul><li>Word 2016, Word Online, Word for Mac</li><li>Outlook 2016</li></ul> | | <p style="text-align: center;">X</p> | <p style="text-align: center;">X</p> | <p style="text-align: center;">X</p> | |
| Synonyms alongside spelling suggestions that can be read aloud | <ul><li>Word 2016</li><li>Outlook 2016</li></ul> | | <p style="text-align: center;">X</p> | <p style="text-align: center;">X</p> | <p style="text-align: center;">X</p> | |
| Grammar checks | <ul><li>Word 2016, Word Online, Word for Mac</li><li>Outlook 2016</li></ul> | | <p style="text-align: center;">X</p> | <p style="text-align: center;">X</p> | | |
| Customizable writing critiques | <ul><li>Word 2016, Word for Mac</li><li>Outlook 2016</li></ul> | | <p style="text-align: center;">X</p> | <p style="text-align: center;">X</p> | | |
| Tell me what you want to do | <ul><li>Office 2016</li><li>Office Online</li><li>Office on iOS, Android, Windows 10</li></ul> | | <p style="text-align: center;">X</p> | <p style="text-align: center;">X</p> | <p style="text-align: center;">X</p> | |
| Editor | <ul><li>Word 2016</li></ul> | | <p style="text-align: center;">X</p> | <p style="text-align: center;">X</p> | | |
</br>
| Creating accessible content features | Available in which apps|Office 2016 MSI|Office 2019| Office 365 ProPlus Monthly (C2R) | Office 365 ProPlus Semi Annual (C2R) | Office 365 ProPlus Annual (C2R) | Office 365 Web | Office Mac | Office iPad |
|---|---|---|---|---|---|---|---|---|---|
| Accessibility Checker | <ul><li>All Office 365 authoring applications on PC, Mac, Web</li></ul> | | | | | | | | |
| Accessible Templates | <ul><li>Word for PCs, Mac</li><li>Excel for PCs, Mac</li><li>PowerPoint for PCs, Mac</li><li>Sway on iOS, Web, Windows 10</li></ul> | | | | | | | | |
| Ability to add alt-text for images | <ul><li>Word for PCs (includes automatic suggestions for image descriptions)</li><li>SharePoint Online (includes automatic suggestions for image descriptions)</li><li>PowerPoint for PCs (includes automatic suggestions for image descriptions)</li><li>OneNote (includes automatic extraction of text in images)</li><li>All Office 365 authoring applications (include ability to add alt-text manually)</li></ul> | | | | | | | | |
| Ability to add captions to videos | <ul><li>PowerPoint for PCs</li><li>Sway on iOS, Web, Windows 10</li></ul> | | | | | | | | |
| Export as tagged PDF | <ul><li>Word for PCs, Mac</li><li>Sway on iOS, Web, Windows 10</li></ul> | | | | | | | | |
| Ability to request accessible content | <ul><li>Outlook Web Access</li></ul> | | | | | | | | |
| Creating accessible content features | Available in which apps|Office 2016 MSI|Office 2019| Office 365 ProPlus Monthly (C2R) | Office 365 ProPlus Semi Annual (C2R) | Office 365 ProPlus Annual (C2R) |
|---|---|---|---|---|---|---|
| Accessibility Checker | <ul><li>All Office 365 authoring applications on PC, Mac, Web</li></ul> | | <p style="text-align: center;">X</p> | | | |
| Accessible Templates | <ul><li>Word for PCs, Mac</li><li>Excel for PCs, Mac</li><li>PowerPoint for PCs, Mac</li><li>Sway on iOS, Web, Windows 10</li></ul> | | <p style="text-align: center;">X</p> | | | |
| Ability to add alt-text for images | <ul><li>Word for PCs (includes automatic suggestions for image descriptions)</li><li>SharePoint Online (includes automatic suggestions for image descriptions)</li><li>PowerPoint for PCs (includes automatic suggestions for image descriptions)</li><li>OneNote (includes automatic extraction of text in images)</li><li>All Office 365 authoring applications (include ability to add alt-text manually)</li></ul> | | <p style="text-align: center;">X</p> | | | |
| Ability to add captions to videos | <ul><li>PowerPoint for PCs</li><li>Sway on iOS, Web, Windows 10</li><li>Microsoft Stream (includes ability to have captions auto-generated for videos in English and Spanish)</li></ul> | | <p style="text-align: center;">X</p> | | | |
| Export as tagged PDF | <ul><li>Word for PCs, Mac</li><li>Sway on iOS, Web, Windows 10</li></ul> | | | | | |
| Ability to request accessible content | <ul><li>Outlook Web Access</li></ul> | | | | | |
</br>
| Communication features | Available in which apps|Office 2016 MSI|Office 2019| Office 365 ProPlus Monthly (C2R) | Office 365 ProPlus Semi Annual (C2R) | Office 365 ProPlus Annual (C2R) |
|---|---|---|---|---|---|---|
| Microsoft Translator | <ul><li>Word 2016</li><li>Excel 2016</li><li>"Translator for Outlook" Add-in</li><li>PowerPoint 2016 (and PowerPoint Garage Add-in)</li></ul> | <p style="text-align: center;">X</p> | <p style="text-align: center;">X</p> | <p style="text-align: center;">X</p> | <p style="text-align: center;">X</p> | <p style="text-align: center;">X</p> |
</br>
| Communication features | Available in which apps|Office 2016 MSI|Office 2019| Office 365 ProPlus Monthly (C2R) | Office 365 ProPlus Semi Annual (C2R) | Office 365 ProPlus Annual (C2R) | Office 365 Web | Office Mac | Office iPad |
|---|---|---|---|---|---|---|---|---|---|
| Translate Language of Document | <ul><li>Word 2016</li><li>PowerPoint 2016</li></ul> | | | | | | | | |
| PowerPoint Translator | <ul><li>PowerPoint 2016 Add-in</li></ul> | | | | | | | | |
</br>
## <a name="intune"></a>Deploying apps with Microsoft Intune
Microsoft Intune can be used to deploy apps such as Immersive Reader and Microsoft Translator to all the devices connected in the same groups.
1. Go to the <a href="https://admin.manage.microsoft.com" target="_blank">Intune for Education portal</a> and log in with your account.
2. Select the **Apps** page.
3. Find the app you're looking for in the included list (if it's not there, you can select **Add app** and download it from the Microsoft Store).
4. Selecting your app will show you if it has been deployed to any of the groups that have been set up. From the **Groups** page you can select **Change group assignment** and choose which groups you want to deploy the app(s) to.
## <a name="ease"></a>How to show/hide the Ease of access settings for text in Windows 10
The Ease of access settings in Windows 10 are very useful accessibility tools, but having those options could be a bit much for everyone in a group to have in their device. With the following instructions you can chose to hide or show the Ease of access settings on users' devices.
1. Go to the <a href="https://admin.manage.microsoft.com" target="_blank">Intune for Education portal</a> and login with your account.
2. Select the **Groups** page and then select your desired group.
3. Select **Settings** and under the **User access and device settings** section you will find the toggle to set **Ease of access** to **Blocked** or **Not blocked**.
4. Select **Save** after making your selection.
## <a name="account"></a>How to change your Office 365 account from monthly, semi-annual, or yearly
Depending on how you plan to do billing, you can have Office 365 accounts that are set to renew monthly, semi-annually, or yearly.
1. Sign-in to your <a href="https://account.microsoft.com/services" target="_blank">services and subscriptions<a/> with your Microsoft account.
2. Find the subscription in the list, then select **Change how you pay**.
>**Note:** If you don't see **Change how you pay**, it could be because auto-renew is not turned on. You won't be able to change how you pay if auto-renew is off because the subscription has already been paid and will end when its duration expires.
3. Choose a new way to pay from the list or select **Add a new way to pay** and follow the instructions.

1
education/index.md
View File

@ -6,6 +6,7 @@ description: Learn about product documentation and resources available for schoo
author: CelesteDG
ms.topic: hub-page
ms.author: celested
ms.collection: ITAdminEDU
ms.date: 10/30/2017
---
<div id="main" class="v2">

4
education/windows/use-set-up-school-pcs-app.md
View File

@ -2,7 +2,7 @@
title: Use Set up School PCs app
description: Learn how the Set up School PCs app works and how to use it.
keywords: shared cart, shared PC, school, Set up School PCs, overview, how to use
ms.prod: w10
ms.prod: w10
ms.technology: Windows
ms.mktglfcycl: deploy
ms.sitesec: library
@ -198,7 +198,7 @@ The **Set up School PCs** app guides you through the configuration choices for t
If you select this option, this adds a **Guest** account button in the PC's sign-in screen to allow anyone to use the PC.
- Select **Enable Autopilot Reset** to reset student PCs from the lock screen any time and apply original settings and device management enrollment (Azure AD and MDM) so they’re ready to use. Make sure you are running Windows 10, version 1709 on the student PCs if you want to use Autopilot Reset through the Set up School PCs app.
- Select **Enable Autopilot Reset** to reset student PCs from the lock screen any time and apply original settings and device management enrollment (Azure AD and MDM) so they're ready to use. Make sure you are running Windows 10, version 1709 on the student PCs if you want to use Autopilot Reset through the Set up School PCs app.
- To change the default lock screen background or to use your school's custom lock screen background, click **Browse** to select a new lock screen background.
**Figure 4** - Configure student PC settings

121
mdop/appv-v5/how-to-deploy-the-app-v-50-server-using-a-script.md
View File

@ -7,7 +7,7 @@ ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
ms.prod: w10
ms.date: 06/16/2016
ms.date: 06/15/2018
---
@ -16,18 +16,17 @@ ms.date: 06/16/2016
In order to complete the **appv\_server\_setup.exe** Server setup successfully using the command line, you must specify and combine multiple parameters.
**To Install the App-V 5.0 server using a script**
Use the following tables for more information about installing the App-V 5.0 server using the command line.
- Use the following tables for more information about installing the App-V 5.0 server using the command line.
>[!NOTE]  
>The information in the following tables can also be accessed using the command line by typing the following command:
>```
> appv\_server\_setup.exe /?
>```
**Note**  
The information in the following tables can also be accessed using the command line by typing the following command: **appv\_server\_setup.exe /?**.
## Common parameters and Examples
 
**Common parameters and Examples**
<table>
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
@ -67,10 +66,8 @@ In order to complete the **appv\_server\_setup.exe** Server setup successfully u
</tr>
</tbody>
</table>
 
<table>
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
@ -109,11 +106,9 @@ In order to complete the **appv\_server\_setup.exe** Server setup successfully u
<p>/EXISTING_MANAGEMENT_DB_NAME =”AppVManagement”</p></td>
</tr>
</tbody>
</table>
</table>  
 
<table>
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
@ -153,10 +148,8 @@ In order to complete the **appv\_server\_setup.exe** Server setup successfully u
</tr>
</tbody>
</table>
 
<table>
 
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
@ -191,9 +184,7 @@ In order to complete the **appv\_server\_setup.exe** Server setup successfully u
</tbody>
</table>
 
<table>
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
@ -228,9 +219,7 @@ In order to complete the **appv\_server\_setup.exe** Server setup successfully u
</tbody>
</table>
 
<table>
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
@ -255,9 +244,7 @@ In order to complete the **appv\_server\_setup.exe** Server setup successfully u
</tbody>
</table>
 
<table>
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
@ -298,9 +285,7 @@ In order to complete the **appv\_server\_setup.exe** Server setup successfully u
</tbody>
</table>
 
<table>
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
@ -339,9 +324,7 @@ In order to complete the **appv\_server\_setup.exe** Server setup successfully u
</tbody>
</table>
 
<table>
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
@ -380,9 +363,7 @@ In order to complete the **appv\_server\_setup.exe** Server setup successfully u
</tbody>
</table>
 
<table>
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
@ -417,9 +398,7 @@ In order to complete the **appv\_server\_setup.exe** Server setup successfully u
</tbody>
</table>
 
<table>
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
@ -454,13 +433,11 @@ In order to complete the **appv\_server\_setup.exe** Server setup successfully u
</tbody>
</table>
 
## Parameter Definitions
**Parameter Definitions**
### General Parameters
**General Parameters**
<table>
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
@ -503,11 +480,9 @@ In order to complete the **appv\_server\_setup.exe** Server setup successfully u
</tbody>
</table>
 
### Management Server Installation Parameters
**Management Server Installation Parameters**
<table>
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
@ -538,11 +513,9 @@ In order to complete the **appv\_server\_setup.exe** Server setup successfully u
</tbody>
</table>
 
### Parameters for the Management Server Database
**Parameters for the Management Server Database**
<table>
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
@ -585,11 +558,9 @@ In order to complete the **appv\_server\_setup.exe** Server setup successfully u
</tbody>
</table>
 
### Parameters for Installing Publishing Server
**Parameters for Installing Publishing Server**
<table>
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
@ -620,11 +591,9 @@ In order to complete the **appv\_server\_setup.exe** Server setup successfully u
</tbody>
</table>
 
### Parameters for Reporting Server
**Parameters for Reporting Server**
<table>
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
@ -653,9 +622,9 @@ In order to complete the **appv\_server\_setup.exe** Server setup successfully u
 
**Parameters for using an Existing Reporting Server Database**
### Parameters for using an Existing Reporting Server Database
<table>
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
@ -690,11 +659,9 @@ In order to complete the **appv\_server\_setup.exe** Server setup successfully u
</tbody>
</table>
 
### Parameters for installing Reporting Server Database
**Parameters for installing Reporting Server Database**
<table>
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
@ -733,11 +700,9 @@ In order to complete the **appv\_server\_setup.exe** Server setup successfully u
</tbody>
</table>
 
### Parameters for using an existing Management Server Database
**Parameters for using an existing Management Server Database**
<table>
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
@ -770,15 +735,13 @@ In order to complete the **appv\_server\_setup.exe** Server setup successfully u
<td align="left"><p>Specifies the name of the existing management database that should be used. Example usage: <strong>/EXISITING_MANAGEMENT_DB_NAME=”AppVMgmtDB”</strong>. If /DB_PREDEPLOY_MANAGEMENT is specified, this will be ignored.</p>
<p></p>
<p><strong>Got a suggestion for App-V</strong>? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). <strong>Got an App-V issu</strong>e? Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv).</p></td>
</tr>
</tbody>
</table>
 
</tr>
</tbody>
</table>
 
## Related topics
[Deploying the App-V 5.0 Server](deploying-the-app-v-50-server.md)
 

175
mdop/mbam-v25/how-to-move-the-mbam-25-databases.md
View File

@ -7,7 +7,7 @@ ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
ms.prod: w10
ms.date: 05/23/2018
ms.date: 06/15/2018
---
# How to Move the MBAM 2.5 Databases
@ -64,8 +64,8 @@ The high-level steps for moving the Recovery Database are:
To automate this procedure, you can use Windows PowerShell to enter a command that is similar to the following:
```syntax
PS C:\> Stop-Website "Microsoft BitLocker Administration and Monitoring"
```powershell
Stop-Website "Microsoft BitLocker Administration and Monitoring"
```
@ -130,8 +130,8 @@ PS C:\> Stop-Website "Microsoft BitLocker Administration and Monitoring"
4. In Windows PowerShell, run the script that is stored in the file and similar to the following:
```syntax
PS C:\> Invoke-Sqlcmd -InputFile
```powershell
Invoke-Sqlcmd -InputFile
'Z:\BackupMBAMRecoveryandHardwarDatabaseScript.sql' -ServerInstance $SERVERNAME$\$SQLINSTANCENAME$
```
5. Use the following value to replace the values in the code example with values that match your environment:
@ -144,24 +144,24 @@ Use Windows Explorer to move the **MBAM Compliance Status Database Data.bak** fi
To automate this procedure, you can use Windows PowerShell to run a command that is similar to the following:
```syntax
PS C:\> Copy-Item “Z:\MBAM Recovery Database Data.bak”
```powershell
Copy-Item “Z:\MBAM Recovery Database Data.bak”
\\$SERVERNAME$\$DESTINATIONSHARE$
PS C:\> Copy-Item “Z:\SQLServerInstanceCertificateFile”
Copy-Item “Z:\SQLServerInstanceCertificateFile”
\\$SERVERNAME$\$DESTINATIONSHARE$
PS C:\> Copy-Item “Z:\SQLServerInstanceCertificateFilePrivateKey”
Copy-Item “Z:\SQLServerInstanceCertificateFilePrivateKey”
\\$SERVERNAME$\$DESTINATIONSHARE$
```
Use the information in the following table to replace the values in the code example with values that match your environment.
| **Parameter** | **Description** |
|----------------------|---------------------------------------------------------------|
| $SERVERNAME$ | Name of the server to which the files will be copied. |
| **Parameter** | **Description** |
|----------------------|------------------|
| $SERVERNAME$ | Name of the server to which the files will be copied. |
| $DESTINATIONSHARE$ | Name of the share and path to which the files will be copied. |
|---|---|
### Restore the Recovery Database on Server B
@ -173,7 +173,7 @@ Use the information in the following table to replace the values in the code exa
4. To automate this procedure, create a SQL file (.sql) that contains the following SQL script:
```syntax
```
-- Restore MBAM Recovery Database.
USE master
@ -219,8 +219,8 @@ Use the information in the following table to replace the values in the code exa
6. In Windows PowerShell, run the script that is stored in the file and similar to the following:
```syntax
PS C:\> Invoke-Sqlcmd -InputFile 'Z:\RestoreMBAMRecoveryandHardwarDatabaseScript.sql' -ServerInstance $SERVERNAME$\$SQLINSTANCENAME$
```powershell
Invoke-Sqlcmd -InputFile 'Z:\RestoreMBAMRecoveryandHardwarDatabaseScript.sql' -ServerInstance $SERVERNAME$\$SQLINSTANCENAME$
```
7. Use the following value to replace the values in the code example with values that match your environment.
@ -245,19 +245,19 @@ Use the information in the following table to replace the values in the code exa
6. To automate this process, you can use the Windows PowerShell command prompt to enter a command line on the Administration and Monitoring Server that is similar to the following:
```syntax
PS C:\> reg add "HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\MBAM Server\\Web" /v
```powershell
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\MBAM Server\\Web" /v
RecoveryDBConnectionString /t REG_SZ /d "Integrated Security=SSPI;Initial
Catalog=$DATABASE$;Data Source=$SERVERNAME$\$SQLINSTANCENAME$" /f
PS C:\> Set-WebConfigurationProperty
Set-WebConfigurationProperty
'connectionStrings/add[@name="KeyRecoveryConnectionString"]' -PSPath
"IIS:\sites\Microsoft Bitlocker Administration and
Monitoring\MBAMAdministrationService" -Name "connectionString" -Value “Data
Source=$SERVERNAME$\$SQLINSTANCENAME$;Initial Catalog=MBAM Recovery and
Hardware;Integrated Security=SSPI;”
PS C:\> Set-WebConfigurationProperty
Set-WebConfigurationProperty
'connectionStrings/add[\@name="Microsoft.Mbam.RecoveryAndHardwareDataStore.ConnectionString"]'
-PSPath "IIS:\sites\Microsoft Bitlocker Administration and
Monitoring\MBAMRecoveryAndHardwareService" -Name "connectionString" -Value
@ -271,52 +271,11 @@ Use the information in the following table to replace the values in the code exa
7. Use the following table to replace the values in the code example with values that match your environment.
```html
<table>
|Parameter|Description|
|---------|-----------|
|$SERVERNAME$/\$SQLINSTANCENAME$|Server name and instance of SQL Server where the Recovery Database is located.|
|$DATABASE$|Name of the Recovery database.|
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Parameter</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>$SERVERNAME$\$SQLINSTANCENAME$</p></td>
<td align="left"><p>Server name and instance of SQL Server where the Recovery Database is located.</p></td>
</tr>
<tr class="even">
<td align="left"><p>$DATABASE$</p></td>
<td align="left"><p>Name of the Recovery database.</p></td>
</tr>
</tbody>
</table>
```
### Install MBAM Server software and run the MBAM Server Configuration wizard on Server B
@ -334,8 +293,8 @@ On the server that is running the Administration and Monitoring Website, use the
To automate this procedure, you can use Windows PowerShell to run a command that is similar to the following:
```syntax
PS C:\> Start-Website "Microsoft BitLocker Administration and Monitoring"
```powershell
Start-Website "Microsoft BitLocker Administration and Monitoring"
```
>[!NOTE]
@ -366,8 +325,8 @@ The high-level steps for moving the Compliance and Audit Database are:
To automate this procedure, you can use Windows PowerShell to enter a command that is similar to the following:
```syntax
PS C:\> Stop-Website "Microsoft BitLocker Administration and Monitoring"
```powershell
Stop-Website "Microsoft BitLocker Administration and Monitoring"
```
@ -380,8 +339,7 @@ PS C:\> Stop-Website "Microsoft BitLocker Administration and Monitoring"
2. To automate this procedure, create a SQL file (.sql) that contains the following SQL script:
```syntax
```
USE master;
GO
@ -414,8 +372,8 @@ PS C:\> Stop-Website "Microsoft BitLocker Administration and Monitoring"
3. Run the script that is stored in the .sql file by using a Windows PowerShell command that is similar to the following:
```syntax
PS C:\> Invoke-Sqlcmd -InputFile "Z:\BackupMBAMComplianceStatusDatabaseScript.sql" ServerInstance $SERVERNAME$\$SQLINSTANCENAME$
```powershell
Invoke-Sqlcmd -InputFile "Z:\BackupMBAMComplianceStatusDatabaseScript.sql" ServerInstance $SERVERNAME$\$SQLINSTANCENAME$
```
@ -429,10 +387,9 @@ PS C:\> Stop-Website "Microsoft BitLocker Administration and Monitoring"
2. To automate this procedure, you can use Windows PowerShell to run a command that is similar to the following:
```syntax
PS C:\> Copy-Item "Z:\MBAM Compliance Status Database Data.bak"
```powershell
Copy-Item "Z:\MBAM Compliance Status Database Data.bak"
\\$SERVERNAME$\$DESTINATIONSHARE$
```
3. Using the following table, replace the values in the code example with values that match your environment.
@ -441,7 +398,7 @@ PS C:\> Stop-Website "Microsoft BitLocker Administration and Monitoring"
|----------------------|---------------------------------------------------------------|
| $SERVERNAME$ | Name of the server to which the files will be copied. |
| $DESTINATIONSHARE$ | Name of the share and path to which the files will be copied. |
|---|---|
### Restore the Compliance and Audit Database on Server B
@ -453,7 +410,7 @@ PS C:\> Stop-Website "Microsoft BitLocker Administration and Monitoring"
4. To automate this procedure, create a SQL file (.sql) that contains the following SQL script:
```syntax
```
-- Create MBAM Compliance Status Database Data logical backup devices.
Use master
@ -472,8 +429,8 @@ PS C:\> Stop-Website "Microsoft BitLocker Administration and Monitoring"
5. In Windows PowerShell, run the script that is stored in the file and similar to the following:
```syntax
PS C:\> Invoke-Sqlcmd -InputFile "Z:\RestoreMBAMComplianceStatusDatabaseScript.sql" -ServerInstance $SERVERNAME$\$SQLINSTANCENAME$
```powershell
Invoke-Sqlcmd -InputFile "Z:\RestoreMBAMComplianceStatusDatabaseScript.sql" -ServerInstance $SERVERNAME$\$SQLINSTANCENAME$
```
@ -500,8 +457,8 @@ PS C:\> Stop-Website "Microsoft BitLocker Administration and Monitoring"
6. To automate this process, you can use the Windows PowerShell command prompt to enter a command line on the Administration and Monitoring Server that is similar to the following:
```syntax
PS C:\> reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MBAM Server\Web" /v
```powershell
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MBAM Server\Web" /v
ComplianceDBConnectionString /t REG_SZ /d "Integrated Security=SSPI;Initial
Catalog=$DATABASE$;Data Source=$SERVERNAME$\$SQLINSTANCENAME$" /f
@ -512,52 +469,10 @@ PS C:\> Stop-Website "Microsoft BitLocker Administration and Monitoring"
7. Using the following table, replace the values in the code example with values that match your environment.
```html
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Parameter</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>$SERVERNAME$\$SQLINSTANCENAME$</p></td>
<td align="left"><p>Server name and instance of SQL Server where the Recovery Database is located.</p></td>
</tr>
<tr class="even">
<td align="left"><p>$DATABASE$</p></td>
<td align="left"><p>Name of the recovered database.</p></td>
</tr>
</tbody>
</table>
```
|Parameter | Description |
|---------|------------|
|$SERVERNAME$\$SQLINSTANCENAME$ | Server name and instance of SQL Server where the Recovery Database is located.|
|$DATABASE$|Name of the recovered database.|
### Install MBAM Server software and run the MBAM Server Configuration wizard on Server B
@ -575,8 +490,8 @@ On the server that is running the Administration and Monitoring Website, use the
To automate this procedure, you can use Windows PowerShell to run a command that is similar to the following:
```syntax
PS C:\> Start-Website "Microsoft BitLocker Administration and Monitoring"
```powershell
Start-Website "Microsoft BitLocker Administration and Monitoring"
```

175
mdop/mbam-v25/illustrated-features-of-an-mbam-25-deployment.md
View File

@ -7,7 +7,7 @@ ms.pagetype: mdop, security
ms.mktglfcycl: manage
ms.sitesec: library
ms.prod: w10
ms.date: 06/16/2016
ms.date: 06/15/2018
---
@ -34,178 +34,61 @@ The following image and table explain the features in an MBAM Stand-alone topolo
![mbab2\-5](images/mbam2-5-standalonecomponents.png)
Feature type
Feature
Description
Database
Recovery Database
This database stores recovery data that is collected from MBAM client computers.
This feature is configured on a server running Windows Server and a supported SQL Server instance.
Compliance and Audit Database
This database stores compliance data, which is used primarily for the Reports that SQL Server Reporting Services hosts.
This feature is configured on a server running Windows Server and a supported SQL Server instance.
Compliance and Audit Reports
Reporting Web Service
This web service enables communication between the Administration and Monitoring Website and the SQL Server instance where reporting data is stored.
This feature is installed on a server running Windows Server.
Reporting Website (Administration and Monitoring Website)
You view Reports from the Administration and Monitoring Website. The Reports provide recovery audit and compliance status data about the client computers in your enterprise.
This feature is configured on a server running Windows Server.
SQL Server Reporting Services (SSRS)
Reports are configured in an SSRS database instance. Reports can be viewed directly from SSRS or from the Administration and Monitoring Website.
This feature is configured on a server running Windows Server and a supported SQL Server instance that is running SSRS.
Self-Service Server
Self-Service Web Service
This web service is used by the MBAM Client and the Administration and Monitoring Website and Self-Service Portal to communicate to the Recovery Database.
This feature is installed on a computer running Windows Server.
|Feature type|Description|Database|
|-|-|-|
|Recovery Database|This database stores recovery data that is collected from MBAM client computers.|This feature is configured on a server running Windows Server and a supported SQL Server instance.|
|Compliance and Audit Database|This database stores compliance data, which is used primarily for the Reports that SQL Server Reporting Services hosts.|This feature is configured on a server running Windows Server and a supported SQL Server instance.|
|Compliance and Audit Reports|||
|Reporting Web Service|This web service enables communication between the Administration and Monitoring Website and the SQL Server instance where reporting data is stored.|This feature is installed on a server running Windows Server.|
|Reporting Website (Administration and Monitoring Website)|You view Reports from the Administration and Monitoring Website. The Reports provide recovery audit and compliance status data about the client computers in your enterprise.|This feature is configured on a server running Windows Server.|
|SQL Server Reporting Services (SSRS)|Reports are configured in an SSRS database instance. Reports can be viewed directly from SSRS or from the Administration and Monitoring Website.|This feature is configured on a server running Windows Server and a supported SQL Server instance that is running SSRS.|
|Self-Service Server|||
|Self-Service Web Service|This web service is used by the MBAM Client and the Administration and Monitoring Website and Self-Service Portal to communicate to the Recovery Database.|This feature is installed on a computer running Windows Server.|
|Self-Service Website (Self-Service Portal)|This website enables end users on client computers to independently sign in to a website to get a recovery key if they lose or forget their BitLocker password.|This feature is configured on a computer running Windows Server.|
|Administration and Monitoring Server|||
|Administration and Monitoring Web Service|The Monitoring Web Service is used by the MBAM Client and the websites to communicate to the databases.|This feature is installed on a computer running Windows Server.|
**Important**  
The Self-Service Web Service is no longer available in Microsoft BitLocker Administration and Monitoring (MBAM) 2.5 SP1, in which the MBAM Client, the Administration and Monitoring Website, and the Self-Service Portal communicate directly with the Recovery Database.
 
