Merge branch 'master' into App-v-revision

This commit is contained in:
Heidi Lohr
2018-08-08 14:10:21 -07:00
32 changed files with 255 additions and 7721 deletions

View File

@ -1,39 +1,39 @@
#[Microsoft Edge deployment for IT Pros](index.yml)
# [Microsoft Edge deployment for IT Pros](index.yml)
##[(Preview) New Microsoft Edge Group Policies and MDM settings](new-policies.md)
## [(Preview) New Microsoft Edge Group Policies and MDM settings](new-policies.md)
##[(Preview) Deploy Microsoft Edge kiosk mode](microsoft-edge-kiosk-mode-deploy.md)
## [(Preview) Deploy Microsoft Edge kiosk mode](microsoft-edge-kiosk-mode-deploy.md)
##[Group policies & configuration options](group-policies/index.yml)
###[All group policies](available-policies.md)
###[Address bar settings](group-policies/address-bar-settings-gp.md)
###[Adobe settings](group-policies/adobe-settings-gp.md)
###[Books Library management](group-policies/books-library-management-gp.md)
###[Browser settings management](group-policies/browser-settings-management-gp.md)
###[Developer settings](group-policies/developer-settings-gp.md)
###[Extensions management](group-policies/extensions-management-gp.md)
###[Favorites management](group-policies/favorites-management-gp.md)
###[Home button settings](group-policies/home-button-gp.md)
###[Interoperability and enterprise guidance](group-policies/interoperability-enterprise-guidance-gp.md)
###[New tab page settings](group-policies/new-tab-page-settings-gp.md)
###[Prelaunch Microsoft Edge and preload tabs](group-policies/prelaunch-preload-gp.md)
###[Search engine customization](group-policies/search-engine-customization-gp.md)
###[Security and privacy management](group-policies/security-privacy-management-gp.md)
###[Start pages settings](group-policies/start-pages-gp.md)
###[Sync browser settings](group-policies/sync-browser-settings-gp.md)
###[Telemetry and data collection](group-policies/telemetry-management-gp.md)
## [Group policies & configuration options](group-policies/index.yml)
### [All group policies](available-policies.md)
### [Address bar settings](group-policies/address-bar-settings-gp.md)
### [Adobe settings](group-policies/adobe-settings-gp.md)
### [Books Library management](group-policies/books-library-management-gp.md)
### [Browser settings management](group-policies/browser-settings-management-gp.md)
### [Developer settings](group-policies/developer-settings-gp.md)
### [Extensions management](group-policies/extensions-management-gp.md)
### [Favorites management](group-policies/favorites-management-gp.md)
### [Home button settings](group-policies/home-button-gp.md)
### [Interoperability and enterprise guidance](group-policies/interoperability-enterprise-guidance-gp.md)
### [New tab page settings](group-policies/new-tab-page-settings-gp.md)
### [Prelaunch Microsoft Edge and preload tabs](group-policies/prelaunch-preload-gp.md)
### [Search engine customization](group-policies/search-engine-customization-gp.md)
### [Security and privacy management](group-policies/security-privacy-management-gp.md)
### [Start pages settings](group-policies/start-pages-gp.md)
### [Sync browser settings](group-policies/sync-browser-settings-gp.md)
### [Telemetry and data collection](group-policies/telemetry-management-gp.md)
##[Change history for Microsoft Edge](change-history-for-microsoft-edge.md)
## [Change history for Microsoft Edge](change-history-for-microsoft-edge.md)
##[System requirements](about-microsoft-edge.md#minimum-system-requirements)
## [System requirements](about-microsoft-edge.md#minimum-system-requirements)
##[Supported languages](about-microsoft-edge.md#supported-languages)
## [Supported languages](about-microsoft-edge.md#supported-languages)
##[Use Enterprise Mode to improve compatibility](emie-to-improve-compatibility.md)
## [Use Enterprise Mode to improve compatibility](emie-to-improve-compatibility.md)
##[Microsoft Edge Frequently Asked Questions (FAQs)](microsoft-edge-faq.md)
## [Microsoft Edge Frequently Asked Questions (FAQs)](microsoft-edge-faq.md)

View File

@ -14,9 +14,9 @@ metadata:
text: Some of the features coming to Microsoft Edge gives you the ability to set a custom URL for the New tab page or Home button. Another new feature allows you to hide or show the Favorites bar, giving you more control over the favorites bar.
keywords: Microsoft Edge, Windows 10
keywords: Microsoft Edge, Windows 10, Windows 10 Mobile
ms.localizationpriority: high
ms.localizationpriority: medium
author: shortpatti

View File

@ -3,7 +3,7 @@ title: Microsoft Edge - Sync browser settings options
description: By default, the “browser” group syncs automatically between the users devices, letting users make changes.
ms.author: pashort
author: shortpatti
ms.date: 07/23/2018
ms.date: 08/06/2018
---
# Sync browser settings options
@ -13,9 +13,8 @@ By default, the “browser” group syncs automatically between the users dev
## Relevant policies
- [Do not sync browser settings](../available-policies.md#do-not-sync-browser-settings)
- [Prevent users from turning on browser syncing](../new-policies.md#prevent-users-from-turning-on-browser-syncing)
- [Do not sync browser settings](#do-not-sync-browser-settings)
- [Prevent users from turning on browser syncing](#prevent-users-from-turning-on-browser-syncing)
## Configuration options
@ -27,6 +26,13 @@ By default, the “browser” group syncs automatically between the users dev
## Verify the configuration
To verify if syncing is turned on or off:
1. In the upper-right corner of Microsoft Edge, click the ellipses \(**...**\).
1. In the upper-right corner of Microsoft Edge, click **More** \(**...**\).
2. Click **Settings**.
3. Under Account, see if the setting is toggled on or off.<p>![Verify configuration](../images/sync-settings.PNG)
## Do not sync browser settings
[!INCLUDE [do-not-sync-browser-settings-include](../includes/do-not-sync-browser-settings-include.md)]
## Prevent users from turning on browser syncing
[!INCLUDE [prevent-users-to-turn-on-browser-syncing-include](../includes/prevent-users-to-turn-on-browser-syncing-include.md)]

File diff suppressed because one or more lines are too long

View File

@ -1,5 +1,5 @@
<!-- ## Do not sync browser settings -->
>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*<br>
>*Supported versions: Microsoft Edge on Windows 10*<br>
>*Default setting: Disabled or not configured (Allowed/turned on)*
[!INCLUDE [do-not-sync-browser-settings-shortdesc](../shortdesc/do-not-sync-browser-settings-shortdesc.md)]
@ -9,7 +9,7 @@
|Group Policy |MDM |Registry |Description |
|---|:---:|:---:|---|
|Disabled or not configured<br>**(default)** |0 |0 |Allowed/turned on. The “browser” group syncs automatically between users devices and lets users to make changes. |
|Enabled |2 |2 |Prevented/turned off. The “browser” group does not use the Sync your Settings option. |
|Enabled |2 |2 |Prevented/turned off. The “browser” group does not use the _Sync your Settings_ option. |
---
### Configuration options
@ -22,14 +22,14 @@ For more details about configuring the browser syncing options, see [Sync browse
### ADMX info and settings
#### ADMX info
- **GP English name:** Do not sync browser settings
- **GP name:** DoNotSyncBrowserSetting
- **GP name:** DoNotSyncBrowserSettings
- **GP path:** Windows Components/Sync your settings
- **GP ADMX file name:** SettingSync.admx
#### MDM settings
- **MDM name:** [Experience/DoNotSyncBrowserSetting](../available-policies.md#do-not-sync-browser-settings)
- **MDM name:** [Experience/DoNotSyncBrowserSettings](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-donotsyncbrowsersetting)
- **Supported devices:** Desktop
- **URI full path:** ./Vendor/MSFT/Policy/Config/Experience/DoNotSyncBrowserSetting
- **URI full path:** ./Vendor/MSFT/Policy/Config/Experience/DoNotSyncBrowserSettings
- **Data type:** Integer
#### Registry settings
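Review bot: The rename to DoNotSyncBrowserSettings in the GP name, MDM name and URI full path is not carried through: the new MDM link still ends in #experience-donotsyncbrowsersetting, and other files in this commit keep the singular Experience/DoNotSyncBrowserSetting. The URI full path is what administrators enter in their MDM profile, so please confirm the exact node name against the shipping Policy CSP and use one spelling everywhere before merging.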

View File

@ -24,7 +24,7 @@ For more details about configuring the browser syncing options, see [Sync browse
- **GP ADMX file name:** MicrosoftEdge.admx
#### MDM settings
- **MDM name:** Experience/[PreventUsersFromTurningOnBrowserSyncing](../new-policies.md#prevent-users-from-turning-on-browser-syncing)
- **MDM name:** Experience/[PreventUsersFromTurningOnBrowserSyncing](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-preventusersfromturningonbrowsersyncing)
- **Supported devices:** Desktop
- **URI full path:** ./Vendor/MSFT/Policy/Config/Experience/PreventUsersFromTurningOnBrowserSyncing
- **Data type:** String
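Review bot: The context line `- **Data type:** String` under MDM settings disagrees with the Policy CSP article changed in this same commit, which says of PreventUsersFromTurningOnBrowserSyncing that the value type is integer with supported values 0 and 1. Since this hunk already touches the MDM settings block, correct the data type here too so the two pages agree.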

View File

@ -16,7 +16,7 @@ metadata:
keywords: Microsoft Edge, Windows 10
ms.localizationpriority: high
ms.localizationpriority: medium
author: shortpatti

View File

@ -1,13 +1,13 @@
---
description: Microsoft Edge now has new Group Policies and MDM Settings for IT administrators to configure Microsoft Edge. The new policies allow you to enable/disabled full-screen mode, printing, favorites bar, saving history. You can also prevent certificate error overrides, and configure New tab page, Home button and startup options, as well as manage extensions.
ms.assetid:
author: shortpatti
ms.author: pashort
ms.prod: edge
ms.mktglfcycl: explore
ms.sitesec: library
title: New Microsoft Edge Group Policies and MDM settings
ms.localizationpriority:
ms.localizationpriority: medium
author: shortpatti
ms.author: pashort
ms.date: 07/25/2018
---
@ -26,7 +26,7 @@ We are discontinuing the **Configure Favorites** group policy. Use the **[Provis
>>
>>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;**_Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\_**
<p>
<!-- add links to the below policies -->
<!-- links to the policies -->
| **Group Policy** | **New/update?** | **MDM Setting** | **New/update?** |
@ -44,10 +44,10 @@ We are discontinuing the **Configure Favorites** group policy. Use the **[Provis
| [Configure kiosk mode](#configure-kiosk-mode) | New | [ConfigureKioskMode](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configurekioskmode) | New |
| [Configure kiosk reset after idle timeout](#configure-kiosk-reset-after-idle-timeout) | New | [ConfigureKioskResetAfterIdleTimeout](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configurekioskresetafteridletimeout) | New |
| [Configure Open Microsoft Edge With](#configure-open-microsoft-edge-with) | New | [ConfigureOpenEdgeWith](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configureopenmicrosoftedgewith) | New |
| [Do not sync browser settings](available-policies.md#do-not-sync-browser-settings) | -- | Experience/DoNotSyncBrowserSetting | New |
| [Do not sync browser settings](available-policies.md#do-not-sync-browser-settings) | -- | [Experience/DoNotSyncBrowserSettings](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-donotsyncbrowsersetting) | New |
| [Prevent certificate error overrides](#prevent-certificate-error-overrides) | New | [PreventCertErrorOverrides](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventcerterroroverrides) | New |
| [Prevent users from turning on browser syncing](#preventusersfromturningonbrowsersyncing) | New | Experience/PreventUsersFromTurningOnBrowserSyncing | New |
| [Prevent turning off required extensions](#prevent-turning-off-required-extensions) | New | PreventTurningOffRequiredExtensions | New |
| [Prevent turning off required extensions](#prevent-turning-off-required-extensions) | New | [PreventTurningOffRequiredExtensions](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-preventusersfromturningonbrowsersyncing) | New |
| [Set Home button URL](#set-home-button-url) | New | [SetHomeButtonURL](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-sethomebuttonurl) | New |
| [Set New Tab page URL](#set-new-tab-page-url) | New | [SetNewTabPageURL](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-setnewtabpageurl) | New |
| [Show message when opening sites in Internet Explorer](#showmessagewhenopeninginteretexplorersites) | Updated | [ShowMessageWhenOpeningSitesInInternetExplorer](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-showmessagewhenopeningsitesininternetexplorer) | Updated |
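Review bot: In the "Prevent turning off required extensions" row, the new PreventTurningOffRequiredExtensions link points at policy-csp-experience#experience-preventusersfromturningonbrowsersyncing, which is the anchor for the policy in the row above it. That Experience/PreventUsersFromTurningOnBrowserSyncing row is still unlinked, so it looks like the URL landed on the wrong row; move it up and give PreventTurningOffRequiredExtensions its own target. The group-policy link in the browser-syncing row also uses #preventusersfromturningonbrowsersyncing, while the other rows use hyphenated anchors such as #prevent-certificate-error-overrides.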
@ -75,7 +75,6 @@ We are discontinuing the **Configure Favorites** group policy. Use the **[Provis
## Allow sideloading of Extensions
[!INCLUDE [allow-sideloading-extensions-include.md](includes/allow-sideloading-extensions-include.md)]
## Configure collection of browsing data for Microsoft 365 Analytics
[!INCLUDE [configure-browser-telemetry-for-m365-analytics-include](includes/configure-browser-telemetry-for-m365-analytics-include.md)]

View File

@ -42,7 +42,7 @@ Management of SEMM with Configuration Manager requires the installation of Micro
#### Download SEMM scripts for Configuration Manager
After Microsoft Surface UEFI Manager is installed on the client Surface device, SEMM is deployed and managed with PowerShell scripts. You can download samples of the [SEMM management scripts](https://gallery.technet.microsoft.com/Sample-PowerShell-for-5eb5f03c) from the TechNet Gallery Script Center.
After Microsoft Surface UEFI Manager is installed on the client Surface device, SEMM is deployed and managed with PowerShell scripts. You can download samples of the [SEMM management scripts](https://www.microsoft.com/en-us/download/details.aspx?id=46703) from the Download Center.
## Deploy Microsoft Surface UEFI Manager
@ -269,7 +269,7 @@ The following code fragment, found on lines 352-363, is used to write this regis
### Settings names and IDs
To configure Surface UEFI settings or permissions for Surface UEFI settings, you must refer to each setting by either its setting name or setting ID. With each new update for Surface UEFI, new settings may be added. The best way to get a complete list of the settings available on a Surface device, along with the settings name and settings IDs, is to use the ShowSettingsOptions.ps1 script from [SEMM management scripts for Configuration Manager](https://gallery.technet.microsoft.com/Sample-PowerShell-for-5eb5f03c) in the TechNet Gallery Script Center.
To configure Surface UEFI settings or permissions for Surface UEFI settings, you must refer to each setting by either its setting name or setting ID. With each new update for Surface UEFI, new settings may be added. The best way to get a complete list of the settings available on a Surface device, along with the settings name and settings IDs, is to use the ShowSettingsOptions.ps1 script from SEMM_Powershell.zip in [Surface Tools for IT Downloads](https://www.microsoft.com/en-us/download/details.aspx?id=46703)
The computer where ShowSettingsOptions.ps1 is run must have Microsoft Surface UEFI Manager installed, but the script does not require a Surface device.
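Review bot: The rewritten sentence under "Settings names and IDs" ends at the link with no closing period, and it spells the archive SEMM_Powershell.zip; check the casing against the actual file name on the download page. The hunk header shows the article citing a code fragment "found on lines 352-363" of the sample script, so verify that those line references still hold for the scripts in the new download.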

View File

@ -10,7 +10,7 @@ author: TrudyHa
ms.author: TrudyHa
ms.topic: conceptual
ms.localizationpriority: medium
ms.date: 3/30/2018
ms.date: 8/7/2018
---
# Roles and permissions in Microsoft Store for Business and Education
@ -31,10 +31,11 @@ This table lists the global user accounts and the permissions they have in Micro
| | Global Administrator | Billing Administrator |
| ------------------------------ | --------------------- | --------------------- |
| Sign up for Microsoft Store for Business and Education | X | |
| Sign up for Microsoft Store for Business and Education | X |
| Modify company profile settings | X | |
| Acquire apps | X | X |
| Distribute apps | X | X |
| Purchase subscription-based software | X | X |
 
- **Global Administrator** - IT Pros with this account have full access to Microsoft Store. They can do everything allowed in the Microsoft Store Admin role, plus they can sign up for Microsoft Store.
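Review bot: The replacement row `| Sign up for Microsoft Store for Business and Education | X |` has two cells, while the header and every other row have three. Keep the empty Billing Administrator cell (`| X | |`) so the permissions table stays rectangular and the row cannot be misread by a renderer.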
@ -43,7 +44,7 @@ This table lists the global user accounts and the permissions they have in Micro
## Microsoft Store roles and permissions
Microsoft Store has a set of roles that help IT admins and employees manage access to apps and tasks for Microsoft Store. Employees with these roles will need to use their Azure AD account to access Microsoft Store.
Microsoft Store for Business has a set of roles that help IT admins and employees manage access to apps and tasks for Microsoft Store. Employees with these roles will need to use their Azure AD account to access Microsoft Store.
This table lists the roles and their permissions.

View File

@ -4,6 +4,7 @@
## [Enable or block Windows Mixed Reality apps in the enterprise](manage-windows-mixed-reality.md)
## [Understand apps in Windows 10](apps-in-windows-10.md)
## [Add apps and features in Windows 10](add-apps-and-features.md)
### [Repackage win32 apps in the MSIX format](msix-app-packaging-tool.md)
## [Application Virtualization (App-V) for Windows](app-v/appv-for-windows.md)
### [Getting Started with App-V](app-v/appv-getting-started.md)
#### [What's new in App-V for Windows 10, version 1703 and earlier](app-v/appv-about-appv.md)

View File

@ -0,0 +1,71 @@
---
title: Repackage your existing win32 applications to the MSIX format.
description: Learn how to install and use the MSIX packaging tool.
keywords: ["MSIX", "application", "app", "win32", "packaging tool"]
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.localizationpriority: medium
ms.author: mikeblodge
ms.topic: article
ms.date: 08/01/2018
---
# Repackage existing win32 applications to the MSIX format
The MSIX Packaging Tool (Preview) is now available to install from the Microsoft Store. The MSIX Packaging Tool enables you to repackage your existing win32 applications to the MSIX format. You can run your desktop installers through this tool interactively and obtain an MSIX package that you can install on your machine and upload to the Microsoft Store (coming soon).
> Prerequisites:
- Participation in the Windows Insider Program
- Minimum Windows 10 build 17701
- Admin privileges on your PC account
- A valid MSA alias (to access the app from the Store)
## What's new
v1.2018.808.0
- Ability to add/edit/remove file and registry exclusion items is now supported in Settings menu.
- Fixed an issue where signing in with password protected certificates would fail in the tool.
- Fixed an issue where the tool was crashing when editing an existing MSIX package.
- Fixed an issue where the tool was injecting whitespaces programmatically to install location paths that was causing conversion failures.
- Minor UI tweaks to add clarity.
- Minor updates to the logs for added clarity.
## Installing the MSIX Packaging Tool
1. Use the MSA login associated with your Windows Insider Program credentials in the [Microsoft Store](https://www.microsoft.com/store/r/9N5LW3JBCXKF).
2. Open the product description page.
3. Click the install icon to begin installation.
This is an early preview build and not all features are supported. Here is what you can expect to be able to do with this preview:
- Package your favorite application installer interactively (msi, exe, App-V 5.x and ClickOnce) to MSIX format by launching the tool and selecting **Application package** icon.
- Create a modification package for a newly created Application MSIX Package by launching the tool and selecting the **Modification package** icon.
- Open your MSIX package to view and edit its content/properties by navigating to the **Open package editor** tab. Browse to the MSIX package and select **Open package**.
Features not supported in the tool are currently greyed out. Here are some of the highlighted missing features:
- Package Support Framework integration. For more detail on how you can use Package Support Framework today, check out the article posted on the [MSIX blog](https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FMSIX-Blog%2FMSIX-Package-Support-Framework-is-now-available-on-GitHub%2Fba-p%2F214548&data=02%7C01%7Cpezan%40microsoft.com%7Cbe2761c174cd465136ce08d5f1252d8a%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636680064344941094&sdata=uW3oOOEYQxd0iVgsJkZXZTQwlvf%2FimVCaOdFUXcRoeY%3D&reserved=0).
- Packaging on existing virtual machines. You can still install the Tool on a fresh VM, but the tool cannot currently spawn off a conversion from a local machine to an existing VM.
- Command Line Interface support
- Conversion of App-V 4.x packages
## How to file feedback
Open Feedback Hub. Alternatively, launch the tool and select the **Settings** gear icon in the top right corner to open the Feedback tab. Here you can file feedback for suggestions, problems, and see other feedback items.
## Best practices
- When Packaging ClickOnce installers, it is necessary to send a shortcut to the desktop if the installer is not doing so already. In general, it's a good practice to always send a shortcut to your desktop for the main app executable.
- When creating modification packages, you need to declare the **Package Name** (Identity Name) of the parent application in the tool UI so that the tool sets the correct package dependency in the manifest of the modification package.
- Declaring an installation location field on the Package information page is optional but *recommended*. Make sure that this path matches the installation location of application Installer.
- Performing the preparation steps on the **Prepare Computer** page is optional but *highly recommended*.
## Known issues
1. MSIX Packaging Tool Driver will fail to install if Windows Insider flight ring settings do no match the OS build of the conversion environment. Navigate to Settings, Updates & Security, Windows Insider Program to make sure your Insider preview build settings do not need attention. If you see this message click on the Fix me button to log in again. You might have to go to Windows Update page and check for update before settings change takes effect. Then try to run the tool again to download the MSIX Packaging Tool driver. If you are still hitting issues, try changing your flight ring to Canary or Insider Fast, install the latest Windows updates and try again.
2. You cannot edit the manifest manually from within the tool. (edit manifest button is disabled). Please use the SDK tools to unpack the MSIX package to edit the manifest manually.
3. Restarting the machine during application installation is not supported. Please ignore the restart request if possible or pass an argument to the installer to not require a restart.
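Review bot: The MSIX blog link in the unsupported-features list is an Outlook Safe Links redirect (na01.safelinks.protection.outlook.com) whose query string carries an internal e-mail address and tenant identifiers. Replace it with the direct techcommunity.microsoft.com URL that it wraps. Smaller points in the same file: Known issues item 1 says "do no match", and the `> Prerequisites:` blockquote is followed by list items that sit outside the quote.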

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
ms.date: 04/12/2018
ms.date: 08/08/2018
---
# NetworkProxy CSP
@ -34,7 +34,10 @@ The following diagram shows the NetworkProxy configuration service provider in t
The root node for the NetworkProxy configuration service provider..</p>
<a href="" id="proxysettingsperuser"></a>**ProxySettingsPerUser**
Added in Windows 10, version 1803. When set to 0, it enables proxy configuration as global, machine wide; set to 1 for proxy configuratio per user.
Added in Windows 10, version 1803. When set to 0, it enables proxy configuration as global, machine wide.
> [!Note]
> Per user proxy configuration setting is not supported.
<a href="" id="autodetect"></a>**AutoDetect**
Automatically detect settings. If enabled, the system tries to find the path to a PAC script.</p>
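Review bot: The new ProxySettingsPerUser text documents only the value 0 and then says per-user configuration is not supported, which leaves readers guessing what happens when the node is set to 1. State the outcome explicitly (for example, whether the value is rejected or ignored), since the previous text told administrators to set 1 for per-user proxy. The context line above also ends in a double period ("provider..").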

View File

@ -1381,6 +1381,24 @@ For details about Microsoft mobile device management protocols for Windows 10 s
<li>Authentication/EnableFastFirstSignIn</li>
<li>Authentication/EnableWebSignIn</li>
<li>Authentication/PreferredAadTenantDomainName</li>
<li>Browser/AllowFullScreenMode</li>
<li>Browser/AllowPrelaunch</li>
<li>Browser/AllowPrinting</li>
<li>Browser/AllowSavingHistory</li>
<li>Browser/AllowSideloadingOfExtensions</li>
<li>Browser/AllowTabPreloading</li>
<li>Browser/AllowWebContentOnNewTabPage</li>
<li>Browser/ConfigureFavoritesBar</li>
<li>Browser/ConfigureHomeButton</li>
<li>Browser/ConfigureKioskMode</li>
<li>Browser/ConfigureKioskResetAfterIdleTimeout</li>
<li>Browser/ConfigureOpenMicrosoftEdgeWith</li>
<li>Browser/ConfigureTelemetryForMicrosoft365Analytics</li>
<li>Browser/ForceEnabledExtensions</li>
<li>Browser/PreventCertErrorOverrides</li>
<li>Browser/SetHomeButtonURL</li>
<li>Browser/SetNewTabPageURL</li>
<li>Browser/UnlockHomeButton</li>
<li>Defender/CheckForSignaturesBeforeRunningScan</li>
<li>Defender/DisableCatchupFullScan </li>
<li>Defender/DisableCatchupQuickScan </li>
@ -1396,6 +1414,8 @@ For details about Microsoft mobile device management protocols for Windows 10 s
<li>Experience/AllowClipboardHistory</li>
<li>Experience/DoNotSyncBrowserSetting</li>
<li>Experience/PreventUsersFromTurningOnBrowserSyncing</li>
<li>Privacy/AllowCrossDeviceClipboard</li>
<li>Privacy/UploadUserActivities</li>
<li>Security/RecoveryEnvironmentAuthentication</li>
<li>TaskManager/AllowEndTask</li>
<li>Update/EngagedRestartDeadlineForFeatureUpdates</li>
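Review bot: This list and the one in the following hunk still show Experience/DoNotSyncBrowserSetting, while the Edge and Policy CSP Experience pages changed in this commit now write Experience/DoNotSyncBrowserSettings. Settle on the real node name and update these two entries in the same change.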
@ -1741,8 +1761,28 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
<td style="vertical-align:top">[Policy CSP](policy-configuration-service-provider.md)</td>
<td style="vertical-align:top"><p>Added the following new policies in Windows 10, next major version:</p>
<ul>
<li>Browser/AllowFullScreenMode</li>
<li>Browser/AllowPrelaunch</li>
<li>Browser/AllowPrinting</li>
<li>Browser/AllowSavingHistory</li>
<li>Browser/AllowSideloadingOfExtensions</li>
<li>Browser/AllowTabPreloading</li>
<li>Browser/AllowWebContentOnNewTabPage</li>
<li>Browser/ConfigureFavoritesBar</li>
<li>Browser/ConfigureHomeButton</li>
<li>Browser/ConfigureKioskMode</li>
<li>Browser/ConfigureKioskResetAfterIdleTimeout</li>
<li>Browser/ConfigureOpenMicrosoftEdgeWith</li>
<li>Browser/ConfigureTelemetryForMicrosoft365Analytics</li>
<li>Browser/ForceEnabledExtensions</li>
<li>Browser/PreventCertErrorOverrides</li>
<li>Browser/SetHomeButtonURL</li>
<li>Browser/SetNewTabPageURL</li>
<li>Browser/UnlockHomeButton</li>
<li>Experience/DoNotSyncBrowserSetting</li>
<li>Experience/PreventUsersFromTurningOnBrowserSyncing</li>
<li>Privacy/AllowCrossDeviceClipboard</li>
<li>Privacy/UploadUserActivities</li>
</ul>
</td></tr>
</tbody>

View File

@ -91,7 +91,7 @@ ms.date: 07/30/2018
<a href="#experience-donotshowfeedbacknotifications">Experience/DoNotShowFeedbackNotifications</a>
</dd>
<dd>
<a href="#experience-donotsyncbrowsersetting">Experience/DoNotSyncBrowserSetting</a>
<a href="#experience-donotsyncbrowsersetting">Experience/DoNotSyncBrowserSettings</a>
</dd>
<dd>
<a href="#experience-preventusersfromturningonbrowsersyncing">Experience/PreventUsersFromTurningOnBrowserSyncing</a>
@ -1399,7 +1399,7 @@ The following list shows the supported values:
<hr/>
<!--Policy-->
<a href="" id="experience-donotsyncbrowsersetting"></a>**Experience/DoNotSyncBrowserSetting**
<a href="" id="experience-donotsyncbrowsersetting"></a>**Experience/DoNotSyncBrowserSettings**
<!--SupportedSKUs-->
<table>
@ -1434,14 +1434,10 @@ The following list shows the supported values:
<!--/Scope-->
<!--Description-->
By default, the "browser" group syncs automatically between users devices and allowing users to choose to make changes. The "browser" group uses the **Sync your Settings** option in Settings to sync information like history and favorites. Enabling this policy prevents the "browser" group from using the **Sync your Settings** option. If you want syncing turned off by default but not disabled, select the Allow users to turn "browser" syncing option.
[!INCLUDE [do-not-sync-browser-settings-shortdesc](../../../browsers/edge/shortdesc/do-not-sync-browser-settings-shortdesc.md)]
Related policy: PreventUsersFromTurningOnBrowserSyncing.
Value type is integer. Supported values:
- 0 (default) - Allowed/turned on. The "browser" group syncs automatically between users devices and lets users to make changes.
- 2 - Prevented/turned off. The "browser" group does not use the **Sync your Settings** option.
Related policy:
PreventUsersFromTurningOnBrowserSyncing
<!--/Description-->
<!--ADMXMapped-->
@ -1453,7 +1449,12 @@ ADMX Info:
<!--/ADMXMapped-->
<!--SupportedValues-->
Supported values:
- 0 (default) - Allowed/turned on. The "browser" group syncs automatically between users devices and lets users to make changes.
- 2 - Prevented/turned off. The "browser" group does not use the _Sync your Settings_ option.
Value type is integer.
<!--/SupportedValues-->
<!--Example-->
@ -1501,25 +1502,21 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
By default, the "browser" group syncs automatically between the users devices, letting users make changes. With this policy, though, you can prevent the "browser" group from syncing and prevent users from turning on the Sync your Settings toggle in Settings. If you want syncing turned off by default but not disabled, select the Allow users to turn "browser" syncing option in the Do not sync browser policy. For this policy to work correctly, you must enable the Do not sync browser policy.
[!INCLUDE [prevent-users-to-turn-on-browser-syncing-shortdesc](../../../browsers/edge/shortdesc/prevent-users-to-turn-on-browser-syncing-shortdesc.md)]
Related policy: DoNotSyncBrowserSetting
Related policy:
DoNotSyncBrowserSettings
Value type is integer. Supported values:
- 0 - Allowed/turned on. Users can sync the browser settings.
- 1 (default) - Prevented/turned off.
This policy only works with the Experience/DoNotSyncBrowserSetting policy, and for this policy to work correctly, you must set Experience/DoNotSynBrowserSettings to 2 (enabled). By default, when you set this policy and the Experience/DoNotSyncBrowserSetting policy to 0 (disabled or not configured), the browser settings sync automatically. However, with this policy, you can prevent the syncing of browser settings and prevent users from turning on the Sync your Settings option. Additionally, you can prevent syncing the browser settings but give users a choice to turn on syncing.
If you want to prevent syncing of browser settings and prevent users from turning it on:
1. Set Experience/DoNotSyncBrowserSetting to 2 (enabled).
1. Set Experience/DoNotSyncBrowserSettings to 2 (enabled).
1. Set this policy (Experience/PreventUsersFromTurningOnBrowserSyncing) to 1 (enabled or not configured).
If you want to prevent syncing of browser settings but give users a choice to turn on syncing:
1. Set Experience/DoNotSyncBrowserSetting to 2 (enabled).
1. Set Experience/DoNotSyncBrowserSettings to 2 (enabled).
1. Set this policy (Experience/PreventUsersFromTurningOnBrowserSyncing) to 0 (disabled).
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
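Review bot: The prerequisite paragraph beginning "This policy only works with" still names Experience/DoNotSyncBrowserSetting twice and misspells the policy as Experience/DoNotSynBrowserSettings, while the numbered steps below it were updated to DoNotSyncBrowserSettings. If that paragraph is staying, fix both. The step "Set this policy ... to 1 (enabled or not configured)" also reads oddly next to the supported values, which list 1 as the default "Prevented/turned off"; use the same wording in both places.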
@ -1531,7 +1528,12 @@ ADMX Info:
<!--/ADMXMapped-->
<!--SupportedValues-->
Supported values:
- 0 - Allowed/turned on. Users can sync the browser settings.
- 1 (default) - Prevented/turned off.
Value type is integer.
<!--/SupportedValues-->
<!--Example-->
@ -1540,15 +1542,12 @@ ADMX Info:
**Validation procedure:**
Microsoft Edge on your PC:
1. Select More > Settings.
1. Select **More > Settings**.
1. See if the setting is enabled or disabled based on your setting.
<!--/Validation-->
<!--/Policy-->
<<<<<<< HEAD
=======
>>>>>>> 3c06afe9875ad82fff960313bea663f49a2f7d2c
<hr/>
Footnote:

View File

@ -433,7 +433,7 @@ The following list shows the supported values:
<!--/Scope-->
<!--Description-->
Updated in Windows 10, version 1709. Allows the usage of cloud based speech services for Cortana, dictation, or Store applications. Setting this policy to 1, lets Microsoft use the user's voice data to improve cloud speech services for all users.
Updated in Windows 10, next major version. This policy specifies whether users on the device have the option to enable online speech recognition. When enabled, users can use their voice for dictation and to talk to Cortana and other apps that use Microsoft cloud-based speech recognition. Microsoft will use voice input to help improve our speech services. If the policy value is set to 0, online speech recognition will be disabled and users cannot enable online speech recognition via settings. If policy value is set to 1 or is not configured, control is deferred to users.
Most restricted value is 0.
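Review bot: The rewritten description says "Microsoft will use voice input to help improve our speech services" without tying that to a policy value, whereas the sentence it replaces stated that setting the policy to 1 is what lets Microsoft use the user's voice data. Suggest stating under which value and user choice voice input is sent to the cloud service, so the privacy effect of 0 versus 1 is explicit. The placeholder "Windows 10, next major version" also needs the release number before publishing, and "If policy value is set to 1" is missing an article.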
@ -450,7 +450,7 @@ ADMX Info:
The following list shows the supported values:
- 0 Not allowed.
- 1 (default) Allowed.
- 1 (default) Choice deferred to user's preference.
<!--/SupportedValues-->
<!--/Policy-->

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
ms.date: 07/30/2018
ms.date: 08/06/2018
---
# Policy CSP - Update
@ -428,7 +428,7 @@ The following list shows the supported values:
- 3 Auto install and restart at a specified time. The IT specifies the installation day and time. If no day and time are specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is logged in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart.
- 4 Auto install and restart without end-user control. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This setting option also sets the end-user control panel to read-only.
- 5 Turn off automatic updates.
- 6 - When AllowAutoUpdate is set to 6, Windows will automatically check, download, and install updates. The device will reboot as per Windows default settings unless configured by other policies. (Added Windows 10, next major version).
<!--/SupportedValues-->
<!--/Policy-->
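Review bot: The new entry for 6 does not say how it differs from the existing values, in particular 4, which also downloads and installs automatically and restarts without end-user control. "The device will reboot as per Windows default settings unless configured by other policies" leaves the restart behaviour undefined for anyone planning patch windows; suggest naming the default behaviour or linking to the policies that override it. The entry also breaks the list style ("6 - When AllowAutoUpdate is set to 6, ..." against "5 Turn off automatic updates.") and carries the "next major version" placeholder.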

View File

@ -8,7 +8,7 @@ author: jdeckerMS
ms.localizationpriority: medium
ms.author: jdecker
ms.topic: article
ms.date: 04/30/2018
ms.date: 08/08/2018
---
# FirstExperience (Windows Configuration Designer reference)
@ -27,5 +27,5 @@ PreferredRegion | Enter the [geographical location identifier](https://msdn.micr
PreferredTimezone | Enter the timezone. [Microsoft Time Zone Index Values](https://msdn.microsoft.com/library/ms912391.aspx)
SkipCalibration | Initial setup of HoloLens includes a calibration step. Set to **True** to skip calibration.
SkipTraining | Initial setup of HoloLens includes training on how to perform the gestures to operate HoloLens. Set to **True** to skip training.
SkipWifi | Set to **True** to skip connecting to a Wi-fi network.
SkipWifi | Set to **True** to skip connecting to a Wi-Fi network.<br><br>**Note:** HoloLens [requires a Wi-Fi connection during setup to verify the account](https://docs.microsoft.com/hololens/hololens-setup). To skip the Wi-Fi connection page during setup, your provisioning package must provide the network configuration. You can configure the network configuration [in the HoloLens wizard](https://docs.microsoft.com/hololens/hololens-provisioning#create-a-provisioning-package-for-hololens-using-the-hololens-wizard) and then switch to the advanced editor to configure **FirstExperience** settings, or in advanced settings, configure a WLAN [connectivity profile](wcd-connectivityprofiles.md).
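Review bot: The added note on the SkipWifi row explains that setup needs Wi-Fi to verify the account, but it does not say what happens when SkipWifi is **True** and the provisioning package carries no network configuration. Suggest one sentence on that outcome so the reader knows whether setup stalls or falls back to showing the Wi-Fi page. The note also mixes absolute docs.microsoft.com links with the relative link to wcd-connectivityprofiles.md; pick one style for in-repo targets.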

View File

@ -15,8 +15,7 @@ ms.date: 10/16/2017
Use SharedPC settings to optimize Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail.
>[!TIP]
>You can use the [ApplicationManagement](wcd-applicationmanagement.md) settings node to configure only the account management settings without enabling shared PC mode.
## Applies to

View File

@ -48,4 +48,5 @@ While Windows Defender System Guard provides advanced protection that will help
As Windows 10 boots, a series of integrity measurements are taken by Windows Defender System Guard using the devices Trusted Platform Module 2.0 (TPM 2.0). This process and data are hardware-isolated away from Windows to help ensure that the measurement data is not subject to the type of tampering that could happen if the platform was compromised. From here, the measurements can be used to determine the integrity of the devices firmware, hardware configuration state, and Windows boot-related components, just to name a few. After the system boots, Windows Defender System Guard signs and seals these measurements using the TPM. Upon request, a management system like Intune or System Center Configuration Manager can acquire them for remote analysis. If Windows Defender System Guard indicates that the device lacks integrity, the management system can take a series of actions, such as denying the device access to resources.
![Windows Defender System Guard](images/windows-defender-system-guard-validate-system-integrity.png)

View File

@ -351,6 +351,7 @@ The following steps can be used to configure Network Unlock on these older syste
6. [Step Six: Configure registry settings for Network Unlock](#bkmk-stepsix)
Apply the registry settings by running the following certutil script on each computer running any of the client operating systems designated in the **Applies To** list at the beginning of this topic.
certutil -f -grouppolicy -addstore FVE_NKP BitLocker-NetworkUnlock.cer
reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v OSManageNKP /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseAdvancedStartup /t REG_DWORD /d 1 /f
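Review bot: The lead-in under Step Six calls the block "the following certutil script", but two of its three commands are `reg add` writes to HKLM\SOFTWARE\Policies\Microsoft\FVE. Suggest describing it as a set of commands, stating that they must run from an elevated prompt, and saying where BitLocker-NetworkUnlock.cer is expected to be (the command uses a bare file name, so it depends on the current directory). A short line on what OSManageNKP and UseAdvancedStartup control would help anyone auditing these policy keys later.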

View File

@ -8,7 +8,7 @@ ms.pagetype: security
author: justinha
ms.author: justinha
ms.localizationpriority: medium
ms.date: 07/10/2018
ms.date: 08/08/2018
---
# Create a Windows Information Protection (WIP) policy with MDM using the Azure portal for Microsoft Intune
@ -348,14 +348,14 @@ If you're running into compatibility issues where your app is incompatible with
## Manage the WIP protection mode for your enterprise data
After you've added the apps you want to protect with WIP, you'll need to apply a management and protection mode.
We recommend that you start with **Silent** or **Allow Overrides** while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, **Hide Overrides**.
We recommend that you start with **Silent** or **Allow Overrides** while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, **Block**.
>[!NOTE]
>For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).
**To add your protection mode**
1. From the **App policy** blade, click the name of your policy, and then click **Required settings** from the menu that appears.
1. From the **App protection policy** blade, click the name of your policy, and then click **Required settings** from the menu that appears.
The **Required settings** blade appears.
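Review bot: After the rename, the recommendation in this topic gives the final enforcement policy as **Block** only, while the sibling topics changed in the same commit say "either **Allow Overrides** or **Block**" and "either **Override** or **Block**". Suggest aligning the wording across the WIP topics, or stating why this one recommends Block alone, so readers do not get different rollout guidance depending on which page they land on.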
@ -363,7 +363,7 @@ We recommend that you start with **Silent** or **Allow Overrides** while verifyi
|Mode |Description |
|-----|------------|
|Hide Overrides |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.|
|Block |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.|
|Allow Overrides |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).|
|Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that wouldve been prompted for employee interaction while in Allow Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still stopped.|
|Off (not recommended) |WIP is turned off and doesn't help to protect or audit your data.<br><br>After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isnt automatically reapplied if you turn WIP protection back on.|
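Review bot: In the Silent row of this table the mode is referred to as "Allow Override mode", but the row above names it **Allow Overrides**. Since the hunk already touches the mode names, fix the reference in the same pass so that a search for the mode name finds every mention.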

View File

@ -7,7 +7,7 @@ ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
ms.author: justinha
ms.date: 05/30/2018
ms.date: 08/08/2018
ms.localizationpriority: medium
---
@ -308,11 +308,11 @@ If you're running into compatibility issues where your app is incompatible with
## Manage the WIP protection mode for your enterprise data
After you've added the apps you want to protect with WIP, you'll need to apply a management and protection mode.
We recommend that you start with **Silent** or **Allow Overrides** while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, either **Allow Overrides** or **Hide Overrides**.
We recommend that you start with **Silent** or **Allow Overrides** while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, either **Allow Overrides** or **Block**.
|Mode |Description |
|-----|------------|
|Hide Overrides|WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.|
|Block|WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.|
|Allow Overrides|WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log, accessible through the [Reporting CSP](https://go.microsoft.com/fwlink/p/?LinkID=746459). |
|Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that wouldve been prompted for employee interaction while in Allow Overrides mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still blocked.|
|Off (not recommended) |WIP is turned off and doesn't help to protect or audit your data.<p>After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isnt automatically reapplied if you turn WIP protection back on.|
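Review bot: With the mode renamed to **Block**, the Silent row's closing words "are still blocked" can now be read as a reference to Block mode. The same row in the Azure portal topic says "are still stopped"; suggest using "stopped" here as well so the verb does not collide with the mode name.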

View File

@ -7,7 +7,7 @@ ms.sitesec: library
ms.pagetype: security
author: justinha
ms.author: justinha
ms.date: 05/30/2018
ms.date: 08/08/2018
localizationpriority: medium
---
@ -377,7 +377,7 @@ In the **Required settings** blade you must pick your Windows Information Protec
### Manage the WIP protection mode for your enterprise data
After you've added the apps you want to protect with WIP, you'll need to apply a management and protection mode.
We recommend that you start with **Silent** or **Allow Overrides** while verifying with a small group that you have the right apps on your allowed apps list. After you're done, you can change to your final enforcement policy, **Hide Overrides**.
We recommend that you start with **Silent** or **Allow Overrides** while verifying with a small group that you have the right apps on your allowed apps list. After you're done, you can change to your final enforcement policy, **Block**.
>[!NOTE]
>For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).
@ -392,7 +392,7 @@ We recommend that you start with **Silent** or **Allow Overrides** while verifyi
|Mode |Description |
|-----|------------|
|Hide Overrides |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.|
|Block |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.|
|Allow Overrides |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).|
|Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that wouldve been prompted for employee interaction while in Allow Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still stopped.|
|Off (not recommended) |WIP is turned off and doesn't help to protect or audit your data.<br><br>After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isnt automatically reapplied if you turn WIP protection back on.|

View File

@ -9,7 +9,7 @@ ms.sitesec: library
ms.pagetype: security
author: justinha
ms.localizationpriority: medium
ms.date: 10/16/2017
ms.date: 08/08/2018
---
# Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager
@ -340,14 +340,14 @@ If you're running into compatibility issues where your app is incompatible with
## Manage the WIP-protection level for your enterprise data
After you've added the apps you want to protect with WIP, you'll need to apply a management and protection mode.
We recommend that you start with **Silent** or **Override** while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, either **Override** or **Hide Overrides**.
We recommend that you start with **Silent** or **Override** while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, either **Override** or **Block**.
>[!NOTE]
>For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).
|Mode |Description |
|-----|------------|
|Hide Overrides |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.|
|Block |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.|
|Override |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log. |
|Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that wouldve been prompted for employee interaction while in Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still blocked.|
|Off (not recommended) |WIP is turned off and doesn't help to protect or audit your data.<p>After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isnt automatically reapplied if you turn WIP protection back on.|

View File

@ -9,7 +9,7 @@ ms.sitesec: library
ms.pagetype: security
author: justinha
ms.localizationpriority: medium
ms.date: 09/11/2017
ms.date: 08/08/2018
---
# Deploy your Windows Information Protection (WIP) policy using the classic console for Microsoft Intune

View File

@ -77,13 +77,13 @@ WIP gives you a new way to manage data policy enforcement for apps and documents
- **Copying or downloading enterprise data.** When an employee or an app downloads content from a location like SharePoint, a network share, or an enterprise web location, while using a WIP-protected device, WIP encrypts the data on the device.
- **Using allowed apps.** Managed apps (apps that you've included on the **Allowed apps** list in your WIP policy) are allowed to access your enterprise data and will interact differently when used with unallowed, non-enterprise aware, or personal-only apps. For example, if WIP management is set to **Hide overrides**, your employees can copy and paste from one protected app to another allowed app, but not to personal apps. Imagine an HR person wants to copy a job description from an allowed app to the internal career website, an enterprise-protected location, but goofs and tries to paste into a personal app instead. The paste action fails and a notification pops up, saying that the app couldnt paste because of a policy restriction. The HR person then correctly pastes to the career website without a problem.
- **Using allowed apps.** Managed apps (apps that you've included on the **Allowed apps** list in your WIP policy) are allowed to access your enterprise data and will interact differently when used with unallowed, non-enterprise aware, or personal-only apps. For example, if WIP management is set to **Block**, your employees can copy and paste from one protected app to another allowed app, but not to personal apps. Imagine an HR person wants to copy a job description from an allowed app to the internal career website, an enterprise-protected location, but goofs and tries to paste into a personal app instead. The paste action fails and a notification pops up, saying that the app couldnt paste because of a policy restriction. The HR person then correctly pastes to the career website without a problem.
- **Managed apps and restrictions.** With WIP you can control which apps can access and use your enterprise data. After adding an app to your allowed apps list, the app is trusted with enterprise data. All apps not on this list are stopped from accessing your enterprise data, depending on your WIP management-mode.
You dont have to modify line-of-business apps that never touch personal data to list them as allowed apps; just include them in the allowed apps list.
- **Deciding your level of data access.** WIP lets you hide overrides, allow overrides, or audit employees' data sharing actions. Hiding overrides stops the action immediately. Allowing overrides lets the employee know there's a risk, but lets him or her continue to share the data while recording and auditing the action. Silent just logs the action without stopping anything that the employee could've overridden while using that setting; collecting info that can help you to see patterns of inappropriate sharing so you can take educative action or find apps that should be added to your allowed apps list. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).
- **Deciding your level of data access.** WIP lets you block, allow overrides, or audit employees' data sharing actions. Hiding overrides stops the action immediately. Allowing overrides lets the employee know there's a risk, but lets him or her continue to share the data while recording and auditing the action. Silent just logs the action without stopping anything that the employee could've overridden while using that setting; collecting info that can help you to see patterns of inappropriate sharing so you can take educative action or find apps that should be added to your allowed apps list. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).
- **Data encryption at rest.** WIP helps protect enterprise data on local files and on removable media.
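Review bot: The rename is incomplete in the "Deciding your level of data access" bullet: the first sentence now says "WIP lets you block, allow overrides, or audit", but the next sentence still reads "Hiding overrides stops the action immediately." Suggest "Blocking stops the action immediately" so the bullet uses one term for the mode.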
@ -132,7 +132,7 @@ You can set your WIP policy to use 1 of 4 protection and management modes:
|Mode|Description|
|----|-----------|
|Hide overrides |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing enterprise data to non-enterprise-protected apps in addition to sharing enterprise data between apps or attempting to share outside of your organizations network.|
|Block |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing enterprise data to non-enterprise-protected apps in addition to sharing enterprise data between apps or attempting to share outside of your organizations network.|
|Allow overrides |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log.|
|Silent |WIP runs silently, logging inappropriate data sharing, without stopping anything that wouldve been prompted for employee interaction while in Allow overrides mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still stopped.|
|Off |WIP is turned off and doesn't help to protect or audit your data.<p>After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isnt automatically reapplied if you turn WIP protection back on.<p>**Note**<br>For more info about setting your WIP-protection modes, see either [Create a Windows Information Protection (WIP) policy using Intune](create-wip-policy-using-intune.md) or [Create and deploy a Windows Information Protection (WIP) policy using Configuration Manager](create-wip-policy-using-sccm.md), depending on your management solution. |

View File

@ -10,7 +10,7 @@ ms.sitesec: library
ms.pagetype: security
author: coreyp-at-msft
ms.localizationpriority: medium
ms.date: 04/18/2018
ms.date: 08/08/2018
---
# Fine-tune Windows Information Protection (WIP) with WIP Learning
@ -21,7 +21,7 @@ ms.date: 04/18/2018
With WIP Learning, you can intelligently tune which apps and websites are included in your WIP policy to help reduce disruptive prompts and keep it accurate and relevant. WIP Learning generates two reports: The **App learning report** and the **Website learning report**. Both reports are accessed from Microsoft Azure Intune, and you can alternately access the App learning report from Microsoft Operations Management Suite (OMS).
The **App learning report** monitors your apps, not in policy, that attempt to access work data. You can identify these apps using the report and add them to your WIP policies to avoid productivity disruption before fully enforcing WIP with [Hide overrides](protect-enterprise-data-using-wip.md#bkmk-modes) mode. Frequent monitoring of the report will help you continuously identify access attempts so you can update your policy accordingly.
The **App learning report** monitors your apps, not in policy, that attempt to access work data. You can identify these apps using the report and add them to your WIP policies to avoid productivity disruption before fully enforcing WIP with [Block](protect-enterprise-data-using-wip.md#bkmk-modes) mode. Frequent monitoring of the report will help you continuously identify access attempts so you can update your policy accordingly.
In the **Website learning report**, you can view a summary of the devices that have shared work data with websites. You can use this information to determine which websites should be added to group and user WIP policies. The summary shows which website URLs are accessed by WIP-enabled apps so you can decide which ones are cloud or personal, and add them to the resource list.
@ -95,7 +95,7 @@ Here, you can copy the **WipAppid** and use it to adjust your WIP protection pol
9. Go back to OMS one more time and note the version number of the app and type it in **MIN VERSION** in Intune (alternately, you can specify the max version, but one or the other is required), and then select the **ACTION**: **Allow** or **Deny**
When working with WIP-enabled apps and WIP-unknown apps, it is recommended that you start with **Silent** or **Allow overrides** while verifying with a small group that you have the right apps on your allowed apps list. After you're done, you can change to your final enforcement policy, **Hide overrides**. For more information about WIP modes, see: [Protect enterprise data using WIP: WIP-modes](protect-enterprise-data-using-wip.md#bkmk-modes)
When working with WIP-enabled apps and WIP-unknown apps, it is recommended that you start with **Silent** or **Allow overrides** while verifying with a small group that you have the right apps on your allowed apps list. After you're done, you can change to your final enforcement policy, **Block**. For more information about WIP modes, see: [Protect enterprise data using WIP: WIP-modes](protect-enterprise-data-using-wip.md#bkmk-modes)
>[!NOTE]
>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).

View File

@ -306,18 +306,18 @@
###### [Requirements for virtualization-based protection of code integrity](windows-defender-exploit-guard\requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md)
###### [Enable virtualization-based protection of code integrity](windows-defender-exploit-guard\enable-virtualization-based-protection-of-code-integrity.md)
#### [Attack surface reduction](windows-defender-exploit-guard\attack-surface-reduction-exploit-guard.md)
#### [Evaluate Attack surface reduction](windows-defender-exploit-guard\evaluate-attack-surface-reduction.md)
#### [Enable Attack surface reduction](windows-defender-exploit-guard\enable-attack-surface-reduction.md)
#### [Customize Attack surface reduction](windows-defender-exploit-guard\customize-attack-surface-reduction.md)
#### [Troubleshoot Attack surface reduction rules](windows-defender-exploit-guard\troubleshoot-asr.md)
##### [Evaluate Attack surface reduction](windows-defender-exploit-guard\evaluate-attack-surface-reduction.md)
##### [Enable Attack surface reduction](windows-defender-exploit-guard\enable-attack-surface-reduction.md)
##### [Customize Attack surface reduction](windows-defender-exploit-guard\customize-attack-surface-reduction.md)
##### [Troubleshoot Attack surface reduction rules](windows-defender-exploit-guard\troubleshoot-asr.md)
#### [Network Protection](windows-defender-exploit-guard\network-protection-exploit-guard.md)
#### [Evaluate Network Protection](windows-defender-exploit-guard\evaluate-network-protection.md)
#### [Enable Network Protection](windows-defender-exploit-guard\enable-network-protection.md)
#### [Troubleshoot Network protection](windows-defender-exploit-guard\troubleshoot-np.md)
##### [Evaluate Network Protection](windows-defender-exploit-guard\evaluate-network-protection.md)
##### [Enable Network Protection](windows-defender-exploit-guard\enable-network-protection.md)
##### [Troubleshoot Network protection](windows-defender-exploit-guard\troubleshoot-np.md)
#### [Controlled folder access](windows-defender-exploit-guard\controlled-folders-exploit-guard.md)
#### [Evaluate Controlled folder access](windows-defender-exploit-guard\evaluate-controlled-folder-access.md)
#### [Enable Controlled folder access](windows-defender-exploit-guard\enable-controlled-folders-exploit-guard.md)
#### [Customize Controlled folder access](windows-defender-exploit-guard\customize-controlled-folders-exploit-guard.md)
##### [Evaluate Controlled folder access](windows-defender-exploit-guard\evaluate-controlled-folder-access.md)
##### [Enable Controlled folder access](windows-defender-exploit-guard\enable-controlled-folders-exploit-guard.md)
##### [Customize Controlled folder access](windows-defender-exploit-guard\customize-controlled-folders-exploit-guard.md)
@ -908,8 +908,8 @@
### [Windows security baselines](windows-security-baselines.md)
### [Security Compliance Toolkit](security-compliance-toolkit-10.md)
### [Get support](get-support-for-security-baselines.md)
#### [Security Compliance Toolkit](security-compliance-toolkit-10.md)
#### [Get support](get-support-for-security-baselines.md)
### [Windows 10 Mobile security guide](windows-10-mobile-security-guide.md)

View File

@ -25,8 +25,8 @@ The following topics provide a discussion of each policy setting's implementatio
| Topic | Description |
| - | - |
| [Account lockout duration](account-lockout-duration.md) | Describes the best practices, location, values, and security considerations for the **Account lockout duration** security policy setting. |
| [Account lockout threshold](account-lockout-threshold.md) | Describes the best practices, location, values, and security considerations for the **Account lockout threshold** security policy setting. |
| [Account lockout duration](account-lockout-duration.md) | Describes the best practices, location, values, and security considerations for the **Account lockout duration** security policy setting. |
| [Reset account lockout counter after](reset-account-lockout-counter-after.md) | Describes the best practices, location, values, and security considerations for the **Reset account lockout counter after** security policy setting. |
 
## Related topics

View File

@ -25,6 +25,8 @@ For info about testing an AppLocker policy to see what rules affect which files
You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer
AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins).
These steps apply only for locally managed devices. If the device has AppLocker policies applied by using MDM or a GPO, the local policy will not override those settings.
**To delete a rule in an AppLocker policy**
1. Open the AppLocker console.
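Review bot: The added paragraph ("These steps apply only for locally managed devices...") contradicts the paragraph directly above it, which says the task can be done with the Group Policy Management Console for an AppLocker policy in a GPO. Suggest rewording to say that deleting the rule in the local policy has no effect while MDM or a GPO still delivers it, and that the rule must be removed at that source. As written, an admin could delete a rule locally and assume it is no longer enforced, or skip the GPO path the topic itself describes.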

View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 05/30/2018
ms.date: 08/08/2018
---
@ -68,14 +68,13 @@ This section covers requirements for each feature in Windows Defender EG.
|--------|---------|
| ![not supported](./images/ball_empty.png) | Not supported |
| ![supported](./images/ball_50.png) | Supported |
| ![supported, enhanced](./images/ball_75.png) | Includes advanced exploit protection for the kernel mode via [HVCI](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity) |
| ![supported, full reporting](./images/ball_full.png) | Includes automated reporting into the Windows Defender ATP console|
| ![supported, full reporting](./images/ball_full.png) | Recommended. Includes full, automated reporting into the Windows Defender ATP console. Provides additional cloud-powered capabilities, including the Network protection ability to block apps from accessing low-reputation websites and an Attack surface reduction rule that blocks executable files that meet age or prevalence criteria.|
| Feature | Windows 10 Home | Windows 10 Professional | Windows 10 E3 | Windows 10 E5 |
| ----------------- | :------------------------------------: | :---------------------------: | :-------------------------: | :--------------------------------------: |
| Exploit protection | ![supported](./images/ball_50.png) | ![supported](./images/ball_50.png) | ![supported, enhanced](./images/ball_75.png) | ![supported, full reporting](./images/ball_full.png) |
| Attack surface reduction | ![not supported](./images/ball_empty.png) | ![not supported](./images/ball_empty.png) | ![not supported](./images/ball_50.png) | ![supported, full reporting](./images/ball_full.png) |
| Exploit protection | ![supported](./images/ball_50.png) | ![supported](./images/ball_50.png) | ![supported, enhanced](./images/ball_50.png) | ![supported, full reporting](./images/ball_full.png) |
| Attack surface reduction | ![not supported](./images/ball_empty.png) | ![not supported](./images/ball_empty.png) | ![not supported](./images/ball_empty.png) | ![supported, full reporting](./images/ball_full.png) |
| Network protection | ![not supported](./images/ball_empty.png) | ![not supported](./images/ball_empty.png) | ![supported, limited reporting](./images/ball_50.png) | ![supported, full reporting](./images/ball_full.png) |
| Controlled folder access | ![supported, limited reporting](./images/ball_50.png) | ![supported, limited reporting](./images/ball_50.png) | ![supported, limited reporting](./images/ball_50.png) | ![supported, full reporting](./images/ball_full.png) |
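Review bot: In the new Exploit protection row, the Windows 10 E3 cell now points at ball_50.png but keeps the alt text "supported, enhanced", which describes the ball_75.png tier whose legend row is dropped in this same hunk. Change that cell to `![supported](./images/ball_50.png)` so screen readers and image fallbacks match the legend. The Network protection and Controlled folder access rows have the same mismatch in the other direction: their ball_50.png cells carry "supported, limited reporting" alt text, while the legend defines ball_50.png only as "Supported". Either align those alt texts or add the limited-reporting wording to the legend. The removed legend row was also the only visible mention of HVCI in this section, so confirm that the link is still reachable from elsewhere on the page.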