Self-Service Website (Self-Service Portal)
This website enables end users on client computers to independently sign in to a website to get a recovery key if they lose or forget their BitLocker password.
This feature is configured on a computer running Windows Server.
Administration and Monitoring Server
Administration and Monitoring Web Service
The Monitoring Web Service is used by the MBAM Client and the websites to communicate to the databases.
This feature is installed on a computer running Windows Server.
**Important**  
The Monitoring Web Service is no longer available in Microsoft BitLocker Administration and Monitoring (MBAM) 2.5 SP1 since the MBAM Client and the websites communicate directly with the Recovery Database.
 
Administration and Monitoring Website (also known as the Help Desk
This Website is used by Help Desk users (users with the MBAM Report Users rights) to help end users regain access to their computers when they forget their PIN or password.
This feature is configured on a computer running Windows Server.
 
## <a href="" id="bkmk-cmintegrated"></a>System Center Configuration Manager Integration topology
The following image and table explain the features in the System Center Configuration Manager Integration topology.
![mbam2\-5](images/mbam2-5-cmcomponents.png)
Feature type
Feature
Description
Self-Service Server
Self-Service Web Service
This web service is used by the MBAM Client and the Self-Service Portal to communicate to the Recovery Database.
This feature is installed on a computer running Windows Server.
**Important**  
The Self-Service Web Service is no longer available in Microsoft BitLocker Administration and Monitoring (MBAM) 2.5 SP1, in which the MBAM Client, the Administration and Monitoring Website, and the Self-Service Portal communicate directly with the Recovery Database.
 
Self-Service Website
This website enables end users on client computers to independently sign in to a website to get a recovery key if they lose or forget their BitLocker password.
This feature is configured on a computer running Windows Server.
Administration and Monitoring Server/Recovery Audit Report
Administration and Monitoring Web Service
This web service enables communication between the Administration and Monitoring Website and the SQL Server databases where reporting data is stored.
This feature is installed on a server running Windows Server.
**Warning**  
The Monitoring Web Service is no longer available in Microsoft BitLocker Administration and Monitoring (MBAM) 2.5 SP1 since the MBAM Client and the websites communicate directly with the Recovery Database.
 
Administration and Monitoring Website
The Recovery Audit report is viewed from the Administration and Monitoring Website. Use the Configuration Manager console to view all other reports, or view reports directly from SQL Server Reporting Services.
This feature is configured on a server running Windows Server.
Databases
Recovery Database
This database stores recovery data that is collected from MBAM client computers.
This feature is configured on a server running Windows Server and a supported SQL Server instance.
Audit Database
This database stores audit information about recovery attempts and activity.
This feature is configured on a server running Windows Server and a supported SQL Server instance.
Configuration Manager Features
Configuration Manager Management console
This console is built into Configuration Manager and is used to view reports.
For viewing reports only, this feature can be installed on any server or client computer.
Configuration Manager Reports
Reports show compliance and recovery audit data for client computers in your enterprise.
The Reports feature is installed on a server running Windows Server and SSRS, and Reports run on a supported SQL Server instance. A reporting services point must be defined in Configuration Manager on the server that is running SSRS.
SQL Server Reporting Services
SSRS enables the MBAM Reports. Reports can be viewed directly from SSRS or from the Configuration Manager console.
SSRS is installed on a server running Windows Server. A reporting services point must be defined in Configuration Manager on the server that is running SSRS.
 
|Feature type|Description|
|-|-|
|Self-Service Server|||
|Self-Service Web Service|This web service is used by the MBAM Client and the Self-Service Portal to communicate to the Recovery Database.|This feature is installed on a computer running Windows Server.|
|Self-Service Website|This website enables end users on client computers to independently sign in to a website to get a recovery key if they lose or forget their BitLocker password.|This feature is configured on a computer running Windows Server.|
|Administration and Monitoring Server/Recovery Audit Report|||
|Administration and Monitoring Web Service|This web service enables communication between the Administration and Monitoring Website and the SQL Server databases where reporting data is stored.|This feature is installed on a server running Windows Server.|
|Administration and Monitoring Website|The Recovery Audit report is viewed from the Administration and Monitoring Website. Use the Configuration Manager console to view all other reports, or view reports directly from SQL Server Reporting Services.|This feature is configured on a server running Windows Server.|
|Databases|||
|Recovery Database|This database stores recovery data that is collected from MBAM client computers.|This feature is configured on a server running Windows Server and a supported SQL Server instance.|
|Audit Database|This database stores audit information about recovery attempts and activity.|This feature is configured on a server running Windows Server and a supported SQL Server instance.|
|Configuration Manager Features|||
|Configuration Manager Management console|This console is built into Configuration Manager and is used to view reports.|For viewing reports only, this feature can be installed on any server or client computer.|
|Configuration Manager Reports|Reports show compliance and recovery audit data for client computers in your enterprise.|The Reports feature is installed on a server running Windows Server and SSRS, and Reports run on a supported SQL Server instance. A reporting services point must be defined in Configuration Manager on the server that is running SSRS.|
|SQL Server Reporting Services|SSRS enables the MBAM Reports. Reports can be viewed directly from SSRS or from the Configuration Manager console.|SSRS is installed on a server running Windows Server. A reporting services point must be defined in Configuration Manager on the server that is running SSRS.|
## Related topics
[High-Level Architecture for MBAM 2.5](high-level-architecture-for-mbam-25.md)
[Getting Started with MBAM 2.5](getting-started-with-mbam-25.md)
 
 
## Got a suggestion for MBAM?
- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring).
- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).

19
mdop/solutions/how-to-download-and-deploy-mdop-group-policy--admx--templates.md
View File

@ -7,7 +7,7 @@ ms.pagetype: mdop
ms.mktglfcycl: deploy
ms.sitesec: library
ms.prod: w8
ms.date: 07/26/2017
ms.date: 06/15/2018
---
@ -18,7 +18,6 @@ You can manage the feature settings of certain Microsoft Desktop Optimization Pa
## MDOP Group Policy templates
**How to download and deploy the MDOP Group Policy templates**
1. Download the latest [MDOP Group Policy templates](https://www.microsoft.com/en-us/download/details.aspx?id=55531)
@ -28,17 +27,15 @@ You can manage the feature settings of certain Microsoft Desktop Optimization Pa
**Warning**  
Do not extract the templates directly to the Group Policy deployment directory. Multiple technologies and versions are bundled in this file.
 
3. In the extracted folder, locate the technology-version .admx file. Certain MDOP technologies have multiple sets of Group Policy Objects (GPOs). For example, MBAM includes MBAM Management settings and MBAM User settings.
4. Locate the appropriate .adml file by language-culture (that is, *en-us* for English-United States).
5. Copy the .admx and .adml files to a policy definition folder. Depending on where you store the templates, you can configure Group Policy settings from the local device or from any computer on the domain.
**Local files:** To configure Group Policy settings from the local device, copy template files to the following locations:
- **Local files:** To configure Group Policy settings from the local device, copy template files to the following locations:
<table>
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
@ -61,11 +58,9 @@ You can manage the feature settings of certain Microsoft Desktop Optimization Pa
</tbody>
</table>
 
- **Domain central store:** To enable Group Policy settings configuration by a Group Policy administrator from any computer on the domain, copy files to the following locations on the domain controller:
**Domain central store:** To enable Group Policy settings configuration by a Group Policy administrator from any computer on the domain, copy files to the following locations on the domain controller:
<table>
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
@ -89,9 +84,7 @@ You can manage the feature settings of certain Microsoft Desktop Optimization Pa
</tbody>
</table>
 
6. Edit the Group Policy settings using Group Policy Management Console (GPMC) or Advanced Group Policy Management (AGPM) to configure Group Policy settings for the MDOP technology.
6. Edit the Group Policy settings using Group Policy Management Console (GPMC) or Advanced Group Policy Management (AGPM) to configure Group Policy settings for the MDOP technology.
### MDOP Group Policy by technology

2
store-for-business/whats-new-microsoft-store-business-education.md
View File

@ -68,7 +68,7 @@ Weve been working on bug fixes and performance improvements to provide you a
- Bug fixes and performance improvements
[October 2017](release-history-microsoft-store-business-education.md#october-2017)
- Bug fixes and permformance improvements
- Bug fixes and performance improvements
[September 2017](release-history-microsoft-store-business-education.md#september-2017)
- Manage Windows device deployment with Windows Autopilot Deployment

48
windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md
View File

@ -1,42 +1,46 @@
---
title: How to Apply the Deployment Configuration File by Using Windows PowerShell (Windows 10)
description: How to Apply the Deployment Configuration File by Using Windows PowerShell
title: How to apply the deployment configuration file by using Windows PowerShell (Windows 10)
description: How to apply the deployment configuration file by using Windows PowerShell for Windows 10.
author: MaggiePucciEvans
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
ms.prod: w10
ms.date: 04/19/2017
ms.date: 06/15/2018
---
# How to apply the deployment configuration file by using Windows PowerShell
>Applies to: Windows 10, version 1607
# How to Apply the Deployment Configuration File by Using Windows PowerShell
When you add or set a package to a computer running the App-V client before it's been published, a dynamic deployment configuration file is applied to it. The dynamic deployment configuration file configures the default settings for the package that all users share on the computer running the App-V client. This section will tell you how to use a deployment configuration file.
**Applies to**
- Windows 10, version 1607
## Apply the deployment configuration file with Windows PowerShell
The dynamic deployment configuration file is applied when a package is added or set to a computer running the App-V client before the package has been published. The file configures the default settings for package for all users on the computer running the App-V client. This section describes the steps used to use a deployment configuration file. The procedure is based on the following example and assumes the following package and configuration files exist on a computer:
>[!NOTE]
>The following example cmdlet uses the following two file paths for the package and configuration files:
>
>* C:\\Packages\\Contoso\\MyApp.appv
>* C:\\Packages\\Contoso\\DynamicConfigurations\\deploymentconfig.xml
>
>If your package and configuration files use different file paths than the example, feel free to replace them as needed.
**c:\\Packages\\Contoso\\MyApp.appv**
To specify a new default set of configurations for all users who will run the package on a specific computer, in a Windows PowerShell console, enter the following cmdlet:
**c:\\Packages\\Contoso\\DynamicConfigurations\\deploymentconfig.xml**
```PowerShell
Add-AppVClientPackage -Path C:\Packages\Contoso\MyApp.appv -DynamicDeploymentConfiguration C:\Packages\Contoso\DynamicConfigurations\deploymentconfig.xml
```
**To Apply the Deployment Configuration File Using Windows PowerShell**
>[!NOTE]
>This command captures the resulting object into $pkg. If the package is already present on the computer, you can use the **Set-AppVclientPackage** cmdlet to apply the deployment configuration document:
>
> ```PowerShell
> Set-AppVClientPackage -Name Myapp -Path C:\Packages\Contoso\MyApp.appv -DynamicDeploymentConfiguration C:\Packages\Contoso\DynamicConfigurations\deploymentconfig.xml
> ```
- To specify a new default set of configurations for all users who will run the package on a specific computer, in a Windows PowerShell console, type the following:
`Add-AppVClientPackage -Path c:\Packages\Contoso\MyApp.appv -DynamicDeploymentConfiguration c:\Packages\Contoso\DynamicConfigurations\deploymentconfig.xml`
**Note**<br>
This command captures the resulting object into $pkg. If the package is already present on the computer, the **Set-AppVclientPackage** cmdlet can be used to apply the deployment configuration document:
`Set-AppVClientPackage -Name Myapp -Path c:\Packages\Contoso\MyApp.appv -DynamicDeploymentConfiguration c:\Packages\Contoso\DynamicConfigurations\deploymentconfig.xml`
 
## Have a suggestion for App-V?
Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).<br>For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
## Related topics
[Operations for App-V](appv-operations.md)
* [Operations for App-V](appv-operations.md)

44
windows/application-management/app-v/appv-apply-the-user-configuration-file-with-powershell.md
View File

@ -1,41 +1,45 @@
---
title: How to Apply the User Configuration File by Using Windows PowerShell (Windows 10)
description: How to Apply the User Configuration File by Using Windows PowerShell
title: How to apply the user configuration file by using Windows PowerShell (Windows 10)
description: How to apply the user configuration file by using Windows PowerShell (Windows 10).
author: MaggiePucciEvans
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
ms.prod: w10
ms.date: 04/19/2017
ms.date: 06/15/2018
---
# How to apply the user configuration file by using Windows PowerShell
>Applies to: Windows 10, version 1607
# How to Apply the User Configuration File by Using Windows PowerShell
When you publish a package to a specific user, you'll also need to specify a dynamic user configuration file to tell that package how to run.
**Applies to**
- Windows 10, version 1607
## Apply a user configuration file
The dynamic user configuration file is applied when a package is published to a specific user and determines how the package will run.
Here's how to specify a user-specific configuration file:
Use the following procedure to specify a user-specific configuration file. The following procedure is based on the example:
>[!NOTE]
>The following example cmdlets use this example file path for its package:
>
>* C:\\Packages\\Contoso\\MyApp.appv.
>
>If your package file uses a different file path than the example, feel free to replace it as needed.
**c:\\Packages\\Contoso\\MyApp.appv**
1. Enter the following cmdlet in Windows PowerShell to add the package to the computer:
**To apply a user Configuration file**
1. To add the package to the computer using the Windows PowerShell console, type the following command:
`Add-AppVClientPackage c:\Packages\Contoso\MyApp.appv`
2. Use the following command to publish the package to the user and specify the updated the dynamic user configuration file:
`Publish-AppVClientPackage $pkg -DynamicUserConfigurationPath c:\Packages\Contoso\config.xml`
```PowerShell
Add-AppVClientPackage C:\Packages\Contoso\MyApp.appv
```
2. Enter the following cmdlet to publish the package to the user and specify the updated the dynamic user configuration file:
```PowerShell
Publish-AppVClientPackage $pkg -DynamicUserConfigurationPath C:\Packages\Contoso\config.xml
```
## Have a suggestion for App-V?
Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).<br>For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
## Related topics
[Operations for App-V](appv-operations.md)
* [Operations for App-V](appv-operations.md)

92
windows/application-management/app-v/appv-auto-batch-updating.md
View File

@ -41,29 +41,28 @@ Updating multiple apps at the same time requires that you create a **ConfigFile*
**Example:**
```XML
<?xml version="1.0"?>
<Applications>
<Application>
<AppName>Skype for Windows Update</AppName>
<InstallerFolder>D:\Install\Update\SkypeforWindows</InstallerFolder>
<Installer>SkypeSetup.exe</Installer>
<InstallerOptions>/S</InstallerOptions>
<Package>C:\App-V_Package\Microsoft_Apps\skypeupdate.appv</Package>
<TimeoutInMinutes>20</TimeoutInMinutes>
<Cmdlet>True</Cmdlet>
<Enabled>True</Enabled>
</Application>
<Application>
<AppName>Microsoft Power BI Update</AppName>
<InstallerFolder>D:\Install\Update\PowerBI</InstallerFolder>
<Installer>PBIDesktop.msi</Installer>
<InstallerOptions>/S</InstallerOptions>
<Package>C:\App-V_Package\MS_Apps\powerbiupdate.appv</Package>
<TimeoutInMinutes>20</TimeoutInMinutes>
<Cmdlet>True</Cmdlet>
<Enabled>True</Enabled>
</Application>
</Applications>
</xml>
<Applications>
<Application>
<AppName>Skype for Windows Update</AppName>
<InstallerFolder>D:\Install\Update\SkypeforWindows</InstallerFolder>
<Installer>SkypeSetup.exe</Installer>
<InstallerOptions>/S</InstallerOptions>
<Package>C:\App-V_Package\Microsoft_Apps\skypeupdate.appv</Package>
<TimeoutInMinutes>20</TimeoutInMinutes>
<Cmdlet>true</Cmdlet>
<Enabled>true</Enabled>
</Application>
<Application>
<AppName>Microsoft Power BI Update</AppName>
<InstallerFolder>D:\Install\Update\PowerBI</InstallerFolder>
<Installer>PBIDesktop.msi</Installer>
<InstallerOptions>/S</InstallerOptions>
<Package>C:\App-V_Package\MS_Apps\powerbiupdate.appv</Package>
<TimeoutInMinutes>20</TimeoutInMinutes>
<Cmdlet>true</Cmdlet>
<Enabled>true</Enabled>
</Application>
</Applications>
```
3. Save your completed file under the name **ConfigFile**.
@ -101,29 +100,28 @@ Updating multipe apps at the same time requires that you create a **ConfigFile**
```XML
<?xml version="1.0"?>
<Applications>
<Application>
<AppName>Skype for Windows Update</AppName>
<InstallerFolder>D:\Install\Update\SkypeforWindows</InstallerFolder>
<Installer>SkypeSetup.exe</Installer>
<InstallerOptions>/S</InstallerOptions>
<Package>C:\App-V_Package\Microsoft_Apps\skypeupdate.appv</Package>
<TimeoutInMinutes>20</TimeoutInMinutes>
<Cmdlet>False</Cmdlet>
<Enabled>True</Enabled>
</Application>
<Application>
<AppName>Microsoft Power BI Update</AppName>
<InstallerFolder>D:\Install\Update\PowerBI</InstallerFolder>
<Installer>PBIDesktop.msi</Installer>
<InstallerOptions>/S</InstallerOptions>
<Package>C:\App-V_Package\MS_Apps\powerbiupdate.appv</Package>
<TimeoutInMinutes>20</TimeoutInMinutes>
<Cmdlet>False</Cmdlet>
<Enabled>True</Enabled>
</Application>
</Applications>
</xml>
<Applications>
<Application>
<AppName>Skype for Windows Update</AppName>
<InstallerFolder>D:\Install\Update\SkypeforWindows</InstallerFolder>
<Installer>SkypeSetup.exe</Installer>
<InstallerOptions>/S</InstallerOptions>
<Package>C:\App-V_Package\Microsoft_Apps\skypeupdate.appv</Package>
<TimeoutInMinutes>20</TimeoutInMinutes>
<Cmdlet>false</Cmdlet>
<Enabled>true</Enabled>
</Application>
<Application>
<AppName>Microsoft Power BI Update</AppName>
<InstallerFolder>D:\Install\Update\PowerBI</InstallerFolder>
<Installer>PBIDesktop.msi</Installer>
<InstallerOptions>/S</InstallerOptions>
<Package>C:\App-V_Package\MS_Apps\powerbiupdate.appv</Package>
<TimeoutInMinutes>20</TimeoutInMinutes>
<Cmdlet>false</Cmdlet>
<Enabled>true</Enabled>
</Application>
</Applications>
```
### Start the App-V Sequencer interface and app installation process
@ -157,4 +155,4 @@ There are three types of log files that occur when you sequence multiple apps at
## Have a suggestion for App-V?
Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).

81
windows/application-management/app-v/appv-auto-clean-unpublished-packages.md
View File

@ -1,77 +1,62 @@
---
title: Automatically cleanup unpublished packages on the App-V client (Windows 10)
description: How to automatically clean-up any unpublished packages on your App-V client devices.
title: Automatically clean up unpublished packages on the App-V client (Windows 10)
description: How to automatically clean up any unpublished packages on your App-V client devices.
author: eross-msft
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
ms.prod: w10
ms.date: 04/19/2017
ms.date: 06/15/2018
---
# Automatically clean up unpublished packages on the App-V client
>Applies to: Windows 10, version 1703
# Automatically cleanup unpublished packages on the App-V client
If you wanted to free up additional storage space in previous versions of App-V, you would have had to manually remove your unpublished packages from your client devices. Windows 10, version 1703 introduces the ability to use PowerShell or Group Policy settings to automatically clean up your unpublished packages after restarting your device.
**Applies to**
- Windows 10, version 1703
## Clean up with PowerShell cmdlets
Previous versions of App-V have required you to manually remove your unpublished packages from your client devices, to free up additional storage space. Windows 10, version 1703 introduces the ability to use PowerShell or Group Policy settings to automatically cleanup your unpublished packages after a device restart.
You can enter PowerShell cmdlets to turn on the **AutoCleanupEnabled** setting, which will automatically clean up your unpublished App-V packages from your App-V client devices.
## Cleanup by using PowerShell commands
Using PowerShell, you can turn on the **AutoCleanupEnabled** setting to automatically cleanup your unpublished App-V packages from your App-V client devices.
### Turn on the AutoCleanupEnabled option
**To turn on the AutoCleanupEnabled option**
1. Open PowerShell as an admin and enter the following cmdlet to turn on the automatic package cleanup functionality:
1. Open PowerShell as an admin and run the following command to turn on the automatic package cleanup functionality:
```ps1
```PowerShell
Set-AppvClientConfiguration -AutoCleanupEnabled 1
```
The command runs and you should see the following info on the PowerShell screen:
<table border="1">
<tr>
<thead>
<th>Name</th>
<th>Value</th>
<th>SetbyGroupPolicy</th>
</thead>
</tr>
<tbody>
<tr>
<td>AutoCleanupEnabled</td>
<td>1</td>
<td>False</td>
</tr>
</tbody>
</table>
After running the cmdlet, you should see the following info on the PowerShell screen:
2. Run the following command to make sure the configuration is ready to automatically cleanup your packages.
|Name|Value|SetbyGroupPolicy|
|---|---|---|
|AutoCleanupEnabled|1|False|
```ps1
1. Run the following cmdlet to check if the configuration has the cleanup setting turned on.
```PowerShell
Get-AppvClientConfiguration
```
You should see the **AutoCleanupEnabled** option turned on (shows a value of "1") in the configuration list.
If the **AutoCleanupEnabled** option shows a value of **1** in the configuration list, that means the setting is turned on.
## Cleanup by using Group Policy settings
Using Group Policy, you can turn on the **Enable automatic cleanup of unused appv packages** setting to automatically cleanup your unpublished App-V packages from your App-V client devices.
## Clean up with Group Policy settings
**To turn on the Enable automatic cleanup of unused appv packages setting**
Using Group Policy, you can turn on the **Enable automatic cleanup of unused App-V packages** setting to automatically clean up your unpublished App-V packages from your App-V client devices.
1. Open your Group Policy editor and double-click the Administrative Templates\System\App-V\PackageManagement\Enable automatic cleanup of unused appv packages setting.
### Turn on the Enable automatic cleanup of unused App-V packages setting
2. Click **Enabled**, and then click **OK**.
1. Open your Group Policy editor and select the **Administrative Templates\System\App-V\PackageManagement\Enable automatic cleanup of unused App-V packages** setting.
After your Group Policy updates, the setting is turned on and will cleanup any unpublished App-V packages on the App-V Client after restarting.
2. Select **Enabled**, then select **OK**.
After your Group Policy updates and you reset the client, the setting will clean up any unpublished App-V packages on the App-V client.
## Have a suggestion for App-V?
Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
## Related topics
### Related topics
- [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit)
- [Download the Microsoft Application Virtualization 5.0 Client UI Application](https://www.microsoft.com/en-us/download/details.aspx?id=41186)
- [Using the App-V Client Management Console](appv-using-the-client-management-console.md)
**Have a suggestion for App-V?**<p>
Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).<br>For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
- [Using the App-V Client Management Console](appv-using-the-client-management-console.md)

221
windows/application-management/app-v/appv-available-mdm-settings.md
View File

@ -6,207 +6,26 @@ ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
ms.prod: w10
ms.date: 04/19/2017
ms.date: 06/15/2018
---
# Available Mobile Device Management (MDM) settings for App-V
With Windows 10, version 1703, you can configure, deploy, and manage your App-V apps by using these Mobile Device Management (MDM) settings. For the full list of available settings, see the [EnterpriseAppVManagement CSP](https://msdn.microsoft.com/en-us/windows/hardware/commercialize/customize/mdm/enterpriseappvmanagement-csp) page.
<table>
<tr>
<th>Policy name</th>
<th>Supported versions</th>
<th>Details</th>
</tr>
<tr>
<td>Name</td>
<td>Windows 10, version 1703</td>
<td>
<ul>
<li><strong>URI full path.</strong> ./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/<em>&lt;enterprise_id&gt;</em>/<em>&lt;package_family_name&gt;</em>/<em>&lt;package_full_name&gt;</em>/Name</li>
<li><strong>Data type.</strong> String</li>
<li><strong>Value.</strong> Read-only data, provided by your App-V packages.</li>
</ul>
</td>
</tr>
<tr>
<td>Version</td>
<td>Windows 10, version 1703</td>
<td>
<ul>
<li><strong>URI full path.</strong> ./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/<em>&lt;enterprise_id&gt;</em>/<em>&lt;package_family_name&gt;</em>/<em>&lt;package_full_name&gt;</em>/Version</li>
<li><strong>Data type.</strong> String</li>
<li><strong>Value.</strong> Read-only data, provided by your App-V packages.</li>
</ul>
</td>
</tr>
<tr>
<td>Publisher</td>
<td>Windows 10, version 1703</td>
<td>
<ul>
<li><strong>URI full path.</strong> ./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/<em>&lt;enterprise_id&gt;</em>/<em>&lt;package_family_name&gt;</em>/<em>&lt;package_full_name&gt;</em>/Publisher</li>
<li><strong>Data type.</strong> String</li>
<li><strong>Value.</strong> Read-only data, provided by your App-V packages.</li>
</ul>
</td>
</tr>
<tr>
<td>InstallLocation</td>
<td>Windows 10, version 1703</td>
<td>
<ul>
<li><strong>URI full path.</strong> ./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/<em>&lt;enterprise_id&gt;</em>/<em>&lt;package_family_name&gt;</em>/<em>&lt;package_full_name&gt;</em>/InstallLocation</li>
<li><strong>Data type.</strong> String</li>
<li><strong>Value.</strong> Read-only data, provided by your App-V packages.</li>
</ul>
</td>
</tr>
<tr>
<td>InstallDate</td>
<td>Windows 10, version 1703</td>
<td>
<ul>
<li><strong>URI full path.</strong> ./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/<em>&lt;enterprise_id&gt;</em>/<em>&lt;package_family_name&gt;</em>/<em>&lt;package_full_name&gt;</em>/InstallDate</li>
<li><strong>Data type.</strong> String</li>
<li><strong>Value.</strong> Read-only data, provided by your App-V packages.</li>
</ul>
</td>
</tr>
<tr>
<td>Users</td>
<td>Windows 10, version 1703</td>
<td>
<ul>
<li><strong>URI full path.</strong> ./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/<em>&lt;enterprise_id&gt;</em>/<em>&lt;package_family_name&gt;</em>/<em>&lt;package_full_name&gt;</em>/Users</li>
<li><strong>Data type.</strong> String</li>
<li><strong>Value.</strong> Read-only data, provided by your App-V packages.</li>
</ul>
</td>
</tr>
<tr>
<td>AppVPackageID</td>
<td>Windows 10, version 1703</td>
<td>
<ul>
<li><strong>URI full path.</strong> ./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/<em>&lt;enterprise_id&gt;</em>/<em>&lt;package_family_name&gt;</em>/<em>&lt;package_full_name&gt;</em>/AppVPackageID</li>
<li><strong>Data type.</strong> String</li>
<li><strong>Value.</strong> Read-only data, provided by your App-V packages.</li>
</ul>
</td>
</tr>
<tr>
<td>AppVVersionID</td>
<td>Windows 10, version 1703</td>
<td>
<ul>
<li><strong>URI full path.</strong> ./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/<em>&lt;enterprise_id&gt;</em>/<em>&lt;package_family_name&gt;</em>/<em>&lt;package_full_name&gt;</em>/AppVVersionID</li>
<li><strong>Data type.</strong> String</li>
<li><strong>Value.</strong> Read-only data, provided by your App-V packages.</li>
</ul>
</td>
</tr>
<tr>
<td>AppVPackageUri</td>
<td>Windows 10, version 1703</td>
<td>
<ul>
<li><strong>URI full path.</strong> ./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/<em>&lt;enterprise_id&gt;</em>/<em>&lt;package_family_name&gt;</em>/<em>&lt;package_full_name&gt;</em>/AppVPackageUri</li>
<li><strong>Data type.</strong> String</li>
<li><strong>Value.</strong> Read-only data, provided by your App-V packages.</li>
</ul>
</td>
</tr>
<tr>
<td>LastError</td>
<td>Windows 10, version 1703</td>
<td>
<ul>
<li><strong>URI full path.</strong> ./Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/LastSync/LastError</li>
<li><strong>Data type.</strong> String</li>
<li><strong>Value.</strong> Read-only data, provided by your App-V client.</li>
</ul>
</td>
</tr>
<tr>
<td>LastErrorDescription</td>
<td>Windows 10, version 1703</td>
<td>
<ul>
<li><strong>URI full path.</strong> ./Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/LastSync/LastErrorDescription</li>
<li><strong>Data type.</strong> String</li>
<li><strong>Values.</strong>
<ul>
<li><strong>0.</strong> No errors returned during publish.</li>
<li><strong>1.</strong> Unpublish groups failed during publish.</li>
<li><strong>2.</strong> Publish no-group packages failed during publish.</li>
<li><strong>3.</strong> Publish group packages failed during publish.</li>
<li><strong>4.</strong> Unpublish packages failed during publish.</li>
<li><strong>5.</strong> New policy write failed during publish.</li>
<li><strong>6.</strong> Multiple non-fatal errors occurred during publish.</li>
</ul>
</li>
</ul>
</td>
</tr>
<tr>
<td>SyncStatusDescription</td>
<td>Windows 10, version 1703</td>
<td>
<ul>
<li><strong>URI full path.</strong> ./Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/LastSync/SyncStatusDescription</li>
<li><strong>Data type.</strong> String</li>
<li><strong>Values.</strong>
<ul>
<li><strong>0.</strong> App-V publishing is idle.</li>
<li><strong>1.</strong> App-V connection groups publish in progress.</li>
<li><strong>2.</strong> App-V packages (non-connection group) publish in progress.</li>
<li><strong>3.</strong> App-V packages (connection group) publish in progress.</li>
<li><strong>4.</strong> App-V packages unpublish in progress.</li>
</ul>
</li>
</ul>
</td>
</tr>
<tr>
<td>SyncProgress</td>
<td>Windows 10, version 1703</td>
<td>
<ul>
<li><strong>URI full path.</strong> ./Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/LastSync/SyncProgress</li>
<li><strong>Data type.</strong> String</li>
<li><strong>Values.</strong>
<ul>
<li><strong>0.</strong> App-V Sync is idle.</li>
<li><strong>1.</strong> App-V Sync is initializing.</li>
<li><strong>2.</strong> App-V Sync is in progress.</li>
<li><strong>3.</strong> App-V Sync is complete.</li>
<li><strong>4.</strong> App-V Sync requires device reboot.</li>
</ul>
</li>
</ul>
</td>
</tr>
<tr>
<td>PublishXML</td>
<td>Windows 10, version 1703</td>
<td>
<ul>
<li><strong>URI full path.</strong> ./Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync/PublishXML</li>
<li><strong>Data type.</strong> String</li>
<li><strong>Value.</strong> Custom value, entered by admin.</li>
</ul>
</td>
</tr>
<tr>
<td>Policy</td>
<td>Windows 10, version 1703</td>
<td>
<ul>
<li><strong>URI full path.</strong> ./Vendor/MSFT/EnterpriseAppVManagement/AppVDynamicPolicy/configurationid/Policy</li>
<li><strong>Data type.</strong> String</li>
<li><strong>Value.</strong> Custom value, entered by admin.</li>
</ul>
</td>
</tr>
</table>
With Windows 10, version 1703, you can configure, deploy, and manage your App-V apps with the following Mobile Device Management (MDM) settings. For the full list of available settings, see the [EnterpriseAppVManagement CSP](https://msdn.microsoft.com/en-us/windows/hardware/commercialize/customize/mdm/enterpriseappvmanagement-csp) page.
|Policy name|Supported versions|URI full path|Data type|Values|
|---|---|---|---|---|
|Name|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPackageManagement/<enterprise_id>/ <package_family_name>/<package_full_name>/Name|String|Read-only data, provided by your App-V packages.|
|Version|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPackageManagement/<enterprise_id>/ <package_family_name>/<package_full_name>/Version|String|Read-only data, provided by your App-V packages.|
|Publisher|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPackageManagement/<enterprise_id>/ <package_family_name>/<package_full_name>/Publisher|String|Read-only data, provided by your App-V packages.|
|InstallLocation|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPackageManagement/<enterprise_id>/ <package_family_name>/<package_full_name>/InstallLocation|String|Read-only data, provided by your App-V packages.|
|InstallDate|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPackageManagement/<enterprise_id>/ <package_family_name>/<package_full_name>/InstallDate|String|Read-only data, provided by your App-V packages.|
|Users|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPackageManagement/<enterprise_id>/ <package_family_name>/<package_full_name>/Users|String|Read-only data, provided by your App-V packages.|
|AppVPackageID|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPackageManagement/<enterprise_id>/ <package_family_name>/<package_full_name>/AppVPackageID|String|Read-only data, provided by your App-V packages.|
|AppVVersionID|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPackageManagement/<enterprise_id>/ <package_family_name>/<package_full_name>/AppVVersionID|String|Read-only data, provided by your App-V packages.|
|AppVPackageUri|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPackageManagement/<enterprise_id>/ <package_family_name>/<package_full_name>/AppVPackageUri|String|Read-only data, provided by your App-V packages.|
|LastError|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/<br>AppVPublishing/LastSync/LastError|String|Read-only data, provided by your App-V packages.|
|LastErrorDescription|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPublishing/LastSync/LastErrorDescription|String|- **0**: No errors returned during publish.<br>- **1**: Unpublish groups failed during publish.<br>- **2**: Publish no-group packages failed during publish.<br>- **3**: Publish group packages failed during publish.<br>- **4**: Unpublish packages failed during publish.<br>- **5**: New policy write failed during publish.<br>- **6**: Multiple non-fatal errors occurred during publish.|
|SyncStatusDescription|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPublishing/LastSync/SyncStatusDescription|String|- **0**: App-V publishing is idle.<br>- **1**: App-V connection groups publish in progress.<br>- **2**: App-V packages (non-connection group) publish in progress.<br>- **3**: App-V packages (connection group) publish in progress.<br>- **4**: App-V packages unpublish in progress.|
|SyncProgress|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPublishing/LastSync/SyncProgress|String|- **0**: App-V Sync is idle.<br>- **1**: App-V Sync is initializing.<br>- **2**: App-V Sync is in progress.<br>- **3**: App-V Sync is complete.<br>- **4**: App-V Sync requires device reboot.|
|PublishXML|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/<br>AppVPublishing/Sync/PublishXML|String|Custom value, entered by admin.|
|Policy|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/<br>AppVDynamicPolicy/configurationid/Policy|String|Custom value, entered by admin.|

57
windows/application-management/app-v/appv-configure-access-to-packages-with-the-management-console.md
View File

@ -1,67 +1,60 @@
---
title: How to Configure Access to Packages by Using the Management Console (Windows 10)
description: How to Configure Access to Packages by Using the Management Console
title: How to configure access to packages by using the Management Console (Windows 10)
description: How to configure access to packages by using the App-V Management Console.
author: MaggiePucciEvans
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
ms.prod: w10
ms.date: 04/19/2017
ms.date: 06/18/2018
---
# How to configure access to packages by using the Management Console
# How to Configure Access to Packages by Using the Management Console
**Applies to**
- Windows 10, version 1607
>Applies to: Windows 10, version 1607
Before you deploy an App-V virtualized package, you must configure the Active Directory Domain Services (AD DS) security groups that will be allowed to access and run the applications. The security groups may contain computers or users. Entitling a package to a computer group publishes the package globally to all computers in the group.
Use the following procedure to configure access to virtualized packages.
**To grant access to an App-V package**
## Grant access to an App-V package
1. Find the package you want to configure:
1. Find the package you want to configure:
1. Open the App-V Management console.
1. Open the App-V Management console.
2. To display the **AD ACCESS** page, right-click the package to be configured, and select **Edit active directory access**. Alternatively, select the package and click **EDIT** in the **AD ACCESS** pane.
1. Right-click the package to be configured, then select **Edit active directory access** to display the **AD Access** page. Alternatively, select the package and select **Edit** in the **AD Access** pane.
2. Provision a security group for the package:
2. Provision a security group for the package:
1. Go to the **FIND VALID ACTIVE DIRECTORY NAMES AND GRANT ACCESS** page.
1. Go to the **Find valid Active Directory names and grant access** page.
2. Using the format **mydomain** \\ **groupname**, type the name or part of the name of an Active Directory group object, and click **Check**.
1. Using the format **mydomain** \\ **groupname**, enter the name or part of the name of an Active Directory group object, then select **Check**.
**Note**  
Ensure that you provide an associated domain name for the group that you are searching for.
>[!NOTE]  
>Ensure that you provide an associated domain name for the group that you are searching for.
 
3. Grant access to the package by first selecting the desired group, then selecting **Grant Access**. The newly added group is displayed in the **AD entities with access** pane.
3. To grant access to the package, select the desired group and click **Grant Access**. The newly added group is displayed in the **AD ENTITIES WITH ACCESS** pane.
4. Select **Close** to accept the default configuration settings and close the AD Access page.
4.
To customize configurations for a specific group, select the **Assigned configurations** drop-down menu, then select **Custom**. To make changes to your custom configurations, select **Edit**. After you grant access, select **Close**.
To accept the default configuration settings and close the **AD ACCESS** page, click **Close**.
## Remove access to an App-V package
To customize configurations for a specific group, click the **ASSIGNED CONFIGURATIONS** drop-down and select **Custom**. To configure the custom configurations, click **EDIT**. After you grant access, click **Close**.
1. Find the package you want to configure:
**To remove access to an App-V package**
1. Open the App-V Management console.
1. Find the package you want to configure:
1. To display the **AD Access** page, right-click the package to be configured, then select **Edit active directory access**. Alternatively, select the package, then select **Edit** in the **AD Access** pane.
1. Open the App-V Management console.
2. Select the group you want to remove, then select **Delete**.
2. To display the **AD ACCESS** page, right-click the package to be configured, and select **Edit active directory access**. Alternatively, select the package and click **EDIT** in the **AD ACCESS** pane.
2. Select the group you want to remove, and click **DELETE**.
3. To close the **AD ACCESS** page, click **Close**.
3. Select **Close**.
## Have a suggestion for App-V?
Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).<br>For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
## Related topics
[Operations for App-V](appv-operations.md)
* [Operations for App-V](appv-operations.md)

59
windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md
View File

@ -1,64 +1,65 @@
---
title: How to Make a Connection Group Ignore the Package Version (Windows 10)
description: How to Make a Connection Group Ignore the Package Version
title: How to make a connection group ignore the package version (Windows 10)
description: How to make a connection group ignore the package version.
author: MaggiePucciEvans
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
ms.prod: w10
ms.date: 04/19/2017
ms.date: 06/18/2018
---
# How to make a connection group ignore the package version
> Applies to: Windows 10, version 1607
# How to Make a Connection Group Ignore the Package Version
You can use Application Virtualization (App-V) to configure a connection group to use any version of a package, simplifying package upgrades and reducing the number of connection groups you need to create.
**Applies to**
- Windows 10, version 1607
You can also configure a connection group to accept any version of a package, so that you can upgrade the package without having to disable the connection group.
Application Virtualization (App-V) lets you configure a connection group to use any version of a package, which simplifies package upgrades and reduces the number of connection groups you need to create.
- If the connection group has access to multiple versions of a package, App-V will use the latest version.
You can configure a connection group to accept any version of a package, which enables you to upgrade the package without having to disable the connection group:
- If the connection group contains an optional package with an incorrect version, App-V ignores the package and wont block the connection groups virtual environment from being created.
- If the connection group has access to multiple versions of a package, the latest version is used.
- If the connection group contains a non-optional package that has an incorrect version, App-V won't be able to create the connection groups virtual environment.
- If the connection group contains an optional package that has an incorrect version, the package is ignored and wont block the connection groups virtual environment from being created.
## Make a connection group ignore the package version with the App-V Server Management Console
- If the connection group contains a non-optional package that has an incorrect version, the connection groups virtual environment cannot be created.
## To make a connection group ignore the package version by using the App-V Server Management Console
1. In the Management Console, select **CONNECTION GROUPS**.
1. In the Management Console, select **Connection Groups**.
2. Select the correct connection group from the Connection Groups library.
3. Click **EDIT** in the CONNECTED PACKAGES pane.
3. Select **Edit** in the Connected Packages pane.
4. Select **Use Any Version** check box next to the package name, and click **Apply**.
4. Select the **Use Any Version** check box next to the package name, then select **Apply**.
For more about adding or upgrading packages, see [How to Add or Upgrade Packages by Using the Management Console](appv-add-or-upgrade-packages-with-the-management-console.md).
For more about adding or upgrading packages, see [How to add or upgrade packages by using the Management Console](appv-add-or-upgrade-packages-with-the-management-console.md).
## To make a connection group ignore the package version from the App-V client on a stand-alone computer
## Make a connection group ignore the package version from the App-V client on a stand-alone computer
1. Create the connection group XML document.
2. For the package to be upgraded, set the **Package** tag attribute **VersionID** to an asterisk (<strong>*</strong>).
2. Set the **Package** tag attribute **VersionID** to an asterisk (<strong>*</strong>) to upgrade the package.
3. Use the following cmdlet to add the connection group, and include the path to the connection group XML document:
3. Enter the following cmdlet (including the path to the connection group XML document) to add the connection group:
```PowerShell
Add-AppvClientConnectionGroup
```
For more information about how to use the **Add-AppvClientConnectionGroup** cmdlet, see [**Add-AppvClientConnectionGroup**](https://docs.microsoft.com/en-us/powershell/module/appvclient/add-appvclientconnectiongroup?view=win10-ps).
`Add-AppvClientConnectionGroup`
4. When you upgrade a package, use the following cmdlets to remove the old package, add the upgraded package, and publish the upgraded package:
- RemoveAppvClientPackage
- Add-AppvClientPackage
- Publish-AppvClientPackage
- [**Remove-AppvClientPackage**](https://docs.microsoft.com/en-us/powershell/module/appvclient/remove-appvclientpackage?view=win10-ps)
- [**Add-AppvClientPackage**](https://docs.microsoft.com/en-us/powershell/module/appvclient/add-appvclientpackage?view=win10-ps)
- [**Publish-AppvClientPackage**](https://docs.microsoft.com/en-us/powershell/module/appvclient/publish-appvclientpackage?view=win10-ps)
For more information, see [How to Manage App-V Packages Running on a Stand-Alone Computer by Using Windows PowerShell](appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md).
For more information, see [How to manage App-V packages running on a stand-alone computer by using Windows PowerShell](appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md).
## Have a suggestion for App-V?
Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).<br>For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
## Related topics
[Managing Connection Groups](appv-managing-connection-groups.md)
- [Managing connection groups](appv-managing-connection-groups.md)

16
windows/client-management/mdm/policy-configuration-service-provider.md
View File

@ -2048,12 +2048,18 @@ The following diagram shows the Policy configuration service provider in tree fo
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-smartcardremovalbehavior" id="localpoliciessecurityoptions-interactivelogon-smartcardremovalbehavior">LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior</a>
</dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkclient-digitallysigncommunicationsalways" id="localpoliciessecurityoptions-microsoftnetworkclient-digitallysigncommunicationsalways">LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsAlways</a>
</dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkclient-digitallysigncommunicationsifserveragrees" id="localpoliciessecurityoptions-microsoftnetworkclient-digitallysigncommunicationsifserveragrees">LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees</a>
</dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkclient-sendunencryptedpasswordtothirdpartysmbservers" id="localpoliciessecurityoptions-microsoftnetworkclient-sendunencryptedpasswordtothirdpartysmbservers">LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers</a>
</dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkserver-amountofidletimerequiredbeforesuspendingsession" id="localpoliciessecurityoptions-microsoftnetworkserver-amountofidletimerequiredbeforesuspendingsession">LocalPoliciesSecurityOptions/MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession</a>
</dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkserver-digitallysigncommunicationsalways" id="localpoliciessecurityoptions-microsoftnetworkserver-digitallysigncommunicationsalways">LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways</a>
</dd>
@ -2075,6 +2081,9 @@ The following diagram shows the Policy configuration service provider in tree fo
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networkaccess-restrictclientsallowedtomakeremotecallstosam" id="localpoliciessecurityoptions-networkaccess-restrictclientsallowedtomakeremotecallstosam">LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM</a>
</dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-allowlocalsystemtousecomputeridentityforntlm" id="localpoliciessecurityoptions-networksecurity-allowlocalsystemtousecomputeridentityforntlm">LocalPoliciesSecurityOptions/NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM</a>
</dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-allowpku2uauthenticationrequests" id="localpoliciessecurityoptions-networksecurity-allowpku2uauthenticationrequests">LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests</a>
</dd>
@ -2084,6 +2093,9 @@ The following diagram shows the Policy configuration service provider in tree fo
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-lanmanagerauthenticationlevel" id="localpoliciessecurityoptions-networksecurity-lanmanagerauthenticationlevel">LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel</a>
</dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-minimumsessionsecurityforntlmsspbasedclients" id="localpoliciessecurityoptions-networksecurity-minimumsessionsecurityforntlmsspbasedclients">LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients</a>
</dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-minimumsessionsecurityforntlmsspbasedservers" id="localpoliciessecurityoptions-networksecurity-minimumsessionsecurityforntlmsspbasedservers">LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers</a>
</dd>
@ -4407,17 +4419,21 @@ The following diagram shows the Policy configuration service provider in tree fo
- [LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-messagetextforusersattemptingtologon)
- [LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-messagetitleforusersattemptingtologon)
- [LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-smartcardremovalbehavior)
- [LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsAlways](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkclient-digitallysigncommunicationsalways)
- [LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkclient-digitallysigncommunicationsifserveragrees)
- [LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkclient-sendunencryptedpasswordtothirdpartysmbservers)
- [LocalPoliciesSecurityOptions/MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkserver-amountofidletimerequiredbeforesuspendingsession)
- [LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkserver-digitallysigncommunicationsalways)
- [LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkserver-digitallysigncommunicationsifclientagrees)
- [LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networkaccess-donotallowanonymousenumerationofsamaccounts)
- [LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networkaccess-donotallowanonymousenumerationofsamaccountsandshares)
- [LocalPoliciesSecurityOptions/NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networkaccess-restrictanonymousaccesstonamedpipesandshares)
- [LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networkaccess-restrictclientsallowedtomakeremotecallstosam)
- [LocalPoliciesSecurityOptions/NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-allowlocalsystemtousecomputeridentityforntlm)
- [LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-allowpku2uauthenticationrequests)
- [LocalPoliciesSecurityOptions/NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-donotstorelanmanagerhashvalueonnextpasswordchange)
- [LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-lanmanagerauthenticationlevel)
- [LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-minimumsessionsecurityforntlmsspbasedclients)
- [LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-minimumsessionsecurityforntlmsspbasedservers)
- [LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AddRemoteServerExceptionsForNTLMAuthentication](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-restrictntlm-addremoteserverexceptionsforntlmauthentication)
- [LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AuditIncomingNTLMTraffic](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-restrictntlm-auditincomingntlmtraffic)

6
windows/client-management/mdm/policy-csp-bluetooth.md
View File

@ -236,14 +236,14 @@ The following list shows the supported values:
<!--/Scope-->
<!--Description-->
Added in Windows 10, version 1803. This policy allows the IT admin to block users on these managed devices from using Quick Pair and other proximity based scenarios.
Added in Windows 10, version 1803. This policy allows the IT admin to block users on these managed devices from using Swift Pair and other proximity based scenarios.
<!--/Description-->
<!--SupportedValues-->
The following list shows the supported values:
- 0 - Disallow. Block users on these managed devices from using Quick Pair and other proximity based scenarios
- 1 - Allow. Allow users on these managed devices to use Quick Pair and other proximity based scenarios
- 0 - Disallow. Block users on these managed devices from using Swift Pair and other proximity based scenarios
- 1 - Allow. Allow users on these managed devices to use Swift Pair and other proximity based scenarios
<!--/SupportedValues-->
<!--/Policy-->

365
windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
View File

@ -6,11 +6,14 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
ms.date: 04/06/2018
ms.date: 06/05/2018
---
# Policy CSP - LocalPoliciesSecurityOptions
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<hr/>
@ -81,12 +84,18 @@ ms.date: 04/06/2018
<dd>
<a href="#localpoliciessecurityoptions-interactivelogon-smartcardremovalbehavior">LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior</a>
</dd>
<dd>
<a href="#localpoliciessecurityoptions-microsoftnetworkclient-digitallysigncommunicationsalways">LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsAlways</a>
</dd>
<dd>
<a href="#localpoliciessecurityoptions-microsoftnetworkclient-digitallysigncommunicationsifserveragrees">LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees</a>
</dd>
<dd>
<a href="#localpoliciessecurityoptions-microsoftnetworkclient-sendunencryptedpasswordtothirdpartysmbservers">LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers</a>
</dd>
<dd>
<a href="#localpoliciessecurityoptions-microsoftnetworkserver-amountofidletimerequiredbeforesuspendingsession">LocalPoliciesSecurityOptions/MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession</a>
</dd>
<dd>
<a href="#localpoliciessecurityoptions-microsoftnetworkserver-digitallysigncommunicationsalways">LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways</a>
</dd>
@ -108,6 +117,9 @@ ms.date: 04/06/2018
<dd>
<a href="#localpoliciessecurityoptions-networkaccess-restrictclientsallowedtomakeremotecallstosam">LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM</a>
</dd>
<dd>
<a href="#localpoliciessecurityoptions-networksecurity-allowlocalsystemtousecomputeridentityforntlm">LocalPoliciesSecurityOptions/NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM</a>
</dd>
<dd>
<a href="#localpoliciessecurityoptions-networksecurity-allowpku2uauthenticationrequests">LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests</a>
</dd>
@ -117,6 +129,9 @@ ms.date: 04/06/2018
<dd>
<a href="#localpoliciessecurityoptions-networksecurity-lanmanagerauthenticationlevel">LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel</a>
</dd>
<dd>
<a href="#localpoliciessecurityoptions-networksecurity-minimumsessionsecurityforntlmsspbasedclients">LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients</a>
</dd>
<dd>
<a href="#localpoliciessecurityoptions-networksecurity-minimumsessionsecurityforntlmsspbasedservers">LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers</a>
</dd>
@ -838,15 +853,6 @@ GP Info:
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
<!--/RegistryMapped-->
<!--SupportedValues-->
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
@ -914,15 +920,6 @@ GP Info:
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
<!--/RegistryMapped-->
<!--SupportedValues-->
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
@ -985,15 +982,6 @@ GP Info:
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
<!--/RegistryMapped-->
<!--SupportedValues-->
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
@ -1495,6 +1483,83 @@ GP Info:
<hr/>
<!--Policy-->
<a href="" id="localpoliciessecurityoptions-microsoftnetworkclient-digitallysigncommunicationsalways"></a>**LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsAlways**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td></td>
<td></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Microsoft network client: Digitally sign communications (always)
This security setting determines whether packet signing is required by the SMB client component.
The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB server is permitted.
If this setting is enabled, the Microsoft network client will not communicate with a Microsoft network server unless that server agrees to perform SMB packet signing. If this policy is disabled, SMB packet signing is negotiated between the client and server.
Default: Disabled.
Notes
All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later operating systems, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings:
Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing.
Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled.
Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing.
Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled.
SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors.
For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136.
<!--/Description-->
<!--RegistryMapped-->
GP Info:
- GP English name: *Microsoft network client: Digitally sign communications (always)*
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
<!--/RegistryMapped-->
<!--SupportedValues-->
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="localpoliciessecurityoptions-microsoftnetworkclient-digitallysigncommunicationsifserveragrees"></a>**LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees**
@ -1618,6 +1683,72 @@ GP Info:
<hr/>
<!--Policy-->
<a href="" id="localpoliciessecurityoptions-microsoftnetworkserver-amountofidletimerequiredbeforesuspendingsession"></a>**LocalPoliciesSecurityOptions/MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td></td>
<td></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Microsoft network server: Amount of idle time required before suspending a session
This security setting determines the amount of continuous idle time that must pass in a Server Message Block (SMB) session before the session is suspended due to inactivity.
Administrators can use this policy to control when a computer suspends an inactive SMB session. If client activity resumes, the session is automatically reestablished.
For this policy setting, a value of 0 means to disconnect an idle session as quickly as is reasonably possible. The maximum value is 99999, which is 208 days; in effect, this value disables the policy.
Default:This policy is not defined, which means that the system treats it as 15 minutes for servers and undefined for workstations.
<!--/Description-->
<!--RegistryMapped-->
GP Info:
- GP English name: *Microsoft network server: Amount of idle time required before suspending session*
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
<!--/RegistryMapped-->
<!--SupportedValues-->
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="localpoliciessecurityoptions-microsoftnetworkserver-digitallysigncommunicationsalways"></a>**LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways**
@ -2051,6 +2182,78 @@ GP Info:
<hr/>
<!--Policy-->
<a href="" id="localpoliciessecurityoptions-networksecurity-allowlocalsystemtousecomputeridentityforntlm"></a>**LocalPoliciesSecurityOptions/NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td></td>
<td></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Network security: Allow Local System to use computer identity for NTLM
This policy setting allows Local System services that use Negotiate to use the computer identity when reverting to NTLM authentication.
If you enable this policy setting, services running as Local System that use Negotiate will use the computer identity. This might cause some authentication requests between Windows operating systems to fail and log an error.
If you disable this policy setting, services running as Local System that use Negotiate when reverting to NTLM authentication will authenticate anonymously.
By default, this policy is enabled on Windows 7 and above.
By default, this policy is disabled on Windows Vista.
This policy is supported on at least Windows Vista or Windows Server 2008.
Note: Windows Vista or Windows Server 2008 do not expose this setting in Group Policy.
<!--/Description-->
<!--RegistryMapped-->
GP Info:
- GP English name: *Network security: Allow Local System to use computer identity for NTLM*
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
<!--/RegistryMapped-->
<!--SupportedValues-->
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="localpoliciessecurityoptions-networksecurity-allowpku2uauthenticationrequests"></a>**LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests**
@ -2246,6 +2449,75 @@ GP Info:
<hr/>
<!--Policy-->
<a href="" id="localpoliciessecurityoptions-networksecurity-minimumsessionsecurityforntlmsspbasedclients"></a>**LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td></td>
<td></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
This security setting allows a client to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are:
Require NTLMv2 session security: The connection will fail if NTLMv2 protocol is not negotiated.
Require 128-bit encryption: The connection will fail if strong encryption (128-bit) is not negotiated.
Default:
Windows XP, Windows Vista, Windows 2000 Server, Windows Server 2003, and Windows Server 2008: No requirements.
Windows 7 and Windows Server 2008 R2: Require 128-bit encryption
<!--/Description-->
<!--RegistryMapped-->
GP Info:
- GP English name: *Network security: Minimum session security for NTLM SSP based (including secure RPC) clients*
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
<!--/RegistryMapped-->
<!--SupportedValues-->
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="localpoliciessecurityoptions-networksecurity-minimumsessionsecurityforntlmsspbasedservers"></a>**LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers**
@ -2359,15 +2631,6 @@ GP Info:
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
<!--/RegistryMapped-->
<!--SupportedValues-->
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
@ -2429,15 +2692,6 @@ GP Info:
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
<!--/RegistryMapped-->
<!--SupportedValues-->
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
@ -2499,15 +2753,6 @@ GP Info:
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
<!--/RegistryMapped-->
<!--SupportedValues-->
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
@ -2569,15 +2814,6 @@ GP Info:
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
<!--/RegistryMapped-->
<!--SupportedValues-->
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
@ -3406,6 +3642,7 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
- 5 - Added in the next major release of Windows 10.
<!--/Policies-->

197
windows/client-management/mdm/supl-ddf-file.md
View File

@ -171,7 +171,7 @@ The XML below is the current version for this CSP.
</DFProperties>
</Node>
<Node>
<NodeName>MCCMNPairs</NodeName>
<NodeName>MCCMNCPairs</NodeName>
<DFProperties>
<AccessType>
<Get />
@ -477,7 +477,202 @@ The XML below is the current version for this CSP.
<DDFName></DDFName>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>RootCertificate4</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Specifies the root certificate for the H-SLP server.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Name</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<Description>Specifies the name of the H-SLP root certificate as a string, in the format name.cer.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Data</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<Description>The base 64 encoded blob of the H-SLP root certificate.</Description>
<DFFormat>
<b64 />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>RootCertificate5</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Specifies the root certificate for the H-SLP server.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Name</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<Description>Specifies the name of the H-SLP root certificate as a string, in the format name.cer.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Data</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<Description>The base 64 encoded blob of the H-SLP root certificate.</Description>
<DFFormat>
<b64 />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>RootCertificate6</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Specifies the root certificate for the H-SLP server.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Name</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<Description>Specifies the name of the H-SLP root certificate as a string, in the format name.cer.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Data</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<Description>The base 64 encoded blob of the H-SLP root certificate.</Description>
<DFFormat>
<b64 />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</Node>

4
windows/configuration/customize-and-export-start-layout.md
View File

@ -91,9 +91,9 @@ When you have the Start layout that you want your users to see, use the [Export-
**To export the Start layout to an .xml file**
1. Right Click Start, select **Windows PowerShell (Admin)**.
1. While signed in with the same account that you used to customize Start, right-click Start, and select **Windows PowerShell**.
2. At the Administrator: Windows PowerShell command prompt, enter the following command:
2. At the Windows PowerShell command prompt, enter the following command:
`Export-StartLayout path <path><file name>.xml `

5
windows/configuration/lock-down-windows-10-to-specific-apps.md
View File

@ -52,7 +52,7 @@ You can configure multi-app kiosks using [Microsoft Intune](#intune) or a [provi
12. Enter a friendly name for the configuration.
10. In **Kiosk Mode**, select **Multi app kiosk**.
13. Select an app type.
- For **Add Win32 app**, enter the **App Name** and **Identifier**.
- For **Add Win32 app**, enter a friendly name for the app in **App Name**, and enter the path to the app executable in **Identifier**.
- For **Add managed apps**, select an app that you manage through Intune.
- For **Add app by AUMID**, enter the Application User Model ID (AUMID) for an installed UWP app.
14. Select whether to enable the taskbar.
@ -61,7 +61,8 @@ You can configure multi-app kiosks using [Microsoft Intune](#intune) or a [provi
17. Select **OK**. You can add additional configurations or finish.
18. Assign the profile to a device group to configure the devices in that group as kiosks.
>[!NOTE]
>Managed apps are apps that are in the Microsoft Store for Business that is synced with your Intune subscription.

4
windows/configuration/setup-kiosk-digital-signage.md
View File

@ -270,7 +270,9 @@ The following steps explain how to configure a kiosk in Microsoft Intune. For ot
7. Select **Windows 10 and later** for the platform.
8. Select **Kiosk (Preview)** for the profile type.
9. Enter a friendly name for the kiosk configuration.
10. In **Kiosk Mode**, select **Single full-screen app kiosk**.
10. Select **Kiosk - 1 setting available**.
10. Select **Add** to add a kiosk configuration.
10. Enter a friendly name for the kiosk configuration, and then in **Kiosk Mode**, select **Single full-screen app kiosk**.
10. Select either **Select a managed app** to choose a kiosk app that is managed by Intune, or **Enter UWP app AUMID** to specify the kiosk app by AUMID, and then select the app or enter the AUMID as appropriate.
1. For the user account, select either **Autologon** to create a user account for the kiosk that will sign in automatically, or **Local user account** to configure an existing user account to run the kiosk. **Local user account** can be a local standard user account on the device or an Azure Active Directory account.
14. Select **OK**, and then select **Create**.

2
windows/configuration/windows-10-start-layout-options-and-policies.md
View File

@ -30,6 +30,8 @@ Organizations might want to deploy a customized Start and taskbar configuration
>Start and taskbar configuration can be applied to devices running Windows 10 Pro, version 1703.
>
>Using the layout modification XML to configure Start is not supported with roaming user profiles. For more information, see [Deploy Roaming User Profiles](https://technet.microsoft.com/library/jj649079.aspx).
>
>Using CopyProfile for Start menu customization in Windows 10 isn't supported. For more information [Customize the Default User Profile by Using CopyProfile](https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/customize-the-default-user-profile-by-using-copyprofile)

13
windows/deployment/update/device-health-get-started.md
View File

@ -5,7 +5,7 @@ keywords: Device Health, oms, operations management suite, prerequisites, requir
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.date: 03/20/2018
ms.date: 06/12/2018
ms.pagetype: deploy
author: jaimeo
ms.author: jaimeo
@ -24,13 +24,16 @@ Steps are provided in sections that follow the recommended setup process:
## Add Device Health to Microsoft Operations Management Suite
## Add Device Health to Microsoft Operations Management Suite or Azure Log Analytics
Device Health is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud-based servicing for monitoring and automating your on-premise and cloud environments. For more information about OMS, see [Operations Management Suite overview](https://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/).
Device Health is offered as a solution in the Microsoft Operations Management Suite (OMS) and Azure Log Analytics, a collection of cloud-based servicing for monitoring and automating your on-premise and cloud environments. For more information about OMS, see [Operations Management Suite overview](https://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/) or the Azure [Log Analytics overview](https://azure.microsoft.com/services/log-analytics/).
**If you are already using Windows Analytics**, you should use the same Azure Log Analytics workspace you're already using. find Device Health in the Solutions Gallery. Select the **Device Health** tile in the gallery and then click **Add** on the solution's details page. Device Health is now visible in your workspace. While you're in the Solutions Gallery, you should consider installing the [Upgrade Readiness](../upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md) and [Update Compliance](update-compliance-monitor.md) solutions as well, if you haven't already.
**If you are already using Windows Analytics**, you should use the same Azure Log Analytics workspace you're already using. Find Device Health in the Solutions Gallery. Select the **Device Health** tile in the gallery and then click **Add** on the solution's details page. Device Health is now visible in your workspace. While you're in the Solutions Gallery, you should consider installing the [Upgrade Readiness](../upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md) and [Update Compliance](update-compliance-monitor.md) solutions as well, if you haven't already.
**If you are not yet using Windows Analytics or Azure Log Analytics**, use the following steps to subscribe:
>[!NOTE]
>If you are already using OMS, you can also follow [this link](https://portal.mms.microsoft.com/#Workspace/ipgallery/details/details/index?IPId=DeviceHealthProd) to go directly to the Device Health solution and add it to your workspace.
**If you are not yet using Windows Analytics or Azure Log Analytics**, follow these steps to subscribe:
1. Go to [Operations Management Suite](https://www.microsoft.com/en-us/cloud-platform/operations-management-suite) on Microsoft.com and click **Sign in**.
[![Operations Management Suite bar with sign-in button](images/uc-02a.png)](images/uc-02.png)

8
windows/deployment/update/update-compliance-get-started.md
View File

@ -23,12 +23,16 @@ Steps are provided in sections that follow the recommended setup process:
## Add Update Compliance to Microsoft Operations Management Suite
## Add Update Compliance to Microsoft Operations Management Suite or Azure Log Analytics
Update Compliance is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud-based servicing for monitoring and automating your on-premise and cloud environments. For more information about OMS, see [Operations Management Suite overview](https://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/).
Update Compliance is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud-based servicing for monitoring and automating your on-premise and cloud environments. For more information about OMS, see [Operations Management Suite overview](https://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/) or the Azure [Log Analytics overview](https://azure.microsoft.com/services/log-analytics/).
If you are already using OMS, skip to step **6** to add Update Compliance to your workspace.
>[!NOTE]
>If you are already using OMS, you can also follow [this link](https://portal.mms.microsoft.com/#Workspace/ipgallery/details/details/index?IPId=WaaSUpdateInsights) to go directly to the Update Compliance solution and add it to your workspace.
If you are not yet using OMS, use the following steps to subscribe to OMS Update Compliance:
1. Go to [Operations Management Suite](https://www.microsoft.com/en-us/cloud-platform/operations-management-suite) on Microsoft.com and click **Sign in**.

2
windows/deployment/upgrade/upgrade-readiness-deployment-script.md
View File

@ -229,7 +229,7 @@ The deployment script displays the following exit codes to let you know if it wa
</tr>
<tr>
<td>32 - Appraiser version on the machine is outdated. </td>
<td>The configuration script detected a version of the compatibility update module that is older than the minimum required to correctly collect the data required by Upgrade Readiness solution. Use the latest version of the [compatibility update](https://technet.microsoft.com/en-us/itpro/windows/deploy/upgrade-readiness-get-started#deploy-the-compatibility-update-and-related-kbs) for Windows 7 SP1/Windows 8.1.</td>
<td>The configuration script detected a version of the compatibility update module that is older than the minimum required to correctly collect the data required by Upgrade Readiness solution. Use the latest version of the [compatibility update](https://docs.microsoft.com/en-us/windows/deployment/update/windows-analytics-get-started#deploy-the-compatibility-update-and-related-updates) for Windows 7 SP1/Windows 8.1.</td>
</tr>
<tr>
<td>33 - **CompatTelRunner.exe** exited with an exit code </td>

15
windows/deployment/upgrade/upgrade-readiness-get-started.md
View File

@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: deploy
author: jaimeo
ms.author: jaimeo
ms.date: 03/20/2018
ms.date: 06/12/2018
ms.localizationpriority: high
---
@ -35,7 +35,7 @@ When you are ready to begin using Upgrade Readiness, perform the following steps
To enable system, application, and driver data to be shared with Microsoft, you must configure user computers to send data. For information about what diagnostic data Microsoft collects and how that data is used and protected by Microsoft, see the following topics, refer to [Frequently asked questions and troubleshooting Windows Analytics](https://docs.microsoft.com/windows/deployment/update/windows-analytics-FAQ-troubleshooting), which discusses the issues and provides links to still more detailed information.
## Add Upgrade Readiness to Operations Management Suite
## Add Upgrade Readiness to Operations Management Suite or Azure Log Analytics
Upgrade Readiness is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud based services for managing your on-premises and cloud environments. For more information about OMS, see [Operations Management Suite overview](http://azure.microsoft.com/documentation/articles/operations-management-suite-overview/).
@ -44,11 +44,14 @@ Upgrade Readiness is offered as a solution in the Microsoft Operations Managemen
If you are already using OMS, youll find Upgrade Readiness in the Solutions Gallery. Select the **Upgrade Readiness** tile in the gallery and then click **Add** on the solution's details page. Upgrade Readiness is now visible in your workspace. While you have this dialog open, you should also consider adding the [Device Health](../update/device-health-monitor.md) and [Update Compliance](../update/update-compliance-monitor.md) solutions as well, if you haven't already. To do so, just select the check boxes for those solutions.
If you are not using OMS:
>[!NOTE]
>If you are already using OMS, you can also follow [this link](https://portal.mms.microsoft.com/#Workspace/ipgallery/details/details/index?IPId=CompatibilityAssessment) to go directly to the Upgrade Readiness solution and add it to your workspace.
1. Go to the [Upgrade Readiness page on Microsoft.com](https://go.microsoft.com/fwlink/?LinkID=799190&clcid=0x409) and select **New Customers >** to start the process.
2. Sign in to Operations Management Suite (OMS). You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory (Azure AD), use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS.
3. Create a new OMS workspace. Enter a name for the workspace, select the workspace region, and provide the email address that you want associated with this workspace. Select **Create**.
If you are not using OMS or Azure Log Analytics:
1. Go to [Log Analytics](https://azure.microsoft.com/services/log-analytics/) on Microsoft.com and select **Start free** to start the setup process. During the process, youll create a workspace and add the Upgrade Readiness solution to it.
2. Sign in to Operations Management Suite (OMS) or Azure Log Analytics. You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory (Azure AD), use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS.
3. Create a new workspace. Enter a name for the workspace, select the workspace region, and provide the email address that you want associated with this workspace. Select **Create**.
4. If your organization already has an Azure subscription, you can link it to your workspace. Note that you may need to request access from your organizations Azure administrator.
> If your organization does not have an Azure subscription, create a new one or select the default OMS Azure subscription from the list. Your workspace opens.

17
windows/deployment/upgrade/upgrade-readiness-requirements.md
View File

@ -5,7 +5,7 @@ keywords: windows analytics, oms, operations management suite, prerequisites, re
ms.prod: w10
author: jaimeo
ms.author:
ms.date: 03/15/2018
ms.date: 06/12/2018
ms.localizationpriority: high
---
@ -21,7 +21,7 @@ To perform an in-place upgrade, user computers must be running the latest versio
The compatibility update that sends diagnostic data from user computers to Microsoft data centers works with Windows 7 SP1 and Windows 8.1 only. Upgrade Readiness cannot evaluate Windows XP or Windows Vista for upgrade eligibility.
<!--With Windows 10, edition 1607, the compatibility update KB is installed automatically.-->
<!--With Windows 10, edition 1607, the compatibility update is installed automatically.-->
If you need to update user computers to Windows 7 SP1 or Windows 8.1, use Windows Update or download and deploy the applicable package from the Microsoft Download Center.
@ -32,19 +32,20 @@ See [Windows 10 Specifications](http://www.microsoft.com/en-US/windows/windows-1
### Windows 10
Keeping Windows 10 up to date involves deploying a feature update, and Upgrade Readiness tools help you prepare and plan for these Windows updates.
The latest cumulative updates must be installed on Windows 10 computers to make sure that the required compatibility updates are installed. You can find the latest cumulative update on the [Microsoft Update Catalog](https://catalog.update.microsoft.com).
The latest cumulative updates must be installed on Windows 10 computers to make sure that the required compatibility updates are installed. You can find the latest cumulative update on the [Microsoft Update Catalog](https://catalog.update.microsoft.com).
While Upgrade Readiness can be used to assist with updating devices from Windows 10 Long-Term Servicing Channel (LTSC) to Windows 10 Semi-Annual Channel, Upgrade Readiness does not support updates to Windows 10 LTSC. The Long-Term Servicing Channel of Windows 10 is not intended for general deployment, and does not receive feature updates, therefore it is not a supported target with Upgrade Readiness. See [Windows as a service overview](../update/waas-overview.md#long-term-servicing-channel) to understand more about LTSC.
## Operations Management Suite
## Operations Management Suite or Azure Log Analytics
Upgrade Readiness is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud based services for managing on premise and cloud computing environments. For more information about OMS, see [Operations Management Suite overview](http://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/).
Upgrade Readiness is offered as a solution in Microsoft Operations Management Suite (OMS) and Azure Log Analytics, a collection of cloud based services for managing on premise and cloud computing environments. For more information about OMS, see [Operations Management Suite overview](http://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/) or the Azure [Log Analytics overview](https://azure.microsoft.com/services/log-analytics/).
If youre already using OMS, youll find Upgrade Readiness in the Solutions Gallery. Click the Upgrade Readiness tile in the gallery and then click Add on the solutions details page. Upgrade Readiness is now visible in your workspace.
If youre already using OMS or Azure Log Analytics, youll find Upgrade Readiness in the Solutions Gallery. Click the **Upgrade Readiness** tile in the gallery and then click **Add** on the solutions details page. Upgrade Readiness is now visible in your workspace. You can also
If you are not using OMS, go to the [Upgrade Readiness page](https://www.microsoft.com/en-us/windowsforbusiness/simplified-updates) on Microsoft.com and select **Sign up** to kick off the OMS onboarding process. During the onboarding process, youll create an OMS workspace and add the Upgrade Readiness solution to it.
If you are not using OMS or Azure Log Analytics, go to [Log Analytics](https://azure.microsoft.com/services/log-analytics/) on Microsoft.com and select **Start free** to start the setup process. During the process, youll create a workspace and add the Upgrade Readiness solution to it.
Important: You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory, use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS. You also need an Azure subscription to link to your OMS workspace. The account you used to create the workspace must have administrator permissions on the Azure subscription in order to link the workspace to the Azure account. Once the link has been established, you can revoke the administrator permissions.
>[!IMPORTANT]
>You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory, use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS. You also need an Azure subscription to link to your OMS workspace. The account you used to create the workspace must have administrator permissions on the Azure subscription in order to link the workspace to the Azure account. Once the link has been established, you can revoke the administrator permissions.
## System Center Configuration Manager integration

6
windows/deployment/upgrade/windows-10-downgrade-paths.md
View File

@ -7,7 +7,7 @@ ms.sitesec: library
ms.localizationpriority: high
ms.pagetype: mobile
author: greg-lindsay
ms.date: 06/07/2018
ms.date: 06/15/2018
---
# Windows 10 downgrade paths
@ -77,9 +77,9 @@ Downgrading from any edition of Windows 10 to Windows 7, 8, or 8.1 by entering a
<tr>
<td>Pro for Workstations</td>
<td></td>
<td align="center"></td>
<td></td>
<td align="center"></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>

26
windows/privacy/manage-windows-endpoints.md
View File

@ -34,7 +34,7 @@ We used the following methodology to derive these network endpoints:
2. Leave the devices running idle for a week (that is, a user is not interacting with the system/device).
3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic.
4. Compile reports on traffic going to public IP addresses.
5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory.
5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory.
> [!NOTE]
> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time.
@ -502,8 +502,7 @@ In addition to the endpoints listed for Windows 10 Enterprise, the following end
| *.search.msn.com | TLSv1.2 | Used to retrieve Windows Spotlight metadata. |
| *.wac.edgecastcdn.net | TLSv1.2 | Used by the Verizon Content Delivery Network to perform Windows updates. |
| *.wns.windows.com | TLSv1.2 | Used for the Windows Push Notification Services (WNS). |
| *prod.do.dsp.mp.microsoft.com | TLSv1.2/
HTTPS | Used for Windows Update downloads of apps and OS updates. |
| *prod.do.dsp.mp.microsoft.com | TLSv1.2\/HTTPS | Used for Windows Update downloads of apps and OS updates. |
| .g.akamaiedge.net | HTTP | Used to check for updates to maps that have been downloaded for offline use. |
| telecommand.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. |
| 2.dl.delivery.mp.microsoft.com | HTTP | Enables connections to Windows Update. |
@ -530,8 +529,7 @@ HTTPS | Used for Windows Update downloads of apps and OS updates. |
| dual-a-0001.a-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. |
| fe2.update.microsoft.com | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
| fe2.update.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2/
HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2\/HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
| fg.download.windowsupdate.com.c.footprint.net | HTTP | Used to download operating system patches and updates. |
| fp.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
| g.live.com/1rewlive5skydrive/ | HTTPS | Used by a redirection service to automatically update URLs. |
@ -553,11 +551,9 @@ HTTPS | Enables connections to Windows Update, Microsoft Update, and the online
| pti.store.microsoft.com | HTTPS | Used to communicate with Microsoft Store. |
| pti.store.microsoft.com.unistore.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. |
| purchase.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. |
| ris.api.iris.microsoft.com.akadns.net | TLSv1.2/
HTTPS | Used to retrieve Windows Spotlight metadata. |
| ris.api.iris.microsoft.com.akadns.net | TLSv1.2\/HTTPS | Used to retrieve Windows Spotlight metadata. |
| settings-win.data.microsoft.com | HTTPS | Used for Windows apps to dynamically update their configuration. |
| sls.update.microsoft.com.nsatc.net | TLSv1.2/
HTTPS | Enables connections to Windows Update. |
| sls.update.microsoft.com.nsatc.net | TLSv1.2\/HTTPS | Enables connections to Windows Update. |
| star-mini.c10r.facebook.com | TLSv1.2 | Used for the Facebook Live Tile. |
| storecatalogrevocation.storequality.microsoft.com | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. |
| storeedgefd.dsx.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. |
@ -579,8 +575,7 @@ HTTPS | Enables connections to Windows Update. |
| **Destination** | **Protocol** | **Description** |
| --- | --- | --- |
| *.*.akamai.net | HTTP | Used to download content. |
| *.*.akamaiedge.net | HTTP/
TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. |
| *.*.akamaiedge.net | TLSv1.2\/HTTP | Used to check for updates to maps that have been downloaded for offline use. |
| *.a-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. |
| *.blob.core.windows.net | HTTPS | Used by Windows Update to update words used for language input methods. |
| *.c-msedge.net | HTTP | Used by OfficeHub to get the metadata of Office apps. |
@ -594,8 +589,7 @@ TLSv1.2 | Used to check for updates to maps that have been downloaded for offlin
| *.wac.edgecastcdn.net | TLSv1.2 | Used by the Verizon Content Delivery Network to perform Windows updates. |
| *.wac.phicdn.net | HTTP | Used by the Verizon Content Delivery Network to perform Windows updates. |
| *.wns.windows.com | TLSv1.2 | Used for the Windows Push Notification Services (WNS). |
| *prod.do.dsp.mp.microsoft.com | TLSv1.2/
HTTPS | Used for Windows Update downloads of apps and OS updates. |
| *prod.do.dsp.mp.microsoft.com | TLSv1.2\/HTTPS | Used for Windows Update downloads of apps and OS updates. |
| 3.dl.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update. |
| 3.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. |
| 3.tlu.dl.delivery.mp.microsoft.com | HTTP | Enables connections to Windows Update. |
@ -620,8 +614,7 @@ HTTPS | Used for Windows Update downloads of apps and OS updates. |
| evoke-windowsservices-tas.msedge.net | HTTPS | Used by the Photos app to download configuration files, and to connect to the Office 365 portals shared infrastructure, including Office Online. |
| fe2.update.microsoft.com | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
| fe2.update.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2/
HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2\/HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
| fe3.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
| fg.download.windowsupdate.com.c.footprint.net | HTTP | Used to download operating system patches and updates. |
| fp.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
@ -706,8 +699,7 @@ HTTPS | Enables connections to Windows Update, Microsoft Update, and the online
| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. |
| fg.download.windowsupdate.com.c.footprint.net | HTTP | Used to download operating system patches and updates. |
| fp.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
| g.msn.com.nsatc.net | HTTP/
TLSv1.2 | Used to retrieve Windows Spotlight metadata. |
| g.msn.com.nsatc.net | TLSv1.2\/HTTP | Used to retrieve Windows Spotlight metadata. |
| geo-prod.do.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. |
| geover-prod.do.dsp.mp.microsoft.com | HTTPS | Enables connections to Windows Update. |
| go.microsoft.com | HTTPS | Used by a redirection service to automatically update URLs. |

2
windows/security/identity-protection/credential-guard/credential-guard-requirements.md
View File

@ -28,7 +28,7 @@ For Windows Defender Credential Guard to provide protection, the computers you a
To provide basic protections against OS level attempts to read Credential Manager domain credentials, NTLM and Kerberos derived credentials, Windows Defender Credential Guard uses:
- Support for Virtualization-based security (required)
- Secure boot (required)
- TPM 2.0 either discrete or firmware (preferred - provides binding to hardware)
- TPM 1.2 or 2.0, either discrete or firmware (preferred - provides binding to hardware)
- UEFI lock (preferred - prevents attacker from disabling with a simple registry key change)
The Virtualization-based security requires:

6
windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md
View File

@ -64,7 +64,7 @@ A TPM virtual smart card simulates a physical smart card, and it uses the TPM to
- **Isolated cryptography**: TPMs provide the same properties of isolated cryptography that is offered by physical smart cards, and this is utilized by virtual smart cards. Unencrypted copies of private keys are loaded only within the TPM and never into memory that is accessible by the operating system. All cryptographic operations with these private keys occur inside the TPM.
- **Anti-hammering**: If a user enters a PIN incorrectly, the virtual smart card responds by using the anti-hammering logic of the TPM, which rejects further attempts for a period of time instead of blocking the card. This is also known as lockout.
For more information, see [Evaluate Virtual Smart Card Security](virtual-smart-card-evaluate-security.md).
For more information, see [Blocked virtual smart card](#blocked-virtual-smart-card) and [Evaluate Virtual Smart Card Security](virtual-smart-card-evaluate-security.md).
There are several options for creating virtual smart cards, depending on the size of the deployment and budget of the organization. The lowest cost option is using Tpmvscmgr.exe to create cards individually on users computers. Alternatively, a virtual smart card management solution can be purchased to more easily accomplish virtual smart card creation on a larger scale and aid in further phases of deployment. Virtual smart cards can be created on computers that are to be provisioned for an employee or on those that are already in an employees possession. In either approach, there should be some central control over personalization and provisioning. If a computer is intended for use by multiple employees, multiple virtual smart cards can be created on a computer.
@ -261,7 +261,9 @@ The most common scenario in an organization is reissuing virtual smart cards, wh
#### Blocked virtual smart card
The anti-hammering behavior of a TPM virtual smart card is different from that of a physical smart card. A physical smart card blocks itself after the user enters the wrong PIN a few times. A TPM virtual smart card enters a timed delay after the user enters the wrong PIN a few times. If the TPM is in the timed-delay mode, when the user attempts to use the TPM virtual smart card, the user is notified that the card is blocked. Furthermore, if you enable the integrated unlock functionality, the user can see the user interface to unlock the virtual smart card. Unlocking the virtual smart card does not reset the TPM lockout. The user needs to perform an extra step to reset the TPM lockout or wait for the timed delay to expire.
The anti-hammering behavior of a TPM virtual smart card is different from that of a physical smart card. A physical smart card blocks itself after the user enters the wrong PIN a few times. A TPM virtual smart card enters a timed delay after the user enters the wrong PIN a few times. If the TPM is in the timed-delay mode, when the user attempts to use the TPM virtual smart card, the user is notified that the card is blocked. Furthermore, if you enable the integrated unlock functionality, the user can see the user interface to unlock the virtual smart card and change the PIN. Unlocking the virtual smart card does not reset the TPM lockout. The user needs to perform an extra step to reset the TPM lockout or wait for the timed delay to expire.
For more information about setting the Allow Integrated Unblock policy, see [Allow Integrated Unblock screen to be displayed at the time of logon](https://docs.microsoft.com/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings#allow-integrated-unblock-screen-to-be-displayed-at-the-time-of-logon).
## See also

80
windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
View File

@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 04/19/2017
ms.date: 06/18/2018
---
# BitLocker: How to enable Network Unlock
@ -83,7 +83,7 @@ The server side configuration to enable Network Unlock also requires provisionin
The following steps allow an administrator to configure Network Unlock in a domain where the Domain Functional Level is at least Windows Server 2012.
### <a href="" id="bkmk-stepone"></a>Step One: Install the WDS Server role
### Install the WDS Server role
The BitLocker Network Unlock feature will install the WDS role if it is not already installed. If you want to install it separately before you install BitLocker Network Unlock you can use Server Manager or Windows PowerShell. To install the role using Server Manager, select the **Windows Deployment Services** role in Server Manager.
@ -95,7 +95,7 @@ Install-WindowsFeature WDS-Deployment
You must configure the WDS server so that it can communicate with DHCP (and optionally Active Directory Doman Services) and the client computer. You can do using the WDS management tool, wdsmgmt.msc, which starts the Windows Deployment Services Configuration Wizard.
### <a href="" id="bkmk-steptwo"></a>Step Two: Confirm the WDS Service is running
### Confirm the WDS Service is running
To confirm the WDS service is running, use the Services Management Console or Windows PowerShell. To confirm the service is running in Services Management Console, open the console using **services.msc** and check the status of the Windows Deployment Services service.
@ -104,7 +104,7 @@ To confirm the service is running using Windows PowerShell, use the following co
``` syntax
Get-Service WDSServer
```
### <a href="" id="bkmk-stepthree"></a>Step Three: Install the Network Unlock feature
### Install the Network Unlock feature
To install the Network Unlock feature, use Server Manager or Windows PowerShell. To install the feature using Server Manager, select the **BitLocker Network Unlock** feature in the Server Manager console.
@ -113,7 +113,37 @@ To install the feature using Windows PowerShell, use the following command:
``` syntax
Install-WindowsFeature BitLocker-NetworkUnlock
```
### <a href="" id="bkmk-stepfour"></a>Step Four: Create the Network Unlock certificate
### Create the certificate template for Network Unlock
A properly configured Active Directory Services Certification Authority can use this certificate template to create and issue Network Unlock certificates.
1. Open the Certificates Template snap-in (certtmpl.msc).
2. Locate the User template. Right-click the template name and select **Duplicate Template**.
3. On the **Compatibility** tab, change the **Certification Authority** and **Certificate recipient** fields to Windows Server 2012 and Windows 8 respectively. Ensure the **Show resulting changes** dialog box is selected.
4. Select the **General** tab of the template. The **Template display name** and **Template name** should clearly identify that the template will be used for Network Unlock. Clear the checkbox for the **Publish certificate in Active Directory** option.
5. Select the **Request Handling** tab. Select **Encryption** from the **Purpose** drop down menu. Ensure the **Allow private key to be exported** option is selected.
6. Select the **Cryptography** tab. Set the **Minimum key size** to 2048. (Any Microsoft cryptographic provider that supports RSA can be used for this template, but for simplicity and forward compatibility we recommend using the **Microsoft Software Key Storage Provider**.)
7. Select the **Requests must use one of the following providers** option and clear all options except for the cryptography provider you selected, such as the **Microsoft Software Key Storage Provider**.
8. Select the **Subject Name** tab. Select **Supply in the request**. Select **OK** if the certificate templates pop-up dialog appears.
9. Select the **Issuance Requirements** tab. Select both **CA certificate manager approval** and **Valid existing certificate** options.
10. Select the **Extensions** tab. Select **Application Policies** and choose **Edit…**.
11. In the **Edit Application Policies Extension** options dialog box, select **Client Authentication**, **Encrypting File System**, **and Secure Email** and choose **Remove**.
12. On the **Edit Application Policies Extension** dialog box, select **Add**.
13. On the **Add Application Policy** dialog box, select **New**. In the **New Application Policy** dialog box enter the following information in the space provided and then click **OK** to create the BitLocker Network Unlock application policy:
- **Name:** **BitLocker Network Unlock**
- **Object Identifier:** **1.3.6.1.4.1.311.67.1.1**
14. Select the newly created **BitLocker Network Unlock** application policy and select **OK**.
15. With the **Extensions** tab still open, select the **Edit Key Usage Extension** dialog, select the **Allow key exchange only with key encryption (key encipherment)** option. Select the **Make this extension critical** option.
16. Select the **Security** tab. Confirm that the **Domain Admins** group has been granted **Enroll** permission.
17. Select **OK** to complete configuration of the template.
To add the Network Unlock template to the Certification Authority, open the Certification Authority snap-in (certsrv.msc). Right-click the **Certificate Templates** item and choose **New, Certificate Template to issue**. Select the previously created BitLocker Network Unlock certificate.
After adding the Network Unlock template to the Certification Authority, this certificate can be used to configure BitLocker Network Unlock.
### Create the Network Unlock certificate
Network Unlock can use imported certificates from an existing PKI infrastructure, or you can use a self-signed certificate.
@ -184,7 +214,7 @@ Certreq example:
5. Launch Certificates - Local Machine by running **certlm.msc**.
6. Create a .pfx file by opening the **Certificates Local Computer\\Personal\\Certificates** path in the navigation pane, right-clicking the previously imported certificate, selecting **All Tasks**, then **Export**. Follow through the wizard to create the .pfx file.
### <a href="" id="bkmk-stepfive"></a>Step Five: Deploy the private key and certificate to the WDS server
### Deploy the private key and certificate to the WDS server
With the certificate and key created, deploy them to the infrastructure to properly unlock systems. To deploy the certificates, do the following:
@ -193,7 +223,7 @@ With the certificate and key created, deploy them to the infrastructure to prope
3. In the **File to Import** dialog, choose the .pfx file created previously.
4. Enter the password used to create the .pfx and complete the wizard.
### <a href="" id="bkmk-stepsix"></a>Step Six: Configure Group Policy settings for Network Unlock
### Configure Group Policy settings for Network Unlock
With certificate and key deployed to the WDS server for Network Unlock, the final step is to use Group Policy settings to deploy the public key certificate to computers that you want to be able to unlock using the Network Unlock key. Group Policy settings for BitLocker can be found under **\\Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption** using the Local Group Policy Editor or the Microsoft Management Console.
@ -218,7 +248,7 @@ The following steps describe how to deploy the required Group Policy setting:
>**Note:**  Only one network unlock certificate can be available at a time. If a new certificate is required, delete the current certificate before deploying a new one. The Network Unlock certificate is located in the **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\FVE\_NKP** key on the client computer.
 
### <a href="" id="bkmk-stepseven"></a>Step Seven: Require TPM+PIN protectors at startup
### Require TPM+PIN protectors at startup
An additional step is for enterprises to use TPM+PIN protectors for an extra level of security. To require TPM+PIN protectors in an environment, do the following:
@ -226,36 +256,6 @@ An additional step is for enterprises to use TPM+PIN protectors for an extra lev
2. Enable the policy **Require additional authentication at startup** and select the **Require startup PIN with TPM** option.
3. Turn on BitLocker with TPM+PIN protectors on all domain-joined computers.
### <a href="" id="bkmk-createcerttmpl"></a>Create the certificate template for Network Unlock
The following steps detail how to create a certificate template for use with BitLocker Network Unlock. A properly configured Active Directory Services Certification Authority can use this certificate to create and issue Network Unlock certificates.
1. Open the Certificates Template snap-in (certtmpl.msc).
2. Locate the User template. Right-click the template name and select **Duplicate Template**.
3. On the **Compatibility** tab, change the **Certification Authority** and **Certificate recipient** fields to Windows Server 2012 and Windows 8 respectively. Ensure the **Show resulting changes** dialog box is selected.
4. Select the **General** tab of the template. The **Template display name** and **Template name** should clearly identify that the template will be used for Network Unlock. Clear the checkbox for the **Publish certificate in Active Directory** option.
5. Select the **Request Handling** tab. Select **Encryption** from the **Purpose** drop down menu. Ensure the **Allow private key to be exported** option is selected.
6. Select the **Cryptography** tab. Set the **Minimum key size** to 2048. (Any Microsoft cryptographic provider that supports RSA can be used for this template, but for simplicity and forward compatibility we recommend using the **Microsoft Software Key Storage Provider**.)
7. Select the **Requests must use one of the following providers** option and clear all options except for the cryptography provider you selected, such as the **Microsoft Software Key Storage Provider**.
8. Select the **Subject Name** tab. Select **Supply in the request**. Select **OK** if the certificate templates pop-up dialog appears.
9. Select the **Issuance Requirements** tab. Select both **CA certificate manager approval** and **Valid existing certificate** options.
10. Select the **Extensions** tab. Select **Application Policies** and choose **Edit…**.
11. In the **Edit Application Policies Extension** options dialog box, select **Client Authentication**, **Encrypting File System**, **and Secure Email** and choose **Remove**.
12. On the **Edit Application Policies Extension** dialog box, select **Add**.
13. On the **Add Application Policy** dialog box, select **New**. In the **New Application Policy** dialog box enter the following information in the space provided and then click **OK** to create the BitLocker Network Unlock application policy:
- **Name:** **BitLocker Network Unlock**
- **Object Identifier:** **1.3.6.1.4.1.311.67.1.1**
14. Select the newly created **BitLocker Network Unlock** application policy and select **OK**.
15. With the **Extensions** tab still open, select the **Edit Key Usage Extension** dialog, select the **Allow key exchange only with key encryption (key encipherment)** option. Select the **Make this extension critical** option.
16. Select the **Security** tab. Confirm that the **Domain Admins** group has been granted **Enroll** permission.
17. Select **OK** to complete configuration of the template.
To add the Network Unlock template to the Certification Authority, open the Certification Authority snap-in (certsrv.msc). Right-click the **Certificate Templates** item and choose **New, Certificate Template to issue**. Select the previously created BitLocker Network Unlock certificate.
After adding the Network Unlock template to the Certification Authority, this certificate can be used to configure BitLocker Network Unlock.
### Subnet policy configuration files on WDS Server (Optional)
By default, all clients with the correct Network Unlock Certificate and valid Network Unlock protectors that have wired access to a Network Unlock-enabled WDS server via DHCP are unlocked by the server. A subnet policy configuration file on the WDS server can be created to limit which subnet(s) Network Unlock clients can use to unlock.
@ -285,13 +285,13 @@ The subnet policy configuration file must use a “\[SUBNETS\]” section to ide
To disallow the use of a certificate altogether, its subnet list may contain the line “DISABLED".
### <a href="" id="bkmk-turnoffnetworkunlock"></a>Turning off Network Unlock
## Turning off Network Unlock
To turn off the unlock server, the PXE provider can be unregistered from the WDS server or uninstalled altogether. However, to stop clients from creating Network Unlock protectors the **Allow Network Unlock at startup** Group Policy setting should be disabled. When this policy setting is updated to disabled on client computers any Network Unlock key protectors on the computer will be deleted. Alternatively, the BitLocker Network Unlock certificate policy can be deleted on the domain controller to accomplish the same task for an entire domain.
>**Note:**  Removing the FVENKP certificate store that contains the Network Unlock certificate and key on the WDS server will also effectively disable the servers ability to respond to unlock requests for that certificate. However, this is seen as an error condition and is not a supported or recommended method for turning off the Network Unlock server.
 
### <a href="" id="bkmk-updatecerts"></a>Update Network Unlock certificates
## Update Network Unlock certificates
To update the certificates used by Network Unlock, administrators need to import or generate the new certificate for the server and then update the Network Unlock certificate Group Policy setting on the domain controller.

5
windows/security/information-protection/bitlocker/bitlocker-overview.md
View File

@ -18,12 +18,11 @@ ms.date: 10/16/2017
This topic provides a high-level overview of BitLocker, including a list of system requirements, practical applications, and deprecated features.
## <a href="" id="bkmk-over"></a>
## <a href="" id="bkmk-over"></a>BitLocker overview
BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers.
BitLocker provides the most protection when used with a Trusted Platform Module (TPM) version 1.2 or later. The TPM is a hardware component installed in many newer computers by the computer manufacturers. It works with BitLocker to help protect user data and to ensure that a computer has not been
tampered with while the system was offline.
BitLocker provides the most protection when used with a Trusted Platform Module (TPM) version 1.2 or later. The TPM is a hardware component installed in many newer computers by the computer manufacturers. It works with BitLocker to help protect user data and to ensure that a computer has not been tampered with while the system was offline.
On computers that do not have a TPM version 1.2 or later, you can still use BitLocker to encrypt the Windows operating system drive. However, this implementation will require the user to insert a USB startup key to start the computer or resume from hibernation. Starting with Windows 8, you can use an operating system volume password to protect the operating system volume on a computer without TPM. Both options do not provide the pre-startup system integrity verification offered by BitLocker with a TPM.

4
windows/security/information-protection/bitlocker/bitlocker-security-faq.md
View File

@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: security
localizationpriority: high
author: brianlic-msft
ms.date: 05/03/2018
ms.date: 06/12/2018
---
# BitLocker Security FAQ
@ -27,7 +27,7 @@ The recommended practice for BitLocker configuration on an operating system driv
## What are the implications of using the sleep or hibernate power management options?
BitLocker on operating system drives in its basic configuration (with a TPM but without advanced authentication) provides additional security for the hibernate mode. However, BitLocker provides greater security when it is configured to use an advanced authentication mode (TPM+PIN, TPM+USB, or TPM+PIN+USB) with the hibernate mode. This method is more secure because returning from hibernation requires BitLocker authentication. As a best practice, we recommend that sleep mode be disabled and that you use TPM+PIN for the authentication method.
BitLocker on operating system drives in its basic configuration (with a TPM but without additional startup authentication) provides additional security for the hibernate mode. However, BitLocker provides greater security when it is configured to use an additional startup authentication factor (TPM+PIN, TPM+USB, or TPM+PIN+USB) with the hibernate mode. This method is more secure because returning from hibernation requires authentication. For improved security, we recommend that sleep mode be disabled and that you use TPM+PIN for the authentication method. Startup authentication can be configured by using [Group Policy](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings#a-href-idbkmk-unlockpol1arequire-additional-authentication-at-startup) or Mobile Device Management with the [Bitlocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp).
## What are the advantages of a TPM?

2
windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
View File

@ -71,7 +71,7 @@ Passive mode | Windows Defender AV will not be used as the antivirus app, and th
Automatic disabled mode | Windows Defender AV will not be used as the antivirus app. Files will not be scanned and threats will not be remediated. | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark no](images/svg/check-no.svg)]]
Active mode | Windows Defender AV is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. Files will be scanned and threats remediated, and detection information will be reported in your configuration tool (such as Configuration Manager or the Windows Defender AV app on the machine itself). | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
Passive mode is enabled if you are enrolled in Windows Defender ATP because [the service requires common information sharing from the Windows Defender AV service](../windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md) in order to properly monitor your devices and network for intrusion attempts and attacks.
If you are enrolled in Windows Defender ATP and you are using a third party antimalware product then passive mode is enabled because [the service requires common information sharing from the Windows Defender AV service](../windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md) in order to properly monitor your devices and network for intrusion attempts and attacks.
Automatic disabled mode is enabled so that if the protection offered by a third-party antivirus product expires or otherwise stops providing real-time protection from viruses, malware or other threats, Windows Defender AV will automatically enable itself to ensure antivirus protection is maintained on the endpoint. It also allows you to enable [limited periodic scanning](limited-periodic-scanning-windows-defender-antivirus.md), which uses the Windows Defender AV engine to periodically check for threats in addition to your main antivirus app.

1
windows/security/threat-protection/windows-defender-application-control/TOC.md
View File

@ -18,6 +18,7 @@
### [Merge WDAC policies](merge-windows-defender-application-control-policies.md)
### [Enforce WDAC policies](enforce-windows-defender-application-control-policies.md)
### [Deploy WDAC with a managed installer](use-windows-defender-application-control-with-managed-installer.md)
### [Deploy WDAC with Intelligent Security Graph (ISG)](use-windows-defender-application-control-with-intelligent-security-graph.md)
### [Deploy WDAC policies using Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md)
### [Deploy WDAC policies using Intune](deploy-windows-defender-application-control-policies-using-intune.md)
### [Use code signing to simplify application control for classic Windows applications](use-code-signing-to-simplify-application-control-for-classic-windows-applications.md)

4
windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-audit-only.md
View File

@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 09/21/2017
ms.date: 06/08/2018
---
# Configure an AppLocker policy for audit only
@ -21,8 +21,6 @@ This topic for IT professionals describes how to set AppLocker policies to **Aud
After AppLocker rules are created within the rule collection, you can configure the enforcement setting to **Enforce rules** or **Audit only**.
When AppLocker policy enforcement is set to **Enforce rules**, rules are enforced for the rule collection and all events are audited. When AppLocker policy enforcement is set to **Audit only**, rules are only evaluated but all events generated from that evaluation are written to the AppLocker log.
>**Note:**  There is no audit mode for the DLL rule collection. DLL rules affect specific apps. Therefore, test the impact of these rules first before deploying them to production. To enable the DLL rule collection, see [Enable the DLL rule collection](enable-the-dll-rule-collection.md).
 
You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins).

549
windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
View File

@ -6,7 +6,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: high
author: jsuther1974
ms.date: 06/08/2018
ms.date: 06/14/2018
---
# Microsoft recommended block rules
@ -384,7 +384,278 @@ Microsoft recommends that you block the following Microsoft-signed applications
<Deny ID="ID_DENY_D_245" FriendlyName="PowerShell 245" Hash="4BFB3F95CA1B79DA3C6B0A2ECB432059E686F967"/>
<Deny ID="ID_DENY_D_246" FriendlyName="PowerShell 246" Hash="0C4688AACD02829850DE0F792AC06D3C87895412A910EA76F7F9BF31B3B4A3E9"/>
<Deny ID="ID_DENY_D_247" FriendlyName="PowerShell 247" Hash="6DC048AFA50B5B1B0AD7DD3125AC83D46FED730A"/>
<Deny ID="ID_DENY_D_248" FriendlyName="PowerShell 248" Hash="432F666CCE8CD222484E263AE02F63E0038143DD6AD07B3EB1633CD3C498C13D"/>
<Deny ID="ID_DENY_D_248" FriendlyName="PowerShell 248" Hash="432F666CCE8CD222484E263AE02F63E0038143DD6AD07B3EB1633CD3C498C13D"/>
<Deny ID="ID_DENY_D_287" FriendlyName="PowerShellShell 287" Hash="2B45C165F5E0BFD932397B18980BA680E2E82BD1"/>
<Deny ID="ID_DENY_D_288" FriendlyName="PowerShellShell 288" Hash="1DD0AD6B85DAEBAE7555DC37EA6C160EA38F75E3D4847176F77562A59025660A"/>
<Deny ID="ID_DENY_D_289" FriendlyName="PowerShellShell 289" Hash="A8C9E28F25C9C5F479691F2F49339F4448747638"/>
<Deny ID="ID_DENY_D_290" FriendlyName="PowerShellShell 290" Hash="F8FA17038CD532BF5D0D6D3AC55CE34E45EB690637D38D399CAB14B09807EB6C"/>
<Deny ID="ID_DENY_D_291" FriendlyName="PowerShellShell 291" Hash="4BAFD867B59328E7BB853148FE6D16B9411D7A12"/>
<Deny ID="ID_DENY_D_292" FriendlyName="PowerShellShell 292" Hash="D1F22B37902C2DD53FA27438436D9D236A196C10C8E492A8F4A14768644592D3"/>
<Deny ID="ID_DENY_D_293" FriendlyName="PowerShellShell 293" Hash="3BA0605C08935B340BEFDC83C0D92B1CE52B8348"/>
<Deny ID="ID_DENY_D_294" FriendlyName="PowerShellShell 294" Hash="B794B01CE561F2791D4ED3EADE523D03D2BE7B4CEFE9AAFC685ECE8ACF515ED2"/>
<Deny ID="ID_DENY_D_295" FriendlyName="PowerShellShell 295" Hash="8B74A22710A532A71532E4F0B1C60AABDCAA29AB"/>
<Deny ID="ID_DENY_D_296" FriendlyName="PowerShellShell 296" Hash="EB335007DF9897BCD2ED5C647BA724F07658E8597E73E353479201000CF2EF79"/>
<Deny ID="ID_DENY_D_297" FriendlyName="PowerShellShell 297" Hash="10E2CD3A2CFA0549590F740139F464626DEE2092"/>
<Deny ID="ID_DENY_D_298" FriendlyName="PowerShellShell 298" Hash="61DEC96B91F3F152DFDA84B28EBB184808A21C4C183CC0584C66AC7E20F0DDB6"/>
<Deny ID="ID_DENY_D_299" FriendlyName="PowerShellShell 299" Hash="98E84F46B3EB3AD7420C9715722145AFB0C065A7"/>
<Deny ID="ID_DENY_D_300" FriendlyName="PowerShellShell 300" Hash="67398990D42DFF84F8BE33B486BF492EBAF61671820BB9DCF039D1F8738EC5A4"/>
<Deny ID="ID_DENY_D_301" FriendlyName="PowerShellShell 301" Hash="58F399EC75708720E722FBD038F0EC089BF5A8C0"/>
<Deny ID="ID_DENY_D_302" FriendlyName="PowerShellShell 302" Hash="C523FFF884C44251337470870E0B158230961845FC1E953F877D515668524F2E"/>
<Deny ID="ID_DENY_D_303" FriendlyName="PowerShellShell 303" Hash="41EE8E9559FC0E772FC26EBA87ED4D77E60DC76C"/>
<Deny ID="ID_DENY_D_304" FriendlyName="PowerShellShell 304" Hash="219AD97976987C614B00C0CD1229B4245F2F1453F5AF90B907664D0BF6ADFE78"/>
<Deny ID="ID_DENY_D_305" FriendlyName="PowerShellShell 305" Hash="7F7E646892FCEB8D6A19647F00C1153014955C45"/>
<Deny ID="ID_DENY_D_306" FriendlyName="PowerShellShell 306" Hash="5825FF16398F12B4999B9A12849A757DD0884F9908220FB33E720F170DA288D5"/>
<Deny ID="ID_DENY_D_307" FriendlyName="PowerShellShell 307" Hash="7EA8A590583008446583F0AE7D66537FAD63619D"/>
<Deny ID="ID_DENY_D_308" FriendlyName="PowerShellShell 308" Hash="26DD094717B15B3D39600D909A9CAEBCF5C616C6277933BCC01326E8C475A128"/>
<Deny ID="ID_DENY_D_309" FriendlyName="PowerShellShell 309" Hash="5F6CDF52C1E184B080B89EB234DE179C19F110BA"/>
<Deny ID="ID_DENY_D_310" FriendlyName="PowerShellShell 310" Hash="41FB90606E3C66D21C703D84C943F8CB35772030B689D9A9895CB3EF7C863FB2"/>
<Deny ID="ID_DENY_D_311" FriendlyName="PowerShellShell 311" Hash="91C1DACBD6773BFC7F9305418A6683B8311949CF"/>
<Deny ID="ID_DENY_D_312" FriendlyName="PowerShellShell 312" Hash="EB678387D01938D88E6F2F46712269D54D845EB6A8AAC3FCA256DC2160D42975"/>
<Deny ID="ID_DENY_D_313" FriendlyName="PowerShellShell 313" Hash="A05294D23A4A7DC91692013C0EC4373598A28B21"/>
<Deny ID="ID_DENY_D_314" FriendlyName="PowerShellShell 314" Hash="ABEEA4903403D2C07489436E59955ECFEEF893C63D1FDBED234343F6A6D472B1"/>
<Deny ID="ID_DENY_D_315" FriendlyName="PowerShellShell 315" Hash="B155C278617845EC6318E4009E4CED6639FAB951"/>
<Deny ID="ID_DENY_D_316" FriendlyName="PowerShellShell 316" Hash="59549FEEB4D64BA3AF50F925FECC8107422D3F54AF6106E5B0152B2F50912980"/>
<Deny ID="ID_DENY_D_317" FriendlyName="PowerShellShell 317" Hash="465D848F11CECE4452E831D248D326360B73A319"/>
<Deny ID="ID_DENY_D_318" FriendlyName="PowerShellShell 318" Hash="B9C9F208C6E50AABF91D234227D09D7C6CAB2FDB229163103E7C1F541F71C213"/>
<Deny ID="ID_DENY_D_319" FriendlyName="PowerShellShell 319" Hash="F0B9D75B53A268C0AC30584738C3A5EC33420A2E"/>
<Deny ID="ID_DENY_D_320" FriendlyName="PowerShellShell 320" Hash="365A7812DFC448B1FE9CEA83CF55BC62189C4E72BAD84276BD5F1DAB47CB3EFF"/>
<Deny ID="ID_DENY_D_321" FriendlyName="PowerShellShell 321" Hash="8ADCDD18EB178B6A43CF5E11EC73212C90B91988"/>
<Deny ID="ID_DENY_D_322" FriendlyName="PowerShellShell 322" Hash="51BD119BE2FBEFEC560F618DBBBB8203A251F455B1DF825F37B1DFFDBE120DF2"/>
<Deny ID="ID_DENY_D_323" FriendlyName="PowerShellShell 323" Hash="D2011097B6038D8507B26B7618FF07DA0FF01234"/>
<Deny ID="ID_DENY_D_324" FriendlyName="PowerShellShell 324" Hash="BA3D20A577F355612E53428D573767C48A091AE965FCB30CC348619F1CB85A02"/>
<Deny ID="ID_DENY_D_325" FriendlyName="PowerShellShell 325" Hash="57ABBC8E2FE88E04C57CDDD13D58C9CE03455D25"/>
<Deny ID="ID_DENY_D_326" FriendlyName="PowerShellShell 326" Hash="0280C4714BC806BFC1863BE9E84D38F203942DD35C6AF2EB96958FD011E4D23D"/>
<Deny ID="ID_DENY_D_327" FriendlyName="PowerShellShell 327" Hash="DEB07053D6059B56109DFF885720D5721EB0F55C"/>
<Deny ID="ID_DENY_D_328" FriendlyName="PowerShellShell 328" Hash="E374A14871C35DB57D6D67281C16F5F9EF77ABE248DE92C1A937C6526133FA36"/>
<Deny ID="ID_DENY_D_329" FriendlyName="PowerShellShell 329" Hash="AC33BA432B35A662E2D9D015D6283308FD046251"/>
<Deny ID="ID_DENY_D_330" FriendlyName="PowerShellShell 330" Hash="93B22B0D5369327247DF491AABD3CE78421D0D68FE8A3931E0CDDF5F858D3AA7"/>
<Deny ID="ID_DENY_D_331" FriendlyName="PowerShellShell 331" Hash="05126413310F4A1BA2F7D2AD3305E2E3B6A1B00D"/>
<Deny ID="ID_DENY_D_332" FriendlyName="PowerShellShell 332" Hash="108A73F4AE78786C9955ED71EFD916465A36175F8DC85FD82DDA6410FBFCDB52"/>
<Deny ID="ID_DENY_D_333" FriendlyName="PowerShellShell 333" Hash="B976F316FB5EE6E5A325320E7EE5FBF487DA9CE5"/>
<Deny ID="ID_DENY_D_334" FriendlyName="PowerShellShell 334" Hash="D54CCD405D3E904CAECA3A6F7BE1737A9ACE20F7593D0F6192B811EF17744DD6"/>
<Deny ID="ID_DENY_D_335" FriendlyName="PowerShellShell 335" Hash="F3471DBF534995307AEA230D228BADFDCA9E4021"/>
<Deny ID="ID_DENY_D_336" FriendlyName="PowerShellShell 336" Hash="2048F33CCD924D224154307C28DDC6AC1C35A1859F118AB2B6536FB954FC44EF"/>
<Deny ID="ID_DENY_D_337" FriendlyName="PowerShellShell 337" Hash="1FAC9087885C2FEBD7F57CC9AACE8AF94294C8FB"/>
<Deny ID="ID_DENY_D_338" FriendlyName="PowerShellShell 338" Hash="942E0D0BA5ECBF64A3B2D0EA1E08C793712A4C89BC1BC3B6C32A419AE38FACC1"/>
<Deny ID="ID_DENY_D_339" FriendlyName="PowerShellShell 339" Hash="5B67EE19AA7E4B42E58127A63520D44A0679C6CE"/>
<Deny ID="ID_DENY_D_340" FriendlyName="PowerShellShell 340" Hash="2B6A59053953737D345B97FA1AFB23C379809D1532BAF31E710E48ED7FA2D735"/>
<Deny ID="ID_DENY_D_341" FriendlyName="PowerShellShell 341" Hash="1ABC67650B169E7C437853922805706D488EEEA2"/>
<Deny ID="ID_DENY_D_342" FriendlyName="PowerShellShell 342" Hash="754CA97A95464F1A1687C83AE3ECC6670B80A50503067DEBF6135077C886BCF4"/>
<Deny ID="ID_DENY_D_343" FriendlyName="PowerShellShell 343" Hash="0E280FF775F406836985ECA66BAA9BA17D12E38B"/>
<Deny ID="ID_DENY_D_344" FriendlyName="PowerShellShell 344" Hash="19C9A6D1AE90AEA163E35930FAB1B57D3EC78CA5FE192D6E510CED2DAB5DD03B"/>
<Deny ID="ID_DENY_D_345" FriendlyName="PowerShellShell 345" Hash="4E6081C3BBB2809C417E2D03412E29FF7317DA54"/>
<Deny ID="ID_DENY_D_346" FriendlyName="PowerShellShell 346" Hash="3AE4505A552EA04C7664C610E81172CA329981BF53ECC6758C03357EB653F5D1"/>
<Deny ID="ID_DENY_D_347" FriendlyName="PowerShellShell 347" Hash="61BED1C7CD54B2F60923D26CD2F6E48C063AFED5"/>
<Deny ID="ID_DENY_D_348" FriendlyName="PowerShellShell 348" Hash="9405CBE91B7519290F90577DCCF5796C514746DE6390322C1624BA258D284EE9"/>
<Deny ID="ID_DENY_D_349" FriendlyName="PowerShellShell 349" Hash="63AA55C3B46EFAFC8625F8D5562AB504E4CBB78F"/>
<Deny ID="ID_DENY_D_350" FriendlyName="PowerShellShell 350" Hash="FF54885D30A13008D60F6D0B96CE802209C89A2A7D9D86A85804E66B6DE29A5D"/>
<Deny ID="ID_DENY_D_351" FriendlyName="PowerShellShell 351" Hash="20845E4440DA2D9AB3559D4B6890691CACD0E93E"/>
<Deny ID="ID_DENY_D_352" FriendlyName="PowerShellShell 352" Hash="3C9098C4BFD818CE8CFA130F6E6C90876B97D57ABBEAFABB565C487F1DD33ECC"/>
<Deny ID="ID_DENY_D_353" FriendlyName="PowerShellShell 353" Hash="4A473F14012EB9BF7DCEA80B86C2612A6D9D914E"/>
<Deny ID="ID_DENY_D_354" FriendlyName="PowerShellShell 354" Hash="1C6914B58F70A9860F67311C32258CD9072A367BF30203DA9D8C48188D888E65"/>
<Deny ID="ID_DENY_D_355" FriendlyName="PowerShellShell 355" Hash="641871FD5D9875DB75BFC58B7B53672D2C645F01"/>
<Deny ID="ID_DENY_D_356" FriendlyName="PowerShellShell 356" Hash="C115A974DD2C56574E93A4800247A23B98B9495F6EF41460D1EC139266A2484D"/>
<Deny ID="ID_DENY_D_357" FriendlyName="PowerShellShell 357" Hash="A21E254C18D3D53B832AD381FF58B36E6737FFB6"/>
<Deny ID="ID_DENY_D_358" FriendlyName="PowerShellShell 358" Hash="D214AF2AD9204118EB670D08D80D4CB9FFD74A978726240360C35AD5A57F8E7D"/>
<Deny ID="ID_DENY_D_359" FriendlyName="PowerShellShell 359" Hash="102B072F29122BC3A89B924987A7BF1AC3C598DB"/>
<Deny ID="ID_DENY_D_360" FriendlyName="PowerShellShell 360" Hash="DA444773FE7AD8309FA9A0ABCDD63B302E6FC91E750903843FBA2A7F370DB0C0"/>
<Deny ID="ID_DENY_D_361" FriendlyName="PowerShellShell 361" Hash="EAD58EBB00001E678B9698A209308CC7406E1BCC"/>
<Deny ID="ID_DENY_D_362" FriendlyName="PowerShellShell 362" Hash="34A5F48629F9FDAEBAB9468EF7F1683EFA856AAD32E3C0CC0F92B5641D722EDC"/>
<Deny ID="ID_DENY_D_363" FriendlyName="PowerShellShell 363" Hash="727EDB00C15DC5D3C14368D88023FDD5A74C0B06"/>
<Deny ID="ID_DENY_D_364" FriendlyName="PowerShellShell 364" Hash="5720BEE5CBE7D724B67E07C53E22FB869F8F9B1EB95C4F71D61D240A1ED8D8AD"/>
<Deny ID="ID_DENY_D_365" FriendlyName="PowerShellShell 365" Hash="A43137EC82721A81C3E05DC5DE74F0549DE6A130"/>
<Deny ID="ID_DENY_D_366" FriendlyName="PowerShellShell 366" Hash="1731118D97F278C18E2C6922A016DA7C55970C6C4C5441710D1B0464EED6EAEB"/>
<Deny ID="ID_DENY_D_367" FriendlyName="PowerShellShell 367" Hash="17EC94CB9BF98E605F9352987CA33DCE8F5733CD"/>
<Deny ID="ID_DENY_D_368" FriendlyName="PowerShellShell 368" Hash="AFE0CC143108BBDBE60771B6894406785C471BA5730F06EE8185D0A71617B583"/>
<Deny ID="ID_DENY_D_369" FriendlyName="PowerShellShell 369" Hash="F6E9C098737F0905E53B92D4AD49C199EC76D24B"/>
<Deny ID="ID_DENY_D_370" FriendlyName="PowerShellShell 370" Hash="50A57BFCD20380DDEFD2A717D7937D49380D4D5931CC6CC403C904139546CB1D"/>
<Deny ID="ID_DENY_D_371" FriendlyName="PowerShellShell 371" Hash="2118ACC512464EE95946F064560C15C58341B80C"/>
<Deny ID="ID_DENY_D_372" FriendlyName="PowerShellShell 372" Hash="005990EE785C1CA7EAEC82DA29F5B363049DC117A18823D83C10B86B5E8D0A5F"/>
<Deny ID="ID_DENY_D_373" FriendlyName="PowerShellShell 373" Hash="54FAE3A389FDD2F5C21293D2317E87766AF0473D"/>
<Deny ID="ID_DENY_D_374" FriendlyName="PowerShellShell 374" Hash="70F4E503D7484DF5B5F73D9A753E585BFADB8B8EBA42EB482B6A66DB17C87881"/>
<Deny ID="ID_DENY_D_375" FriendlyName="PowerShellShell 375" Hash="B4831AF4B25527EF0C172DAA5E4CA26DE105D30B"/>
<Deny ID="ID_DENY_D_376" FriendlyName="PowerShellShell 376" Hash="D410A37042A2DC53AD1801EBB2EF507B4AE475870522A298567B79DA61C3E9C8"/>
<Deny ID="ID_DENY_D_377" FriendlyName="PowerShellShell 377" Hash="85BBC0CDC34BD5A56113B0DCB6795BCEBADE63FA"/>
<Deny ID="ID_DENY_D_378" FriendlyName="PowerShellShell 378" Hash="C6F8E3A3F2C513CEDD2F21D486BF0116BAF2E2EE4D631A9BE4760860B1161848"/>
<Deny ID="ID_DENY_D_379" FriendlyName="PowerShellShell 379" Hash="46105ACE7ABEC3A6E6226183F2F7F8E90E3639A5"/>
<Deny ID="ID_DENY_D_380" FriendlyName="PowerShellShell 380" Hash="F60BE088F226CA1E2308099C3B1C2A54DB4C41D2BE678504D03547B9E1E023F6"/>
<Deny ID="ID_DENY_D_381" FriendlyName="PowerShellShell 381" Hash="C9478352ACE4BE6D6B70BBE710C2E2128FEFC7FE"/>
<Deny ID="ID_DENY_D_382" FriendlyName="PowerShellShell 382" Hash="F4A81E7D4BD3B8762FAED760047877E06E40EC991D968BD6A6929B848804C1A4"/>
<Deny ID="ID_DENY_D_383" FriendlyName="PowerShellShell 383" Hash="9E56E910919FF65BCCF5D60A8F9D3EBE27EF1381"/>
<Deny ID="ID_DENY_D_384" FriendlyName="PowerShellShell 384" Hash="34887B225444A18158B632CAEA4FEF6E7D691FEA3E36C12D4152AFAB260668EB"/>
<Deny ID="ID_DENY_D_385" FriendlyName="PowerShellShell 385" Hash="1FD04D4BD5F9E41FA8278F3F9B05FE8702ADB4C8"/>
<Deny ID="ID_DENY_D_386" FriendlyName="PowerShellShell 386" Hash="6586176AEBE8307829A1E03D878EF6F500E8C5032E50198DF66F54D3B56EA718"/>
<Deny ID="ID_DENY_D_387" FriendlyName="PowerShellShell 387" Hash="DEBC3DE2AD99FC5E885A358A6994E6BD39DABCB0"/>
<Deny ID="ID_DENY_D_388" FriendlyName="PowerShellShell 388" Hash="FDF54A4A3089062FFFA4A41FEBF38F0ABC9D502B57749348DF6E78EA2A33DDEA"/>
<Deny ID="ID_DENY_D_389" FriendlyName="PowerShellShell 389" Hash="6AA06D07D9DE8FE7E13B66EDFA07232B56F7E21D"/>
<Deny ID="ID_DENY_D_390" FriendlyName="PowerShellShell 390" Hash="DD3E74CFB8ED64FA5BE9136C305584CD2E529D92B360651DD06A6DC629E23449"/>
<Deny ID="ID_DENY_D_391" FriendlyName="PowerShellShell 391" Hash="5C858042246FDDDB281C1BFD2FEFC9BAABC3F7AD"/>
<Deny ID="ID_DENY_D_392" FriendlyName="PowerShellShell 392" Hash="20E65B1BE06A99507412FC0E75D158EE1D9D43AE5F492BE4A87E3AA29A148310"/>
<Deny ID="ID_DENY_D_393" FriendlyName="PowerShellShell 393" Hash="2ABCD0525D31D4BB2D0131364FBE1D94A02A3E2A"/>
<Deny ID="ID_DENY_D_394" FriendlyName="PowerShellShell 394" Hash="806EC87F1EFA428627989318C882CD695F55F60A1E865C621C9F2B14E4E1FC2E"/>
<Deny ID="ID_DENY_D_395" FriendlyName="PowerShellShell 395" Hash="E2967D755D0F79FA8EA7A8585106926CA87F89CB"/>
<Deny ID="ID_DENY_D_396" FriendlyName="PowerShellShell 396" Hash="07382BE9D8ACBAFDA953C842BAAE600A82A69183D6B63F91B061671C4AF9434B"/>
<Deny ID="ID_DENY_D_397" FriendlyName="PowerShellShell 397" Hash="75EF6F0B78098FB1766DCC853E004476033499CF"/>
<Deny ID="ID_DENY_D_398" FriendlyName="PowerShellShell 398" Hash="699A9D17E1247F05767E82BFAFBD96DBE07AE521E23D39613D4A39C3F8CF4971"/>
<Deny ID="ID_DENY_D_399" FriendlyName="PowerShellShell 399" Hash="E73178C487AF6B9F182B2CCA25774127B0303093"/>
<Deny ID="ID_DENY_D_400" FriendlyName="PowerShellShell 400" Hash="0BD1FE62BE97032ADDAAB41B445D00103302D3CE8A03A798A36FEAA0F89939FF"/>
<Deny ID="ID_DENY_D_401" FriendlyName="PowerShellShell 401" Hash="EBF20FEECA95F83B9F5C22B97EB44DD7EB2C7B5F"/>
<Deny ID="ID_DENY_D_402" FriendlyName="PowerShellShell 402" Hash="B5AE0EAA5AF4245AD9B37C8C1FC5220081B92A13950C54D82E824D2D3B840A7C"/>
<Deny ID="ID_DENY_D_403" FriendlyName="PowerShellShell 403" Hash="5E53A4235DC549D0195A9DDF607288CEDE7BF115"/>
<Deny ID="ID_DENY_D_404" FriendlyName="PowerShellShell 404" Hash="FE57195757977E4485BF5E5D72A24EA65E33F8EAA7245381453960D5646FAF58"/>
<Deny ID="ID_DENY_D_405" FriendlyName="PowerShellShell 405" Hash="014BC30E1FC12F270824F01DC7C934497A573124"/>
<Deny ID="ID_DENY_D_406" FriendlyName="PowerShellShell 406" Hash="65B3B357C356DAE26E5B036820C193989C0F9E8E08131B3186F9443FF9A511E4"/>
<Deny ID="ID_DENY_D_407" FriendlyName="PowerShellShell 407" Hash="128D7D03E4B85DBF95427D72EFF833DAB5E92C33"/>
<Deny ID="ID_DENY_D_408" FriendlyName="PowerShellShell 408" Hash="EACFC615FDE29BD858088AF42E0917E4B4CA5991EFB4394FB3129735D7299235"/>
<Deny ID="ID_DENY_D_409" FriendlyName="PowerShellShell 409" Hash="C7D70B96440D215173F35412D56CF9329886D8D3"/>
<Deny ID="ID_DENY_D_410" FriendlyName="PowerShellShell 410" Hash="B00C54F1AA77D88335675EAF07ED834E68FD96DD7606914C2867F9C506AB0A56"/>
<Deny ID="ID_DENY_D_411" FriendlyName="PowerShellShell 411" Hash="8287B536E8E63F024DE1248D0FE3E6A759E9ACEE"/>
<Deny ID="ID_DENY_D_412" FriendlyName="PowerShellShell 412" Hash="B714D4A700A56BC1D4B3F59DFC1F5835CB97CBEF3927523BF71AF96B00F0FFA4"/>
<Deny ID="ID_DENY_D_413" FriendlyName="PowerShellShell 413" Hash="6BC1E70F0EA84E88AC28BEAF74C10F3ABDF99209"/>
<Deny ID="ID_DENY_D_414" FriendlyName="PowerShellShell 414" Hash="93CB3907D1A9473E8A90593250C4A95EAE3A7066E9D8A57535CBDF82AA4AD4C2"/>
<Deny ID="ID_DENY_D_415" FriendlyName="PowerShellShell 415" Hash="AC9F095DD4AE80B124F55541761AA1F35E49A575"/>
<Deny ID="ID_DENY_D_416" FriendlyName="PowerShellShell 416" Hash="0D8A0FB3BF3CF80D44ED20D9F1E7292E9EE5A49ABCE68592DED55A71B0ACAECE"/>
<Deny ID="ID_DENY_D_417" FriendlyName="PowerShellShell 417" Hash="3C7265C3393C585D32E509B2D2EC048C73AC5EE6"/>
<Deny ID="ID_DENY_D_418" FriendlyName="PowerShellShell 418" Hash="7F1E03E956CA38CC0C491CB958D6E61A52491269CDB363BC488B525F80C56424"/>
<Deny ID="ID_DENY_D_419" FriendlyName="PowerShellShell 419" Hash="89CEAB6518DA4E7F75B3C75BC04A112D3637B737"/>
<Deny ID="ID_DENY_D_420" FriendlyName="PowerShellShell 420" Hash="6581E491FBFF954A1A4B9CEA69B63951D67EB56DF871ED8B055193595F042B0D"/>
<Deny ID="ID_DENY_D_421" FriendlyName="PowerShellShell 421" Hash="4BFB3F95CA1B79DA3C6B0A2ECB432059E686F967"/>
<Deny ID="ID_DENY_D_422" FriendlyName="PowerShellShell 422" Hash="0C4688AACD02829850DE0F792AC06D3C87895412A910EA76F7F9BF31B3B4A3E9"/>
<Deny ID="ID_DENY_D_423" FriendlyName="PowerShellShell 423" Hash="BDBE541D269EC8235563842D024F9E37883DFB57"/>
<Deny ID="ID_DENY_D_424" FriendlyName="PowerShellShell 424" Hash="441076C7FD0AD481E6AC3198F08BE80EA9EB2926CA81D733F798D03DBEFD683E"/>
<Deny ID="ID_DENY_D_425" FriendlyName="PowerShellShell 425" Hash="BDB3DAC80667A0B931835D5D658C08F236B413D1"/>
<Deny ID="ID_DENY_D_426" FriendlyName="PowerShellShell 426" Hash="51287BACB692AAC5A8659774D982B304DC0C0B4A4D8F41CBCCD47D69796786DE"/>
<Deny ID="ID_DENY_D_427" FriendlyName="PowerShellShell 427" Hash="EA157E01147629D1F59503D8335FB6EBC688B2C1"/>
<Deny ID="ID_DENY_D_428" FriendlyName="PowerShellShell 428" Hash="14C160DF95736EC1D7C6C55B9D0F81832E8FE0DB6C5931B23E45A559995A1000"/>
<Deny ID="ID_DENY_D_429" FriendlyName="PowerShellShell 429" Hash="272EF88BBA9B4B54D242FFE1E96D07DBF53497A0"/>
<Deny ID="ID_DENY_D_430" FriendlyName="PowerShellShell 430" Hash="AFC0968EDCE9E5FC1BC392382833EBEF3265B32D3ECBB529D89A1DF33A31E9BD"/>
<Deny ID="ID_DENY_D_431" FriendlyName="PowerShellShell 431" Hash="029198F05598109037A0E9E332EC052317E834DA"/>
<Deny ID="ID_DENY_D_432" FriendlyName="PowerShellShell 432" Hash="70B4BB6C2B7E9237FB14ABBC94955012285E2CAA74F91455EE52809CDAD4E7FC"/>
<Deny ID="ID_DENY_D_433" FriendlyName="PowerShellShell 433" Hash="5B8E45EECA32C2F0968C2252229D768B0DB796A0"/>
<Deny ID="ID_DENY_D_434" FriendlyName="PowerShellShell 434" Hash="B4D336B32C27E3D3FEBE4B06252DDE9683814E7E903C98448972AAB7389DFC02"/>
<Deny ID="ID_DENY_D_435" FriendlyName="PowerShellShell 435" Hash="6792915D3C837A39BD04AD169488009BB1EA372C"/>
<Deny ID="ID_DENY_D_436" FriendlyName="PowerShellShell 436" Hash="23B10EC5FC7EAEB9F8D147163463299328FAED4B973BB862ECD3F28D6794DA9D"/>
<Deny ID="ID_DENY_D_437" FriendlyName="PowerShellShell 437" Hash="EC41A3FB8D6E3B0F55F6583C14C45B6238753019"/>
<Deny ID="ID_DENY_D_438" FriendlyName="PowerShellShell 438" Hash="76CA6B396796351685198D6189E865AFD7FB9E6C5CEFA9EA0B5F0A9F1FC98D57"/>
<Deny ID="ID_DENY_D_439" FriendlyName="PowerShellShell 439" Hash="A15964475D213FB752B42E7DCDDBF4B14D623D14"/>
<Deny ID="ID_DENY_D_440" FriendlyName="PowerShellShell 440" Hash="61A68B436D828193E0C7B44D2AF83D22A9CB557B90186E4E6AC998CE5E3BFE8A"/>
<Deny ID="ID_DENY_D_441" FriendlyName="PowerShellShell 441" Hash="24F9CF6C5E9671A295AD0DEED74737FB6E9146DE"/>
<Deny ID="ID_DENY_D_442" FriendlyName="PowerShellShell 442" Hash="C2E862CC578F54A53496EEE2DCB534A106AFD55C7288362AF6499B45F8D8755E"/>
<Deny ID="ID_DENY_D_443" FriendlyName="PowerShellShell 443" Hash="F87C726CCB5E64C6F363C21255935D5FEA9E4A0E"/>
<Deny ID="ID_DENY_D_444" FriendlyName="PowerShellShell 444" Hash="B7B42C3C8C61FD2616C16BBCF36EA15EC26A67536E94764D72A91CE04B89AAA4"/>
<Deny ID="ID_DENY_D_445" FriendlyName="PowerShellShell 445" Hash="4EB2C3A4B551FC028E00F2E7DA9D0F1E38728571"/>
<Deny ID="ID_DENY_D_446" FriendlyName="PowerShellShell 446" Hash="30EAC589069FB79D540080B04B7FDBB8A9B1DF4E96B9D7C98519E49A1ED56851"/>
<Deny ID="ID_DENY_D_447" FriendlyName="PowerShellShell 447" Hash="2DF4350DE3C97C9D4FD2973F8C5EA8AE621D22A8"/>
<Deny ID="ID_DENY_D_448" FriendlyName="PowerShellShell 448" Hash="015CE571E8503A353E2250D4D0DA19493B3311F3437527E6DDD2D2B6439FA2EB"/>
<Deny ID="ID_DENY_D_449" FriendlyName="PowerShellShell 449" Hash="993425279D204D1D14C3EB989DEB4805ADC558CF"/>
<Deny ID="ID_DENY_D_450" FriendlyName="PowerShellShell 450" Hash="BDADDD710E47EB8D24B78E542F3996B0EA2CA577ABD515785819302DB15839DD"/>
<Deny ID="ID_DENY_D_451" FriendlyName="PowerShellShell 451" Hash="1A16008D330330182AA555B1D3E9BE0B2D6BECBF"/>
<Deny ID="ID_DENY_D_452" FriendlyName="PowerShellShell 452" Hash="D7685E259D0328937487856A3AB68B6D9D420DD4E02541F4D71164DFA65B4644"/>
<Deny ID="ID_DENY_D_453" FriendlyName="PowerShellShell 453" Hash="2CB781B3BD79FD277D92332ACA22C04430F9D692"/>
<Deny ID="ID_DENY_D_454" FriendlyName="PowerShellShell 454" Hash="92AE03F0090C0A5DF329B4B3FFEDBA622B0521BA699FA303C24120A30ED4C9E6"/>
<Deny ID="ID_DENY_D_455" FriendlyName="PowerShellShell 455" Hash="BA4B3A92123FBCE66398020AFBCC0BCA1D1AAAD7"/>
<Deny ID="ID_DENY_D_456" FriendlyName="PowerShellShell 456" Hash="D8D361E3690676C7FDC483003BFC5C0C39FB16B42DFC881FB8D42A1064740B0B"/>
<Deny ID="ID_DENY_D_457" FriendlyName="PowerShellShell 457" Hash="D5A9460A941FB5B49EAFDD57575CFB23F27779D3"/>
<Deny ID="ID_DENY_D_458" FriendlyName="PowerShellShell 458" Hash="4BDAAC1654328E4D37B6ED89DA351155438E558F51458F2129AFFAC5B596CD61"/>
<Deny ID="ID_DENY_D_459" FriendlyName="PowerShellShell 459" Hash="3E5294910C59394DA93962128968E6C23016A028"/>
<Deny ID="ID_DENY_D_460" FriendlyName="PowerShellShell 460" Hash="DA700D4F58BCEA1D5A9CAD4F20AC725C6A354F9DA40E4F8F95E1C3DC7B84F550"/>
<Deny ID="ID_DENY_D_461" FriendlyName="PowerShellShell 461" Hash="C30355B5E6FA3F793A3CC0A649945829723DD85C"/>
<Deny ID="ID_DENY_D_462" FriendlyName="PowerShellShell 462" Hash="4EB14099165177F0F3A1FACE32E72CF2DD221DB44155E73AFF94CB7DA195EF22"/>
<Deny ID="ID_DENY_D_463" FriendlyName="PowerShellShell 463" Hash="C647D17850941CFB5B9C8AF49A48569B52230274"/>
<Deny ID="ID_DENY_D_464" FriendlyName="PowerShellShell 464" Hash="0BCBDE8791E3D6D7A7C8FC6F25E14383014E6B43D9720A04AF0BD4BDC37F79E0"/>
<Deny ID="ID_DENY_D_465" FriendlyName="PowerShellShell 465" Hash="CA6E0BAB6B28E1592D0FC5940023C7A81E2568F8"/>
<Deny ID="ID_DENY_D_466" FriendlyName="PowerShellShell 466" Hash="366E00E2F517D4D404133AEFEF6F917DFA156E3E46D350A8CBBE59BE1FB877A2"/>
<Deny ID="ID_DENY_D_467" FriendlyName="PowerShellShell 467" Hash="7D9FFFA86DDCD227A3B4863D995456308BAC2403"/>
<Deny ID="ID_DENY_D_468" FriendlyName="PowerShellShell 468" Hash="4439BBF61DC012AFC8190199AF5722C3AE26F365DEE618D0D945D75FD1AABF3C"/>
<Deny ID="ID_DENY_D_469" FriendlyName="PowerShellShell 469" Hash="8FFDD4576F2B6D4999326CFAF67727BFB471FA21"/>
<Deny ID="ID_DENY_D_470" FriendlyName="PowerShellShell 470" Hash="94630AB6F60A7193A6E27E312AF9B71DA265D42AD49465F4EEA11EBF134BA54A"/>
<Deny ID="ID_DENY_D_471" FriendlyName="PowerShellShell 471" Hash="78B8454F78E216B629E43B4E40765F73BFE0D6C6"/>
<Deny ID="ID_DENY_D_472" FriendlyName="PowerShellShell 472" Hash="498BB1688410EE243D61FB5C7B37457FA6C0A9A32D136AF70FAD43D5F37D7A81"/>
<Deny ID="ID_DENY_D_473" FriendlyName="PowerShellShell 473" Hash="B1CF2A18B281F73FE6685B5CE74D1BA50BE9AFE5"/>
<Deny ID="ID_DENY_D_474" FriendlyName="PowerShellShell 474" Hash="095B79953F9E3E2FB721693FBFAD5841112D592B6CA7EB2055B262DEB7C7008A"/>
<Deny ID="ID_DENY_D_475" FriendlyName="PowerShellShell 475" Hash="8AF579DE1D7E590A13BD1DAE5BFDB39476068A05"/>
<Deny ID="ID_DENY_D_476" FriendlyName="PowerShellShell 476" Hash="9917A3055D194F47AB295FA3F917E4BD2F08DDF45C04C65C591A020E1507A573"/>
<Deny ID="ID_DENY_D_477" FriendlyName="PowerShellShell 477" Hash="DD64046BAB221CF4110FF230FA5060310A4D9610"/>
<Deny ID="ID_DENY_D_478" FriendlyName="PowerShellShell 478" Hash="A55AF37229D7E249C8CAFED3432E595AA77FAF8B62990C07938220E957679081"/>
<Deny ID="ID_DENY_D_479" FriendlyName="PowerShellShell 479" Hash="421D1142105358B8360454E43FD15767DA111DBA"/>
<Deny ID="ID_DENY_D_480" FriendlyName="PowerShellShell 480" Hash="692CABD40C1EDFCB6DC50591F31FAE30848E579D6EF4D2CA0811D06B086CF8BE"/>
<Deny ID="ID_DENY_D_481" FriendlyName="PowerShellShell 481" Hash="720D826A84284E18E0003526A0CD9B7FF0C4A98A"/>
<Deny ID="ID_DENY_D_482" FriendlyName="PowerShellShell 482" Hash="CB5DF9D0D25571948C3D257882E07C7FA5E768448E0DEBF637E110F9FF575808"/>
<Deny ID="ID_DENY_D_483" FriendlyName="PowerShellShell 483" Hash="2F587293F16DFCD06F3BF8B8348FF68827ECD307"/>
<Deny ID="ID_DENY_D_484" FriendlyName="PowerShellShell 484" Hash="B2F4A5FE21D5961F464CAB3E88C0ED88154B0C1A422629474AD5C9EDC11880B6"/>
<Deny ID="ID_DENY_D_485" FriendlyName="PowerShellShell 485" Hash="6DC048AFA50B5B1B0AD7DD3125AC83D46FED730A"/>
<Deny ID="ID_DENY_D_486" FriendlyName="PowerShellShell 486" Hash="432F666CCE8CD222484E263AE02F63E0038143DD6AD07B3EB1633CD3C498C13D"/>
<Deny ID="ID_DENY_D_487" FriendlyName="PowerShellShell 487" Hash="CD9D9789B3B31562C4BE44B6BEEA8815C5EDAE1F"/>
<Deny ID="ID_DENY_D_488" FriendlyName="PowerShellShell 488" Hash="FCAF8DC3C7A5D3B29B19A9C5F89324BF65B50C440AC0316B08532CEA2F1FF9B0"/>
<Deny ID="ID_DENY_D_489" FriendlyName="PowerShellShell 489" Hash="4F5D66B449C4D2FDEA532F9B5DBECA5ACA8195EF"/>
<Deny ID="ID_DENY_D_490" FriendlyName="PowerShellShell 490" Hash="39F2F19A5C6708CE8CE4E1ABBEBA8D3D1A6220391CA86B2D319E347B46005C97"/>
<Deny ID="ID_DENY_D_491" FriendlyName="PowerShellShell 491" Hash="A4390EF2D77F76DC4EFE55FF74EE1D06C303FDAE"/>
<Deny ID="ID_DENY_D_492" FriendlyName="PowerShellShell 492" Hash="3246A0CB329B030DA104E04B1A0728DE83724B08C724FD0238CE4578A0245576"/>
<Deny ID="ID_DENY_D_493" FriendlyName="PowerShellShell 493" Hash="E180486F0CC90AF4FB8283ADCF571884894513C8"/>
<Deny ID="ID_DENY_D_494" FriendlyName="PowerShellShell 494" Hash="3800E38275E6BB3B4645CDAD14CD756239BB9A87EF261DC1B68072B6DB2850C0"/>
<Deny ID="ID_DENY_D_495" FriendlyName="PowerShellShell 495" Hash="AC53AE4C8AB56D84393D67D820BEBDC3218739D3"/>
<Deny ID="ID_DENY_D_496" FriendlyName="PowerShellShell 496" Hash="49580C9459C3917E6F982C8E0D753D293DFA2E4FD1152F78FF7C73CF8B422507"/>
<Deny ID="ID_DENY_D_497" FriendlyName="PowerShellShell 497" Hash="00419E981EDC8613E600C939677F7B460855BF7E"/>
<Deny ID="ID_DENY_D_498" FriendlyName="PowerShellShell 498" Hash="61B724BCFC3DA1CC1583DB0BC42EFE166E92D8D3CE91E58A29F7AEBEFAE2149F"/>
<Deny ID="ID_DENY_D_499" FriendlyName="PowerShellShell 499" Hash="25F52340199A0EA352C8B1A7014BCB610B232523"/>
<Deny ID="ID_DENY_D_500" FriendlyName="PowerShellShell 500" Hash="64D6D1F3A053908C5635BD6BDA36BC8E72D518C7ECE8DA761C0DDE70C50BB632"/>
<Deny ID="ID_DENY_D_501" FriendlyName="PowerShellShell 501" Hash="F4DB0CDF3A3FD163A9B90789CC6D14D326AD609C"/>
<Deny ID="ID_DENY_D_502" FriendlyName="PowerShellShell 502" Hash="5D249D8366077713024552CA8D08F164E975AFF89E8909E35A43F02B0DC66F70"/>
<Deny ID="ID_DENY_D_503" FriendlyName="PowerShellShell 503" Hash="231A02EAB7EB192638BC89AB61A5077346FF22B9"/>
<Deny ID="ID_DENY_D_504" FriendlyName="PowerShellShell 504" Hash="4D544170DE5D9916678EA43A7C6F796FC02EFA9197C6E0C01A1D832BF554F748"/>
<Deny ID="ID_DENY_D_505" FriendlyName="PowerShellShell 505" Hash="A9745E20419EC1C90B23FE965D3C2DF028AF39DC"/>
<Deny ID="ID_DENY_D_506" FriendlyName="PowerShellShell 506" Hash="71B5B58EAA0C90397BC9546BCCA8C657500499CD2087CD7D7E1753D54C07E71D"/>
<Deny ID="ID_DENY_D_507" FriendlyName="PowerShellShell 507" Hash="15EF1F7DBC474732E122A0147640ACBD9DA1775C"/>
<Deny ID="ID_DENY_D_508" FriendlyName="PowerShellShell 508" Hash="04724BF232D5F169FBB0DB6821E35D772619FB4F24069BE0EC571BA622ACC4D2"/>
<Deny ID="ID_DENY_D_509" FriendlyName="PowerShellShell 509" Hash="7959AB2B34A5F490AD54782D135BF155592DF13F"/>
<Deny ID="ID_DENY_D_510" FriendlyName="PowerShellShell 510" Hash="DD03CD6B5655B4EB9DD259F26E1585389804C23DB39C10122B6BC0E8886B4C2A"/>
<Deny ID="ID_DENY_D_511" FriendlyName="PowerShellShell 511" Hash="CCA8C8FB699496BD50AE296B20CC9ADC3496DECE"/>
<Deny ID="ID_DENY_D_512" FriendlyName="PowerShellShell 512" Hash="75E6C2DD81FE2664DF466C9C2EB0F923B0C6D992FF653B673793A896D8860957"/>
<Deny ID="ID_DENY_D_513" FriendlyName="PowerShellShell 513" Hash="080DEC3B15AD5AFE9BF3B0943A36285E92BAF469"/>
<Deny ID="ID_DENY_D_514" FriendlyName="PowerShellShell 514" Hash="F1391E78F17EA6097906B99C6F4F0AE8DD2E519856F837A3BCC58FBB87DAAE62"/>
<Deny ID="ID_DENY_D_515" FriendlyName="PowerShellShell 515" Hash="B3B7A653DD1A10EE9A3D35C818D227E2E3C3B5FB"/>
<Deny ID="ID_DENY_D_516" FriendlyName="PowerShellShell 516" Hash="43E2D91C0C6A8473BE178F1793E5E34966D700F71362297ECF4B5D46239603E3"/>
<Deny ID="ID_DENY_D_517" FriendlyName="PowerShellShell 517" Hash="D82583F7D5EA477C94630AC5AAEB771C85BD4B0A"/>
<Deny ID="ID_DENY_D_518" FriendlyName="PowerShellShell 518" Hash="9B0F39AB233628A971ACEC53029C9B608CAB99868F1A1C5ABE20BC1BD1C2B70E"/>
<Deny ID="ID_DENY_D_519" FriendlyName="PowerShellShell 519" Hash="AAE22FD137E8B7217222974DCE60B9AD4AF2A512"/>
<Deny ID="ID_DENY_D_520" FriendlyName="PowerShellShell 520" Hash="DAC9E963A3897D7F7AB2B4FEBBD4894A15441246639CE3E8EE74B0228F312742"/>
<Deny ID="ID_DENY_D_521" FriendlyName="PowerShellShell 521" Hash="8DAB1D74CAEDBAA8D17805CF00D64A44F5831C12"/>
<Deny ID="ID_DENY_D_522" FriendlyName="PowerShellShell 522" Hash="AC1CE3AA9023E23F2F63D5A3536294B914686057336402E059DEF6559D1CE723"/>
<Deny ID="ID_DENY_D_523" FriendlyName="PowerShellShell 523" Hash="266896FD257AD8EE9FC73B3A50306A573714EA8A"/>
<Deny ID="ID_DENY_D_524" FriendlyName="PowerShellShell 524" Hash="8E36BD08084C73AF674F2DAD568EE3BA2C85769FA7B3400CB62F7A7BD028BE9A"/>
<Deny ID="ID_DENY_D_525" FriendlyName="PowerShellShell 525" Hash="2AB804E1FF982AE0EDB591BC61AA909CF32E99C5"/>
<Deny ID="ID_DENY_D_526" FriendlyName="PowerShellShell 526" Hash="253120422B0DD987C293CAF5928FA820414C0A01622FD0EAF304A750FC5AEEFE"/>
<Deny ID="ID_DENY_D_527" FriendlyName="PowerShellShell 527" Hash="25CA971D7EDFAA7A48FA19B8399301853809D7CC"/>
<Deny ID="ID_DENY_D_528" FriendlyName="PowerShellShell 528" Hash="0A10C71CB5CC8A801F84F2CCD8041D13DB55711435388D9500C53D122688D4E5"/>
<Deny ID="ID_DENY_D_529" FriendlyName="PowerShellShell 529" Hash="46E05FD4D62451C1DCB0287B32B3D77AD41544EA"/>
<Deny ID="ID_DENY_D_530" FriendlyName="PowerShellShell 530" Hash="D86F930445F0715D0D7E4C3B089399280FBA2ACE0E4125BA5D3DAB9FAC1A6D3A"/>
<Deny ID="ID_DENY_D_531" FriendlyName="PowerShellShell 531" Hash="479C9429691314D3E21E4F4CA8B95D5BD2BDDEDA"/>
<Deny ID="ID_DENY_D_532" FriendlyName="PowerShellShell 532" Hash="2BA4E369D267A9ABDEBA50DA2CB5FC56A8EE4382C5BCFCFFD121350B88A6F0E1"/>
<Deny ID="ID_DENY_D_533" FriendlyName="PowerShellShell 533" Hash="FF205856A3209227D571EAD4B8C1E611E7FF9924"/>
<Deny ID="ID_DENY_D_534" FriendlyName="PowerShellShell 534" Hash="A63B38CE17DA60C4C431FC42C4507A0B7C19B384AC9E121E2988AD026E71ED63"/>
<Deny ID="ID_DENY_D_535" FriendlyName="PowerShellShell 535" Hash="7FCB424E67DDAC49413B45D7DCD636AD70E23B41"/>
<Deny ID="ID_DENY_D_536" FriendlyName="PowerShellShell 536" Hash="7E6F9A738520F78D1E9D0D0883FB07DD9188408CBE7C2937BDE1590F90C61753"/>
<Deny ID="ID_DENY_D_537" FriendlyName="PowerShellShell 537" Hash="46936F4F0AFE4C87D2E55595F74DDDFFC9AD94EE"/>
<Deny ID="ID_DENY_D_538" FriendlyName="PowerShellShell 538" Hash="9843DC862BC7491A279A09EFD8FF122EB23C57CA"/>
<Deny ID="ID_DENY_D_539" FriendlyName="PowerShellShell 539" Hash="11F11FB1E57F299383A615D6A28436E02A1C1A83"/>
<Deny ID="ID_DENY_D_540" FriendlyName="PowerShellShell 540" Hash="C593ABE79DFFB1504CFCDB1A6AD65D24996E7B97"/>
<Deny ID="ID_DENY_D_541" FriendlyName="PowerShellShell 541" Hash="93E22F2BA6C8B1C09F100F9C0E3B06FAF2D1DDB6"/>
<Deny ID="ID_DENY_D_542" FriendlyName="PowerShellShell 542" Hash="5A8D9712CF7893C335FFB7414748625D524227FE"/>
<Deny ID="ID_DENY_D_543" FriendlyName="PowerShellShell 543" Hash="B5FFFEE20F25691A59F3894644AEF088B4845761"/>
<Deny ID="ID_DENY_D_544" FriendlyName="PowerShellShell 544" Hash="3334059FF4484C43A5D08CEC3E43E2D27EDB927B"/>
<Deny ID="ID_DENY_D_545" FriendlyName="PowerShellShell 545" Hash="00B6993F59990C3DFEA33584BDB050F91313B17A"/>
<Deny ID="ID_DENY_D_546" FriendlyName="PowerShellShell 546" Hash="7518F60A0B33011D19873908559961F96A9B4FC0"/>
<Deny ID="ID_DENY_D_547" FriendlyName="PowerShellShell 547" Hash="A1D1AF7675C2596D0DF977F57B54372298A56EE0F3E1FF2D974D387D7F69DD4E"/>
<Deny ID="ID_DENY_D_548" FriendlyName="PowerShellShell 548" Hash="3C1743CBC43B80F5AF5B17239B03A8727B4BE81F14052BDE37685E2D54214071"/>
<Deny ID="ID_DENY_D_549" FriendlyName="PowerShellShell 549" Hash="C7DC8B00F0BDA000D1F3CF0FBC7AB32D443C377C0130BB5153A0390E712DDDE5"/>
<Deny ID="ID_DENY_D_550" FriendlyName="PowerShellShell 550" Hash="ED5A4747C8AEEB1AC2F4FDB8EB0B9BFC240F2B3C00BF7C6CDB372BFFEC0F8ABE"/>
<Deny ID="ID_DENY_D_551" FriendlyName="PowerShellShell 551" Hash="939C291D4A2592209EC7664EC832670FA0AC1009F974F47489D866751F4B862F"/>
<Deny ID="ID_DENY_D_552" FriendlyName="PowerShellShell 552" Hash="497A2D4207B2AE6EF09424591624A86A64A2C8E451389ED9A3256E6274556A7B"/>
<Deny ID="ID_DENY_D_553" FriendlyName="PowerShellShell 553" Hash="732BC385B191C8436B42CD1441DC234FFDD5EC1BD18A32894F093EECA3DD8FBC"/>
<Deny ID="ID_DENY_D_554" FriendlyName="PowerShellShell 554" Hash="CBD19FDB6338DB02299A3F3FFBBEBF216B18013B3377D1D31E51491C0C5F074C"/>
<Deny ID="ID_DENY_D_555" FriendlyName="PowerShellShell 555" Hash="3A316A0A470744EB7D18339B76E786564D1E96130766A9895B2222C4066CE820"/>
<Deny ID="ID_DENY_D_556" FriendlyName="PowerShellShell 556" Hash="68A4A1E8F4E1B903408ECD24608659B390B9E7154EB380D94ADE7FEB5EA470E7"/>
<!-- pubprn.vbs
-->
<!-- rs2 x86fre
@ -797,7 +1068,277 @@ Microsoft recommends that you block the following Microsoft-signed applications
<FileRuleRef RuleID="ID_DENY_D_283"/>
<FileRuleRef RuleID="ID_DENY_D_284"/>
<FileRuleRef RuleID="ID_DENY_D_285"/>
<FileRuleRef RuleID="ID_DENY_D_286"/>
<FileRuleRef RuleID="ID_DENY_D_286"/>
<FileRuleRef RuleID="ID_DENY_D_287"/>
<FileRuleRef RuleID="ID_DENY_D_288"/>
<FileRuleRef RuleID="ID_DENY_D_289"/>
<FileRuleRef RuleID="ID_DENY_D_290"/>
<FileRuleRef RuleID="ID_DENY_D_291"/>
<FileRuleRef RuleID="ID_DENY_D_292"/>
<FileRuleRef RuleID="ID_DENY_D_293"/>
<FileRuleRef RuleID="ID_DENY_D_294"/>
<FileRuleRef RuleID="ID_DENY_D_295"/>
<FileRuleRef RuleID="ID_DENY_D_296"/>
<FileRuleRef RuleID="ID_DENY_D_297"/>
<FileRuleRef RuleID="ID_DENY_D_298"/>
<FileRuleRef RuleID="ID_DENY_D_299"/>
<FileRuleRef RuleID="ID_DENY_D_300"/>
<FileRuleRef RuleID="ID_DENY_D_301"/>
<FileRuleRef RuleID="ID_DENY_D_302"/>
<FileRuleRef RuleID="ID_DENY_D_303"/>
<FileRuleRef RuleID="ID_DENY_D_304"/>
<FileRuleRef RuleID="ID_DENY_D_305"/>
<FileRuleRef RuleID="ID_DENY_D_306"/>
<FileRuleRef RuleID="ID_DENY_D_307"/>
<FileRuleRef RuleID="ID_DENY_D_308"/>
<FileRuleRef RuleID="ID_DENY_D_309"/>
<FileRuleRef RuleID="ID_DENY_D_310"/>
<FileRuleRef RuleID="ID_DENY_D_311"/>
<FileRuleRef RuleID="ID_DENY_D_312"/>
<FileRuleRef RuleID="ID_DENY_D_313"/>
<FileRuleRef RuleID="ID_DENY_D_314"/>
<FileRuleRef RuleID="ID_DENY_D_315"/>
<FileRuleRef RuleID="ID_DENY_D_316"/>
<FileRuleRef RuleID="ID_DENY_D_317"/>
<FileRuleRef RuleID="ID_DENY_D_318"/>
<FileRuleRef RuleID="ID_DENY_D_319"/>
<FileRuleRef RuleID="ID_DENY_D_320"/>
<FileRuleRef RuleID="ID_DENY_D_321"/>
<FileRuleRef RuleID="ID_DENY_D_322"/>
<FileRuleRef RuleID="ID_DENY_D_323"/>
<FileRuleRef RuleID="ID_DENY_D_324"/>
<FileRuleRef RuleID="ID_DENY_D_325"/>
<FileRuleRef RuleID="ID_DENY_D_326"/>
<FileRuleRef RuleID="ID_DENY_D_327"/>
<FileRuleRef RuleID="ID_DENY_D_328"/>
<FileRuleRef RuleID="ID_DENY_D_329"/>
<FileRuleRef RuleID="ID_DENY_D_330"/>
<FileRuleRef RuleID="ID_DENY_D_331"/>
<FileRuleRef RuleID="ID_DENY_D_332"/>
<FileRuleRef RuleID="ID_DENY_D_333"/>
<FileRuleRef RuleID="ID_DENY_D_334"/>
<FileRuleRef RuleID="ID_DENY_D_335"/>
<FileRuleRef RuleID="ID_DENY_D_336"/>
<FileRuleRef RuleID="ID_DENY_D_337"/>
<FileRuleRef RuleID="ID_DENY_D_338"/>
<FileRuleRef RuleID="ID_DENY_D_339"/>
<FileRuleRef RuleID="ID_DENY_D_340"/>
<FileRuleRef RuleID="ID_DENY_D_341"/>
<FileRuleRef RuleID="ID_DENY_D_342"/>
<FileRuleRef RuleID="ID_DENY_D_343"/>
<FileRuleRef RuleID="ID_DENY_D_344"/>
<FileRuleRef RuleID="ID_DENY_D_345"/>
<FileRuleRef RuleID="ID_DENY_D_346"/>
<FileRuleRef RuleID="ID_DENY_D_347"/>
<FileRuleRef RuleID="ID_DENY_D_348"/>
<FileRuleRef RuleID="ID_DENY_D_349"/>
<FileRuleRef RuleID="ID_DENY_D_350"/>
<FileRuleRef RuleID="ID_DENY_D_351"/>
<FileRuleRef RuleID="ID_DENY_D_352"/>
<FileRuleRef RuleID="ID_DENY_D_353"/>
<FileRuleRef RuleID="ID_DENY_D_354"/>
<FileRuleRef RuleID="ID_DENY_D_355"/>
<FileRuleRef RuleID="ID_DENY_D_356"/>
<FileRuleRef RuleID="ID_DENY_D_357"/>
<FileRuleRef RuleID="ID_DENY_D_358"/>
<FileRuleRef RuleID="ID_DENY_D_359"/>
<FileRuleRef RuleID="ID_DENY_D_360"/>
<FileRuleRef RuleID="ID_DENY_D_361"/>
<FileRuleRef RuleID="ID_DENY_D_362"/>
<FileRuleRef RuleID="ID_DENY_D_363"/>
<FileRuleRef RuleID="ID_DENY_D_364"/>
<FileRuleRef RuleID="ID_DENY_D_365"/>
<FileRuleRef RuleID="ID_DENY_D_366"/>
<FileRuleRef RuleID="ID_DENY_D_367"/>
<FileRuleRef RuleID="ID_DENY_D_368"/>
<FileRuleRef RuleID="ID_DENY_D_369"/>
<FileRuleRef RuleID="ID_DENY_D_370"/>
<FileRuleRef RuleID="ID_DENY_D_371"/>
<FileRuleRef RuleID="ID_DENY_D_372"/>
<FileRuleRef RuleID="ID_DENY_D_373"/>
<FileRuleRef RuleID="ID_DENY_D_374"/>
<FileRuleRef RuleID="ID_DENY_D_375"/>
<FileRuleRef RuleID="ID_DENY_D_376"/>
<FileRuleRef RuleID="ID_DENY_D_377"/>
<FileRuleRef RuleID="ID_DENY_D_378"/>
<FileRuleRef RuleID="ID_DENY_D_379"/>
<FileRuleRef RuleID="ID_DENY_D_380"/>
<FileRuleRef RuleID="ID_DENY_D_381"/>
<FileRuleRef RuleID="ID_DENY_D_382"/>
<FileRuleRef RuleID="ID_DENY_D_383"/>
<FileRuleRef RuleID="ID_DENY_D_384"/>
<FileRuleRef RuleID="ID_DENY_D_385"/>
<FileRuleRef RuleID="ID_DENY_D_386"/>
<FileRuleRef RuleID="ID_DENY_D_387"/>
<FileRuleRef RuleID="ID_DENY_D_388"/>
<FileRuleRef RuleID="ID_DENY_D_389"/>
<FileRuleRef RuleID="ID_DENY_D_390"/>
<FileRuleRef RuleID="ID_DENY_D_391"/>
<FileRuleRef RuleID="ID_DENY_D_392"/>
<FileRuleRef RuleID="ID_DENY_D_393"/>
<FileRuleRef RuleID="ID_DENY_D_394"/>
<FileRuleRef RuleID="ID_DENY_D_395"/>
<FileRuleRef RuleID="ID_DENY_D_396"/>
<FileRuleRef RuleID="ID_DENY_D_397"/>
<FileRuleRef RuleID="ID_DENY_D_398"/>
<FileRuleRef RuleID="ID_DENY_D_399"/>
<FileRuleRef RuleID="ID_DENY_D_400"/>
<FileRuleRef RuleID="ID_DENY_D_401"/>
<FileRuleRef RuleID="ID_DENY_D_402"/>
<FileRuleRef RuleID="ID_DENY_D_403"/>
<FileRuleRef RuleID="ID_DENY_D_404"/>
<FileRuleRef RuleID="ID_DENY_D_405"/>
<FileRuleRef RuleID="ID_DENY_D_406"/>
<FileRuleRef RuleID="ID_DENY_D_407"/>
<FileRuleRef RuleID="ID_DENY_D_408"/>
<FileRuleRef RuleID="ID_DENY_D_409"/>
<FileRuleRef RuleID="ID_DENY_D_410"/>
<FileRuleRef RuleID="ID_DENY_D_411"/>
<FileRuleRef RuleID="ID_DENY_D_412"/>
<FileRuleRef RuleID="ID_DENY_D_413"/>
<FileRuleRef RuleID="ID_DENY_D_414"/>
<FileRuleRef RuleID="ID_DENY_D_415"/>
<FileRuleRef RuleID="ID_DENY_D_416"/>
<FileRuleRef RuleID="ID_DENY_D_417"/>
<FileRuleRef RuleID="ID_DENY_D_418"/>
<FileRuleRef RuleID="ID_DENY_D_419"/>
<FileRuleRef RuleID="ID_DENY_D_420"/>
<FileRuleRef RuleID="ID_DENY_D_421"/>
<FileRuleRef RuleID="ID_DENY_D_422"/>
<FileRuleRef RuleID="ID_DENY_D_423"/>
<FileRuleRef RuleID="ID_DENY_D_424"/>
<FileRuleRef RuleID="ID_DENY_D_425"/>
<FileRuleRef RuleID="ID_DENY_D_426"/>
<FileRuleRef RuleID="ID_DENY_D_427"/>
<FileRuleRef RuleID="ID_DENY_D_428"/>
<FileRuleRef RuleID="ID_DENY_D_429"/>
<FileRuleRef RuleID="ID_DENY_D_430"/>
<FileRuleRef RuleID="ID_DENY_D_431"/>
<FileRuleRef RuleID="ID_DENY_D_432"/>
<FileRuleRef RuleID="ID_DENY_D_433"/>
<FileRuleRef RuleID="ID_DENY_D_434"/>
<FileRuleRef RuleID="ID_DENY_D_435"/>
<FileRuleRef RuleID="ID_DENY_D_436"/>
<FileRuleRef RuleID="ID_DENY_D_437"/>
<FileRuleRef RuleID="ID_DENY_D_438"/>
<FileRuleRef RuleID="ID_DENY_D_439"/>
<FileRuleRef RuleID="ID_DENY_D_440"/>
<FileRuleRef RuleID="ID_DENY_D_441"/>
<FileRuleRef RuleID="ID_DENY_D_442"/>
<FileRuleRef RuleID="ID_DENY_D_443"/>
<FileRuleRef RuleID="ID_DENY_D_444"/>
<FileRuleRef RuleID="ID_DENY_D_445"/>
<FileRuleRef RuleID="ID_DENY_D_446"/>
<FileRuleRef RuleID="ID_DENY_D_447"/>
<FileRuleRef RuleID="ID_DENY_D_448"/>
<FileRuleRef RuleID="ID_DENY_D_449"/>
<FileRuleRef RuleID="ID_DENY_D_450"/>
<FileRuleRef RuleID="ID_DENY_D_451"/>
<FileRuleRef RuleID="ID_DENY_D_452"/>
<FileRuleRef RuleID="ID_DENY_D_453"/>
<FileRuleRef RuleID="ID_DENY_D_454"/>
<FileRuleRef RuleID="ID_DENY_D_455"/>
<FileRuleRef RuleID="ID_DENY_D_456"/>
<FileRuleRef RuleID="ID_DENY_D_457"/>
<FileRuleRef RuleID="ID_DENY_D_458"/>
<FileRuleRef RuleID="ID_DENY_D_459"/>
<FileRuleRef RuleID="ID_DENY_D_460"/>
<FileRuleRef RuleID="ID_DENY_D_461"/>
<FileRuleRef RuleID="ID_DENY_D_462"/>
<FileRuleRef RuleID="ID_DENY_D_463"/>
<FileRuleRef RuleID="ID_DENY_D_464"/>
<FileRuleRef RuleID="ID_DENY_D_465"/>
<FileRuleRef RuleID="ID_DENY_D_466"/>
<FileRuleRef RuleID="ID_DENY_D_467"/>
<FileRuleRef RuleID="ID_DENY_D_468"/>
<FileRuleRef RuleID="ID_DENY_D_469"/>
<FileRuleRef RuleID="ID_DENY_D_470"/>
<FileRuleRef RuleID="ID_DENY_D_471"/>
<FileRuleRef RuleID="ID_DENY_D_472"/>
<FileRuleRef RuleID="ID_DENY_D_473"/>
<FileRuleRef RuleID="ID_DENY_D_474"/>
<FileRuleRef RuleID="ID_DENY_D_475"/>
<FileRuleRef RuleID="ID_DENY_D_476"/>
<FileRuleRef RuleID="ID_DENY_D_477"/>
<FileRuleRef RuleID="ID_DENY_D_478"/>
<FileRuleRef RuleID="ID_DENY_D_479"/>
<FileRuleRef RuleID="ID_DENY_D_480"/>
<FileRuleRef RuleID="ID_DENY_D_481"/>
<FileRuleRef RuleID="ID_DENY_D_482"/>
<FileRuleRef RuleID="ID_DENY_D_483"/>
<FileRuleRef RuleID="ID_DENY_D_484"/>
<FileRuleRef RuleID="ID_DENY_D_485"/>
<FileRuleRef RuleID="ID_DENY_D_486"/>
<FileRuleRef RuleID="ID_DENY_D_487"/>
<FileRuleRef RuleID="ID_DENY_D_488"/>
<FileRuleRef RuleID="ID_DENY_D_489"/>
<FileRuleRef RuleID="ID_DENY_D_490"/>
<FileRuleRef RuleID="ID_DENY_D_491"/>
<FileRuleRef RuleID="ID_DENY_D_492"/>
<FileRuleRef RuleID="ID_DENY_D_493"/>
<FileRuleRef RuleID="ID_DENY_D_494"/>
<FileRuleRef RuleID="ID_DENY_D_495"/>
<FileRuleRef RuleID="ID_DENY_D_496"/>
<FileRuleRef RuleID="ID_DENY_D_497"/>
<FileRuleRef RuleID="ID_DENY_D_498"/>
<FileRuleRef RuleID="ID_DENY_D_499"/>
<FileRuleRef RuleID="ID_DENY_D_500"/>
<FileRuleRef RuleID="ID_DENY_D_501"/>
<FileRuleRef RuleID="ID_DENY_D_502"/>
<FileRuleRef RuleID="ID_DENY_D_503"/>
<FileRuleRef RuleID="ID_DENY_D_504"/>
<FileRuleRef RuleID="ID_DENY_D_505"/>
<FileRuleRef RuleID="ID_DENY_D_506"/>
<FileRuleRef RuleID="ID_DENY_D_507"/>
<FileRuleRef RuleID="ID_DENY_D_508"/>
<FileRuleRef RuleID="ID_DENY_D_509"/>
<FileRuleRef RuleID="ID_DENY_D_510"/>
<FileRuleRef RuleID="ID_DENY_D_511"/>
<FileRuleRef RuleID="ID_DENY_D_512"/>
<FileRuleRef RuleID="ID_DENY_D_513"/>
<FileRuleRef RuleID="ID_DENY_D_514"/>
<FileRuleRef RuleID="ID_DENY_D_515"/>
<FileRuleRef RuleID="ID_DENY_D_516"/>
<FileRuleRef RuleID="ID_DENY_D_517"/>
<FileRuleRef RuleID="ID_DENY_D_518"/>
<FileRuleRef RuleID="ID_DENY_D_519"/>
<FileRuleRef RuleID="ID_DENY_D_520"/>
<FileRuleRef RuleID="ID_DENY_D_521"/>
<FileRuleRef RuleID="ID_DENY_D_522"/>
<FileRuleRef RuleID="ID_DENY_D_523"/>
<FileRuleRef RuleID="ID_DENY_D_524"/>
<FileRuleRef RuleID="ID_DENY_D_525"/>
<FileRuleRef RuleID="ID_DENY_D_526"/>
<FileRuleRef RuleID="ID_DENY_D_527"/>
<FileRuleRef RuleID="ID_DENY_D_528"/>
<FileRuleRef RuleID="ID_DENY_D_529"/>
<FileRuleRef RuleID="ID_DENY_D_530"/>
<FileRuleRef RuleID="ID_DENY_D_531"/>
<FileRuleRef RuleID="ID_DENY_D_532"/>
<FileRuleRef RuleID="ID_DENY_D_533"/>
<FileRuleRef RuleID="ID_DENY_D_534"/>
<FileRuleRef RuleID="ID_DENY_D_535"/>
<FileRuleRef RuleID="ID_DENY_D_536"/>
<FileRuleRef RuleID="ID_DENY_D_537"/>
<FileRuleRef RuleID="ID_DENY_D_538"/>
<FileRuleRef RuleID="ID_DENY_D_539"/>
<FileRuleRef RuleID="ID_DENY_D_540"/>
<FileRuleRef RuleID="ID_DENY_D_541"/>
<FileRuleRef RuleID="ID_DENY_D_542"/>
<FileRuleRef RuleID="ID_DENY_D_543"/>
<FileRuleRef RuleID="ID_DENY_D_544"/>
<FileRuleRef RuleID="ID_DENY_D_545"/>
<FileRuleRef RuleID="ID_DENY_D_546"/>
<FileRuleRef RuleID="ID_DENY_D_547"/>
<FileRuleRef RuleID="ID_DENY_D_548"/>
<FileRuleRef RuleID="ID_DENY_D_549"/>
<FileRuleRef RuleID="ID_DENY_D_550"/>
<FileRuleRef RuleID="ID_DENY_D_551"/>
<FileRuleRef RuleID="ID_DENY_D_552"/>
<FileRuleRef RuleID="ID_DENY_D_553"/>
<FileRuleRef RuleID="ID_DENY_D_554"/>
<FileRuleRef RuleID="ID_DENY_D_555"/>
<FileRuleRef RuleID="ID_DENY_D_556"/>
</FileRulesRef>
</ProductSigners>
</SigningScenario>
@ -806,7 +1347,7 @@ Microsoft recommends that you block the following Microsoft-signed applications
<CiSigners />
<HvciOptions>0</HvciOptions>
</SiPolicy>
```
<br />

97
windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md Normal file
View File

@ -0,0 +1,97 @@
---
title: Deploy Windows Defender Application Control with Intelligent Security Graph (ISG) (Windows 10)
description: Automatically authorize applications that Microsofts ISG recognizes as having known good reputation.
ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: high
author: mdsakibMSFT
ms.date: 06/14/2018
---
# Use Windows Defender Application Control (WDAC) with the Microsoft Intelligent Security Graph
**Applies to:**
- Windows 10
- Windows Server 2016
Application execution control can be difficult to implement in enterprises that do not have processes to effectively control the deployment of applications centrally through an IT managed system.
In such environments, users are empowered to acquire the applications they need for work, making accounting for all the applications that would need to be authorized for execution control a daunting task.
Windows 10, version 1709 (also known as the Windows 10 Fall Creators Update) provides a new option, known as Intelligent Security Graph (ISG) authorization, that allows IT administrators to automatically authorize applications that Microsofts ISG recognizes as having known good reputation. The ISG option helps IT organizations take a significant first step towards going from having no application control at all to a simple means of preventing the execution of unknown and known bad software.
## How does the integration between WDAC and the Intelligent Security Graph work?
The ISG relies on Microsofts vast security intelligence and machine learning analytics to help classify applications as having known good reputation. When users download applications on a system with WDAC enabled with the ISG authorization option specified, the reputation of the downloaded file, commonly an installer, is used to determine whether to run the installer and then that original reputation information is passed along to any files that were written by the installer. When any of these files try to execute after they are installed, the reputation data is used to help make the right policy authorization decision.
After that initial download and installation, the WDAC component will check for the presence of the positive reputation information when evaluating other application execution control rules specified in the policy. If there are no deny rules present for the file, it will be authorized based on the known good reputation classification.
The reputation data on the client is rechecked periodically and enterprises can also specify that any cached reputation results are flushed on reboot.
>[!NOTE]
>Admins needs to ensure that there is a WDAC policy in place to allow the system to boot and run any other authorized applications that may not be classified as being known good by the Intelligent Security Graph, for example custom line-of-business (LOB) apps. Since the Intelligent Security Graph is powered by global prevalence data, internal LOB apps may not be recognized as being known good. Other mechanisms like managed installer and explicit rules will help cover internal applications. Both System Center Configuration Manager (SCCM) and Microsoft Intune can be used to create and push a WDAC policy to your client machines.
Other examples of WDAC policies are available in C:\Windows\schemas\CodeIntegrity\ExamplePolicies and can help authorize Windows OS components, WHQL signed drivers and all Store apps. Admins can reference and customize them as needed for their Windows Defender Application Control deployment or [create a custom WDAC policy](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy).
## Configuring Intelligent Security Graph authorization for Windows Defender Application Control
Setting up the ISG authorization is easy regardless of what management solution you use. Configuring the ISG option involves these basic steps:
- [Ensure that the ISG option is enabled in the WDAC policy XML](#ensure-that-the-intelligent-security-graph-option-is-enabled-in-the-wdac-policy-xml)
- [Enable the necessary services to allow WDAC to use the ISG correctly on the client](#enable-the-necessary-services-to-allow-wdac-to-use-the-isg-correctly-on-the-client)
### Ensure that the Intelligent Security Graph option is enabled in the WDAC policy XML
In order to enable trust for executables based on classifications in the ISG, the **Enabled:Intelligent Security Graph authorization** option must be specified in the WDAC policy. This can be done with the Set-RuleOption cmdlet. In addition, it is recommended from a security perspective to also enable the **Enabled:Invalidate EAs on Reboot** option to invalidate the cached ISG results on reboot to force rechecking of applications against the ISG. Caution is advised if devices will regularly transition to and from environments that may not be able to access the ISG. The following example shows both options being set.
```code
<Rules>
<Rule>
<Option>Enabled:Unsigned System Integrity Policy</Option>
</Rule>
<Rule>
<Option>Enabled:Advanced Boot Options Menu</Option>
</Rule>
<Rule>
<Option>Required:Enforce Store Applications</Option>
</Rule>
<Rule>
<Option>Enabled:UMCI</Option>
</Rule>
<Rule>
<Option>Enabled:Managed Installer</Option>
</Rule>
<Rule>
<Option>Enabled:Intelligent Security Graph Authorization</Option>
</Rule>
<Rule>
<Option>Enabled:Invalidate EAs on Reboot</Option>
</Rule>
</Rules>
```
### Enable the necessary services to allow WDAC to use the ISG correctly on the client
In order for the heuristics used by the ISG to function properly, a number of component in Windows need to be enabled. The easiest way to do this is to run the appidtel executable in c:\windows\system32.
```
appidtel start
```
For WDAC policies deployed over MDM using the AppLocker CSP this step is not required as the CSP will enable the necessary components. ISG enabled through the SCCM WDAC UX will not need this step but if custom policies are being deployed outside of the WDAC UX through SCCM then this step is required.
## Security considerations with using the Intelligent Security Graph
Since the ISG is a heuristic-based mechanism, it does not provide the same security guarantees that explicit allow or deny rules do. It is best suited for deployment to systems where each user is configured as a standard user and there are other monitoring systems in place like Windows Defender Advanced Threat Protection to help provide optics into what users are doing.
Users with administrator privileges or malware running as an administrator user on the system may be able to circumvent the intent of WDAC when the ISG option is allowed by circumventing or corrupting the heuristics used to assign reputation to application executables. The ISG option uses the same heuristic tracking as managed installer and so for application installers that include an option to automatically run the application at the end of the installation process the heuristic may over-authorize.
## Known limitations with using the Intelligent Security Graph
Since the ISG relies on identifying executables as being known good, there are cases where it may classify legitimate executables as unknown, leading to blocks that need to be resolved either with a rule in the WDAC policy, a catalog signed by a certificate trusted in the WDAC policy or by deployment through a WDAC managed installer. Typically, this is due to an installer or application using a dynamic file as part of execution. These files do not tend to build up known good reputation. Auto-updating applications have also been observed using this mechanism and may be flagged by the ISG.
Modern apps are not supported with the ISG heuristic and will need to be separately authorized in your WDAC policy. As modern apps are signed by the Microsoft Store and Microsoft Store for Business. it is straightforward to authorize modern apps with signer rules in the WDAC policy.
The ISG heuristic does not authorize kernel mode drivers. The WDAC policy must have rules that allow the necessary drivers to run.
In some cases, the code integrity logs where WDAC errors and warnings are written will contain error events for native images generated for .NET assemblies. Typically, the error is functionally benign as a blocked native image will result in the corresponding assembly being re-interpreted. Review for functionality and performance for the related applications using the native images maybe necessary in some cases.

2
windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md
View File

@ -6,7 +6,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: high
author: mdsakibMSFT
ms.date: 03/01/2018
ms.date: 06/13/2018
---
# Deploy Managed Installer for Windows Defender Application Control

1
windows/security/threat-protection/windows-defender-atp/TOC.md
View File

@ -7,6 +7,7 @@
### [Data storage and privacy](data-storage-privacy-windows-defender-advanced-threat-protection.md)
### [Assign user access to the portal](assign-portal-access-windows-defender-advanced-threat-protection.md)
## [Onboard machines](onboard-configure-windows-defender-advanced-threat-protection.md)
### [Onboard previous versions of Windows](onboard-downlevel-windows-defender-advanced-threat-protection.md)
### [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md)
#### [Onboard machines using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md)
#### [Onboard machines using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md)

4
windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md
View File

@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 04/24/2018
ms.date: 06/13/2018
---
# Query data using Advanced hunting in Windows Defender ATP
@ -54,6 +54,8 @@ We then add a filter on the _FileName_ to contain only instances of _powershell
Afterwards, we add a filter on the _ProcessCommandLine_
Finally, we project only the columns we're interested in exploring and limit the results to 100 and click **Run query**.
You have the option of expanding the screen view so you can focus on your hunting query and related results.
### Use operators
The query language is very powerful and has a lot of available operators, some of them are -

6
windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md
View File

@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 03/06/2018
ms.date: 06/13/2018
---
# Windows Defender ATP data storage and privacy
@ -27,7 +27,7 @@ This section covers some of the most frequently asked questions regarding privac
## What data does Windows Defender ATP collect?
Microsoft will collect and store information from your configured machines in a database specific to the service for administration, tracking, and reporting purposes.
Windows Defender ATP will collect and store information from your configured machines in a customer dedicated and segregated tenant specific to the service for administration, tracking, and reporting purposes.
Information collected includes file data (such as file names, sizes, and hashes), process data (running processes, hashes), registry data, network connection data (host IPs and ports), and machine details (such as machine identifiers, names, and the operating system version).
@ -51,7 +51,7 @@ In all scenarios, data is encrypted using 256-bit [AES encyption](https://en.wik
## Do I have the flexibility to select where to store my data?
When onboarding the service for the first time, you can choose to store your data in Microsoft Azure datacenters in the United Kingdom, Europe, or in the United States. Once configured, you cannot change the location where your data is stored. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will reside. Customer data in de-identified form may also be stored in the central storage and processing systems in the United States.
When onboarding the service for the first time, you can choose to store your data in Microsoft Azure datacenters in the European Union, the United Kingdom, or the United States. Once configured, you cannot change the location where your data is stored. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will reside. Customer data in de-identified form may also be stored in the central storage and processing systems in the United States.
## Is my data isolated from other customer data?
Yes, your data is isolated through access authentication and logical segregation based on customer identifier. Each customer can only access data collected from its own organization and generic data that Microsoft provides.

2
windows/security/threat-protection/windows-defender-atp/licensing-windows-defender-advanced-threat-protection.md
View File

@ -66,7 +66,7 @@ When accessing the [Windows Defender ATP portal](https://SecurityCenter.Windows.
You will need to set up your preferences for the Windows Defender ATP portal.
3. When onboarding the service for the first time, you can choose to store your data in the Microsoft Azure datacenters in the United Kingdom, Europe, or The United States. Once configured, you cannot change the location where your data is stored. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will reside. Microsoft will not transfer the data from the specified geolocation.
3. When onboarding the service for the first time, you can choose to store your data in the Microsoft Azure datacenters in the European Union, the United Kingdom, or the United States. Once configured, you cannot change the location where your data is stored. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will reside. Microsoft will not transfer the data from the specified geolocation.
> [!WARNING]
> This option cannot be changed without completely offboarding from Windows Defender ATP and completing a new enrollment process.

18
windows/security/threat-protection/windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md
View File

@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 04/24/2018
ms.date: 06/14/2018
---
# Manage automation allowed/blocked lists
@ -38,30 +38,28 @@ You can define the conditions for when entities are identified as malicious or s
## Create an allowed or blocked list
1. In the navigation pane, select **Settings** > **Automation allowed/blocked list**.
2. Select the type of entity you'd like to create an exclusion for. You can choose any of the following entities:
2. Select the tab of the type of entity you'd like to create an exclusion for. You can choose any of the following entities:
- File hash
- Certificate
- IP address
3. Click **Add system exclusion**.
4. For each attribute specify the exclusion type, details, and the following required values:
- **Files** - Hash value
- **Certificate** - PEM certificate file
4. For each attribute specify the exclusion type, details, and their corresponding required values.
5. Click **Update rule**.
5. Click **Add rule**.
## Edit a list
1. In the navigation pane, select **Settings** > **Automation allowed/blocked list**.
2. Select the type of entity you'd like to edit the list from.
2. Select the tab of the entity type you'd like to edit the list from.
3. Update the details of the rule and click **Update rule**.
## Delete a list
1. In the navigation pane, select **Settings** > **Automation allowed/blocked list**.
2. Select the type of entity you'd like to delete the list from.
2. Select the tab of the entity type you'd like to delete the list from.
3. Select the list type by clicking the check-box beside the list type.

11
windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md
View File

@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 06/04/2018
ms.date: 06/15/2018
---
# Minimum requirements for Windows Defender ATP
@ -36,14 +36,17 @@ For more information, see [Windows 10 Enterprise edition](https://www.microsoft.
### Licensing requirements
Windows Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers:
- Windows 10 Enterprise E5
- Windows 10 Education E5
- Windows 10 Enterprise E5
- Windows 10 Education E5
- Microsoft 365 E5 (M365 E5) which includes Windows 10 Enterprise E5
For more information, see [Windows 10 Licensing](https://www.microsoft.com/en-us/Licensing/product-licensing/windows10.aspx#tab=2).
### Browser requirements
Internet Explorer and Microsoft Edge are supported. Any HTML5 compliant browsers are also supported.
### Network and data storage and configuration requirements
When you run the onboarding wizard for the first time, you must choose where your Windows Defender Advanced Threat Protection-related information is stored: in the United Kingdom, Europe, or United States datacenter.
When you run the onboarding wizard for the first time, you must choose where your Windows Defender Advanced Threat Protection-related information is stored: in the European Union, the United Kingdom, or the United States datacenter.
> [!NOTE]
> - You cannot change your data storage location after the first-time setup.

139
windows/security/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md
View File

@ -1,70 +1,71 @@
---
title: Onboard machines to the Windows Defender ATP service
description: Onboard Windows 10 machines, servers, non-Windows machines and learn how to run a detection test.
keywords: onboarding, windows defender advanced threat protection onboarding, windows atp onboarding, sccm, group policy, mdm, local script, detection test
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 04/24/2018
---
# Onboard machines to the Windows Defender ATP service
**Applies to:**
- Windows 10 Enterprise
- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
- macOS
- Linux
- Windows Server 2012 R2
- Windows Server 2016
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink)
You need to onboard to Windows Defender ATP before you can use the service.
For more information, see [Onboard your Windows 10 machines to Windows Defender ATP](https://www.youtube.com/watch?v=JT7VGYfeRlA&feature=youtu.be).
## Licensing requirements
Windows Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers:
- Windows 10 Enterprise E5
- Windows 10 Education E5
- Microsoft 365 Enterprise E5 which includes Windows 10 Enterprise E5
For more information, see [Windows 10 Licensing](https://www.microsoft.com/en-us/Licensing/product-licensing/windows10.aspx#tab=2).
## Windows Defender Antivirus configuration requirement
The Windows Defender ATP agent depends on the ability of Windows Defender Antivirus to scan files and provide information about them.
You must configure the signature updates on the Windows Defender ATP machines whether Windows Defender Antivirus is the active antimalware or not. For more information, see [Manage Windows Defender Antivirus updates and apply baselines](../windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md).
When Windows Defender Antivirus is not the active antimalware in your organization and you use the Windows Defender ATP service, Windows Defender Antivirus goes on passive mode. If your organization has disabled Windows Defender Antivirus through group policy or other methods, machines that are onboarded to Windows Defender ATP must be excluded from this group policy.
If you are onboarding servers and Windows Defender Antivirus is not the active antimalware on your servers, you shouldn't uninstall Windows Defender Antivirus. You'll need to configure it to run on passive mode. For more information, see [Onboard servers](configure-server-endpoints-windows-defender-advanced-threat-protection.md).
For more information, see [Windows Defender Antivirus compatibility](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md).
## In this section
Topic | Description
:---|:---
[Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md) | You'll need to onboard machines for it to report to the Windows Defender ATP service. Learn about the tools and methods you can use to configure machines in your enterprise.
[Onboard servers](configure-server-endpoints-windows-defender-advanced-threat-protection.md) | Onboard Windows Server 2012 R2 and Windows Server 2016 to Windows Defender ATP
[Onboard non-Windows machines](configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md) | Windows Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in the Windows Defender ATP portal and better protect your organization's network. This experience leverages on a third-party security products' sensor data.
[Run a detection test on a newly onboarded machine](run-detection-test-windows-defender-advanced-threat-protection.md) | Run a script on a newly onboarded machine to verify that it is properly reporting to the Windows Defender ATP service.
[Configure proxy and Internet settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)| Enable communication with the Windows Defender ATP cloud service by configuring the proxy and Internet connectivity settings.
[Troubleshoot onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) | Learn about resolving issues that might arise during onboarding.
---
title: Onboard machines to the Windows Defender ATP service
description: Onboard Windows 10 machines, servers, non-Windows machines and learn how to run a detection test.
keywords: onboarding, windows defender advanced threat protection onboarding, windows atp onboarding, sccm, group policy, mdm, local script, detection test
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 06/18/2018
---
# Onboard machines to the Windows Defender ATP service
**Applies to:**
- Windows 10 Enterprise
- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
- macOS
- Linux
- Windows Server 2012 R2
- Windows Server 2016
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink)
You need to onboard to Windows Defender ATP before you can use the service.
For more information, see [Onboard your Windows 10 machines to Windows Defender ATP](https://www.youtube.com/watch?v=JT7VGYfeRlA&feature=youtu.be).
## Licensing requirements
Windows Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers:
- Windows 10 Enterprise E5
- Windows 10 Education E5
- Microsoft 365 Enterprise E5 which includes Windows 10 Enterprise E5
For more information, see [Windows 10 Licensing](https://www.microsoft.com/en-us/Licensing/product-licensing/windows10.aspx#tab=2).
## Windows Defender Antivirus configuration requirement
The Windows Defender ATP agent depends on the ability of Windows Defender Antivirus to scan files and provide information about them.
You must configure the signature updates on the Windows Defender ATP machines whether Windows Defender Antivirus is the active antimalware or not. For more information, see [Manage Windows Defender Antivirus updates and apply baselines](../windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md).
When Windows Defender Antivirus is not the active antimalware in your organization and you use the Windows Defender ATP service, Windows Defender Antivirus goes on passive mode. If your organization has disabled Windows Defender Antivirus through group policy or other methods, machines that are onboarded to Windows Defender ATP must be excluded from this group policy.
If you are onboarding servers and Windows Defender Antivirus is not the active antimalware on your servers, you shouldn't uninstall Windows Defender Antivirus. You'll need to configure it to run on passive mode. For more information, see [Onboard servers](configure-server-endpoints-windows-defender-advanced-threat-protection.md).
For more information, see [Windows Defender Antivirus compatibility](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md).
## In this section
Topic | Description
:---|:---
[Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md) | You'll need to onboard machines for it to report to the Windows Defender ATP service. Learn about the tools and methods you can use to configure machines in your enterprise.
[Onboard previous versions of Windows](onboard-downlevel-windows-defender-advanced-threat-protection.md)| Onboard Windows 7 and Windows 8.1 machines to Windows Defender ATP
[Onboard servers](configure-server-endpoints-windows-defender-advanced-threat-protection.md) | Onboard Windows Server 2012 R2 and Windows Server 2016 to Windows Defender ATP
[Onboard non-Windows machines](configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md) | Windows Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in the Windows Defender ATP portal and better protect your organization's network. This experience leverages on a third-party security products' sensor data.
[Run a detection test on a newly onboarded machine](run-detection-test-windows-defender-advanced-threat-protection.md) | Run a script on a newly onboarded machine to verify that it is properly reporting to the Windows Defender ATP service.
[Configure proxy and Internet settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)| Enable communication with the Windows Defender ATP cloud service by configuring the proxy and Internet connectivity settings.
[Troubleshoot onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) | Learn about resolving issues that might arise during onboarding.
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink)

107
windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,107 @@
---
title: Onboard previous versions of Windows on Windows Defender ATP
description: Onboard supported previous versions of Windows machines so that they can send sensor data to the Windows Defender ATP sensor
keywords: onboard, windows, 7, 81, oms, sp1, enterprise, pro, down level
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 06/18/2018
---
# Onboard previous versions of Windows
**Applies to:**
- Windows 7 SP1 Enterprise
- Windows 7 SP1 Pro
- Windows 8.1 Pro
- Windows 8.1 Enterprise
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
Windows Defender ATP extends support to include down-level operating systems, providing advanced attack detection and investigation capabilities on supported Windows versions.
To onboard down-level Windows client endpoints to Windows Defender ATP, you'll need to:
- Configure and update System Center Endpoint Protection clients.
- Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Windows Defender ATP as instructed below.
>[!TIP]
> After onboarding the machine, you can choose to run a detection test to verify that it is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Windows Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md).
## Configure and update System Center Endpoint Protection clients
>[!IMPORTANT]
>This step is required only if your organization uses System Center Endpoint Protection (SCEP).
Windows Defender ATP integrates with System Center Endpoint Protection to provide visibility to malware detections and to stop propagation of an attack in your organization by banning potentially malicious files or suspected malware.
The following steps are required to enable this integration:
- Install the [January 2017 anti-malware platform update for Endpoint Protection clients](https://support.microsoft.com/en-us/help/3209361/january-2017-anti-malware-platform-update-for-endpoint-protection-clie)
- Configure the SCEP client Cloud Protection Service membership to the **Advanced** setting
## Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Windows Defender ATP
### Before you begin
Review the following details to verify minimum system requirements:
- Install the [February monthly update rollout](https://support.microsoft.com/help/4074598/windows-7-update-kb4074598)
>[!NOTE]
>Only applicable for Windows 7 SP1 Enterprise and Windows 7 SP1 Pro.
- Install the [Update for customer experience and diagnostic telemetry](https://support.microsoft.com/help/3080149/update-for-customer-experience-and-diagnostic-telemetry)
>[!NOTE]
>Only applicable for Windows 7 SP1 Enterprise and Windows 7 SP1 Pro.
- Meet the Azure Log Analytics agent minimum system requirements. For more information, see [Collect data from computers in you environment with Log Analytics](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-concept-hybrid#prerequisites)
1. Download the agent setup file: [Windows 64-bit agent](https://go.microsoft.com/fwlink/?LinkId=828603) or [Windows 32-bit agent](https://go.microsoft.com/fwlink/?LinkId=828604).
2. Obtain the workspace ID:
- In the Windows Defender ATP navigation pane, select **Settings > Machine management > Onboarding**
- Select **Windows 7 SP1 and 8.1** as the operating system
- Copy the workspace ID and workspace key
3. Using the Workspace ID and Workspace key choose any of the following installation methods to install the agent:
- Manually install the agent using setup<br>
On the **Agent Setup Options** page, select **Connect the agent to Azure Log Analytics (OMS)**
- [Install the agent using command line](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-agent-windows#install-the-agent-using-the-command-line) and [configure the agent using a script](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-agent-windows#add-a-workspace-using-a-script)
4. If you're using a proxy to connect to the Internet see the Configure proxy settings section.
Once completed, you should see onboarded endpoints in the portal within an hour.
### Configure proxy and Internet connectivity settings
- Each Windows endpoint must be able to connect to the Internet using HTTPS. This connection can be direct, using a proxy, or through the [OMS Gateway](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-oms-gateway).
- If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that the following URLs are white-listed to permit communication with Windows Defender ATP service:
Agent Resource | Ports
:---|:---
| *.oms.opinsights.azure.com | 443 |
| *.blob.core.windows.net | 443 |
| *.azure-automation.net | 443 |
| *.ods.opinsights.azure.com | 443 |
| winatp-gw-cus.microsoft.com | 443 |
| winatp-gw-eus.microsoft.com | 443 |
| winatp-gw-neu.microsoft.com | 443 |
| winatp-gw-weu.microsoft.com | 443 |
|winatp-gw-uks.microsoft.com | 443 |
|winatp-gw-ukw.microsoft.com | 443 |
## Offboard client endpoints
To offboard, you can uninstall the MMA agent from the endpoint or detach it from reporting to your Windows Defender ATP workspace. After offboarding the agent, the endpoint will no longer send sensor data to Windows Defender ATP.
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-downlevele-belowfoldlink)

9
windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md
View File

@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 04/24/2018
ms.date: 06/18/2018
---
# Windows Defender ATP preview features
@ -42,12 +42,19 @@ Turn on the preview experience setting to be among the first to try upcoming fea
## Preview features
The following features are included in the preview release:
- [Onboard previous versions of Windows](onboard-downlevel-windows-defender-advanced-threat-protection.md)<br>
Onboard supported versions of Windows machines so that they can send sensor data to the Windows Defender ATP sensor
- Windows 7 SP1 Enterprise
- Windows 7 SP1 Pro
- Windows 8.1 Enterprise
- Windows 8.1 Pro
- [Onboard servers](configure-server-endpoints-windows-defender-advanced-threat-protection.md)<br>
Windows Defender ATP supports the onboarding of the following servers:
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server, version 1803
- [Create and build Power BI reports using Windows Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md)<br>
Windows Defender ATP supports the use of Power BI data connectors to enable you to connect and access Windows Defender ATP data using Microsoft Graph.

8
windows/security/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md
View File

@ -63,10 +63,10 @@ If you encounter an error when trying to get a refresh token when using the thre
- For Threat intelligence API: `https://WindowsDefenderATPCustomerTiConnector`
5. Add the following URL:
- For US: `https://winatpmanagement-us.securitycenter.windows.com/UserAuthenticationCallback`.
- For Europe: `https://winatpmanagement-eu.securitycenter.windows.com/UserAuthenticationCallback`
- For United Kingdom: `https://winatpmanagement-uk.securitycenter.windows.com/UserAuthenticationCallback`
- For the European Union: `https://winatpmanagement-eu.securitycenter.windows.com/UserAuthenticationCallback`
- For the United Kingdom: `https://winatpmanagement-uk.securitycenter.windows.com/UserAuthenticationCallback`
- For the United States: `https://winatpmanagement-us.securitycenter.windows.com/UserAuthenticationCallback`.
6. Click **Save**.
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-troubleshootsiem-belowfoldlink)

8
windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 05/30/2018
ms.date: 06/13/2018
---
@ -123,7 +123,7 @@ This rule blocks the following file types from being run or launched from an ema
### Rule: Block Office applications from creating child processes
Office apps, such as Word or Excel, will not be allowed to create child processes.
Office apps will not be allowed to create child processes. This includes Word, Excel, PowerPoint, OneNote, Outlook, and Access.
This is a typical malware behavior, especially for macro-based attacks that attempt to use Office apps to launch or download malicious executables.
@ -174,7 +174,6 @@ This rule attempts to block Office files that contain macro code that is capable
This rule blocks the following file types from being run or launched unless they meet prevalence or age criteria set by admins, or they are in a trusted list or exclusion list:
- Executable files (such as .exe, .dll, or .scr)
- Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
### Rule: Use advanced protection against ransomware
@ -187,6 +186,9 @@ Local Security Authority Subsystem Service (LSASS) authenticates users who log i
>[!IMPORTANT]
>[Exclusions do not apply to this rule](customize-attack-surface-reduction.md#exclude-files-and-folders).
>[!NOTE]
>Some apps are coded to enumerate all running processes and to attempt opening them with exhaustive permissions. This results in the app accessing LSASS even when it's not necessary. ASR will deny the app's process open action and log the details to the security event log. Entry in the event log for access denial by itself is not an indication of the presence of a malicious threat.
### Rule: Block process creations originating from PSExec and WMI commands
This rule blocks processes through PsExec and WMI commands from running, to prevent remote code execution that can spread malware attacks.

4
windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 05/30/2018
ms.date: 06/15/2018
---
# Customize Attack surface reduction
@ -54,7 +54,7 @@ This could potentially allow unsafe files to run and infect your devices.
You can specify individual files or folders (using folder paths or fully qualified resource names) but you cannot specify if the exclusions should only be applied to individual rules: the exclusions will apply to all rules that are enabled (or placed in audit mode) and that allow exclusions.
Windows 10, version 1803 supports environment variables and wildcards. For information about using wildcards in Windows Defender Exploit Guard, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10).
Windows 10, version 1803 supports environment variables and wildcards. For information about using wildcards in Windows Defender Exploit Guard, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists).
Exclusions will only be applied to certain rules. Some rules will not honor the exclusion list. This means that even if you have added a file to the exclusion list, some rules will still evaluate and potentially block that file if the rule determines the file to be unsafe.

4
windows/whats-new/whats-new-windows-10-version-1803.md
View File

@ -6,7 +6,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: greg-lindsay
ms.date: 05/10/2018
ms.date: 06/08/2018
ms.localizationpriority: high
---
@ -169,7 +169,7 @@ In the Feedback and Settings page under Privacy Settings you can now delete the
### Security Baselines
A draft of the new [security baseline for Windows 10 version 1803](https://blogs.technet.microsoft.com/secguide/2018/03/27/security-baseline-for-windows-10-v1803-redstone-4-draft/) has been published.
The new [security baseline for Windows 10 version 1803](https://docs.microsoft.com/windows/security/threat-protection/security-compliance-toolkit-10) has been published.
### Windows Defender Antivirus